From 46e6fb5ad19f847ec70d137e1f609b50504cb6a3 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Thu, 27 Oct 2022 11:37:38 +0100 Subject: [PATCH 001/113] Fix CircleCI config (#804) * Fix CircleCI config * Add manual trigger option --- .circleci/config.yml | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 2fc6a19..ca48a33 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,14 +5,17 @@ orbs: jobs: update-helm-charts-index: docker: - - image: docker.mirror.hashicorp.services/circleci/golang:1.19.2 + - image: docker.mirror.hashicorp.services/cimg/go:1.19.2 steps: - checkout - run: name: verify Chart version matches tag version + environment: + RELEASE_TAG: << pipeline.parameters.release-tag >> command: | - GO111MODULE=on go get github.com/mikefarah/yq/v2 - git_tag=$(echo "${CIRCLE_TAG#v}") + go install github.com/mikefarah/yq/v2@latest + export TAG=${RELEASE_TAG:-$CIRCLE_TAG} + git_tag=$(echo "${TAG#v}") chart_tag=$(yq r Chart.yaml version) if [ "${git_tag}" != "${chart_tag}" ]; then echo "chart version (${chart_tag}) did not match git version (${git_tag})" 
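Review bot: `go install github.com/mikefarah/yq/v2@latest` in the `verify Chart version matches tag version` step fetches whatever yq v2 release is current at run time, so a release build's version check depends on an unpinned binary pulled into a job that later uses `CIRCLE_TOKEN`; pin it, e.g. `go install github.com/mikefarah/yq/v2@<pinned-version>`, so the step is reproducible and an upstream change cannot silently alter what runs here. `git_tag=$(echo "${TAG#v}")` spawns a subshell for nothing; `git_tag="${TAG#v}"` is equivalent. `TAG` is only read inside this `command:` block, so the `export` is unnecessary.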
@@ -20,17 +23,25 @@ jobs: fi - run: name: update helm-charts index + environment: + RELEASE_TAG: << pipeline.parameters.release-tag >> command: | curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \ -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${RELEASE_TAG:-$CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}" +parameters: + release-tag: + type: string + default: "" + description: "The tag to release, including v, e.g. v0.22.1" + workflows: version: 2 # Note: unit and acceptance tests are now being run in GitHub Actions @@ -43,3 +54,8 @@ workflows: only: /^v.*/ branches: ignore: /.*/ + manual-trigger-update-helm-charts-index: + when: << pipeline.parameters.release-tag >> + jobs: + - update-helm-charts-index: + context: helm-charts-trigger-vault From ab5b471c270aa4bad3811cd0a7f979a7de343397 Mon Sep 17 00:00:00 2001 From: Aleksandr Titov <26012167+AleksandrTitov@users.noreply.github.com> Date: Thu, 3 Nov 2022 04:01:35 +0300 Subject: [PATCH 002/113] Add extraLabels for Vault server serviceAccount (#806) --- CHANGELOG.md | 3 +++ templates/server-serviceaccount.yaml | 3 +++ test/unit/server-serviceaccount.bats | 10 ++++++++++ values.yaml | 3 +++ 4 files changed, 19 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index df95800..9282dd0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
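Review bot: The new `manual-trigger-update-helm-charts-index` workflow runs `update-helm-charts-index` with the `helm-charts-trigger-vault` context for any non-empty `release-tag` parameter, with none of the `tags: only: /^v.*/` / `branches: ignore: /.*/` filters the workflow above it carries, so a pipeline triggered through the API on an arbitrary ref can reach the index-update step. The `verify Chart version matches tag version` step limits this to a tag equal to the `Chart.yaml` version of the ref being built, which is worth stating next to the workflow so that constraint is not removed later. I would add `# Manual trigger via the release-tag pipeline parameter; the verify step still requires the tag to match Chart.yaml on the ref being built.` above `manual-trigger-update-helm-charts-index:`.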
@@ -1,5 +1,8 @@ ## Unreleased +Features: +* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) + ## 0.22.1 (October 26th, 2022) Changes: diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index c0d32d1..580a953 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -10,5 +10,8 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.server.serviceAccount.extraLabels -}} + {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} {{ template "vault.serviceAccount.annotations" . }} {{ end }} diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index fbc2b94..2c82603 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -117,3 +117,13 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/serviceAccount: specify server.serviceAccount.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 3d31930..a8a036c 100644 --- a/values.yaml +++ b/values.yaml @@ -851,6 +851,9 @@ server: # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. annotations: {} + # Extra labels to attach to the serviceAccount + # This should be a YAML map of the labels to apply to the serviceAccount + extraLabels: {} # Settings for the statefulSet used to run Vault. statefulSet: From 0110f977b2a26a7163a2d04249dfe7b029730f6d Mon Sep 17 00:00:00 2001 
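Review bot: In `templates/server-serviceaccount.yaml` the `-}}` on the new `{{- end -}}` trims the line break between the label block and `{{ template "vault.serviceAccount.annotations" . }}`, so whether the rendered metadata stays valid when `extraLabels` and `annotations` are both set depends on that helper emitting its own leading newline, which is outside this hunk; the new bats test only sets `extraLabels`. Either keep the existing line break with `{{- end }}`, or add a test that sets both values and asserts on `.metadata.annotations` as well as `.metadata.labels.foo`. The label values are user-supplied and pass through `toYaml` unchanged, so Kubernetes label constraints (63-character values, restricted character set) are only enforced at apply time; a sentence on that in the `values.yaml` comment would help.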
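Review bot: The new test in `test/unit/server-serviceaccount.bats` ends with `\ No newline at end of file` after its closing `}`, while the tests above it are separated by blank lines; add the trailing newline so the next appended test does not land on the `}` line. The test body itself mirrors the existing `helm template ... | yq -r` pattern in this file.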
From: Steven Kriegler <61625851+justusbunsi@users.noreply.github.com> Date: Wed, 9 Nov 2022 23:19:38 +0100 Subject: [PATCH 003/113] Quote `.server.ha.clusterAddr` value (#810) --- CHANGELOG.md | 3 +++ templates/server-statefulset.yaml | 2 +- test/unit/server-ha-statefulset.bats | 16 ++++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9282dd0..d2862b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,9 @@ Features: * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) +Bugs: +* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) + ## 0.22.1 (October 26th, 2022) Changes: diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index fb3cbfa..8d556e8 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -106,7 +106,7 @@ spec: fieldPath: metadata.name - name: VAULT_CLUSTER_ADDR {{- if .Values.server.ha.clusterAddr }} - value: {{ .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr | quote }} {{- else }} value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" {{- end }} diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 342fa43..06a0ca0 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -476,6 +476,22 @@ load _helpers [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] } +@test "server/ha-StatefulSet: clusterAddr gets quoted" { + cd `chart_dir` + local customUrl='http://$(HOSTNAME).release-name-vault-internal:8201' + local rendered=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set "server.ha.clusterAddr=${customUrl}" \ + . | tee /dev/stderr | \ + grep -F "${customUrl}" | tee /dev/stderr) + +local value=$(echo $rendered | + yq -Y '.' | tee /dev/stderr) + [ "${value}" = 'value: "http://$(HOSTNAME).release-name-vault-internal:8201"' ] +} + #-------------------------------------------------------------------- # VAULT_RAFT_NODE_ID renders From 21ce5245a35f25919e8db5b87145145dc79bdb20 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 14 Nov 2022 14:10:21 +0000 Subject: [PATCH 004/113] Support selectively disabling active/standby services and service discovery role (#811) --- CHANGELOG.md | 2 + templates/server-discovery-role.yaml | 2 +- templates/server-discovery-rolebinding.yaml | 2 +- templates/server-ha-active-service.yaml | 2 + templates/server-ha-standby-service.yaml | 4 +- templates/server-statefulset.yaml | 1 - test/unit/server-discovery-role.bats | 41 +++++++++++++++++++++ test/unit/server-discovery-rolebinding.bats | 41 +++++++++++++++++++++ test/unit/server-ha-active-service.bats | 12 ++++++ test/unit/server-ha-standby-service.bats | 12 ++++++ values.schema.json | 27 ++++++++++++++ values.yaml | 13 +++++++ 12 files changed, 155 insertions(+), 4 deletions(-) create mode 100755 test/unit/server-discovery-role.bats create mode 100755 test/unit/server-discovery-rolebinding.bats diff --git a/CHANGELOG.md b/CHANGELOG.md index d2862b7..96937b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
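Review bot: `+local value=$(echo $rendered |` is flush-left while every other line of the new test body is indented, and `$rendered` is unquoted, so the test silently relies on word-splitting to drop the leading indentation of the `grep -F` match before `yq -Y` sees it (I infer that purpose from the `value: "..."` comparison on the next line). Make the intent visible, e.g. `  local value=$(echo "${rendered}" | sed 's/^[[:space:]]*//' |`, so a later "quote your variables" cleanup does not change what yq receives. The assertion itself pins the quoting behaviour this patch introduces, which is the right thing to test.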
@@ -2,6 +2,8 @@ Features: * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) +* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) Bugs: * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 9ca23dd..4dba09d 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,7 +1,7 @@ {{ template "vault.mode" . }} -{{- if ne .mode "external" }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 6e22e4c..280ec6c 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,7 +1,7 @@ {{ template "vault.mode" . }} -{{- if ne .mode "external" }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index ef21237..849c867 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml 
@@ -3,6 +3,7 @@ {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.active.enabled | toString) "true" }} # Service for active Vault pod apiVersion: v1 kind: Service @@ -44,3 +45,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index e6d66af..e0750aa 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -3,6 +3,7 @@ {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.standby.enabled | toString) "true" }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -42,4 +43,5 @@ spec: vault-active: "false" {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 8d556e8..a4ec05a 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -52,7 +52,6 @@ spec: {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.server.hostNetwork }} {{- end }} - volumes: {{ template "vault.volumes" . }} - name: home diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats new file mode 100755 index 0000000..11473a0 --- /dev/null +++ b/test/unit/server-discovery-role.bats 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/DiscoveryRole: enabled by default with ha" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DiscoveryRole: can disable with server.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.enabled=false' \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/DiscoveryRole: can disable with server.serviceAccount.serviceDiscovery.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.serviceAccount.serviceDiscovery.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats new file mode 100755 index 0000000..568c240 --- /dev/null +++ b/test/unit/server-discovery-rolebinding.bats 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/DiscoveryRoleBinding: enabled by default with ha" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DiscoveryRoleBinding: can disable with server.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.enabled=false' \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/DiscoveryRoleBinding: can disable with server.serviceAccount.serviceDiscovery.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.serviceAccount.serviceDiscovery.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index d74e749..6a2e349 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
@@ -35,6 +35,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-active-Service: disable with server.service.active.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=true' \ + --set 'server.service.active.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/ha-active-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 045560c..3a9a39f 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -46,6 +46,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-standby-Service: disable with server.service.standby.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=true' \ + --set 'server.service.standby.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/ha-standby-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/values.schema.json b/values.schema.json index 676efb7..2ba9ab8 100644 --- a/values.schema.json +++ b/values.schema.json @@ -851,6 +851,14 @@ "service": { "type": "object", "properties": { + "active": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "annotations": { "type": [ "object", @@ -869,6 +877,14 @@ "publishNotReadyAddresses": { "type": "boolean" }, + "standby": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "targetPort": { "type": "integer" }, 
@@ -895,8 +911,19 @@ "create": { "type": "boolean" }, + "extraLabels": { + "type": "object" + }, "name": { "type": "string" + }, + "serviceDiscovery": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } } } }, diff --git a/values.yaml b/values.yaml index a8a036c..0045066 100644 --- a/values.yaml +++ b/values.yaml @@ -596,6 +596,14 @@ server: # Enables a headless service to be used by the Vault Statefulset service: enabled: true + # Enable or disable the vault-active service, which selects Vault pods that + # have labelled themselves as the cluster leader with `vault-active: "true"` + active: + enabled: true + # Enable or disable the vault-standby service, which selects Vault pods that + # have labelled themselves as a cluster follower with `vault-active: "false"` + standby: + enabled: true # clusterIP controls whether a Cluster IP address is attached to the # Vault service within Kubernetes. By default, the Vault service will # be given a Cluster IP address, set to None to disable. When disabled @@ -854,6 +862,11 @@ server: # Extra labels to attach to the serviceAccount # This should be a YAML map of the labels to apply to the serviceAccount extraLabels: {} + # Enable or disable a service account role binding with the permissions required for + # Vault's Kubernetes service_registration config option. + # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes + serviceDiscovery: + enabled: true # Settings for the statefulSet used to run Vault. statefulSet: From c13151a6ac18765f42a05524362946fae16e8a3f Mon Sep 17 00:00:00 2001 
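Review bot: The comment on the new `serviceDiscovery:` key in `values.yaml` describes it as controlling "a service account role binding", but the template hunks in this commit (`templates/server-discovery-role.yaml` and `templates/server-discovery-rolebinding.yaml`) gate both the Role and the RoleBinding, and the comment does not say what stops working when it is off. I would rewrite it as `# Enable or disable the Role and RoleBinding that grant the server service account the permissions Vault's Kubernetes service_registration config needs. Disable only if service_registration is not used or those permissions are granted elsewhere.`, keeping the existing doc link. The `values.schema.json` addition in the same hunk (`serviceDiscovery.enabled` as boolean) matches the `| toString` comparison the templates use.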
From: Tom Proctor Date: Thu, 17 Nov 2022 19:54:18 +0000 Subject: [PATCH 005/113] server: Allow disabling the instance selector for services (#813) --- CHANGELOG.md | 1 + templates/server-ha-active-service.yaml | 2 ++ templates/server-ha-standby-service.yaml | 2 ++ templates/server-service.yaml | 2 ++ test/unit/server-ha-active-service.bats | 18 ++++++++++++++++++ test/unit/server-ha-standby-service.bats | 18 ++++++++++++++++++ test/unit/server-headless-service.bats | 18 ++++++++++++++++++ test/unit/server-service.bats | 17 +++++++++++++++++ values.schema.json | 8 ++++++++ values.yaml | 5 +++++ 10 files changed, 91 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 96937b5..3bf7e67 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Features: * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) * server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) * server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813) Bugs: * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 849c867..7def2a0 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml 
@@ -39,7 +39,9 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server vault-active: "true" {{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index e0750aa..50fca4b 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -38,7 +38,9 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server vault-active: "false" {{- end }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 3a9b0e7..913b569 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -38,7 +38,9 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server {{- end }} {{- end }} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index 6a2e349..d78f5d4 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
@@ -226,3 +226,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ha-active-Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 3a9a39f..6698314 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -237,3 +237,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ha-standby-Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 4e2d135..0794d0e 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats 
@@ -17,3 +17,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/headless-Service: instance selector cannot be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] +} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 5208f6e..70a5445 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats @@ -431,3 +431,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/values.schema.json b/values.schema.json index 2ba9ab8..c183957 100644 --- a/values.schema.json +++ b/values.schema.json @@ -871,6 +871,14 @@ "externalTrafficPolicy": { "type": "string" }, + "instanceSelector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "port": { "type": "integer" }, 
diff --git a/values.yaml b/values.yaml index 0045066..965f5a8 100644 --- a/values.yaml +++ b/values.yaml @@ -604,6 +604,11 @@ server: # have labelled themselves as a cluster follower with `vault-active: "false"` standby: enabled: true + # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` + # When disabled, services may select Vault pods not deployed from the chart. + # Does not affect the headless vault-internal service with `ClusterIP: None` + instanceSelector: + enabled: true # clusterIP controls whether a Cluster IP address is attached to the # Vault service within Kubernetes. By default, the Vault service will # be given a Cluster IP address, set to None to disable. When disabled From 2d7fd5d5652d9f3f09dd686e3318aa7dc8f661eb Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 28 Nov 2022 23:33:08 +0000 Subject: [PATCH 006/113] Prepare for 0.23.0 release (#814) --- CHANGELOG.md | 7 +++++++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 8 ++++---- 6 files changed, 20 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3bf7e67..9a647c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ ## Unreleased +## 0.23.0 (November 28th, 2022) + +Changes: +* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) + Features: * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) * server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) 
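Review bot: The comment on the new `instanceSelector:` key says services "may select Vault pods not deployed from the chart" but does not spell out the selection boundary: with the instance label dropped, a Service matches any pod in the namespace carrying `app.kubernetes.io/name: vault` and `component: server` (plus the `vault-active` label for the active and standby services), whoever created it. I would add `# Disable only in namespaces where every pod with these labels is trusted: a pod from another release or workload with matching labels will receive Service traffic.` so operators see the trust assumption before turning it off.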
diff --git a/Chart.yaml b/Chart.yaml index 9eb3f1f..f42a831 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.22.1 -appVersion: 1.12.0 +version: 0.23.0 +appVersion: 1.12.1 kubeVersion: ">= 1.16.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 2a675a7..11effe9 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.0-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.0-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index be9d55a..7eaf0cc 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.0-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . 
@@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.0-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index ee00563..02985ed 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.0.1-ubi" + tag: "1.1.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.12.0-ubi" + tag: "1.12.1-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.12.0-ubi" + tag: "1.12.1-ubi" diff --git a/values.yaml b/values.yaml index 965f5a8..2c3d9e2 100644 --- a/values.yaml +++ b/values.yaml @@ -62,7 +62,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.0.1" + tag: "1.1.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -70,7 +70,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.12.0" + tag: "1.12.1" # The default values for the injected Vault Agent containers. agentDefaults: @@ -332,7 +332,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.12.0" + tag: "1.12.1" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -947,7 +947,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.2.0" + tag: "1.2.1" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From 72914d873c938730757b5af0c5b513839feb95d2 Mon Sep 17 00:00:00 2001 
From: Douglas Thomson <36892985+dtrts@users.noreply.github.com> Date: Thu, 12 Jan 2023 17:38:29 +0000 Subject: [PATCH 007/113] Amending docs (#828) --- templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 3897391..ca79b69 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -59,7 +59,7 @@ Compute if the server is enabled. {{- end -}} {{/* -Compute if the server auth delegator serviceaccount is enabled. +Compute if the server serviceaccount is enabled. */}} {{- define "vault.serverServiceAccountEnabled" -}} {{- $_ := set . "serverServiceAccountEnabled" From a4e076b132d32d374096bf62c5a2c1e6d551ae64 Mon Sep 17 00:00:00 2001 From: claire labry Date: Fri, 3 Feb 2023 17:41:49 -0600 Subject: [PATCH 008/113] swap helm charts call to GHA (#840) * swap helm charts call to GHA * fix path for gh utility --- .circleci/config.yml | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index ca48a33..588db5e 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -21,17 +21,24 @@ jobs:
 echo "chart version (${chart_tag}) did not match git version (${git_tag})"
 exit 1
 fi
+ - run:
+ name: install gh tool
+ command: |
+ version="2.22.1"
+ curl --show-error --silent --location --output "gh.tar.gz" "https://github.com/cli/cli/releases/download/v${version}/gh_${version}_linux_amd64.tar.gz"
+ tar -xvzf gh.tar.gz && mkdir -p bin && mv "gh_${version}_linux_amd64/bin/gh" bin/
+
 - run:
 name: update helm-charts index
 environment:
 RELEASE_TAG: << pipeline.parameters.release-tag >>
 command: |
- curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
- -X POST \
- -H 'Content-Type: application/json' \
- -H 'Accept: application/json' \
- -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${RELEASE_TAG:-$CIRCLE_TAG}\"}}" \
- "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
+ export GITHUB_TOKEN="${HELM_CHARTS_GITHUB_TOKEN}"
+ ./bin/gh workflow run .github/workflows/publish-charts.yml \
+ --repo hashicorp/helm-charts \
+ --ref main \
+ -f SOURCE_TAG="${CIRCLE_TAG}" \
+ -f SOURCE_REPO="${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}"
 - slack/status:
 fail_only: true
 failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}"
From c5c28cb385ba928591a6c1d69967bc7ced883b60 Mon Sep 17 00:00:00 2001 From: Mariano Asselborn Date: Mon, 13 Feb 2023 10:58:13 -0500 Subject: [PATCH 009/113] Call helm publish workflow by file name without path (#843)
--- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 588db5e..ecc3c60 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
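Review bot: The `install gh tool` step downloads the gh tarball and unpacks it with `tar -xvzf` without any checksum or signature check, in the same job that then exports `HELM_CHARTS_GITHUB_TOKEN`, so a substituted release asset would execute with that token's access to hashicorp/helm-charts. Save the asset under its release file name, fetch the release's `gh_${version}_checksums.txt` next to it and run `sha256sum --check --ignore-missing` before extracting (stronger still: pin the expected sha256 of the tarball in this config), and give the curl `--fail` so an HTTP error body is not saved as the archive. Separately, the rewritten `update helm-charts index` step keeps `RELEASE_TAG` in its `environment:` but passes `-f SOURCE_TAG="${CIRCLE_TAG}"`, dropping the `${RELEASE_TAG:-$CIRCLE_TAG}` fallback the removed curl used, so the manual-trigger path would send an empty tag; `-f SOURCE_TAG="${RELEASE_TAG:-$CIRCLE_TAG}"` keeps both paths working. The `update-helm-charts-index` job starts before this hunk.

```yaml
      - run:
          name: install gh tool
          command: |
            version="2.22.1"
            base="https://github.com/cli/cli/releases/download/v${version}"
            asset="gh_${version}_linux_amd64.tar.gz"
            curl --show-error --silent --fail --location --output "${asset}" "${base}/${asset}"
            curl --show-error --silent --fail --location --output "gh_${version}_checksums.txt" "${base}/gh_${version}_checksums.txt"
            # Refuse to run an asset whose digest does not match the release's checksum file.
            sha256sum --check --ignore-missing "gh_${version}_checksums.txt"
            tar -xvzf "${asset}" && mkdir -p bin && mv "gh_${version}_linux_amd64/bin/gh" bin/
```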
@@ -34,7 +34,7 @@ jobs:
 RELEASE_TAG: << pipeline.parameters.release-tag >>
 command: |
 export GITHUB_TOKEN="${HELM_CHARTS_GITHUB_TOKEN}"
- ./bin/gh workflow run .github/workflows/publish-charts.yml \
+ ./bin/gh workflow run publish-charts.yml \
 --repo hashicorp/helm-charts \
 --ref main \
 -f SOURCE_TAG="${CIRCLE_TAG}" \
From 742ddb1c52934e657ed7d4832fcf80324806adfb Mon Sep 17 00:00:00 2001
From: Theron Voran Date: Mon, 13 Feb 2023 08:48:20 -0800 Subject: [PATCH 010/113] adding SPDX copyright headers (#844) --- .circleci/config.yml | 3 +++ .github/ISSUE_TEMPLATE/config.yml | 3 +++ Chart.yaml | 3 +++ templates/_helpers.tpl | 5 +++++ templates/csi-clusterrole.yaml | 5 +++++ templates/csi-clusterrolebinding.yaml | 5 +++++ templates/csi-daemonset.yaml | 5 +++++ templates/csi-serviceaccount.yaml | 5 +++++ templates/injector-certs-secret.yaml | 5 +++++ templates/injector-clusterrole.yaml | 5 +++++ templates/injector-clusterrolebinding.yaml | 5 +++++ templates/injector-deployment.yaml | 5 +++++ templates/injector-disruptionbudget.yaml | 5 +++++ templates/injector-mutating-webhook.yaml | 5 +++++ templates/injector-network-policy.yaml | 5 +++++ templates/injector-psp-role.yaml | 5 +++++ templates/injector-psp-rolebinding.yaml | 5 +++++ templates/injector-psp.yaml | 5 +++++ templates/injector-role.yaml | 5 +++++ templates/injector-rolebinding.yaml | 5 +++++ templates/injector-service.yaml | 5 +++++ templates/injector-serviceaccount.yaml | 5 +++++ templates/prometheus-prometheusrules.yaml | 5 +++++ templates/prometheus-servicemonitor.yaml | 5 +++++ templates/server-clusterrolebinding.yaml | 5 +++++ templates/server-config-configmap.yaml | 5 +++++ templates/server-discovery-role.yaml | 5 +++++ templates/server-discovery-rolebinding.yaml | 5 +++++ templates/server-disruptionbudget.yaml | 5 +++++ templates/server-ha-active-service.yaml | 5 +++++ templates/server-ha-standby-service.yaml | 5 +++++ templates/server-headless-service.yaml | 5 +++++ templates/server-ingress.yaml | 5 +++++ templates/server-network-policy.yaml | 5 +++++ templates/server-psp-role.yaml | 5 +++++ templates/server-psp-rolebinding.yaml | 5 +++++ templates/server-psp.yaml | 5 +++++ templates/server-route.yaml | 5 +++++ templates/server-service.yaml | 5 +++++ templates/server-serviceaccount.yaml | 5 +++++ templates/server-statefulset.yaml | 5 +++++ templates/tests/server-test.yaml | 5 +++++ 
templates/ui-service.yaml | 5 +++++ test/acceptance/_helpers.bash | 3 +++ test/acceptance/csi-test/nginx.yaml | 3 +++ test/acceptance/csi-test/vault-kv-secretproviderclass.yaml | 3 +++ test/acceptance/csi-test/vault-policy.hcl | 3 +++ test/acceptance/injector-test/bootstrap.sh | 3 +++ test/acceptance/injector-test/job.yaml | 3 +++ test/acceptance/injector-test/pg-deployment.yaml | 3 +++ test/acceptance/injector-test/pgdump-policy.hcl | 3 +++ test/acceptance/server-test/annotations-overrides.yaml | 3 +++ test/acceptance/server-test/telemetry.yaml | 3 +++ test/chart/_helpers.bash | 3 +++ test/docker/Test.dockerfile | 3 +++ test/kind/config.yaml | 3 +++ test/terraform/main.tf | 3 +++ test/terraform/outputs.tf | 3 +++ test/terraform/variables.tf | 3 +++ test/unit/_helpers.bash | 3 +++ values.openshift.yaml | 3 +++ values.yaml | 3 +++ 62 files changed, 266 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index ecc3c60..f434417 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + version: 2.1 orbs: slack: circleci/slack@3.4.2 diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index b24b36b..746c03c 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + contact_links: - name: Ask a question url: https://discuss.hashicorp.com/c/vault diff --git a/Chart.yaml b/Chart.yaml index f42a831..55ebcf4 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + apiVersion: v2 name: vault version: 0.23.0 diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index ca79b69..dcfcbb8 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml index ec6a3d2..6d979ea 100644 --- a/templates/csi-clusterrole.yaml +++ b/templates/csi-clusterrole.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml index d5b62a5..d5a9346 100644 --- a/templates/csi-clusterrolebinding.yaml +++ b/templates/csi-clusterrolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index d131aac..e38cc47 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: apps/v1 diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml index 8d6fa53..25e123e 100644 --- a/templates/csi-serviceaccount.yaml +++ b/templates/csi-serviceaccount.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: v1 diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml index e88685b..3e5ddb7 100644 --- a/templates/injector-certs-secret.yaml +++ b/templates/injector-certs-secret.yaml 
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml index 6a0d6be..d5682dd 100644 --- a/templates/injector-clusterrole.yaml +++ b/templates/injector-clusterrole.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml index 4c193f8..9253e4f 100644 --- a/templates/injector-clusterrolebinding.yaml +++ b/templates/injector-clusterrolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index f060559..9c16ed8 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} # Deployment for the injector diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml index b44fd73..5862977 100644 --- a/templates/injector-disruptionbudget.yaml +++ b/templates/injector-disruptionbudget.yaml 
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if .Values.injector.podDisruptionBudget }} apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} kind: PodDisruptionBudget diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index 3d3fd36..d03cd13 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml index 68892d2..4c3b087 100644 --- a/templates/injector-network-policy.yaml +++ b/templates/injector-network-policy.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.openshift | toString) "true" }} diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 5d23c75..65d8e9b 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index 4f6b0a8..48a3a26 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml 
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml index 1eee2fc..0eca9a8 100644 --- a/templates/injector-psp.yaml +++ b/templates/injector-psp.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index 08c8264..df7b0ed 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index ea0db11..0848e43 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 5e747d6..5b20692 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: v1 
diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index d1919b9..9b5c2f6 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: v1 diff --git a/templates/prometheus-prometheusrules.yaml b/templates/prometheus-prometheusrules.yaml index 572f1a0..7e58a0e 100644 --- a/templates/prometheus-prometheusrules.yaml +++ b/templates/prometheus-prometheusrules.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ if and (.Values.serverTelemetry.prometheusRules.rules) (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) ) }} diff --git a/templates/prometheus-servicemonitor.yaml b/templates/prometheus-servicemonitor.yaml index 323e51f..60f2729 100644 --- a/templates/prometheus-servicemonitor.yaml +++ b/templates/prometheus-servicemonitor.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} --- diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index 8cdd611..b694129 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.serverAuthDelegator" . }} {{- if .serverAuthDelegator -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index f40c696..5d29e98 100644 --- a/templates/server-config-configmap.yaml 
+++ b/templates/server-config-configmap.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 4dba09d..adae42a 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 280ec6c..853ee87 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index d940fa4..c823a42 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" -}} {{- if .serverEnabled -}} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 7def2a0..58d540f 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 50fca4b..b9f6435 100644 
--- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index b03f491..c4eca7a 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index c81e5f5..e775690 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if not .Values.global.openshift }} {{ template "vault.mode" . }} {{- if ne .mode "external" }} diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml index 5f4c21a..62d4ae1 100644 --- a/templates/server-network-policy.yaml +++ b/templates/server-network-policy.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index b8eb897..0c8c983 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} 
diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index fded9fb..9b975d5 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index d210af3..567e662 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} diff --git a/templates/server-route.yaml b/templates/server-route.yaml index e122d93..3f35aef 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if .Values.global.openshift }} {{- if ne .mode "external" }} {{- if .Values.server.route.enabled -}} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 913b569..8e34c88 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 580a953..e154f8d 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.serverServiceAccountEnabled" . }} {{- if .serverServiceAccountEnabled -}} apiVersion: v1 
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index a4ec05a..4defbb5 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if ne .mode "" }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index 56dbee7..59b1501 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index d45afdd..4b2e8f7 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.uiEnabled" . -}} diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index db8b051..490cdeb 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # name_prefix returns the prefix of the resources within Kubernetes. name_prefix() { printf "vault" diff --git a/test/acceptance/csi-test/nginx.yaml b/test/acceptance/csi-test/nginx.yaml index fed1137..2fd8603 100644 --- a/test/acceptance/csi-test/nginx.yaml +++ b/test/acceptance/csi-test/nginx.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: ServiceAccount diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml index e793bde..b9470fe 100644 
--- a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # The "Hello World" Vault SecretProviderClass apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 kind: SecretProviderClass diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/vault-policy.hcl index 48b670e..07bb749 100644 --- a/test/acceptance/csi-test/vault-policy.hcl +++ b/test/acceptance/csi-test/vault-policy.hcl @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + path "secret/data/kv1" { capabilities = ["read"] } \ No newline at end of file diff --git a/test/acceptance/injector-test/bootstrap.sh b/test/acceptance/injector-test/bootstrap.sh index d738fd2..96f1617 100755 --- a/test/acceptance/injector-test/bootstrap.sh +++ b/test/acceptance/injector-test/bootstrap.sh @@ -1,4 +1,7 @@ #!/bin/sh +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + OUTPUT=/tmp/output.txt diff --git a/test/acceptance/injector-test/job.yaml b/test/acceptance/injector-test/job.yaml index d665383..50a3b5f 100644 --- a/test/acceptance/injector-test/job.yaml +++ b/test/acceptance/injector-test/job.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: ServiceAccount diff --git a/test/acceptance/injector-test/pg-deployment.yaml b/test/acceptance/injector-test/pg-deployment.yaml index caf8605..cacc994 100644 --- a/test/acceptance/injector-test/pg-deployment.yaml +++ b/test/acceptance/injector-test/pg-deployment.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: Service diff --git a/test/acceptance/injector-test/pgdump-policy.hcl b/test/acceptance/injector-test/pgdump-policy.hcl index 88a6cd6..60da677 100644 --- a/test/acceptance/injector-test/pgdump-policy.hcl 
+++ b/test/acceptance/injector-test/pgdump-policy.hcl @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + path "database/creds/db-backup" { capabilities = ["read"] } diff --git a/test/acceptance/server-test/annotations-overrides.yaml b/test/acceptance/server-test/annotations-overrides.yaml index 459576a..5aba0f9 100644 --- a/test/acceptance/server-test/annotations-overrides.yaml +++ b/test/acceptance/server-test/annotations-overrides.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + server: annotations: | environment: production diff --git a/test/acceptance/server-test/telemetry.yaml b/test/acceptance/server-test/telemetry.yaml index 2925bc8..7380df2 100644 --- a/test/acceptance/server-test/telemetry.yaml +++ b/test/acceptance/server-test/telemetry.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + server: standalone: config: | diff --git a/test/chart/_helpers.bash b/test/chart/_helpers.bash index fb9db31..4d24657 100644 --- a/test/chart/_helpers.bash +++ b/test/chart/_helpers.bash @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # chart_dir returns the directory for the chart chart_dir() { echo ${BATS_TEST_DIRNAME}/../.. diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile index 98afeac..472a97a 100644 --- a/test/docker/Test.dockerfile +++ b/test/docker/Test.dockerfile @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # This Dockerfile installs all the dependencies necessary to run the unit and # acceptance tests. This image also contains gcloud so you can run tests # against a GKE cluster easily. diff --git a/test/kind/config.yaml b/test/kind/config.yaml index 8b18a3a..5fef18a 100644 --- a/test/kind/config.yaml +++ b/test/kind/config.yaml 
@@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: diff --git a/test/terraform/main.tf b/test/terraform/main.tf index 5c3570f..d1de1a2 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + provider "google" { project = "${var.project}" } diff --git a/test/terraform/outputs.tf b/test/terraform/outputs.tf index 6435d2b..3793987 100644 --- a/test/terraform/outputs.tf +++ b/test/terraform/outputs.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + output "cluster_id" { value = "${google_container_cluster.cluster.id}" } diff --git a/test/terraform/variables.tf b/test/terraform/variables.tf index 971af4e..df4832b 100644 --- a/test/terraform/variables.tf +++ b/test/terraform/variables.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + variable "project" { default = "vault-helm-dev-246514" diff --git a/test/unit/_helpers.bash b/test/unit/_helpers.bash index 530b66e..5f8a94d 100644 --- a/test/unit/_helpers.bash +++ b/test/unit/_helpers.bash @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # chart_dir returns the directory for the chart chart_dir() { echo ${BATS_TEST_DIRNAME}/../.. diff --git a/values.openshift.yaml b/values.openshift.yaml index 02985ed..13a7463 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # These overrides are appropriate defaults for deploying this chart on OpenShift global: diff --git a/values.yaml b/values.yaml index 2c3d9e2..2f88ab3 100644 --- a/values.yaml +++ b/values.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # Available parameters and their default values for the Vault chart. global: 
From 34d8650ccac77dcedca4c20c478cd52c04b9fce3 Mon Sep 17 00:00:00 2001 From: jordanfelle Date: Thu, 16 Feb 2023 12:07:41 -0500 Subject: [PATCH 011/113] Fix typo in telemetry example (#846) Also in the telemetry test
--- test/acceptance/server-test/telemetry.yaml | 2 +- values.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/acceptance/server-test/telemetry.yaml b/test/acceptance/server-test/telemetry.yaml
index 7380df2..5570084 100644
--- a/test/acceptance/server-test/telemetry.yaml
+++ b/test/acceptance/server-test/telemetry.yaml
@@ -21,7 +21,7 @@ server:
 }
 telemetry {
- prometheus_retention_time = "30s",
+ prometheus_retention_time = "30s"
 disable_hostname = true
 }
diff --git a/values.yaml b/values.yaml
index 2f88ab3..f007e12 100644
--- a/values.yaml
+++ b/values.yaml
@@ -747,7 +747,7 @@ server:
 # Example configuration for enabling Prometheus metrics in your config.
 #telemetry {
- # prometheus_retention_time = "30s",
+ # prometheus_retention_time = "30s"
 # disable_hostname = true
 #}
@@ -841,7 +841,7 @@ server:
 # If you are using Prometheus Operator you can enable a ServiceMonitor resource below.
 # You may wish to enable unauthenticated metrics in the listener block above.
 #telemetry {
- # prometheus_retention_time = "30s",
+ # prometheus_retention_time = "30s"
 # disable_hostname = true
 #}
@@ -1083,7 +1083,7 @@ serverTelemetry:
 #
 # example:
 # telemetry {
- # prometheus_retention_time = "30s",
+ # prometheus_retention_time = "30s"
 # disable_hostname = true
 # }
 #
From e31e70ea0b36717a5e3b38e99aeec32b22c0043c Mon Sep 17 00:00:00 2001 From: Dimitar Zafirov <45163383+mitashkistz@users.noreply.github.com> Date: Thu, 16 Feb 2023 20:49:07 +0200 Subject: [PATCH 012/113] Add extraPorts property (#841)
--- CHANGELOG.md | 3 +++ templates/server-statefulset.yaml | 3 +++ test/unit/server-statefulset.bats | 23 +++++++++++++++++++++++ values.schema.json | 6 ++++++ values.yaml | 6 ++++++ 5 files changed, 41 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a647c2..063fd09 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
+Features:
+* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
+
 ## 0.23.0 (November 28th, 2022)
 Changes:
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 4defbb5..d7a34ac 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -148,6 +148,9 @@ spec:
 name: https-internal
 - containerPort: 8202
 name: {{ include "vault.scheme" . }}-rep
+ {{- if .Values.server.extraPorts -}}
+ {{ toYaml .Values.server.extraPorts | nindent 12}}
+ {{- end }}
 {{- if .Values.server.readinessProbe.enabled }}
 readinessProbe:
 {{- if .Values.server.readinessProbe.path }}
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 6206e11..e56ce84 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -1806,3 +1806,26 @@ load _helpers
 yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# extraPorts
+
+@test "server/standalone-StatefulSet: adds extra ports" {
+ cd `chart_dir`
+
+ # Test that it defines it
+ local object=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.extraPorts[0].containerPort=1111' \
+ --set 'server.extraPorts[0].name=foo' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "foo")' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.containerPort' | tee /dev/stderr)
+ [ "${actual}" = "1111" ]
+
+ local actual=$(echo $object |
+ yq -r '.name' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+}
diff --git a/values.schema.json b/values.schema.json
index c183957..c52c200 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -593,6 +593,12 @@ "extraArgs": { "type": "string" }, + "extraPorts": { + "type": [ + "null", + "array" + ] + }, "extraContainers": { "type": [ "null", diff --git a/values.yaml b/values.yaml index f007e12..08e9f21 100644 --- a/values.yaml +++ b/values.yaml @@ -456,6 +456,12 @@ server: # extraArgs is a string containing additional Vault server arguments. extraArgs: "" + # extraPorts is a list of extra ports. Specified as a YAML list. + # This is useful if you need to add additional ports to the statefulset in dynamic way. + extraPorts: null + # - containerPort: 8300 + # name: http-monitoring + # Used to define custom readinessProbe settings readinessProbe: enabled: true From f4f05aaa747cc49cddfb41c0dcd9fe24b3a0ed50 Mon Sep 17 00:00:00 2001 From: Thy Ton Date: Mon, 27 Feb 2023 12:04:17 -0800 Subject: [PATCH 013/113] fix: remove k8s 1.16 from acceptance testing (#848) * remove 1.16 from the versions tested in .github/workflows/acceptance.yaml as kind no longer supports creating a k8s 1.16 cluster * update vault-helm's minimum support k8s version to 1.20 in README and Chart.yaml * refactor server-ingress's templating and unit tests applied to k8s versions < 1.20 --- .github/workflows/acceptance.yaml | 2 +- CHANGELOG.md | 3 +++ Chart.yaml | 2 +- README.md | 2 +- templates/server-ingress.yaml | 7 ------- test/unit/injector-disruptionbudget.bats | 2 +- test/unit/server-ha-disruptionbudget.bats | 2 +- test/unit/server-ingress.bats | 23 +++++------------------ 8 files changed, 13 insertions(+), 30 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 648616b..395a0de 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -7,7 +7,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] + kind-k8s-version: [1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 
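Review bot: The new `extraPorts` entry in values.schema.json only declares `"type": ["null", "array"]`, so an array of arbitrary elements passes validation even though templates/server-statefulset.yaml splices each element straight into `containers[0].ports`. An `items` schema such as `"items": {"type": "object", "required": ["containerPort"]}` would reject a malformed entry when values are loaded rather than at the API server. This does match how the neighbouring `extraContainers` entry is declared, so if the project intentionally keeps these loose, the point is moot.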
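Review bot: The comment introduced for `extraPorts` in values.yaml ("in dynamic way") reads awkwardly and does not say what each list entry is, which matters because the template renders entries unmodified. Suggest `# extraPorts is a list of additional container ports for the Vault server StatefulSet; each entry uses Kubernetes ContainerPort fields (containerPort, name).` above the key, keeping the commented example below it.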
diff --git a/CHANGELOG.md b/CHANGELOG.md index 063fd09..56b99a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Changes: +* Earliest Kubernetes version tested is now 1.20 + Features: * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) diff --git a/Chart.yaml b/Chart.yaml index 55ebcf4..456b1a9 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -5,7 +5,7 @@ apiVersion: v2 name: vault version: 0.23.0 appVersion: 1.12.1 -kubeVersion: ">= 1.16.0-0" +kubeVersion: ">= 1.20.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/README.md b/README.md index c9971ff..3d64944 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ this README. Please refer to the Kubernetes and Helm documentation. The versions required are: * **Helm 3.6+** - * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.20+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index e775690..6628153 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -61,19 +61,12 @@ spec: {{- end }} {{- range (.paths | default (list "/")) }} - path: {{ . }} - {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} pathType: {{ $pathType }} - {{ end }} backend: - {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} service: name: {{ $serviceName }} port: number: {{ $servicePort }} - {{ else }} - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{ end }} {{- end }} {{- end }} {{- end }} diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index 2f8f50a..03fc738 100755 
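Review bot: Removing the `semverCompare ">= 1.19.0-0"` branches around `pathType` and `backend.service` in templates/server-ingress.yaml makes each path entry v1-only, but the `apiVersion` selection for this Ingress sits above the hunk and, judging by the later commit on this page, still fell back to `networking.k8s.io/v1beta1`/`extensions/v1beta1` on older clusters; on such a cluster the rendered object would pair a beta apiVersion with v1 backend fields. The `kubeVersion: ">= 1.20.0-0"` bump in Chart.yaml keeps `helm install` off that path, but `helm template --kube-version 1.18.x` would likely still render the inconsistent object, so the apiVersion branching should go in the same commit (or the template should `fail` below the supported version). The enclosing `range` over paths starts outside the hunk.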
--- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats @@ -36,7 +36,7 @@ load _helpers local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ --set 'injector.podDisruptionBudget.minAvailable=2' \ - --kube-version 1.19.5 \ + --kube-version 1.20.15 \ . | tee /dev/stderr | yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index c98bc66..05b1f34 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -104,7 +104,7 @@ load _helpers --show-only templates/server-disruptionbudget.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.replicas=1' \ - --kube-version 1.19.5 \ + --kube-version 1.20.15 \ . | tee /dev/stderr | yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index aade5d5..588d01a 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -197,7 +197,7 @@ load _helpers [ "${actual}" = "release-name-vault" ] } -@test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" { +@test "server/ingress: k8s 1.20.15 uses correct service format when not ha - yaml" { cd `chart_dir` local actual=$(helm template \ @@ -206,9 +206,9 @@ load _helpers --set 'server.dev.enabled=false' \ --set 'server.ha.enabled=false' \ --set 'server.service.enabled=true' \ - --kube-version 1.18.3 \ + --kube-version 1.20.15 \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "release-name-vault" ] } 
@@ -227,32 +227,19 @@ load _helpers [ "${actual}" = "release-name-vault" ] } -@test "server/ingress: pathType is added to Kubernetes version == 1.19.0" { +@test "server/ingress: pathType is added to Kubernetes version == 1.20.15" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set server.ingress.pathType=ImplementationSpecific \ - --kube-version 1.19.0 \ + --kube-version 1.20.15 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) [ "${actual}" = "ImplementationSpecific" ] } -@test "server/ingress: pathType is not added to Kubernetes versions < 1.19" { - cd `chart_dir` - - local actual=$(helm template \ - --show-only templates/server-ingress.yaml \ - --set 'server.ingress.enabled=true' \ - --set server.ingress.pathType=ImplementationSpecific \ - --kube-version 1.18.3 \ - . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - @test "server/ingress: pathType is added to Kubernetes versions > 1.19" { cd `chart_dir` From 932891778f8e6c3a3d8ba495993e93540901aec5 Mon Sep 17 00:00:00 2001 From: Thy Ton Date: Thu, 16 Mar 2023 12:03:27 -0700 Subject: [PATCH 014/113] feat: make injector livenessProbe and readinessProbe configurable and add configurable startupProbe (#852) --- CHANGELOG.md | 1 + templates/injector-deployment.yaml | 30 ++++--- test/unit/injector-deployment.bats | 129 +++++++++++++++++++++++++++++ values.yaml | 37 +++++++++ 4 files changed, 187 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56b99a6..ef4ab5a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
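Review bot: After this hunk the tests `pathType is added to Kubernetes version == 1.20.15` and `pathType is added to Kubernetes versions > 1.19` exercise the same unconditional code path in templates/server-ingress.yaml, since the version branch they were written to cover is removed by this commit; the kube-version-specific names now imply a distinction that no longer exists. Consider collapsing them into one test named for the behaviour (`server/ingress: pathType is rendered`) or naming them by the pathType value being set. The second test's body continues outside the hunk.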
@@ -5,6 +5,7 @@ Changes: Features: * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) +* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) ## 0.23.0 (November 28th, 2022) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 9c16ed8..7e0101a 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
@@ -130,21 +130,31 @@ spec: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 + failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }} readinessProbe: httpGet: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 + failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }} + startupProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }} + successThreshold: {{ .Values.injector.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} {{- if .Values.injector.certs.secretName }} volumeMounts: - name: webhook-certs diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 9d2271c..3cfe777 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
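Review bot: The new `startupProbe` block in templates/injector-deployment.yaml is rendered unconditionally, so every existing injector Deployment gains a startup probe on upgrade with no way to opt out, whereas the server StatefulSet template guards its probe with `{{- if .Values.server.readinessProbe.enabled }}`. The same shape here, `{{- if .Values.injector.startupProbe.enabled }}` around the block with a matching `enabled: true` default under `injector.startupProbe` in values.yaml, would keep the two charts' halves consistent and give users an escape hatch; failing that, the CHANGELOG entry should say a startup probe is now always set. Separately, the three `httpGet` stanzas are byte-identical, so a single named template or a variable holding path/port/scheme would stop them drifting apart. The enclosing container spec starts and ends outside the hunk.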
@@ -275,6 +275,135 @@ load _helpers [ "${value}" = "auth/k8s" ] } +@test "injector/deployment: default livenessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set livenessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.livenessProbe.failureThreshold=100' \ + --set 'injector.livenessProbe.initialDelaySeconds=100' \ + --set 'injector.livenessProbe.periodSeconds=100' \ + --set 'injector.livenessProbe.successThreshold=100' \ + --set 'injector.livenessProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + +@test "injector/deployment: default readinessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set readinessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.readinessProbe.failureThreshold=100' \ + --set 'injector.readinessProbe.initialDelaySeconds=100' \ + --set 'injector.readinessProbe.periodSeconds=100' \ + --set 'injector.readinessProbe.successThreshold=100' \ + --set 'injector.readinessProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + +@test "injector/deployment: default startupProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].startupProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "12" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set startupProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.startupProbe.failureThreshold=100' \ + --set 'injector.startupProbe.initialDelaySeconds=100' \ + --set 'injector.startupProbe.periodSeconds=100' \ + --set 'injector.startupProbe.successThreshold=100' \ + --set 'injector.startupProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].startupProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + @test "injector/deployment: default logLevel" { cd `chart_dir` local object=$(helm template \ diff --git a/values.yaml b/values.yaml index 08e9f21..ac82a31 100644 --- a/values.yaml +++ b/values.yaml 
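Review bot: The three "can set ... settings" tests in test/unit/injector-deployment.bats assign the same value `100` to every probe field, so a template that wired, say, `periodSeconds` from `.Values.injector.livenessProbe.timeoutSeconds` would still pass; giving each field a distinct value (e.g. 101 through 105) makes the assertions pin the field-to-field mapping. Also, `successThreshold=100` on the liveness and startup probes yields a manifest the Kubernetes API rejects, because those two probe kinds require successThreshold 1, and `helm template` performs no such validation, so the test quietly blesses an invalid configuration. The `default logLevel` test at the end is unchanged context.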
@@ -93,6 +93,43 @@ injector: exitOnRetryFailure: true staticSecretRenderInterval: "" + # Used to define custom livenessProbe settings + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom readinessProbe settings + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom startupProbe settings + startupProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 12 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" From 2c4cd3a3c3ab9ef62a817e9c1a36daaedb446e9b Mon Sep 17 00:00:00 2001 
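Review bot: The comments on `successThreshold` under the new `livenessProbe` and `startupProbe` keys in values.yaml present it as a tunable minimum, but Kubernetes accepts only `1` for liveness and startup probes (a higher value is valid for readiness probes alone), so a user who follows the comment gets a Deployment rejected by the API server at install time. Suggest `# Must be 1 for liveness and startup probes; Kubernetes rejects any other value` on those two keys, leaving the readiness comment as written. Smaller style point: the `timeoutSeconds` comments end with a period while the neighbouring ones do not.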
From: Theron Voran Date: Mon, 3 Apr 2023 16:44:13 -0700 Subject: [PATCH 015/113] Updating GHA and default Vault version (#863) Test with latest kind k8s versions 1.22-1.26. Remove support for old disruptionbudget and ingress APIs (pre 1.22). Pin all actions to SHAs, and use the common jira sync. Update the default Vault version to v1.13.1. Update chart-verifier used in tests to 1.10.1, also add an openshift name annotation to Chart.yaml (one of the required checks). --- .github/workflows/acceptance.yaml | 8 +-- .github/workflows/jira.yaml | 71 +++---------------- .../workflows/setup-test-tools/action.yaml | 4 +- .github/workflows/tests.yaml | 8 +-- CHANGELOG.md | 3 +- Chart.yaml | 6 +- Makefile | 2 +- README.md | 2 +- templates/injector-disruptionbudget.yaml | 2 +- templates/server-disruptionbudget.yaml | 2 +- templates/server-ingress.yaml | 8 +-- test/acceptance/server-ha-enterprise-dr.bats | 4 +- .../acceptance/server-ha-enterprise-perf.bats | 4 +- test/chart/verifier.bats | 17 +++-- test/unit/injector-disruptionbudget.bats | 15 +--- test/unit/server-ha-disruptionbudget.bats | 16 +---- test/unit/server-ingress.bats | 10 +-- values.openshift.yaml | 4 +- values.yaml | 4 +- 19 files changed, 59 insertions(+), 131 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 395a0de..e3c28e3 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml 
@@ -7,19 +7,19 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] + kind-k8s-version: [1.22.17, 1.23.17, 1.24.12, 1.25.8, 1.26.3] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@v1.4.0 + uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.16.0 + version: v0.17.0 - run: bats --tap --timing ./test/acceptance env: diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index fc03b21..ad6237c 100644 --- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml @@ -1,3 +1,4 @@ +name: Jira Sync on: issues: types: [opened, closed, deleted, reopened] 
@@ -5,68 +6,12 @@ on: types: [opened, closed, reopened] issue_comment: # Also triggers when commenting on a PR from the conversation view types: [created] - -name: Jira Sync - jobs: sync: - runs-on: ubuntu-latest - name: Jira sync - steps: - - name: Login - uses: atlassian/gajira-login@v2.0.0 - env: - JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} - JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} - JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} - - - name: Preprocess - if: github.event.action == 'opened' || github.event.action == 'created' - id: preprocess - run: | - if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then - echo "::set-output name=type::PR" - else - echo "::set-output name=type::ISS" - fi - - - name: Create ticket - if: github.event.action == 'opened' - uses: tomhjp/gh-action-jira-create@v0.2.0 - with: - project: VAULT - issuetype: "GH Issue" - summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}" - description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_" - # customfield_10089 is Issue Link custom field - # customfield_10091 is team custom field - extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "foundations"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}' - - - name: Search - if: github.event.action != 'opened' - id: search - uses: tomhjp/gh-action-jira-search@v0.2.1 - with: - # cf[10089] is Issue Link custom field - jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' - - - name: Sync comment - if: github.event.action == 'created' && 
steps.search.outputs.issue - uses: tomhjp/gh-action-jira-comment@v0.2.0 - with: - issue: ${{ steps.search.outputs.issue }} - comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}" - - - name: Close ticket - if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue - uses: atlassian/gajira-transition@v2.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: Closed - - - name: Reopen ticket - if: github.event.action == 'reopened' && steps.search.outputs.issue - uses: atlassian/gajira-transition@v2.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: "Pending Triage" + uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main + secrets: + JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} + JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} + JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} + with: + teams-array: '["ecosystem", "foundations"]' diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml index 8c69e3d..7683deb 100644 --- a/.github/workflows/setup-test-tools/action.yaml +++ b/.github/workflows/setup-test-tools/action.yaml @@ -4,7 +4,7 @@ description: Install bats and python-yq runs: using: "composite" steps: - - uses: actions/setup-node@v2 + - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: '16' - run: npm install -g bats@${BATS_VERSION} @@ -13,7 +13,7 @@ runs: BATS_VERSION: '1.8.2' - run: bats -v shell: bash - - uses: actions/setup-python@v4 + - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0 with: python-version: '3.10' - run: pip install yq diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index bcabd1d..5bfd153 100644 
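Review bot: The replacement `sync` job calls the reusable workflow `hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main` and passes it three Jira secrets, while every other action touched by this commit is pinned to a commit SHA; `@main` is a mutable ref, so whoever can push to that branch controls the code that receives `JIRA_SYNC_API_TOKEN`. If the org-internal repository is trusted at that level, a one-line comment saying so would explain the exception; otherwise pin it like the rest, `uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@<commit-sha> # <tag>` (placeholder). The `on:` triggers for this workflow start above the hunk.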
--- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -6,19 +6,19 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - uses: ./.github/workflows/setup-test-tools - run: bats --tap --timing ./test/unit chart-verifier: runs-on: ubuntu-latest env: - CHART_VERIFIER_VERSION: '1.2.1' + CHART_VERIFIER_VERSION: '1.10.1' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@v3 + - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.19.2' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} diff --git a/CHANGELOG.md b/CHANGELOG.md index ef4ab5a..3a1357f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,8 @@ ## Unreleased Changes: -* Earliest Kubernetes version tested is now 1.20 +* Earliest Kubernetes version tested is now 1.22 +* `vault` updated to 1.13.1 Features: * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) diff --git a/Chart.yaml b/Chart.yaml index 456b1a9..d74782b 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -4,8 +4,8 @@ apiVersion: v2 name: vault version: 0.23.0 -appVersion: 1.12.1 -kubeVersion: ">= 1.20.0-0" +appVersion: 1.13.1 +kubeVersion: ">= 1.22.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png @@ -15,3 +15,5 @@ sources: - https://github.com/hashicorp/vault-helm - https://github.com/hashicorp/vault-k8s - https://github.com/hashicorp/vault-csi-provider +annotations: + charts.openshift.io/name: HashiCorp Vault 
diff --git a/Makefile b/Makefile index e423f35..5600220 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ LOCAL_ACCEPTANCE_TESTS?=false KIND_CLUSTER_NAME?=vault-helm # kind k8s version -KIND_K8S_VERSION?=v1.25.0 +KIND_K8S_VERSION?=v1.26.3 # Generate json schema for chart values. See test/README.md for more details. values-schema: diff --git a/README.md b/README.md index 3d64944..6e70143 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ this README. Please refer to the Kubernetes and Helm documentation. The versions required are: * **Helm 3.6+** - * **Kubernetes 1.20+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml index 5862977..6ae714b 100644 --- a/templates/injector-disruptionbudget.yaml +++ b/templates/injector-disruptionbudget.yaml @@ -4,7 +4,7 @@ SPDX-License-Identifier: MPL-2.0 */}} {{- if .Values.injector.podDisruptionBudget }} -apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }}-agent-injector diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index c823a42..3ff1109 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -9,7 +9,7 @@ SPDX-License-Identifier: MPL-2.0 {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. -apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} 
diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 6628153..3aba668 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -17,13 +17,7 @@ SPDX-License-Identifier: MPL-2.0 {{- $servicePort := .Values.server.service.port -}} {{- $pathType := .Values.server.ingress.pathType -}} {{- $kubeVersion := .Capabilities.KubeVersion.Version }} -{{ if semverCompare ">= 1.19.0-0" $kubeVersion }} apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end }} kind: Ingress metadata: name: {{ template "vault.fullname" . }} @@ -72,4 +66,4 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 11effe9..911cf8d 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 7eaf0cc..c63f763 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats 
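Review bot: With the `semverCompare` branching removed from templates/server-ingress.yaml, the `$kubeVersion` variable set on the context line `{{- $kubeVersion := .Capabilities.KubeVersion.Version }}` has no remaining reader in this hunk; Go templates do not report unused variables, so it becomes silent dead code unless something further down the template still uses it (not visible here). Drop that line if nothing else references it. The second hunk on this file only adds the missing trailing newline.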
@@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index 63c7939..6d35f69 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -6,9 +6,9 @@ setup_file() { cd `chart_dir` export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" export CHART_VOLUME=vault-helm-chart-src - local IMAGE="quay.io/redhat-certification/chart-verifier:1.2.1" + local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1" # chart-verifier requires an openshift version if a cluster isn't available - local OPENSHIFT_VERSION="4.8" + local OPENSHIFT_VERSION="4.12" local DISABLED_TESTS="chart-testing" local run_cmd="chart-verifier" @@ -40,7 +40,7 @@ teardown_file() { } @test "has-kubeversion" { - check_result v1.0/has-kubeversion + check_result v1.1/has-kubeversion } @test "is-helm-v3" { 
@@ -76,10 +76,19 @@ teardown_file() { } @test "images-are-certified" { - check_result v1.0/images-are-certified + check_result v1.1/images-are-certified +} + +@test "required-annotations-present" { + check_result v1.0/required-annotations-present } @test "chart-testing" { skip "Skipping since this test requires a kubernetes/openshift cluster" check_result v1.0/chart-testing } + +@test "signature-is-valid" { + skip "Chart is not signed : Signature verification not required" + check_result v1.0/signature-is-valid +} diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index 03fc738..72be93f 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats @@ -31,18 +31,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-disruptionbudget.yaml \ - --set 'injector.podDisruptionBudget.minAvailable=2' \ - --kube-version 1.20.15 \ - . | tee /dev/stderr | - yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { +@test "injector/DisruptionBudget: apiVersion is set correctly >= version 1.21 of kube" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ @@ -51,4 +40,4 @@ load _helpers . | tee /dev/stderr | yq '.apiVersion == "policy/v1"' | tee /dev/stderr) [ "${actual}" = "true" ] -} \ No newline at end of file +} diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 05b1f34..4cb3ae6 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats 
@@ -98,19 +98,7 @@ load _helpers [ "${actual}" = "2" ] } -@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/server-disruptionbudget.yaml \ - --set 'server.ha.enabled=true' \ - --set 'server.ha.replicas=1' \ - --kube-version 1.20.15 \ - . | tee /dev/stderr | - yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { +@test "server/DisruptionBudget: apiVersion is set correctly >= version 1.21 of kube" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-disruptionbudget.yaml \ @@ -120,4 +108,4 @@ load _helpers . | tee /dev/stderr | yq '.apiVersion == "policy/v1"' | tee /dev/stderr) [ "${actual}" = "true" ] -} \ No newline at end of file +} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 588d01a..0cc5b26 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -197,7 +197,7 @@ load _helpers [ "${actual}" = "release-name-vault" ] } -@test "server/ingress: k8s 1.20.15 uses correct service format when not ha - yaml" { +@test "server/ingress: k8s 1.26.3 uses correct service format when not ha - yaml" { cd `chart_dir` local actual=$(helm template \ @@ -206,7 +206,7 @@ load _helpers --set 'server.dev.enabled=false' \ --set 'server.ha.enabled=false' \ --set 'server.service.enabled=true' \ - --kube-version 1.20.15 \ + --kube-version 1.26.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "release-name-vault" ] 
@@ -227,14 +227,14 @@ load _helpers [ "${actual}" = "release-name-vault" ] } -@test "server/ingress: pathType is added to Kubernetes version == 1.20.15" { +@test "server/ingress: pathType is added to Kubernetes version == 1.26.3" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set server.ingress.pathType=ImplementationSpecific \ - --kube-version 1.20.15 \ + --kube-version 1.26.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) [ "${actual}" = "ImplementationSpecific" ] @@ -247,7 +247,7 @@ load _helpers --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set server.ingress.pathType=Prefix \ - --kube-version 1.20.0 \ + --kube-version 1.26.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) [ "${actual}" = "Prefix" ] diff --git a/values.openshift.yaml b/values.openshift.yaml index 13a7463..88521a1 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -13,9 +13,9 @@ injector: agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.12.1-ubi" + tag: "1.13.1-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.12.1-ubi" + tag: "1.13.1-ubi" diff --git a/values.yaml b/values.yaml index ac82a31..08b1ad1 100644 --- a/values.yaml +++ b/values.yaml @@ -73,7 +73,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.12.1" + tag: "1.13.1" # The default values for the injected Vault Agent containers. agentDefaults: @@ -372,7 +372,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.12.1" + tag: "1.13.1" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 9f189801a6317350bb61b1c49ceaa7e703524137 Mon Sep 17 00:00:00 2001 
From: Bhargav Akhani <47673253+bhargav2427@users.noreply.github.com> Date: Tue, 4 Apr 2023 19:47:24 +0530 Subject: [PATCH 016/113] Add portnumber (#831) * Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset. Co-authored-by: Kyle Schochenmaier --- templates/server-statefulset.yaml | 4 ++-- test/unit/server-statefulset.bats | 27 +++++++++++++++++++++++++++ values.yaml | 4 ++++ 3 files changed, 33 insertions(+), 2 deletions(-) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index d7a34ac..7ab7de8 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -156,7 +156,7 @@ spec: {{- if .Values.server.readinessProbe.path }} httpGet: path: {{ .Values.server.readinessProbe.path | quote }} - port: 8200 + port: {{ .Values.server.readinessProbe.port }} scheme: {{ include "vault.scheme" . | upper }} {{- else }} # Check status; unsealed vault servers return 0 @@ -177,7 +177,7 @@ spec: livenessProbe: httpGet: path: {{ .Values.server.livenessProbe.path | quote }} - port: 8200 + port: {{ .Values.server.livenessProbe.port }} scheme: {{ include "vault.scheme" . | upper }} failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index e56ce84..510c888 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
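Review bot: `port: {{ .Values.server.readinessProbe.port }}` (and the matching livenessProbe line in the second hunk) renders an empty `port:` when a user explicitly nulls the value (Helm drops a key set to null), which the API server rejects; `port: {{ .Values.server.readinessProbe.port | default 8200 }}` keeps the previous hard-coded value as the fallback. The value is rendered unquoted, which is what `httpGet.port` needs to accept both a number and a container port name, so it is worth a comment in values.yaml saying both forms work. The enclosing container spec starts and ends outside both hunks.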
@@ -1829,3 +1829,30 @@ load _helpers yq -r '.name' | tee /dev/stderr) [ "${actual}" = "foo" ] } + +#-------------------------------------------------------------------- +# readinessProbe + +@test "server/StatefulSet: server.readinessProbe.port is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.readinessProbe.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe.httpGet.port' | tee /dev/stderr) + [ "${actual}" = "8200" ] +} + + +#-------------------------------------------------------------------- +# livenessProbe + +@test "server/StatefulSet: server.livenessProbe.port is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.livenessProbe.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.port' | tee /dev/stderr) + [ "${actual}" = "8200" ] +} diff --git a/values.yaml b/values.yaml index 08b1ad1..e599927 100644 --- a/values.yaml +++ b/values.yaml @@ -505,6 +505,8 @@ server: # If you need to use a http path instead of the default exec # path: /v1/sys/health?standbyok=true + # Port number on which readinessProbe will be checked. + port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 # Number of seconds after the container has started before probe initiates @@ -519,6 +521,8 @@ server: livenessProbe: enabled: false path: "/v1/sys/health?standbyok=true" + # Port nuumber on which livenessProbe will be checked. + port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 # Number of seconds after the container has started before probe initiates From fc7d4326fcc5bbaa1b42aa4120d01d39e64e75a5 Mon Sep 17 00:00:00 2001 
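Review bot: The comment on the livenessProbe `port` value in the last hunk has a typo, `# Port nuumber on which livenessProbe will be checked.`; it should read `# Port number on which livenessProbe will be checked.` to match the readinessProbe comment added in the previous hunk. Both comments could also note that the value is passed straight to `httpGet.port`, so a container port name is accepted as well as a number. The readinessProbe bats test at the start of this line sets `server.readinessProbe.enabled=true` but not `path`, and the template hunk earlier on this page only emits `httpGet` when `path` is set, so `.httpGet.port` should render as null there rather than `8200`; a later patch on this page adds `--set 'server.readinessProbe.path=foo'` to make the assertion meaningful.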
From: Kyle Schochenmaier Date: Tue, 4 Apr 2023 10:21:42 -0500 Subject: [PATCH 017/113] Add changelog for #831 (#867) * Add changelog for #831 * fixes bats test --- CHANGELOG.md | 1 + test/unit/server-statefulset.bats | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a1357f..3a1dbf0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ Changes: Features: * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) +* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831) * injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) ## 0.23.0 (November 28th, 2022) diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 510c888..67cde81 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -1838,6 +1838,7 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.readinessProbe.enabled=true' \ + --set 'server.readinessProbe.path=foo' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].readinessProbe.httpGet.port' | tee /dev/stderr) [ "${actual}" = "8200" ] From 0fe916481c86aa97f521cf88879fa38a6946e7b5 Mon Sep 17 00:00:00 2001 
From: Tom Proctor Date: Thu, 6 Apr 2023 19:45:10 +0100 Subject: [PATCH 018/113] Add Vault Agent sidecar to CSI Provider (#749) Adds Agent as a sidecar for the CSI Provider to: * Cache k8s auth login leases * Cache secret leases * Automatically renew renewable leases in the background --- CHANGELOG.md | 1 + templates/_helpers.tpl | 10 + templates/csi-agent-configmap.yaml | 29 +++ templates/csi-daemonset.yaml | 67 +++++-- .../vault-kv-secretproviderclass.yaml | 3 +- test/acceptance/csi.bats | 38 +++- test/unit/csi-agent-configmap.bats | 45 +++++ test/unit/csi-daemonset.bats | 182 +++++++++++++----- values.schema.json | 34 ++++ values.yaml | 21 +- 10 files changed, 365 insertions(+), 65 deletions(-) create mode 100644 templates/csi-agent-configmap.yaml create mode 100644 test/unit/csi-agent-configmap.bats diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a1dbf0..823fb56 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ Features: * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) * server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831) * injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) +* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749) ## 0.23.0 (November 28th, 2022) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index dcfcbb8..4b6baf1 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -778,6 +778,16 @@ Sets the container resources if the user has set any. {{ end }} {{- end -}} +{{/* +Sets the container resources for CSI's Agent sidecar if the user has set any. +*/}} +{{- define "csi.agent.resources" -}} + {{- if .Values.csi.agent.resources -}} + resources: +{{ toYaml .Values.csi.agent.resources | indent 12}} + {{ end }} +{{- end -}} + {{/* Sets extra CSI daemonset annotations */}} diff --git a/templates/csi-agent-configmap.yaml b/templates/csi-agent-configmap.yaml new file mode 100644 index 0000000..cb373f8 --- /dev/null +++ b/templates/csi-agent-configmap.yaml @@ -0,0 +1,29 @@ +{{- template "vault.csiEnabled" . -}} +{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + config.hcl: | + vault { + {{- if .Values.global.externalVaultAddr }} + "address" = "{{ .Values.global.externalVaultAddr }}" + {{- else }} + "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}" + {{- end }} + } + + cache {} + + listener "unix" { + address = "/var/run/vault/agent.sock" + tls_disable = true + } +{{- end }} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index e38cc47..0285a0c 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml 
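Review bot: `tls_disable = true` on the unix listener in the new csi-agent-configmap.yaml deserves a why-comment in the rendered config, since anyone auditing the Agent configuration will otherwise see plaintext Vault traffic enabled with no explanation; something like `# TLS is not needed here: this listener is a unix socket on a pod-local emptyDir shared only with the provider container` above the `listener "unix"` block. The listener leaves `socket_mode`/`socket_user` at their defaults, so if the provider container runs under a different uid than the sidecar's `runAsUser: 100` it is worth confirming it can still connect to `/var/run/vault/agent.sock`. The `vault` block writes its key quoted (`"address" = ...`) while the listener block uses bare keys; both are valid HCL but one style reads better.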
@@ -55,11 +55,13 @@ spec: - --endpoint=/provider/vault.sock - --debug={{ .Values.csi.debug }} {{- if .Values.csi.extraArgs }} - {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- toYaml .Values.csi.extraArgs | nindent 12 }} {{- end }} env: - name: VAULT_ADDR - {{- if .Values.global.externalVaultAddr }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + value: "unix:///var/run/vault/agent.sock" + {{- else if .Values.global.externalVaultAddr }} value: "{{ .Values.global.externalVaultAddr }}" {{- else }} value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} @@ -67,9 +69,10 @@ spec: volumeMounts: - name: providervol mountPath: "/provider" - - name: mountpoint-dir - mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods - mountPropagation: HostToContainer + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-unix-socket + mountPath: /var/run/vault + {{- end }} {{- if .Values.csi.volumeMounts }} {{- toYaml .Values.csi.volumeMounts | nindent 12}} {{- end }} 
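Review bot: The second hunk drops the `mountpoint-dir` hostPath mount of `{{ .Values.csi.daemonSet.kubeletRootDir }}/pods` from the provider container and nothing on the new side reads `csi.daemonSet.kubeletRootDir` any more; unless the values.yaml change in this commit removes that key (the values hunks shown only add `csi.agent`), it becomes a dead setting and should be deleted or marked deprecated in values.yaml and mentioned in the CHANGELOG entry. Dropping a hostPath with `mountPropagation: HostToContainer` also shrinks the provider's host exposure, which is worth calling out in that entry. The `eq (.Values.csi.agent.enabled | toString) "true"` test is repeated in each hunk of this template and again in the configmap; a `csi.agentEnabled` helper in _helpers.tpl would keep them in sync. The container spec starts and ends outside these hunks.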
@@ -91,15 +94,57 @@ spec: periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: {{ include "vault.name" . }}-agent + image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" + imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} + {{ template "csi.agent.resources" . }} + command: + - vault + args: + - agent + - -config=/etc/vault/config.hcl + {{- if .Values.csi.agent.extraArgs }} + {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }} + {{- end }} + ports: + - containerPort: 8200 + env: + - name: VAULT_LOG_LEVEL + value: "{{ .Values.csi.agent.logLevel }}" + - name: VAULT_LOG_FORMAT + value: "{{ .Values.csi.agent.logFormat }}" + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 100 + runAsGroup: 1000 + volumeMounts: + - name: agent-config + mountPath: /etc/vault/config.hcl + subPath: config.hcl + readOnly: true + - name: agent-unix-socket + mountPath: /var/run/vault + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12 }} + {{- end }} + {{- end }} volumes: - name: providervol hostPath: path: {{ .Values.csi.daemonSet.providersDir }} - - name: mountpoint-dir - hostPath: - path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods - {{- if .Values.csi.volumes }} - {{- toYaml .Values.csi.volumes | nindent 8}} - {{- end }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-config + configMap: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + - name: agent-unix-socket + emptyDir: + medium: Memory + {{- end }} + {{- if .Values.csi.volumes }} + {{- toYaml .Values.csi.volumes | nindent 8}} + {{- end }} {{- include "imagePullSecrets" . | nindent 6 }} {{- end }} 
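Review bot: The sidecar declares `ports: - containerPort: 8200`, but the Agent config rendered by csi-agent-configmap.yaml only defines a `listener "unix"`, so nothing in this container listens on TCP 8200; the entry misleads anyone reading the pod spec and should be removed, or carry a comment naming the listener it refers to. The hard-coded `securityContext` is a sound baseline but could also add `capabilities: drop: ["ALL"]`, and unlike the provider container it cannot be overridden from values, which may be intentional and is worth a comment. `{{- toYaml .Values.csi.volumeMounts | nindent 12 }}` mounts every user-supplied volume into the sidecar as well as the provider, which widens what the Agent process can read; a separate `csi.agent.volumeMounts` would keep the two containers' mounts independent. The `containers:` list starts outside the hunk.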
diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml index b9470fe..d52fab1 100644 --- a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: MPL-2.0 # The "Hello World" Vault SecretProviderClass -apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 +apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: vault-kv @@ -10,7 +10,6 @@ spec: provider: vault parameters: roleName: "kv-role" - vaultAddress: http://vault:8200 objects: | - objectName: "bar" secretPath: "secret/data/kv1" diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index ea164f7..2d7ba8d 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats 
@@ -9,19 +9,28 @@ load _helpers kubectl create namespace acceptance # Install Secrets Store CSI driver - CSI_DRIVER_VERSION=1.0.0 - helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ + # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly + # so we can see Agent's cache working. + CSI_DRIVER_VERSION=1.3.2 + helm install secrets-store-csi-driver secrets-store-csi-driver \ + --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ + --version=$(CSI_DRIVER_VERSION) \ --wait --timeout=5m \ --namespace=acceptance \ --set linux.image.pullPolicy="IfNotPresent" \ - --set syncSecret.enabled=true + --set tokenRequests[0].audience="vault" \ + --set enableSecretRotation=true \ + --set rotationPollInterval=5s # Install Vault and Vault provider helm install vault \ --wait --timeout=5m \ --namespace=acceptance \ --set="server.dev.enabled=true" \ --set="csi.enabled=true" \ - --set="injector.enabled=false" . + --set="csi.debug=true" \ + --set="csi.agent.logLevel=debug" \ + --set="injector.enabled=false" \ + . kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider 
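Review bot: `--version=$(CSI_DRIVER_VERSION)` is a command substitution, not a variable expansion, so the shell tries to run a command named `CSI_DRIVER_VERSION` and hands an empty version to `helm install`; it should be `--version=$CSI_DRIVER_VERSION`, which is exactly what patch 019 later on this page changes it to. The `@test` that encloses this hunk starts outside it.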
@@ -29,10 +38,7 @@ load _helpers cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy - kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ - token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ - kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - disable_iss_validation=true' + kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ bound_service_account_names=nginx \ bound_service_account_namespaces=acceptance \ @@ -46,6 +52,22 @@ load _helpers result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) [[ "$result" == "hello1" ]] + + for i in $(seq 10); do + sleep 2 + if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "returning cached response: path=/v1/auth/kubernetes/login")" ]; then + echo "Agent returned a cached login response" + return + fi + + echo "Waiting for a cached response from Agent..." + done + + # Print the logs and fail the test + echo "Failed to find a log for a cached Agent response" + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider + exit 1 } # Clean up diff --git a/test/unit/csi-agent-configmap.bats b/test/unit/csi-agent-configmap.bats new file mode 100644 index 0000000..4ae4a30 --- /dev/null +++ b/test/unit/csi-agent-configmap.bats 
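Review bot: Dropping `token_reviewer_jwt`, `kubernetes_ca_cert` and `disable_iss_validation` from the `auth/kubernetes/config` write relies on Vault's defaults for in-cluster auth (its own service account token and CA), which is fine for this dev-mode server but worth a one-line comment so the next reader does not re-add them. In the second hunk, `if [ "$(... | grep ...)" ]; then` can be `if kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep -q "returning cached response: path=/v1/auth/kubernetes/login"; then`, which tests the match directly instead of building a string. The loop's effective timeout is the `sleep 2` × 10 bound; naming it in a variable beside `CSI_DRIVER_VERSION` would make it easy to tune.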
@@ -0,0 +1,45 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/Agent-ConfigMap: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-agent-configmap.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/Agent-ConfigMap: name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-csi-provider-agent-config" ] +} + +@test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --release-name not-external-test \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . | tee /dev/stderr | + yq -r '.data["config.hcl"]' | tee /dev/stderr) + echo "${actual}" | grep "http://not-external-test-vault.default.svc:8200" +} + +@test "csi/Agent-ConfigMap: Vault addr correctly set for externalVaultAddr" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --set 'global.externalVaultAddr=http://vault-outside' \ + . | tee /dev/stderr | + yq -r '.data["config.hcl"]' | tee /dev/stderr) + echo "${actual}" | grep "http://vault-outside" +} \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 0da308b..76c74b3 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
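Review bot: The first test, `csi/Agent-ConfigMap: disabled by default`, passes because `csi.enabled` defaults to false, not because the Agent ConfigMap is disabled (the values.yaml hunk in this commit sets `csi.agent.enabled: true`), so the name is misleading; `@test "csi/Agent-ConfigMap: not rendered when csi is disabled"` describes what it checks. There is no test for the `csi.agent.enabled=false` branch of the template, which is the case that actually turns the ConfigMap off; a copy of the first test with `--set "csi.enabled=true"` and `--set "csi.agent.enabled=false"` would cover it. The file is also missing a trailing newline.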
@@ -65,24 +65,32 @@ load _helpers } # Image -@test "csi/daemonset: image is configurable" { +@test "csi/daemonset: images are configurable" { cd `chart_dir` - local actual=$(helm template \ + local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set "csi.enabled=true" \ - --set "csi.image.repository=SomeOtherImage" \ + --set "csi.image.repository=Image1" \ --set "csi.image.tag=0.0.1" \ + --set "csi.image.pullPolicy=PullPolicy1" \ + --set "csi.agent.image.repository=Image2" \ + --set "csi.agent.image.tag=0.0.2" \ + --set "csi.agent.image.pullPolicy=PullPolicy2" \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "SomeOtherImage:0.0.1" ] + yq -r '.spec.template.spec.containers' | tee /dev/stderr) - local actual=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set "csi.enabled=true" \ - --set "csi.image.pullPolicy=SomePullPolicy" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr) - [ "${actual}" = "SomePullPolicy" ] + local actual=$(echo $object | + yq -r '.[0].image' | tee /dev/stderr) + [ "${actual}" = "Image1:0.0.1" ] + local actual=$(echo $object | + yq -r '.[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "PullPolicy1" ] + local actual=$(echo $object | + yq -r '.[1].image' | tee /dev/stderr) + [ "${actual}" = "Image2:0.0.2" ] + local actual=$(echo $object | + yq -r '.[1].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "PullPolicy2" ] } @test "csi/daemonset: Custom imagePullSecrets" { 
@@ -379,21 +387,6 @@ load _helpers [ "${actual}" = "/etc/kubernetes/secrets-store-csi-providers" ] } -@test "csi/daemonset: csi kubeletRootDir default" { - cd `chart_dir` - - # Test that it defines it - local object=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "mountpoint-dir")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.hostPath.path' | tee /dev/stderr) - [ "${actual}" = "/var/lib/kubelet/pods" ] -} - @test "csi/daemonset: csi providersDir override " { cd `chart_dir` @@ -410,22 +403,6 @@ load _helpers [ "${actual}" = "/alt/csi-prov-dir" ] } -@test "csi/daemonset: csi kubeletRootDir override" { - cd `chart_dir` - - # Test that it defines it - local object=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - --set 'csi.daemonSet.kubeletRootDir=/alt/kubelet-root' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "mountpoint-dir")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.hostPath.path' | tee /dev/stderr) - [ "${actual}" = "/alt/kubelet-root/pods" ] -} - #-------------------------------------------------------------------- # volumeMounts 
@@ -564,11 +541,39 @@ load _helpers [ "${actual}" = "14" ] } +@test "csi/daemonset: VAULT_ADDR defaults to Agent unix socket" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "unix:///var/run/vault/agent.sock" ] +} + +@test "csi/daemonset: VAULT_ADDR remains pointed to Agent unix socket if external Vault" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'global.externalVaultAddr=http://vault-outside' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "unix:///var/run/vault/agent.sock" ] +} + @test "csi/daemonset: with only injector.externalVaultAddr" { cd `chart_dir` local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ + --set 'csi.agent.enabled=false' \ --release-name not-external-test \ --set 'injector.externalVaultAddr=http://vault-outside' \ . | tee /dev/stderr | @@ -584,6 +589,7 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ + --set 'csi.agent.enabled=false' \ --set 'global.externalVaultAddr=http://vault-outside' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) 
@@ -648,3 +654,93 @@ load _helpers yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +#-------------------------------------------------------------------- +# Agent sidecar configurables + +@test "csi/daemonset: Agent sidecar enabled by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers | length' | tee /dev/stderr) + [ "${actual}" = "2" ] +} + +@test "csi/daemonset: Agent sidecar can pass extra args" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.extraArgs[0]=-config=extra-config.hcl' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].args[2]' | tee /dev/stderr) + [ "${actual}" = "-config=extra-config.hcl" ] +} + +@test "csi/daemonset: Agent log level settable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.logLevel=error' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "error" ] +} + +@test "csi/daemonset: Agent log format settable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.logFormat=json' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] +} + +@test "csi/daemonset: Agent default resources" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].resources' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: Agent custom resources" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.resources.requests.memory=256Mi' \ + --set 'csi.agent.resources.requests.cpu=250m' \ + --set 'csi.agent.resources.limits.memory=512Mi' \ + --set 'csi.agent.resources.limits.cpu=500m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].resources' | tee /dev/stderr) + local value=$(echo $object | + yq -r '.requests.memory' | tee /dev/stderr) + [ "${value}" = "256Mi" ] + + local value=$(echo $object | + yq -r '.requests.cpu' | tee /dev/stderr) + [ "${value}" = "250m" ] + + local value=$(echo $object | + yq -r '.limits.memory' | tee /dev/stderr) + [ "${value}" = "512Mi" ] + + local value=$(echo $object | + yq -r '.limits.cpu' | tee /dev/stderr) + [ "${value}" = "500m" ] +} \ No newline at end of file diff --git a/values.schema.json b/values.schema.json index c52c200..44980e1 100644 --- a/values.schema.json +++ b/values.schema.json 
@@ -5,6 +5,40 @@ "csi": { "type": "object", "properties": { + "agent": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "extraArgs": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "resources": { + "type": "object" + } + } + }, "daemonSet": { "type": "object", "properties": { diff --git a/values.yaml b/values.yaml index e599927..75da40b 100644 --- a/values.yaml +++ b/values.yaml @@ -997,7 +997,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.2.1" + tag: "1.3.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered @@ -1061,7 +1061,26 @@ csi: # This should be a YAML map of the labels to apply to the csi provider pod extraLabels: {} + agent: + enabled: true + extraArgs: [] + image: + repository: "hashicorp/vault" + tag: "1.13.1" + pullPolicy: IfNotPresent + + logFormat: standard + logLevel: info + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m # Priority class for csi pods priorityClassName: "" From d52c4a519db8c9d92c3d9ec60d3e6c0a82121307 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Thu, 6 Apr 2023 15:38:23 -0700 Subject: [PATCH 019/113] Prepare for 0.24.0 release (#868) --- CHANGELOG.md | 2 ++ Chart.yaml | 2 +- test/acceptance/csi.bats | 2 +- values.openshift.yaml | 2 +- values.yaml | 2 +- 5 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 823fb56..d1c2f32 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.24.0 (April 6, 2023) + Changes: * Earliest Kubernetes version tested is now 1.22 * `vault` updated to 1.13.1 
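Review bot: The new `csi.agent` block in values.yaml carries no explanatory comment, unlike every neighbouring key, yet it defaults to `enabled: true`, so an upgrade silently adds a second `hashicorp/vault` container to the CSI daemonset on every node. Add a header above `agent:` such as `# Settings for the Vault Agent sidecar that runs alongside the CSI provider. Set enabled to false to run the provider without it.` and a one-line comment on `extraArgs` saying they are appended to the Agent command line. A CHANGELOG line for the new default would help if one is not already present outside this hunk.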
diff --git a/Chart.yaml b/Chart.yaml index d74782b..a4f7485 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v2 name: vault -version: 0.23.0 +version: 0.24.0 appVersion: 1.13.1 kubeVersion: ">= 1.22.0-0" description: Official HashiCorp Vault Chart diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index 2d7ba8d..d454364 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -14,7 +14,7 @@ load _helpers CSI_DRIVER_VERSION=1.3.2 helm install secrets-store-csi-driver secrets-store-csi-driver \ --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ - --version=$(CSI_DRIVER_VERSION) \ + --version=$CSI_DRIVER_VERSION \ --wait --timeout=5m \ --namespace=acceptance \ --set linux.image.pullPolicy="IfNotPresent" \ diff --git a/values.openshift.yaml b/values.openshift.yaml index 88521a1..da71dcf 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -9,7 +9,7 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.1.0-ubi" + tag: "1.2.1-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" diff --git a/values.yaml b/values.yaml index 75da40b..9df0ffa 100644 --- a/values.yaml +++ b/values.yaml @@ -65,7 +65,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.1.0" + tag: "1.2.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent From 1307dbea76330dfb5cf190d331b250d16e90cf57 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 11 Apr 2023 11:00:47 -0700 Subject: [PATCH 020/113] add copyright header to csi-agent-configmap.yaml (#870) --- templates/csi-agent-configmap.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/templates/csi-agent-configmap.yaml b/templates/csi-agent-configmap.yaml index cb373f8..7af08e8 100644 --- a/templates/csi-agent-configmap.yaml 
+++ b/templates/csi-agent-configmap.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} apiVersion: v1 From bb9a069c06248284d5dec3d4dbe8309bea663dae Mon Sep 17 00:00:00 2001 
From: hc-github-team-es-release-engineering <82989873+hc-github-team-es-release-engineering@users.noreply.github.com> Date: Wed, 12 Apr 2023 15:19:02 +0100 Subject: [PATCH 021/113] Convert hashicorp/vault-helm to GitHub Actions (#861) * Add workflow hashicorp/vault-helm/update-helm-charts-index * Add workflow hashicorp/vault-helm/manual-trigger-update-helm-charts-index * SHA-pin all 3rd-party actions * Restrict workflow permissions * Add actionslint * Add dependabot * Add CODEOWNERS * Replace deprecated references * fixup: First pass at cleaning up update-helm-charts-index * fixup: move to self-hosted for access to vault * fixup: remove vault bits, correct GHA action * fixup: Remove manual invocation * fixup: update CODEOWNERS * Update CODEOWNERS * Fix CODEOWNERS syntax * Use common workflow for action lint * fixup: address review feedback * fixup: codeowners set * Apply suggestions from code review Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> * fixup: remove slack status action * fixup: more clear error message and correct syntax * fixup: limit actionlint trigger to GHA paths * fixup: glob * fixup: incorporate emily's superior syntax --------- Co-authored-by: Daniel Kimsey Co-authored-by: Tom Proctor Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com> Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> --- .github/dependabot.yml | 7 ++++ .github/workflows/acceptance.yaml | 6 +-- .github/workflows/actionlint.yml | 16 ++++++++ .../workflows/setup-test-tools/action.yaml | 3 +- .github/workflows/tests.yaml | 5 +-- .../workflows/update-helm-charts-index.yml | 40 +++++++++++++++++++ CODEOWNERS | 1 + 7 files changed, 70 insertions(+), 8 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/actionlint.yml create mode 100644 .github/workflows/update-helm-charts-index.yml create mode 100644 CODEOWNERS 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..8a90cca --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,7 @@ +version: 2 + +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" \ No newline at end of file diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index e3c28e3..ac1dac1 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -1,7 +1,5 @@ name: Acceptance Tests - on: [push, workflow_dispatch] - jobs: kind: strategy: @@ -13,14 +11,14 @@ jobs: - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - - name: Create K8s Kind Cluster uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} version: v0.17.0 - - run: bats --tap --timing ./test/acceptance env: VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} +permissions: + contents: read diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml new file mode 100644 index 0000000..bdee70f --- /dev/null +++ b/.github/workflows/actionlint.yml @@ -0,0 +1,16 @@ +# If the repository is public, be sure to change to GitHub hosted runners +name: Lint GitHub Actions Workflows +on: + push: + paths: + - .github/workflows/**.yml + pull_request: + paths: + - .github/workflows/**.yml +permissions: + contents: read +jobs: + actionlint: + runs-on: ubuntu-latest + steps: + - uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml index 7683deb..d666e23 100644 --- a/.github/workflows/setup-test-tools/action.yaml +++ b/.github/workflows/setup-test-tools/action.yaml 
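Review bot: `actionlint.yml` references `hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main` from a job step; if that file is a reusable workflow, as its `.github/workflows/` path and the later "Use common workflow for action lint" note suggest, it must be invoked at job level with `jobs.actionlint.uses:` and no `runs-on`/`steps`, otherwise the runner rejects it as an action. The `@main` reference is also a mutable ref, which is at odds with the commit's "SHA-pin all 3rd-party actions" intent; pin it to a commit SHA with a version comment like the `actions/checkout` lines. The leading comment about switching to GitHub-hosted runners is already stale since the job uses `ubuntu-latest`.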
@@ -1,6 +1,5 @@ name: Setup common testing tools description: Install bats and python-yq - runs: using: "composite" steps: @@ -18,3 +17,5 @@ runs: python-version: '3.10' - run: pip install yq shell: bash +permissions: + contents: read diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 5bfd153..30968c8 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -1,7 +1,5 @@ name: Tests - on: [push, workflow_dispatch] - jobs: bats-unit-tests: runs-on: ubuntu-latest @@ -9,7 +7,6 @@ jobs: - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - uses: ./.github/workflows/setup-test-tools - run: bats --tap --timing ./test/unit - chart-verifier: runs-on: ubuntu-latest env: @@ -23,3 +20,5 @@ jobs: go-version: '1.19.2' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - run: bats --tap --timing ./test/chart +permissions: + contents: read diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml new file mode 100644 index 0000000..7a1061d --- /dev/null +++ b/.github/workflows/update-helm-charts-index.yml 
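Review bot: `permissions:` is not, as far as I know, a recognised key in action metadata (`action.yaml`); a composite action runs with whatever token permissions the calling job has, so the two lines added to `setup-test-tools/action.yaml` are at best ignored and may trip metadata validation. Drop them here and rely on the `permissions: contents: read` declarations this commit already adds to `tests.yaml` and `acceptance.yaml`, which is where the scope is actually enforced.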
@@ -0,0 +1,40 @@
+name: update-helm-charts-index
+on:
+ push:
+ tags:
+ - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+ contents: read
+
+jobs:
+ update-helm-charts-index:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ - name: verify Chart version matches tag version
+ run: |-
+ export TAG=${{ github.ref_name }}
+ git_tag=$(echo "${TAG#v}")
+ chart_tag=$(yq r Chart.yaml version)
+ if [ "${git_tag}" != "${chart_tag}" ]; then
+ echo "chart version (${chart_tag}) did not match git version (${git_tag})"
+ exit 1
+ fi
+ - name: update helm-charts index
+ id: update
+ env:
+ GH_TOKEN: ${{ secrets.HELM_CHARTS_GITHUB_TOKEN }}
+ run: |-
+ gh workflow run publish-charts.yml \
+ --repo hashicorp/helm-charts \
+ --ref main \
+ -f SOURCE_TAG="${{ github.ref_name }}" \
+ -f SOURCE_REPO="${{ github.repository }}"
+ - uses: hashicorp/actions-slack-status@v1
+ if: ${{always()}}
+ with:
+ success-message: "vault-helm charts index update triggered successfully. View the run ."
+ failure-message: "vault-helm charts index update trigger failed."
+ status: ${{job.status}}
+ slack-webhook-url: ${{secrets.SLACK_WEBHOOK_URL}}
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..af6a350
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+* @hashicorp/vault-ecosystem-foundations
From ded705d73204f9e600e1628c2581223e2b37b44c Mon Sep 17 00:00:00 2001 From: Daniel Kimsey <90741+dekimsey@users.noreply.github.com> Date: Wed, 12 Apr 2023 11:18:40 -0500 Subject: [PATCH 022/113] Remove CircelCI (#871) Follow-up of #861 and hashicorp/gha-migration#158 --- .circleci/config.yml | 71 -------------------------------------------- 1 file changed, 71 deletions(-) delete mode 100644 .circleci/config.yml
diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index f434417..0000000
--- a/.circleci/config.yml
+++ /dev/null
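Review bot: The version check runs `yq r Chart.yaml version`, which is mikefarah yq v2 syntax, but unlike the CircleCI job it replaces this workflow never installs that version; `ubuntu-latest` ships yq v4, where `r` is not a command, so the step will most likely fail on the first tag push. Either add an install step or use `chart_tag=$(yq '.version' Chart.yaml)`. `${{ github.ref_name }}` is also expanded straight into the `run:` script of both steps; the `v[0-9]+.[0-9]+.[0-9]+` tag filter limits the character set, but the safer idiom is `env: TAG: ${{ github.ref_name }}` with `"$TAG"` in the script, so the guard does not depend on the filter staying strict. `hashicorp/actions-slack-status@v1` is a mutable tag rather than a SHA, and the success message ends in `View the run .` with no URL after "run".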
@@ -1,71 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -version: 2.1 -orbs: - slack: circleci/slack@3.4.2 - -jobs: - update-helm-charts-index: - docker: - - image: docker.mirror.hashicorp.services/cimg/go:1.19.2 - steps: - - checkout - - run: - name: verify Chart version matches tag version - environment: - RELEASE_TAG: << pipeline.parameters.release-tag >> - command: | - go install github.com/mikefarah/yq/v2@latest - export TAG=${RELEASE_TAG:-$CIRCLE_TAG} - git_tag=$(echo "${TAG#v}") - chart_tag=$(yq r Chart.yaml version) - if [ "${git_tag}" != "${chart_tag}" ]; then - echo "chart version (${chart_tag}) did not match git version (${git_tag})" - exit 1 - fi - - run: - name: install gh tool - command: | - version="2.22.1" - curl --show-error --silent --location --output "gh.tar.gz" "https://github.com/cli/cli/releases/download/v${version}/gh_${version}_linux_amd64.tar.gz" - tar -xvzf gh.tar.gz && mkdir -p bin && mv "gh_${version}_linux_amd64/bin/gh" bin/ - - - run: - name: update helm-charts index - environment: - RELEASE_TAG: << pipeline.parameters.release-tag >> - command: | - export GITHUB_TOKEN="${HELM_CHARTS_GITHUB_TOKEN}" - ./bin/gh workflow run publish-charts.yml \ - --repo hashicorp/helm-charts \ - --ref main \ - -f SOURCE_TAG="${CIRCLE_TAG}" \ - -f SOURCE_REPO="${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}" - - slack/status: - fail_only: true - failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}" - -parameters: - release-tag: - type: string - default: "" - description: "The tag to release, including v, e.g. 
v0.22.1" - -workflows: - version: 2 - # Note: unit and acceptance tests are now being run in GitHub Actions - update-helm-charts-index: - jobs: - - update-helm-charts-index: - context: helm-charts-trigger-vault - filters: - tags: - only: /^v.*/ - branches: - ignore: /.*/ - manual-trigger-update-helm-charts-index: - when: << pipeline.parameters.release-tag >> - jobs: - - update-helm-charts-index: - context: helm-charts-trigger-vault From 9954df5e682a59aa1292ad3ee888707e1c603e8c Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Fri, 14 Apr 2023 12:31:41 +0000 Subject: [PATCH 023/113] Add role for creating CSI's HMAC secret key (#872) --- templates/csi-daemonset.yaml | 5 +++++ templates/csi-role.yaml | 31 +++++++++++++++++++++++++++ templates/csi-rolebinding.yaml | 24 +++++++++++++++++++++ test/unit/csi-daemonset.bats | 31 +++++++++++++++++++++------ test/unit/csi-role.bats | 39 ++++++++++++++++++++++++++++++++++ test/unit/csi-rolebinding.bats | 22 +++++++++++++++++++ values.yaml | 4 ++++ 7 files changed, 150 insertions(+), 6 deletions(-) create mode 100644 templates/csi-role.yaml create mode 100644 templates/csi-rolebinding.yaml create mode 100644 test/unit/csi-role.bats create mode 100644 test/unit/csi-rolebinding.bats diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 0285a0c..a32ef7c 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -54,6 +54,11 @@ spec: args: - --endpoint=/provider/vault.sock - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.hmacSecretName }} + - --hmac-secret-name={{ .Values.csi.hmacSecretName }} + {{- else }} + - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key + {{- end }} {{- if .Values.csi.extraArgs }} {{- toYaml .Values.csi.extraArgs | nindent 12 }} {{- end }} diff --git a/templates/csi-role.yaml b/templates/csi-role.yaml new file mode 100644 index 0000000..dd23af6 --- /dev/null +++ b/templates/csi-role.yaml 
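Review bot: The default HMAC secret name `{{ include "vault.name" . }}-csi-provider-hmac-key` is duplicated verbatim between this hunk and the new `csi-role.yaml`, and it is keyed on the chart name rather than the release-scoped `vault.fullname` used for the Role and RoleBinding names, so two releases in one namespace would point at the same secret. If matching the provider's built-in default is intentional, keep the value but move it into a named helper in `_helpers.tpl` (e.g. `{{ define "vault.csi.hmacSecretName" }}`) and call `{{ include "vault.csi.hmacSecretName" . }}` here and in the Role so the `--hmac-secret-name` argument and the RBAC `resourceNames` entry cannot drift apart. The container spec continues outside the hunk.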
@@ -0,0 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider-role
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
+ resourceNames:
+ {{- if .Values.csi.hmacSecretName }}
+ - {{ .Values.csi.hmacSecretName }}
+ {{- else }}
+ - {{ include "vault.name" . }}-csi-provider-hmac-key
+ {{- end }}
+# 'create' permissions cannot be restricted by resource name:
+# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+{{- end }}
diff --git a/templates/csi-rolebinding.yaml b/templates/csi-rolebinding.yaml
new file mode 100644
index 0000000..e61f2dc
--- /dev/null
+++ b/templates/csi-rolebinding.yaml
@@ -0,0 +1,24 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "vault.fullname" . }}-csi-provider-role
+subjects:
+- kind: ServiceAccount
+ name: {{ template "vault.fullname" . }}-csi-provider
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats
index 76c74b3..3ad9675
--- a/test/unit/csi-daemonset.bats
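Review bot: The second rule grants `create` on every Secret in the release namespace, far broader than the single HMAC key the provider needs; the comment explains the RBAC limitation, but the grant is unconditional even when `csi.hmacSecretName` points at a secret an operator has pre-created. Consider gating that rule behind a value (for example only when `csi.hmacSecretName` is empty, or an explicit toggle) so least-privilege deployments can drop it, assuming the provider only attempts a create when `get` finds nothing, which is worth confirming against the provider's behaviour. The RoleBinding subject `{{ template "vault.fullname" . }}-csi-provider` has to match the CSI ServiceAccount name defined outside this hunk; a unit test asserting that equality would catch a rename.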
+++ b/test/unit/csi-daemonset.bats @@ -168,6 +168,25 @@ load _helpers [ "${actual}" = "--debug=true" ] } +# HMAC secret arg +@test "csi/daemonset: HMAC secret arg is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr) + [ "${actual}" = "--hmac-secret-name=vault-csi-provider-hmac-key" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.hmacSecretName=foo" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr) + [ "${actual}" = "--hmac-secret-name=foo" ] +} + # Extra args @test "csi/daemonset: extra args can be passed" { cd `chart_dir` @@ -176,7 +195,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].args | length' | tee /dev/stderr) - [ "${actual}" = "2" ] + [ "${actual}" = "3" ] local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ @@ -186,15 +205,15 @@ load _helpers yq -r '.spec.template.spec.containers[0]') local actual=$(echo $object | yq -r '.args | length' | tee /dev/stderr) - [ "${actual}" = "5" ] - local actual=$(echo $object | - yq -r '.args[2]' | tee /dev/stderr) - [ "${actual}" = "--foo=bar" ] + [ "${actual}" = "6" ] local actual=$(echo $object | yq -r '.args[3]' | tee /dev/stderr) - [ "${actual}" = "--bar baz" ] + [ "${actual}" = "--foo=bar" ] local actual=$(echo $object | yq -r '.args[4]' | tee /dev/stderr) + [ "${actual}" = "--bar baz" ] + local actual=$(echo $object | + yq -r '.args[5]' | tee /dev/stderr) [ "${actual}" = "first" ] } diff --git a/test/unit/csi-role.bats b/test/unit/csi-role.bats new file mode 100644 index 0000000..e7eb7e6 --- /dev/null +++ b/test/unit/csi-role.bats 
@@ -0,0 +1,39 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "csi/Role: disabled by default" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/csi-role.yaml \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "csi/Role: names" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-role.yaml \
+ --set "csi.enabled=true" \
+ . | tee /dev/stderr |
+ yq -r '.metadata.name' | tee /dev/stderr)
+ [ "${actual}" = "release-name-vault-csi-provider-role" ]
+ local actual=$(helm template \
+ --show-only templates/csi-role.yaml \
+ --set "csi.enabled=true" \
+ . | tee /dev/stderr |
+ yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr)
+ [ "${actual}" = "vault-csi-provider-hmac-key" ]
+}
+
+@test "csi/Role: HMAC secret name configurable" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-role.yaml \
+ --set "csi.enabled=true" \
+ --set 'csi.hmacSecretName=foo' \
+ . | tee /dev/stderr |
+ yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+}
\ No newline at end of file
diff --git a/test/unit/csi-rolebinding.bats b/test/unit/csi-rolebinding.bats
new file mode 100644
index 0000000..caf368b
--- /dev/null
+++ b/test/unit/csi-rolebinding.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "csi/RoleBinding: disabled by default" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/csi-rolebinding.yaml \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "csi/RoleBinding: name" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-rolebinding.yaml \
+ --set "csi.enabled=true" \
+ . | tee /dev/stderr |
+ yq -r '.metadata.name' | tee /dev/stderr)
+ [ "${actual}" = "release-name-vault-csi-provider-rolebinding" ]
+}
\ No newline at end of file
diff --git a/values.yaml b/values.yaml index 9df0ffa..9e35ac8 100644 --- a/values.yaml +++ b/values.yaml @@ -1025,6 +1025,10 @@ csi: # cpu: 50m # memory: 128Mi + # Override the default secret name for the CSI Provider's HMAC key used for + # generating secret versions. + hmacSecretName: "" + # Settings for the daemonSet used to run the provider. daemonSet: updateStrategy: From 677c932e35458c02a1f682c27b4c0d77c567d99e Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 17 Apr 2023 17:14:59 +0000 Subject: [PATCH 024/113] Prepare for 0.24.1 release (#879) --- CHANGELOG.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1c2f32..741c5ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,17 @@ ## Unreleased +## 0.24.1 (April 17, 2023) + +Bugs: +* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872) + ## 0.24.0 (April 6, 2023) Changes: * Earliest Kubernetes version tested is now 1.22 -* `vault` updated to 1.13.1 +* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863) +* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868) +* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749) Features: * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) From a5d803ad3c79dcb3a8491f51432d01bdf2c80acf Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 17 Apr 2023 17:48:39 +0000 Subject: [PATCH 025/113] Fix chart version for 0.24.1 release (#880) --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index a4f7485..1803a52 100644 --- a/Chart.yaml +++ b/Chart.yaml 
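Review bot: The new `hmacSecretName` comment says nothing about the RBAC that the same value drives in `csi-role.yaml`, which is the security-relevant part of this change and the thing an operator deciding whether to override it needs to know. Extend it to something like `# Override the default secret name for the CSI Provider's HMAC key used for generating secret versions. The chart grants the provider 'get' on this secret and 'create' on Secrets in the release namespace so the key can be created on first run.` The `csi` block continues outside the hunk.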
@@ -3,7 +3,7 @@ apiVersion: v2 name: vault -version: 0.24.0 +version: 0.24.1 appVersion: 1.13.1 kubeVersion: ">= 1.22.0-0" description: Official HashiCorp Vault Chart From 14585a1331d0bc12ac55489defea84ea259c66ca Mon Sep 17 00:00:00 2001 From: "hashicorp-tsccr[bot]" <129506189+hashicorp-tsccr[bot]@users.noreply.github.com> Date: Fri, 21 Apr 2023 10:12:31 -0700 Subject: [PATCH 026/113] Result of tsccr-helper -pin-all-workflows . (#882) Co-authored-by: hashicorp-tsccr[bot] --- .github/workflows/acceptance.yaml | 2 +- .github/workflows/tests.yaml | 6 +++--- .github/workflows/update-helm-charts-index.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index ac1dac1..597a644 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -8,7 +8,7 @@ jobs: kind-k8s-version: [1.22.17, 1.23.17, 1.24.12, 1.25.8, 1.26.3] runs-on: ubuntu-latest steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - name: Create K8s Kind Cluster diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 30968c8..661307a 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -4,7 +4,7 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: ./.github/workflows/setup-test-tools - run: bats --tap --timing ./test/unit chart-verifier: 
@@ -12,10 +12,10 @@ jobs: env: CHART_VERIFIER_VERSION: '1.10.1' steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: '1.19.2' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml index 7a1061d..4154349 100644 --- a/.github/workflows/update-helm-charts-index.yml +++ b/.github/workflows/update-helm-charts-index.yml @@ -11,7 +11,7 @@ jobs: update-helm-charts-index: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: verify Chart version matches tag version run: |- export TAG=${{ github.ref_name }} From 582e7d0c3b55b94ada6b081a73f1f5ff528b3683 Mon Sep 17 00:00:00 2001 From: Ashish Kumar Date: Mon, 15 May 2023 22:24:41 +0530 Subject: [PATCH 027/113] spelling fix (#888) --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index 9e35ac8..e060b0b 100644 --- a/values.yaml +++ b/values.yaml @@ -521,7 +521,7 @@ server: livenessProbe: enabled: false path: "/v1/sys/health?standbyok=true" - # Port nuumber on which livenessProbe will be checked. + # Port number on which livenessProbe will be checked. port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 From b9096ee15b5df95cbcf3dbea661ff9ca94652c6c Mon Sep 17 00:00:00 2001 
From: Krishnadas M <89966612+krishnadas-m@users.noreply.github.com> Date: Wed, 17 May 2023 18:29:05 +0530 Subject: [PATCH 028/113] Make injected Agent ephemeral storage configurable through injector.agentDefaults (#798) --- CHANGELOG.md | 3 +++ templates/injector-deployment.yaml | 8 ++++++++ test/unit/injector-deployment.bats | 11 +++++++++++ values.schema.json | 6 ++++++ values.yaml | 2 ++ 5 files changed, 30 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 741c5ab..a68f853 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,9 @@ Features: Bugs: * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) +Improvements: +* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) + ## 0.22.1 (October 26th, 2022) Changes: diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 7e0101a..fbf32c0 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -109,6 +109,14 @@ spec: value: "{{ .Values.injector.agentDefaults.memRequest }}" - name: AGENT_INJECT_MEM_LIMIT value: "{{ .Values.injector.agentDefaults.memLimit }}" + {{- if .Values.injector.agentDefaults.ephemeralRequest }} + - name: AGENT_INJECT_EPHEMERAL_REQUEST + value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}" + {{- end }} + {{- if .Values.injector.agentDefaults.ephemeralLimit }} + - name: AGENT_INJECT_EPHEMERAL_LIMIT + value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}" + {{- end }} - name: AGENT_INJECT_DEFAULT_TEMPLATE value: "{{ .Values.injector.agentDefaults.template }}" - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 3cfe777..7723a15 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
@@ -963,6 +963,7 @@ EOF local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) [ "${value}" = "64Mi" ] + } @test "injector/deployment: can set agent default resources" { @@ -973,6 +974,8 @@ EOF --set 'injector.agentDefaults.cpuRequest=cpuRequest' \ --set 'injector.agentDefaults.memLimit=memLimit' \ --set 'injector.agentDefaults.memRequest=memRequest' \ + --set 'injector.agentDefaults.ephemeralLimit=ephemeralLimit' \ + --set 'injector.agentDefaults.ephemeralRequest=ephemeralRequest' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) @@ -991,6 +994,14 @@ EOF local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) [ "${value}" = "memRequest" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_EPHEMERAL_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "ephemeralLimit" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_EPHEMERAL_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "ephemeralRequest" ] } @test "injector/deployment: agent default template" { diff --git a/values.schema.json b/values.schema.json index 44980e1..4214e4b 100644 --- a/values.schema.json +++ b/values.schema.json @@ -266,6 +266,12 @@ "memRequest": { "type": "string" }, + "ephemeralLimit": { + "type": "string" + }, + "ephemeralRequest": { + "type": "string" + }, "template": { "type": "string" }, diff --git a/values.yaml b/values.yaml index e060b0b..13938fb 100644 --- a/values.yaml +++ b/values.yaml @@ -83,6 +83,8 @@ injector: cpuRequest: "250m" memLimit: "128Mi" memRequest: "64Mi" + # ephemeralLimit: "128Mi" + # ephemeralRequest: "64Mi" # Default template type for secrets when no custom template is specified. # Possible values include: "json" and "map". From a276600b716375b235b96a2ff289271931861a39 Mon Sep 17 00:00:00 2001 
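Review bot: The commented-out `ephemeralLimit`/`ephemeralRequest` keys are added to values.yaml without saying what they control or what happens when they stay unset, unlike the other `agentDefaults` entries which carry concrete defaults. Add a comment such as `# Optional ephemeral-storage request/limit for injected Agent containers. When unset the injector is not given AGENT_INJECT_EPHEMERAL_REQUEST/LIMIT, so presumably no ephemeral-storage resource is applied.` The `agentDefaults` block continues outside the hunk.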
From: risson <18313093+rissson@users.noreply.github.com> Date: Thu, 18 May 2023 07:01:22 +0200 Subject: [PATCH 029/113] Default prometheusRules.rules should be an empty list (#886) Support for prometheus-operator was added in https://github.com/hashicorp/vault-helm/pull/772 and a default empty set of rules was defined as an empty map `{}`. However, as evidenced by the commented out rule examples below that very same values.yaml, this is expected to be a list, so `rules:` value should be set to an empty list `[]`. Co-authored-by: Marc 'risson' Schmitt Co-authored-by: Vitaliy --- CHANGELOG.md | 3 +++ test/unit/prometheus-prometheusrules.bats | 14 +++++++------- values.schema.json | 19 +++++++++++++++++++ values.yaml | 2 +- 4 files changed, 30 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a68f853..ce70750 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Bugs: +* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) + ## 0.24.1 (April 17, 2023) Bugs: diff --git a/test/unit/prometheus-prometheusrules.bats b/test/unit/prometheus-prometheusrules.bats index 87736cf..efe4d25 100755 --- a/test/unit/prometheus-prometheusrules.bats +++ b/test/unit/prometheus-prometheusrules.bats @@ -6,7 +6,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] 
@@ -26,16 +26,16 @@ load _helpers local output=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ --set 'serverTelemetry.prometheusRules.enabled=true' \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ - --set 'serverTelemetry.prometheusRules.rules.baz=qux' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[1].baz=qux' \ .) | tee /dev/stderr ) [ "$(echo "$output" | yq -r '.spec.groups | length')" = "1" ] [ "$(echo "$output" | yq -r '.spec.groups[0] | length')" = "2" ] [ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-vault" ] [ "$(echo "$output" | yq -r '.spec.groups[0].rules | length')" = "2" ] - [ "$(echo "$output" | yq -r '.spec.groups[0].rules.foo')" = "bar" ] - [ "$(echo "$output" | yq -r '.spec.groups[0].rules.baz')" = "qux" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules[0].foo')" = "bar" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules[1].baz')" = "qux" ] } @test "prometheus/PrometheusRules-server: assertSelectors default" { @@ -43,7 +43,7 @@ load _helpers local output=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ --set 'serverTelemetry.prometheusRules.enabled=true' \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ . ) | tee /dev/stderr) [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "5" ] @@ -55,7 +55,7 @@ load _helpers local output=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ --set 'serverTelemetry.prometheusRules.enabled=true' \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ --set 'serverTelemetry.prometheusRules.selectors.baz=qux' \ --set 'serverTelemetry.prometheusRules.selectors.bar=foo' \ . ) | tee /dev/stderr) diff --git a/values.schema.json b/values.schema.json index 4214e4b..e296426 100644 
--- a/values.schema.json +++ b/values.schema.json @@ -1066,6 +1066,25 @@ } } }, + "serverTelemetry": { + "type": "object", + "properties": { + "prometheusRules": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "rules": { + "type": "array" + }, + "selectors": { + "type": "object" + } + } + } + } + }, "ui": { "type": "object", "properties": { diff --git a/values.yaml b/values.yaml index 13938fb..2a9ec9c 100644 --- a/values.yaml +++ b/values.yaml @@ -1200,7 +1200,7 @@ serverTelemetry: selectors: {} # Some example rules. - rules: {} + rules: [] # - alert: vault-HighResponseTime # annotations: # message: The response time of Vault is over 500ms on average over the last 5 minutes. From 3640daaf654698ebac15c0e3afe1eb438b61b942 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 23 May 2023 13:16:42 -0700 Subject: [PATCH 030/113] ci: upgrade kind-action and kind version (#899) kind-action v1.5.0 -> v1.7.0 kind v0.17.0 -> v0.19.0 Add k8s 1.27 to testing, and update the rest of the kind image versions. --- .github/workflows/acceptance.yaml | 6 +++--- CHANGELOG.md | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 597a644..11c33b6 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml 
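Review bot: `rules` is typed only as `"array"`, so the schema still accepts `rules: ["x"]` or a list of numbers, while the template (per the bats hunk above) copies each element verbatim into `.spec.groups[0].rules`, where the `- alert: ...` example in values.yaml shows a mapping is expected. Adding `"items": { "type": "object" }` under `rules` catches the common mistake of pasting rules as strings at `helm template` time instead of at admission, and the unit tests that set `rules[0].foo=bar` keep passing since each entry is still an object. Whether the operator accepts the rendered group is outside what the schema can check; this only tightens the shape.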
@@ -5,18 +5,18 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.22.17, 1.23.17, 1.24.12, 1.25.8, 1.26.3] + kind-k8s-version: [1.22.17, 1.23.17, 1.24.13, 1.25.9, 1.26.4, 1.27.2] runs-on: ubuntu-latest steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0 + uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.17.0 + version: v0.19.0 - run: bats --tap --timing ./test/acceptance env: VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} diff --git a/CHANGELOG.md b/CHANGELOG.md index ce70750..8704bfa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Changes: +* Latest Kubernetes version tested is now 1.27 + Bugs: * server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) From da34c6c986775f419c23a6bfe0074740266c81cb Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Tue, 30 May 2023 15:54:00 +0100 Subject: [PATCH 031/113] publishNotReadyAddresses for headless service always true (#902) --- CHANGELOG.md | 1 + templates/server-headless-service.yaml | 2 +- test/unit/server-headless-service.bats | 4 ++-- values.yaml | 4 +++- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8704bfa..2d12e92 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,7 @@ Changes: * Latest Kubernetes version tested is now 1.27 +* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902) Bugs: * server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index c4eca7a..42e1aa0 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -23,7 +23,7 @@ metadata: {{ template "vault.service.annotations" .}} spec: clusterIP: None - publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + publishNotReadyAddresses: true ports: - name: "{{ include "vault.scheme" . }}" port: {{ .Values.server.service.port }} diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 0794d0e..7c0e441 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats @@ -2,7 +2,7 @@ load _helpers -@test "server/headless-Service: publishNotReadyAddresses can be changed" { +@test "server/headless-Service: publishNotReadyAddresses cannot be changed" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-headless-service.yaml \ @@ -15,7 +15,7 @@ load _helpers --set 'server.service.publishNotReadyAddresses=false' \ . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "server/headless-Service: instance selector cannot be disabled" { diff --git a/values.yaml b/values.yaml index 2a9ec9c..2df0014 100644 --- a/values.yaml +++ b/values.yaml 
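Review bot: The hard-coded `publishNotReadyAddresses: true` in server-headless-service.yaml carries no explanation in the template itself, so a reader of the template rather than values.yaml will see it as a candidate to re-wire back to `.Values.server.service.publishNotReadyAddresses`. A one-line template comment would lock in the intent: `{{/* Always true: this headless service backs cluster-internal communication and is deliberately not tied to .Values.server.service.publishNotReadyAddresses (see values.yaml). */}}`. The reason the not-ready addresses must stay published is only implied here (presumably peers need to resolve each other before they are Ready), so I'd keep the comment to the documented fact rather than the mechanism.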
@@ -673,7 +673,9 @@ server: # or NodePort. #type: ClusterIP - # Do not wait for pods to be ready + # Do not wait for pods to be ready before including them in the services' + # targets. Does not apply to the headless service, which is used for + # cluster-internal communication. publishNotReadyAddresses: true # The externalTrafficPolicy can be set to either Cluster or Local From a56c27c892be1c2fcae90deb982c35a245893d7d Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 31 May 2023 12:27:18 +0100 Subject: [PATCH 032/113] Fix syntax for actionlint workflow (#903) * Fix syntax for actionlint workflow * Move .github/workflows/setup-test-tools/ -> .github/actions/setup-test-tools/ * Fix reported actionlint failures --- .github/{workflows => actions}/setup-test-tools/action.yaml | 0 .github/workflows/acceptance.yaml | 2 +- .github/workflows/actionlint.yml | 4 +--- .github/workflows/tests.yaml | 6 +++--- .github/workflows/update-helm-charts-index.yml | 2 +- 5 files changed, 6 insertions(+), 8 deletions(-) rename .github/{workflows => actions}/setup-test-tools/action.yaml (100%) diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/actions/setup-test-tools/action.yaml similarity index 100% rename from .github/workflows/setup-test-tools/action.yaml rename to .github/actions/setup-test-tools/action.yaml diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 11c33b6..b5ef45a 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -10,7 +10,7 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup test tools - uses: ./.github/workflows/setup-test-tools + uses: ./.github/actions/setup-test-tools - name: Create K8s Kind Cluster uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0 with: diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index bdee70f..ec209f5 100644 
--- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -11,6 +11,4 @@ permissions: contents: read jobs: actionlint: - runs-on: ubuntu-latest - steps: - - uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main + uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 661307a..6e90a09 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -5,7 +5,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - uses: ./.github/workflows/setup-test-tools + - uses: ./.github/actions/setup-test-tools - run: bats --tap --timing ./test/unit chart-verifier: runs-on: ubuntu-latest @@ -14,11 +14,11 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup test tools - uses: ./.github/workflows/setup-test-tools + uses: ./.github/actions/setup-test-tools - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: '1.19.2' - - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} + - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" - run: bats --tap --timing ./test/chart permissions: contents: read diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml index 4154349..450cc1d 100644 --- a/.github/workflows/update-helm-charts-index.yml +++ b/.github/workflows/update-helm-charts-index.yml @@ -15,7 +15,7 @@ jobs: - name: verify Chart version matches tag version run: |- export TAG=${{ github.ref_name }} - git_tag=$(echo "${TAG#v}") + git_tag="${TAG#v}" chart_tag=$(yq r Chart.yaml version) if [ "${git_tag}" != "${chart_tag}" ]; then echo "chart version (${chart_tag}) did not match git version (${git_tag})" 
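Review bot: The reusable workflow is referenced by a mutable branch, `uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main`, while every other action touched in this series is pinned to a full commit SHA with a version comment (e.g. `actions/checkout@8e5e7e5a... # v3.5.2` in the next hunk). A reusable workflow runs under this repository's token with the `permissions: contents: read` visible two lines up, so any change landing on that branch flows into this repo's CI without review here; it is a same-organisation repo, which lowers but does not remove the risk. Pin it the same way, `@<commit-sha> # vX.Y.Z`, or at least to a tag.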
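Review bot: `export TAG=${{ github.ref_name }}` interpolates the ref name directly into the shell script before bash parses it, so the new `git_tag="${TAG#v}"` quoting on the following line does not protect against metacharacters in the tag name; the substitution already happened one line earlier. This step appears to run on tag pushes, so only someone who can push tags can exercise it, but the standard fix is cheap: move the expression into the step's `env:` block, `env:` / `TAG: ${{ github.ref_name }}`, and drop the `export` line so the value reaches the script as an environment variable rather than as source text. actionlint's shellcheck integration, which this commit is enabling, and GitHub's script-injection guidance both flag this pattern. The enclosing job starts outside the hunk.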
From 3ce721fca4ecbad0265a95ea02dbab04289b4e69 Mon Sep 17 00:00:00 2001 From: Toninh0 Date: Thu, 1 Jun 2023 11:38:22 +0200 Subject: [PATCH 033/113] CSI configurable nodeSelector and affinity (#862) --- CHANGELOG.md | 3 ++ templates/_helpers.tpl | 28 +++++++++++++++ templates/csi-daemonset.yaml | 2 ++ test/unit/csi-daemonset.bats | 68 ++++++++++++++++++++++++++++++++++++ values.schema.json | 14 ++++++++ values.yaml | 11 ++++++ 6 files changed, 126 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d12e92..eabf9fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,9 @@ Changes: * Latest Kubernetes version tested is now 1.27 * server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902) +Features: +* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862) + Bugs: * server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 4b6baf1..dafac37 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -849,6 +849,34 @@ Sets the injector toleration for pod placement {{- end }} {{- end -}} +{{/* +Sets the CSI provider nodeSelector for pod placement +*/}} +{{- define "csi.pod.nodeselector" -}} + {{- if .Values.csi.pod.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.csi.pod.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets the CSI provider affinity for pod placement. +*/}} +{{- define "csi.pod.affinity" -}} + {{- if .Values.csi.pod.affinity }} + affinity: + {{ $tp := typeOf .Values.csi.pod.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} {{/* Sets extra CSI provider pod annotations */}} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index a32ef7c..28e7cd0 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -45,6 +45,8 @@ spec: {{- end }} serviceAccountName: {{ template "vault.fullname" . }}-csi-provider {{- template "csi.pod.tolerations" . }} + {{- template "csi.pod.nodeselector" . }} + {{- template "csi.pod.affinity" . }} containers: - name: {{ include "vault.name" . }}-csi-provider {{ template "csi.resources" . }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 3ad9675..97bc86d 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
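Review bot: The two new helpers differ in whitespace control in ways that reach the rendered output: `csi.pod.affinity` uses `{{ $tp := typeOf ... }}` and `{{ end }}` without the `-` trim markers that `csi.pod.nodeselector` uses, so the affinity branch may emit an extra indented blank line after `affinity:` and at its end, and nodeselector's string branch uses `{{ tpl ... }}` where affinity uses `{{- tpl ... }}`. Helm tolerates the stray whitespace (the tests at the end of the hunk pass), but it makes `helm template` diffs noisier and diverges from the adjacent toleration helper. Align them: `{{- $tp := typeOf .Values.csi.pod.affinity }}`, `{{- end }}`, and the same `{{- tpl ... | nindent 8 | trim }}` form in both. Both helpers are complete within the hunk.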
@@ -345,6 +345,74 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# nodeSelector +@test "csi/daemonset: nodeSelector not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .nodeSelector? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: nodeSelector can be set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.nodeSelector=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: nodeSelector can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set "csi.pod.nodeSelector[0].foo=bar,csi.pod.nodeSelector[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector[0].foo == "bar" and .spec.template.spec.nodeSelector[1].baz == "qux"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# affinity +@test "csi/daemonset: affinity not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .affinity? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: affinity can be set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.affinity=foobar' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.affinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: affinity can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set "csi.pod.affinity.podAntiAffinity=foobar" \ + . | tee /dev/stderr | + yq '.spec.template.spec.affinity.podAntiAffinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # Extra Labels diff --git a/values.schema.json b/values.schema.json index e296426..7a7643b 100644 --- a/values.schema.json +++ b/values.schema.json @@ -136,6 +136,13 @@ "pod": { "type": "object", "properties": { + "affinity": { + "type": [ + "null", + "array", + "string" + ] + }, "annotations": { "type": [ "object", @@ -145,6 +152,13 @@ "extraLabels": { "type": "object" }, + "nodeSelector": { + "type": [ + "null", + "array", + "string" + ] + }, "tolerations": { "type": [ "null", diff --git a/values.yaml b/values.yaml index 2df0014..d80a043 100644 --- a/values.yaml +++ b/values.yaml @@ -1065,6 +1065,17 @@ csi: # in a PodSpec. tolerations: [] + # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: [] + + # Affinity Settings + # This should be either a multi-line string or YAML matching the PodSpec's affinity field. + affinity: {} + # Extra labels to attach to the vault-csi-provider pod # This should be a YAML map of the labels to apply to the csi provider pod extraLabels: {} From 1be10380d179dc20de58f71cf139e937046da19b Mon Sep 17 00:00:00 2001 
From: "hashicorp-copywrite[bot]" <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Date: Mon, 5 Jun 2023 15:50:09 -0700 Subject: [PATCH 034/113] [COMPLIANCE] Add Copyright and License Headers (#905) Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> --- .github/actions/setup-test-tools/action.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/actions/setup-test-tools/action.yaml b/.github/actions/setup-test-tools/action.yaml index d666e23..6da07b5 100644 --- a/.github/actions/setup-test-tools/action.yaml +++ b/.github/actions/setup-test-tools/action.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + name: Setup common testing tools description: Install bats and python-yq runs: From cd30d9890a72e0897ab4224d4224d6f1e51293a7 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 6 Jun 2023 22:51:14 -0700 Subject: [PATCH 035/113] csi: update affinity and nodeselector schema (#907) array -> object --- test/unit/csi-daemonset.bats | 6 +++--- values.schema.json | 4 ++-- values.yaml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 97bc86d..e1fd0ef 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -373,9 +373,9 @@ load _helpers local actual=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set "csi.pod.nodeSelector[0].foo=bar,csi.pod.nodeSelector[1].baz=qux" \ + --set "csi.pod.nodeSelector.foo=bar,csi.pod.nodeSelector.baz=qux" \ . | tee /dev/stderr | - yq '.spec.template.spec.nodeSelector[0].foo == "bar" and .spec.template.spec.nodeSelector[1].baz == "qux"' | tee /dev/stderr) + yq '.spec.template.spec.nodeSelector.foo == "bar" and .spec.template.spec.nodeSelector.baz == "qux"' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -830,4 +830,4 @@ load _helpers local value=$(echo $object | yq -r '.limits.cpu' | tee /dev/stderr) [ "${value}" = "500m" ] -} \ No newline at end of file +} diff --git a/values.schema.json b/values.schema.json index 7a7643b..ecb97de 100644 --- a/values.schema.json +++ b/values.schema.json @@ -139,7 +139,7 @@ "affinity": { "type": [ "null", - "array", + "object", "string" ] }, @@ -155,7 +155,7 @@ "nodeSelector": { "type": [ "null", - "array", + "object", "string" ] }, diff --git a/values.yaml b/values.yaml index d80a043..15852c8 100644 --- a/values.yaml +++ b/values.yaml @@ -1070,7 +1070,7 @@ csi: # Example: # nodeSelector: # beta.kubernetes.io/arch: amd64 - nodeSelector: [] + nodeSelector: {} # Affinity Settings # This should be either a multi-line string or YAML matching the PodSpec's affinity field. From 38335f81c61f88f729d761f49aeed5fad35fed7a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Jun 2023 10:54:53 +0100 Subject: [PATCH 036/113] Bump actions/checkout from 3.5.2 to 3.5.3 (#910) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.2 to 3.5.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e5e7e5ab8b370d6c329ec480221332ada57f0ab...c85c95e3d7251135ab7dc9ce3241c5835cc595a9) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/acceptance.yaml | 2 +- .github/workflows/tests.yaml | 4 ++-- .github/workflows/update-helm-charts-index.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index b5ef45a..4c8720d 100644 
--- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -8,7 +8,7 @@ jobs: kind-k8s-version: [1.22.17, 1.23.17, 1.24.13, 1.25.9, 1.26.4, 1.27.2] runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup test tools uses: ./.github/actions/setup-test-tools - name: Create K8s Kind Cluster diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 6e90a09..9914138 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -4,7 +4,7 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: ./.github/actions/setup-test-tools - run: bats --tap --timing ./test/unit chart-verifier: @@ -12,7 +12,7 @@ jobs: env: CHART_VERIFIER_VERSION: '1.10.1' steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup test tools uses: ./.github/actions/setup-test-tools - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml index 450cc1d..11c11ba 100644 --- a/.github/workflows/update-helm-charts-index.yml +++ b/.github/workflows/update-helm-charts-index.yml @@ -11,7 +11,7 @@ jobs: update-helm-charts-index: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: verify Chart version matches tag version run: |- export TAG=${{ github.ref_name }} From 785a5e7c123e5d69bbf3d08fb4e8ff875e48e6b3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Jun 2023 11:24:45 +0100 Subject: [PATCH 037/113] Bump actions/setup-go from 4.0.0 to 4.0.1 (#891) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 9914138..ea3e7b5 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup test tools uses: ./.github/actions/setup-test-tools - - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: '1.19.2' - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" From a86803d5c8ae72912514793b4fccfb938a698ac3 Mon Sep 17 00:00:00 2001 From: Daniel Kimsey <90741+dekimsey@users.noreply.github.com> Date: Mon, 19 Jun 2023 09:57:16 -0500 Subject: [PATCH 038/113] ci: Fix yq command syntax (#881) The original CCI version used an older version of yq. The syntax changed and this was missed when ported. Co-authored-by: Tom Proctor --- .github/workflows/update-helm-charts-index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml index 11c11ba..55cebb5 100644 --- a/.github/workflows/update-helm-charts-index.yml +++ b/.github/workflows/update-helm-charts-index.yml @@ -16,7 +16,7 @@ jobs: run: |- export TAG=${{ github.ref_name }} git_tag="${TAG#v}" - chart_tag=$(yq r Chart.yaml version) + chart_tag=$(yq -r '.version' Chart.yaml) if [ "${git_tag}" != "${chart_tag}" ]; then echo "chart version (${chart_tag}) did not match git version (${git_tag})" exit 1 From e2711a2002df36caef2efc3878806a2b9f29952d Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 26 Jun 2023 16:00:04 +0100 Subject: [PATCH 039/113] Prepare for 0.25.0 release (#916) * Prepare for 0.25.0 release * Update CSI acceptance test assertion Starting in 1.4.0, the CSI provider caches Vault tokens locally. The main thing we want to check is that the Agent cache is being used so that it's doing the renewal legwork for any leased secrets, so check for the renewal log message instead because CSI won't auth over and over anymore. --- CHANGELOG.md | 11 +++++++---- Chart.yaml | 6 +++--- test/acceptance/csi.bats | 6 +++--- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 4 ++-- values.yaml | 8 ++++---- 7 files changed, 23 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eabf9fe..f3c466f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
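Review bot: `yq -r '.version' Chart.yaml` depends on whichever `yq` the runner image happens to provide; the jq-style form works with python-yq and mikefarah yq v4 but not with the v2 `yq r` syntax it replaces, and nothing in this hunk installs or pins the tool (an earlier step may, outside the hunk). Since this step gates the release-index update, a drift of the preinstalled binary on the runner would surface as a confusing `chart version () did not match git version` failure. Installing a pinned yq in the job, for example via the repo's `./.github/actions/setup-test-tools` action, which installs python-yq per its description in the copyright-header patch below, would make the check reproducible. The failure mode is fail-closed (`exit 1`), so this is an availability concern rather than an integrity one.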
@@ -1,11 +1,17 @@ ## Unreleased +## 0.25.0 (June 26, 2023) + Changes: * Latest Kubernetes version tested is now 1.27 * server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902) +* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) +* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) -Features: +Improvements: * CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862) +* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) +* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916) Bugs: * server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) @@ -45,9 +51,6 @@ Features: Bugs: * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) -Improvements: -* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) - ## 0.22.1 (October 26th, 2022) Changes: diff --git a/Chart.yaml b/Chart.yaml index 1803a52..104b05f 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,9 +3,9 @@ apiVersion: v2 name: vault -version: 0.24.1 -appVersion: 1.13.1 -kubeVersion: ">= 1.22.0-0" +version: 0.25.0 +appVersion: 1.14.0 +kubeVersion: ">= 1.20.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png 
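Review bot: `kubeVersion: ">= 1.20.0-0"` now admits clusters two minor versions older than the oldest entry in the acceptance matrix (`1.22.17` in .github/workflows/acceptance.yaml), so the chart advertises an installation floor that CI does not exercise; the CHANGELOG entry in the same commit says this is deliberate. A comment next to the constraint would keep the two from drifting silently: `# Installable on 1.20+; only 1.22+ is exercised by CI (see .github/workflows/acceptance.yaml).` If the PSP-related templates listed in the later namespace patch still render on those older versions, that is worth stating there too, though I cannot confirm their gating from here.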
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index d454364..aa6edc4 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -55,16 +55,16 @@ load _helpers for i in $(seq 10); do sleep 2 - if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "returning cached response: path=/v1/auth/kubernetes/login")" ]; then + if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then echo "Agent returned a cached login response" return fi - echo "Waiting for a cached response from Agent..." + echo "Waiting to confirm the Agent is renewing CSI's auth token..." done # Print the logs and fail the test - echo "Failed to find a log for a cached Agent response" + echo "Failed to find a log for the Agent renewing CSI's auth token" kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider exit 1 diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 911cf8d..264be67 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
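Review bot: The success message is now stale: the loop greps for `secret renewed: path=/v1/auth/kubernetes/login`, but the `echo` immediately after it still prints `Agent returned a cached login response`, which will mislead anyone reading the acceptance log. Change it to `echo "Agent is renewing CSI's auth token"` to match the waiting and failure messages the commit already updated. The match also depends on the exact wording of an Agent log line, an implicit contract with the vault binary that the next image bump can break; a comment recording the Agent/CSI versions it was verified against (1.14.0 / 1.4.0 per this commit) would help. The enclosing test function starts outside the hunk.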
@@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index c63f763..15025c9 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index da71dcf..6e575e4 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -13,9 +13,9 @@ injector: agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.13.1-ubi" + tag: "1.14.0-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.13.1-ubi" + tag: "1.14.0-ubi" diff --git a/values.yaml b/values.yaml index 15852c8..58eb8a2 100644 --- a/values.yaml +++ b/values.yaml 
@@ -73,7 +73,7 @@ injector:
 # required.
 agentImage:
 repository: "hashicorp/vault"
- tag: "1.13.1"
+ tag: "1.14.0"
 # The default values for the injected Vault Agent containers.
 agentDefaults:
@@ -374,7 +374,7 @@ server:
 image:
 repository: "hashicorp/vault"
- tag: "1.13.1"
+ tag: "1.14.0"
 # Overrides the default Image Pull Policy
 pullPolicy: IfNotPresent
@@ -1001,7 +1001,7 @@ csi:
 image:
 repository: "hashicorp/vault-csi-provider"
- tag: "1.3.0"
+ tag: "1.4.0"
 pullPolicy: IfNotPresent
 # volumes is a list of volumes made available to all containers. These are rendered
@@ -1086,7 +1086,7 @@ csi:
 image:
 repository: "hashicorp/vault"
- tag: "1.13.1"
+ tag: "1.14.0"
 pullPolicy: IfNotPresent
 logFormat: standard
From 9a16496e869abd8b5c6d63ee5119427e9cf2d353 Mon Sep 17 00:00:00 2001
From: KhizerJaan <73934880+KhizerJaan@users.noreply.github.com> Date: Tue, 4 Jul 2023 18:30:35 +0500 Subject: [PATCH 040/113] Allows the release namespace to be overridden (#909) --- CHANGELOG.md | 6 ++++++ templates/_helpers.tpl | 7 ++++++ templates/csi-agent-configmap.yaml | 4 ++-- templates/csi-clusterrolebinding.yaml | 2 +- templates/csi-daemonset.yaml | 4 ++-- templates/csi-role.yaml | 1 + templates/csi-rolebinding.yaml | 3 ++- templates/csi-serviceaccount.yaml | 2 +- templates/injector-certs-secret.yaml | 2 +- templates/injector-clusterrolebinding.yaml | 2 +- templates/injector-deployment.yaml | 6 +++--- templates/injector-disruptionbudget.yaml | 2 +- templates/injector-mutating-webhook.yaml | 2 +- templates/injector-psp-role.yaml | 2 +- templates/injector-psp-rolebinding.yaml | 2 +- templates/injector-role.yaml | 2 +- templates/injector-rolebinding.yaml | 4 ++-- templates/injector-service.yaml | 2 +- templates/injector-serviceaccount.yaml | 2 +- templates/prometheus-servicemonitor.yaml | 2 +- templates/server-clusterrolebinding.yaml | 2 +- templates/server-config-configmap.yaml | 2 +- templates/server-discovery-role.yaml | 2 +- templates/server-discovery-rolebinding.yaml | 4 ++-- templates/server-disruptionbudget.yaml | 2 +- templates/server-ha-active-service.yaml | 2 +- templates/server-ha-standby-service.yaml | 2 +- templates/server-headless-service.yaml | 2 +- templates/server-ingress.yaml | 2 +- templates/server-psp-role.yaml | 2 +- templates/server-psp-rolebinding.yaml | 2 +- templates/server-route.yaml | 2 +- templates/server-service.yaml | 2 +- templates/server-serviceaccount.yaml | 2 +- templates/server-statefulset.yaml | 2 +- templates/tests/server-test.yaml | 4 ++-- templates/ui-service.yaml | 2 +- test/unit/csi-agent-configmap.bats | 19 ++++++++++++++++ test/unit/csi-clusterrolebinding.bats | 20 +++++++++++++++++ test/unit/csi-daemonset.bats | 20 +++++++++++++++++ test/unit/csi-role.bats | 19 ++++++++++++++++ test/unit/csi-rolebinding.bats | 19 
++++++++++++++++ test/unit/csi-serviceaccount.bats | 20 +++++++++++++++++ test/unit/injector-clusterrolebinding.bats | 19 ++++++++++++++++ test/unit/injector-deployment.bats | 19 ++++++++++++++++ test/unit/injector-disruptionbudget.bats | 19 ++++++++++++++++ test/unit/injector-leader-elector.bats | 24 +++++++++++++++++++++ test/unit/injector-mutating-webhook.bats | 8 +++++++ test/unit/injector-psp-role.bats | 21 ++++++++++++++++++ test/unit/injector-psp-rolebinding.bats | 21 ++++++++++++++++++ test/unit/injector-service.bats | 17 +++++++++++++++ test/unit/injector-serviceaccount.bats | 17 +++++++++++++++ test/unit/server-clusterrolebinding.bats | 17 +++++++++++++++ test/unit/server-configmap.bats | 17 +++++++++++++++ test/unit/server-discovery-role.bats | 19 ++++++++++++++++ test/unit/server-discovery-rolebinding.bats | 19 ++++++++++++++++ test/unit/server-ha-active-service.bats | 19 ++++++++++++++++ test/unit/server-ha-disruptionbudget.bats | 19 ++++++++++++++++ test/unit/server-ha-standby-service.bats | 19 ++++++++++++++++ test/unit/server-headless-service.bats | 19 ++++++++++++++++ test/unit/server-ingress.bats | 19 ++++++++++++++++ test/unit/server-psp-role.bats | 19 ++++++++++++++++ test/unit/server-psp-rolebinding.bats | 19 ++++++++++++++++ test/unit/server-route.bats | 21 ++++++++++++++++++ test/unit/server-service.bats | 19 ++++++++++++++++ test/unit/server-serviceaccount.bats | 19 ++++++++++++++++ test/unit/server-statefulset.bats | 19 ++++++++++++++++ values.schema.json | 3 +++ values.yaml | 3 +++ 69 files changed, 627 insertions(+), 41 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3c466f..3e59ade 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,11 @@
 ## Unreleased
+Bugs:
+* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
+
+Improvements:
+* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
+
 ## 0.25.0 (June 26, 2023)
 Changes:
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index dafac37..d796ab5 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -36,6 +36,13 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+{{/*
+Allow the release namespace to be overridden
+*/}}
+{{- define "vault.namespace" -}}
+{{- default .Release.Namespace .Values.global.namespace -}}
+{{- end -}}
+
 {{/*
 Compute if the csi driver is enabled.
 */}}
diff --git a/templates/csi-agent-configmap.yaml b/templates/csi-agent-configmap.yaml
index 7af08e8..18cdb04 100644
--- a/templates/csi-agent-configmap.yaml
+++ b/templates/csi-agent-configmap.yaml
@@ -9,7 +9,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: {{ template "vault.fullname" . }}-csi-provider-agent-config
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 labels:
 helm.sh/chart: {{ include "vault.chart" . }}
 app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
@@ -21,7 +21,7 @@ data:
 {{- if .Values.global.externalVaultAddr }}
 "address" = "{{ .Values.global.externalVaultAddr }}"
 {{- else }}
- "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}"
+ "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}"
 {{- end }}
 }
diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml
index d5a9346..506ec94 100644
--- a/templates/csi-clusterrolebinding.yaml
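Review bot: The comment on the new `vault.namespace` helper should spell out the precedence it implements, since every namespaced resource in the chart now depends on it: `global.namespace` wins when it is a non-empty string, otherwise `.Release.Namespace` is used (Helm's `default` treats an empty string as unset). The same comment is the right place to state the operational consequence: with an override, Helm's release record stays in the `--namespace` passed on the command line while the chart's Secrets, Roles, RoleBindings and ServiceAccounts are created in `global.namespace`, so the installing identity needs RBAC in both namespaces and anyone auditing where Vault's objects live must look at the override, not the release namespace. The helper itself does no validation, so a value that is not a DNS label only fails at apply time; values.schema.json is touched by this commit but its hunk is not visible here, so I cannot tell whether the type or pattern is constrained there.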
+++ b/templates/csi-clusterrolebinding.yaml
@@ -20,5 +20,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ template "vault.fullname" . }}-csi-provider
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 {{- end }}
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
index 28e7cd0..1436ff9 100644
--- a/templates/csi-daemonset.yaml
+++ b/templates/csi-daemonset.yaml
@@ -9,7 +9,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
 name: {{ template "vault.fullname" . }}-csi-provider
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 labels:
 app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
 app.kubernetes.io/instance: {{ .Release.Name }}
@@ -71,7 +71,7 @@ spec:
 {{- else if .Values.global.externalVaultAddr }}
 value: "{{ .Values.global.externalVaultAddr }}"
 {{- else }}
- value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+ value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
 {{- end }}
 volumeMounts:
 - name: providervol
diff --git a/templates/csi-role.yaml b/templates/csi-role.yaml
index dd23af6..17e1918 100644
--- a/templates/csi-role.yaml
+++ b/templates/csi-role.yaml
@@ -9,6 +9,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: {{ template "vault.fullname" . }}-csi-provider-role
+ namespace: {{ include "vault.namespace" . }}
 labels:
 app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/templates/csi-rolebinding.yaml b/templates/csi-rolebinding.yaml
index e61f2dc..3d3b981 100644
--- a/templates/csi-rolebinding.yaml
+++ b/templates/csi-rolebinding.yaml
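Review bot: Adding `namespace:` to the CSI Role is the "bug" the changelog refers to, and it is an RBAC-scoping fix rather than cosmetics: a RoleBinding's `roleRef` only resolves a Role in the binding's own namespace, so a `helm template | kubectl apply` flow could previously place the Role and RoleBinding in the kubectl context namespace while the ServiceAccount lived in the release namespace, leaving the CSI provider without the permissions it expects or granting them in an unintended namespace. The same field is added to csi-rolebinding.yaml in the first hunk of the next line. The unit tests added for these files check only `.metadata.namespace` one file at a time; a test asserting that the Role, the RoleBinding and the binding's `subjects[0].namespace` all render to the same value would lock the invariant in.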
@@ -9,6 +9,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
+ namespace: {{ include "vault.namespace" . }}
 labels:
 app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
 app.kubernetes.io/instance: {{ .Release.Name }}
@@ -20,5 +21,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ template "vault.fullname" . }}-csi-provider
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 {{- end }}
diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml
index 25e123e..6327a7b 100644
--- a/templates/csi-serviceaccount.yaml
+++ b/templates/csi-serviceaccount.yaml
@@ -9,7 +9,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ template "vault.fullname" . }}-csi-provider
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 labels:
 app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml
index 3e5ddb7..f6995af 100644
--- a/templates/injector-certs-secret.yaml
+++ b/templates/injector-certs-secret.yaml
@@ -10,7 +10,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: vault-injector-certs
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 labels:
 app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml
index 9253e4f..82cbce0 100644
--- a/templates/injector-clusterrolebinding.yaml
+++ b/templates/injector-clusterrolebinding.yaml
@@ -20,5 +20,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ template "vault.fullname" . }}-agent-injector
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 {{ end }}
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index fbf32c0..822e8e4 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -10,7 +10,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ template "vault.fullname" . }}-agent-injector
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 labels:
 app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
 app.kubernetes.io/instance: {{ .Release.Name }}
@@ -64,7 +64,7 @@ spec:
 {{- else if .Values.injector.externalVaultAddr }}
 value: "{{ .Values.injector.externalVaultAddr }}"
 {{- else }}
- value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+ value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
 {{- end }}
 - name: AGENT_INJECT_VAULT_AUTH_PATH
 value: {{ .Values.injector.authPath }}
@@ -79,7 +79,7 @@ spec:
 - name: AGENT_INJECT_TLS_AUTO
 value: {{ template "vault.fullname" . }}-agent-injector-cfg
 - name: AGENT_INJECT_TLS_AUTO_HOSTS
- value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
+ value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc
 {{- end }}
 - name: AGENT_INJECT_LOG_FORMAT
 value: {{ .Values.injector.logFormat | default "standard" }}
diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml
index 6ae714b..2b2a61c 100644
--- a/templates/injector-disruptionbudget.yaml
+++ b/templates/injector-disruptionbudget.yaml
@@ -8,7 +8,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: {{ template "vault.fullname" . }}-agent-injector
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 labels:
 helm.sh/chart: {{ include "vault.chart" . }}
 app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index d03cd13..b1de1ee 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -28,7 +28,7 @@ webhooks:
 clientConfig:
 service:
 name: {{ template "vault.fullname" . }}-agent-injector-svc
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 path: "/mutate"
 caBundle: {{ .Values.injector.certs.caBundle | quote }}
 rules:
diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml
index 65d8e9b..a07f8f6 100644
--- a/templates/injector-psp-role.yaml
+++ b/templates/injector-psp-role.yaml
@@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: {{ template "vault.fullname" . }}-agent-injector-psp
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 labels:
 app.kubernetes.io/name: {{ include "vault.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml
index 48a3a26..3c97e8d 100644
--- a/templates/injector-psp-rolebinding.yaml
+++ b/templates/injector-psp-rolebinding.yaml
@@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ template "vault.fullname" . }}-agent-injector-psp
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "vault.namespace" . }}
 labels:
 app.kubernetes.io/name: {{ include "vault.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index df7b0ed..b2ad0c7 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index 0848e43..6ad25ca 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} @@ -22,6 +22,6 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{- end }} {{- end }} \ No newline at end of file diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 5b20692..1479cd1 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index 9b5c2f6..2f91c3d 100644 
--- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/prometheus-servicemonitor.yaml b/templates/prometheus-servicemonitor.yaml index 60f2729..25d30a4 100644 --- a/templates/prometheus-servicemonitor.yaml +++ b/templates/prometheus-servicemonitor.yaml @@ -45,5 +45,5 @@ spec: insecureSkipVerify: true namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "vault.namespace" . }} {{ end }} diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index b694129..14ec838 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -25,5 +25,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{ end }} \ No newline at end of file diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index 5d29e98..5c66057 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -12,7 +12,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "vault.fullname" . }}-config - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index adae42a..0cbdefa 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml 
@@ -10,7 +10,7 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} name: {{ template "vault.fullname" . }}-discovery-role labels: helm.sh/chart: {{ include "vault.chart" . }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 853ee87..87b0f61 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -15,7 +15,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-discovery-rolebinding - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} @@ -28,7 +28,7 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{ end }} {{ end }} {{ end }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 3ff1109..bbe9eb2 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -13,7 +13,7 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 58d540f..2a3375a 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml 
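Review bot: The hunk header for server-discovery-rolebinding.yaml shows the resource declared as `apiVersion: rbac.authorization.k8s.io/v1beta1`; that line is context rather than part of this change, but if it is still current the RoleBinding will not apply on clusters where the v1beta1 RBAC API has been removed, whichever namespace it is rendered into. Since the commit already touches this file twice, switching it to `apiVersion: rbac.authorization.k8s.io/v1`, which the server-discovery-role.yaml hunk just above already uses, is a one-line follow-up. The namespace substitutions in this hunk and in the server-disruptionbudget.yaml hunk on the same line are consistent with the rest of the series.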
@@ -14,7 +14,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-active - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index b9f6435..27fdfce 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -14,7 +14,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-standby - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index 42e1aa0..4df81e2 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -12,7 +12,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-internal - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 3aba668..d796bae 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -21,7 +21,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index 0c8c983..64cd6c5 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml 
@@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index 9b975d5..342f553 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/server-route.yaml b/templates/server-route.yaml index 3f35aef..4e95555 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml @@ -14,7 +14,7 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 8e34c88..444b15e 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -12,7 +12,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index e154f8d..216ea61 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml 
@@ -9,7 +9,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 7ab7de8..519d421 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -12,7 +12,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index 59b1501..2c577aa 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -10,7 +10,7 @@ apiVersion: v1 kind: Pod metadata: name: "{{ .Release.Name }}-server-test" - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} annotations: "helm.sh/hook": test spec: @@ -21,7 +21,7 @@ spec: imagePullPolicy: {{ .Values.server.image.pullPolicy }} env: - name: VAULT_ADDR - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} command: - /bin/sh diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index 4b2e8f7..261732b 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml 
@@ -12,7 +12,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-ui - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }}-ui diff --git a/test/unit/csi-agent-configmap.bats b/test/unit/csi-agent-configmap.bats index 4ae4a30..515e4c8 100644 --- a/test/unit/csi-agent-configmap.bats +++ b/test/unit/csi-agent-configmap.bats @@ -21,6 +21,25 @@ load _helpers [ "${actual}" = "release-name-vault-csi-provider-agent-config" ] } +@test "csi/Agent-ConfigMap: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index ccd98c5..6490d2c 100644 --- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats 
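Review bot: The new csi-agent-configmap.bats test asserts only `.metadata.namespace`, while the template change for this file also rewrote the Vault address inside the agent config to `...{{ include "vault.namespace" . }}.svc:...`, and nothing here checks that the rendered config points at `bar`. A second assertion on the config's data entry (its key name is not visible in this diff) containing `.bar.svc:` would catch the regression where the object moves namespace but the agent keeps dialling the old namespace's service. The same gap applies to the csi-daemonset test on the next line (the container's `VAULT_ADDR` env) and to the injector-deployment test later in this series (`AGENT_INJECT_VAULT_ADDR` and `AGENT_INJECT_TLS_AUTO_HOSTS`), where a wrong SAN list would surface only as a TLS failure at runtime.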
@@ -41,4 +41,24 @@ load _helpers . | tee /dev/stderr | yq -r '.subjects[0].name' | tee /dev/stderr) [ "${actual}" = "release-name-vault-csi-provider" ] +} + +# ClusterRoleBinding service account namespace +@test "csi/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] } \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index e1fd0ef..d3d4221 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -30,6 +30,26 @@ load _helpers [ "${actual}" = "true" ] } +# namespace +@test "csi/daemonset: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + # priorityClassName @test "csi/daemonset: priorityClassName not set by default" { diff --git a/test/unit/csi-role.bats b/test/unit/csi-role.bats index e7eb7e6..88f7d05 100644 --- a/test/unit/csi-role.bats +++ b/test/unit/csi-role.bats 
@@ -27,6 +27,25 @@ load _helpers [ "${actual}" = "vault-csi-provider-hmac-key" ] } +@test "csi/Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "csi/Role: HMAC secret name configurable" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/csi-rolebinding.bats b/test/unit/csi-rolebinding.bats index caf368b..dc4a1af 100644 --- a/test/unit/csi-rolebinding.bats +++ b/test/unit/csi-rolebinding.bats @@ -19,4 +19,23 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) [ "${actual}" = "release-name-vault-csi-provider-rolebinding" ] +} + +@test "csi/RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] } \ No newline at end of file diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 41c1734..aa89749 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats 
@@ -32,6 +32,26 @@ load _helpers [ "${actual}" = "release-name-vault-csi-provider" ] } +# serviceAccountNamespace namespace +@test "csi/daemonset: serviceAccountNamespace namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "csi/serviceAccount: specify annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-clusterrolebinding.bats b/test/unit/injector-clusterrolebinding.bats index 6e21787..e997ebd 100755 --- a/test/unit/injector-clusterrolebinding.bats +++ b/test/unit/injector-clusterrolebinding.bats @@ -20,3 +20,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "injector/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-clusterrolebinding.yaml \ + --set "injector.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-clusterrolebinding.yaml \ + --set "injector.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 7723a15..7b2bb5a 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
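Review bot: The test added to csi-serviceaccount.bats is named `csi/daemonset: serviceAccountNamespace namespace` and headed with `# serviceAccountNamespace namespace`, but it renders templates/csi-serviceaccount.yaml; a mismatched name makes bats output and grep-driven triage of failures misleading. Following the file's existing naming seen in the context line (`csi/serviceAccount: ...`), `@test "csi/serviceAccount: namespace" {` with the comment `# namespace` would match. The injector-clusterrolebinding.bats hunk on the same line is consistent with the other new tests.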
@@ -42,6 +42,25 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/deployment: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/deployment: image defaults to injector.image" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index 72be93f..4ce5515 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats @@ -11,6 +11,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/DisruptionBudget: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index bbd4829..e72354a 100644 --- a/test/unit/injector-leader-elector.bats 
+++ b/test/unit/injector-leader-elector.bats @@ -96,6 +96,14 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-certs-secret.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/role: created/skipped as appropriate" { @@ -147,6 +155,14 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-role.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/rolebinding: created/skipped as appropriate" { @@ -198,4 +214,12 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-rolebinding.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 0a8be0a..fcf4e7b 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats 
@@ -40,6 +40,14 @@ load _helpers . | tee /dev/stderr | yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/MutatingWebhookConfiguration: caBundle is empty string" { diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats index 8e7acd7..3dda504 100644 --- a/test/unit/injector-psp-role.bats +++ b/test/unit/injector-psp-role.bats @@ -33,3 +33,24 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/PodSecurityPolicy-Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp-role.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-psp-role.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats index 88bfe79..62afe7b 100644 --- a/test/unit/injector-psp-rolebinding.bats +++ b/test/unit/injector-psp-rolebinding.bats 
@@ -33,3 +33,24 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/PodSecurityPolicy-RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index 027eaa0..b5eea49 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats @@ -18,6 +18,23 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/Service: service with default port" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-serviceaccount.bats b/test/unit/injector-serviceaccount.bats index bf178a3..f7ba319 100755 --- a/test/unit/injector-serviceaccount.bats +++ b/test/unit/injector-serviceaccount.bats 
@@ -21,6 +21,23 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/ServiceAccount: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-serviceaccount.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-serviceaccount.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/ServiceAccount: generic annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats index 9d05aea..d80f05f 100755 --- a/test/unit/server-clusterrolebinding.bats +++ b/test/unit/server-clusterrolebinding.bats @@ -71,3 +71,20 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "server/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-clusterrolebinding.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-clusterrolebinding.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats index fe2ac12..eea7e70 100755 --- a/test/unit/server-configmap.bats +++ b/test/unit/server-configmap.bats 
@@ -75,6 +75,23 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ConfigMap: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-config-configmap.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-config-configmap.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ConfigMap: standalone extraConfig is set" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats index 11473a0..f17dcf4 100755 --- a/test/unit/server-discovery-role.bats +++ b/test/unit/server-discovery-role.bats @@ -39,3 +39,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/DiscoveryRole: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats index 568c240..83e8def 100755 --- a/test/unit/server-discovery-rolebinding.bats +++ b/test/unit/server-discovery-rolebinding.bats 
@@ -39,3 +39,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/DiscoveryRoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index d78f5d4..b7e2ec5 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats @@ -47,6 +47,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-active-Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ha-active-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 4cb3ae6..4daff30 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats 
@@ -53,6 +53,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/DisruptionBudget: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/DisruptionBudget: correct maxUnavailable with n=1" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 6698314..5f2654e 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -58,6 +58,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-standby-Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ha-standby-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 7c0e441..8a1f52f 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats 
@@ -35,3 +35,22 @@ load _helpers yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) [ "${actual}" = "release-name" ] } + +@test "server/headless-Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 0cc5b26..90ed0a2 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -11,6 +11,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ingress: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ingress: disable by injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ diff --git a/test/unit/server-psp-role.bats b/test/unit/server-psp-role.bats index 1d3e62c..28239b0 100644 --- a/test/unit/server-psp-role.bats +++ b/test/unit/server-psp-role.bats 
@@ -109,3 +109,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/PSP-Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-psp-rolebinding.bats b/test/unit/server-psp-rolebinding.bats index 4171219..4a4bae3 100644 --- a/test/unit/server-psp-rolebinding.bats +++ b/test/unit/server-psp-rolebinding.bats @@ -109,3 +109,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/PSP-RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index 51b1a30..a1716fb 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats 
@@ -24,6 +24,27 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/route: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/route: OpenShift - checking host entry gets added and path is /" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 70a5445..b84e5b1 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats @@ -113,6 +113,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/Service: disable with injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 2c82603..9a688a9 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats 
@@ -30,6 +30,25 @@ load _helpers } +@test "server/ServiceAccount: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.create=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ServiceAccount: specify annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 67cde81..7dc01f5 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -78,6 +78,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/standalone-StatefulSet: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" { cd `chart_dir` local actual=$(helm template \ diff --git a/values.schema.json b/values.schema.json index ecb97de..2aefb06 100644 --- a/values.schema.json +++ b/values.schema.json @@ -228,6 +228,9 @@ "enabled": { "type": "boolean" }, + "namespace": { + "type": "string" + }, "externalVaultAddr": { "type": "string" }, 
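Review bot: The new `global.namespace` entry in the values.schema.json hunk accepts any string, so a malformed value (uppercase, trailing space, a typo with an underscore) is only rejected by the API server at apply time instead of by `helm install`'s schema validation. Assuming the value is never a template expression (every test in this commit passes a plain name), a DNS-label constraint that still admits the empty default would catch it early: `"namespace": { "type": "string", "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "maxLength": 63 }`. The server-statefulset.bats hunk above needs nothing further.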
diff --git a/values.yaml b/values.yaml
index 58eb8a2..8538cd6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -8,6 +8,9 @@ global:
 # will enable or disable all the components within this chart by default.
 enabled: true
+ # The namespace to deploy to. Defaults to the `helm` installation namespace.
+ namespace: ""
+
 # Image pull secret to use for registry authentication.
 # Alternatively, the value may be specified as an array of strings.
 imagePullSecrets: []
From ec964a33eac6ccb617ce64cf507038673a195692 Mon Sep 17 00:00:00 2001
From: Johannes Siebel
Date: Tue, 15 Aug 2023 11:50:25 +0200
Subject: [PATCH 041/113] Allow scale to zero (#943)
---
 templates/_helpers.tpl | 6 +++++-
 test/unit/server-ha-statefulset.bats | 22 ++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index d796ab5..fc06838 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -156,7 +156,11 @@ Set's the replica count based on the different modes configured by user
 {{ if eq .mode "standalone" }}
 {{- default 1 -}}
 {{ else if eq .mode "ha" }}
- {{- .Values.server.ha.replicas | default 3 -}}
+ {{- if kindIs "int64" .Values.server.ha.replicas -}}
+ {{- .Values.server.ha.replicas -}}
+ {{ else }}
+ {{- 3 -}}
+ {{- end -}}
 {{ else }}
 {{- default 1 -}}
 {{ end }}
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index 06a0ca0..9bb5118 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
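Review bot: The comment on the new `global.namespace` key undersells its reach: per the tests in this commit it also rewrites the subject namespace on the ClusterRoleBindings and the webhook's `clientConfig.service.namespace`, and when it differs from `--namespace` the Helm release record presumably stays in the `--namespace` namespace while every object lands in `global.namespace`. I would state that in the comment, e.g. `# Namespace for every namespaced resource, the RBAC subjects and the webhook's service reference. Defaults to the helm installation namespace; when set, the release record still lives in the --namespace namespace.` That saves operators from discovering the split between release metadata and objects during an uninstall.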
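Review bot: The new `else` branch in `_helpers.tpl` silently substitutes 3 replicas for any value that is not an int64, so a mistyped values-file entry such as `replicas: "5"` (a YAML string) changes the HA cluster size with no error, and the test added in the next hunk only covers `null`. I also believe Helm decodes numbers from values files as float64 (the well-known `1e+06` rendering issue), in which case a plain `replicas: 5` in a values file would fall through to 3 as well and only `--set` would produce an int64; that is worth verifying with a test that passes `-f` rather than `--set`. I would accept int64 and float64, keep the default of 3 only for an unset value, and fail loudly on anything else, as below. The enclosing template definition starts above the hunk.
```gotemplate
{{ else if eq .mode "ha" }}
  {{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}}
    {{- .Values.server.ha.replicas | int -}}
  {{- else if kindIs "invalid" .Values.server.ha.replicas -}}
    {{- 3 -}}
  {{- else -}}
    {{- fail "server.ha.replicas must be an integer" -}}
  {{- end -}}
{{ else }}
```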
@@ -157,6 +157,28 @@ load _helpers
 [ "${actual}" = "10" ]
 }
+@test "server/ha-StatefulSet: zero replicas" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.ha.replicas=0' \
+ . | tee /dev/stderr |
+ yq -r '.spec.replicas' | tee /dev/stderr)
+ [ "${actual}" = "0" ]
+}
+
+@test "server/ha-StatefulSet: invalid value for replicas" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.ha.replicas=null' \
+ . | tee /dev/stderr |
+ yq -r '.spec.replicas' | tee /dev/stderr)
+ [ "${actual}" = "3" ]
+}
+
 #--------------------------------------------------------------------
 # resources
From 1e12d49d743445ab2d4c7f865b261460836129e7 Mon Sep 17 00:00:00 2001
From: gillcaleb
Date: Thu, 17 Aug 2023 09:05:50 -0400
Subject: [PATCH 042/113] Add optional long lived SA token (#923)
--------
Co-authored-by: Caleb Gill
---
 templates/_helpers.tpl | 11 +++
 templates/server-serviceaccount-secret.yaml | 21 ++++++
 test/unit/server-serviceaccount-secret.bats | 77 +++++++++++++++++++++
 values.schema.json | 3 +
 values.yaml | 6 ++
 5 files changed, 118 insertions(+)
 create mode 100644 templates/server-serviceaccount-secret.yaml
 create mode 100644 test/unit/server-serviceaccount-secret.bats
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index fc06838..d76971c 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -82,6 +82,17 @@ Compute if the server serviceaccount is enabled.
 (eq (.Values.global.enabled | toString) "true"))) -}}
 {{- end -}}
+{{/*
+Compute if the server serviceaccount should have a token created and mounted to the serviceaccount.
+*/}}
+{{- define "vault.serverServiceAccountSecretCreationEnabled" -}}
+{{- $_ := set . "serverServiceAccountSecretCreationEnabled"
+ (and
+ (eq (.Values.server.serviceAccount.create | toString) "true")
+ (eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}}
+{{- end -}}
+
+
 {{/*
 Compute if the server auth delegator serviceaccount is enabled.
 */}}
diff --git a/templates/server-serviceaccount-secret.yaml b/templates/server-serviceaccount-secret.yaml
new file mode 100644
index 0000000..74d70f9
--- /dev/null
+++ b/templates/server-serviceaccount-secret.yaml
@@ -0,0 +1,21 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "vault.serverServiceAccountSecretCreationEnabled" . }}
+{{- if .serverServiceAccountSecretCreationEnabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "vault.serviceAccount.name" . }}-token
+ namespace: {{ include "vault.namespace" . }}
+ annotations:
+ kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }}
+ labels:
+ helm.sh/chart: {{ include "vault.chart" . }}
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: kubernetes.io/service-account-token
+{{ end }}
\ No newline at end of file
diff --git a/test/unit/server-serviceaccount-secret.bats b/test/unit/server-serviceaccount-secret.bats
new file mode 100644
index 0000000..2cfe333
--- /dev/null
+++ b/test/unit/server-serviceaccount-secret.bats
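Review bot: `vault.serverServiceAccountSecretCreationEnabled` gates only on `serviceAccount.create` and `createSecret`, whereas the helper ending at this hunk's first context line also requires `global.enabled` (and presumably a server-enabled condition that sits above the hunk). If the ServiceAccount template is gated by that fuller condition, `createSecret=true` on a disabled server still renders a `kubernetes.io/service-account-token` Secret annotated with a ServiceAccount that never exists. Mirroring the existing condition, at minimum adding `(eq (.Values.global.enabled | toString) "true")` inside the `and`, keeps the two templates in step.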
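Review bot: The new template mints a static, non-expiring credential (a `kubernetes.io/service-account-token` Secret is populated by the token controller and readable by anything with `get` on Secrets in that namespace), yet the file says nothing about it; the only warning lives in values.yaml two hunks down. I would add a header after the license block: `{{/* Renders a non-expiring token Secret for the server ServiceAccount, only when server.serviceAccount.create and createSecret are both true. The token is a long-lived credential; prefer projected / TokenRequest tokens unless a static token is genuinely required. */}}`. Reads of this Secret are also a sensible thing for the cluster audit policy to record. Minor: the closing `{{ end }}` has no trim marker and the file lacks a trailing newline.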
@@ -0,0 +1,77 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/ServiceAccountSecret: verify service account name match" { + cd `chart_dir` + + local actual=$( (helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.create=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.name=user-defined-ksa' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "user-defined-ksa-token" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-token" ] + +} + +@test "server/ServiceAccountSecret: annotation mapping to service account" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.name=user-defined-ksa' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) + [ "${actual}" = "user-defined-ksa" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.createSecret=true' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) + [ "${actual}" = "release-name-vault" ] + +} + +@test "server/ServiceAccountSecret: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'server.serviceAccount.createSecret=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'server.serviceAccount.createSecret=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + diff --git a/values.schema.json b/values.schema.json index 2aefb06..f08a98e 100644 --- a/values.schema.json +++ b/values.schema.json @@ -985,6 +985,9 @@ "extraLabels": { "type": "object" }, + "createSecret": { + "type": "boolean" + }, "name": { "type": "string" }, diff --git a/values.yaml b/values.yaml index 8538cd6..f70869a 100644 --- a/values.yaml +++ b/values.yaml 
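Review bot: The negative case that matters most, `server.serviceAccount.create=true` with `createSecret` left at its default, is not covered in the new server-serviceaccount-secret.bats; the first assertion disables `create` instead, so a regression that rendered the token Secret by default would pass these tests. Add a case using the existing `|| echo "---"` pattern with only `--set 'server.serviceAccount.create=true'` and `yq 'length > 0'` expected to be `false`. The remaining assertions cover the name and annotation mapping well.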
@@ -917,6 +917,12 @@ server:
 # The name of the service account to use.
 # If not set and create is true, a name is generated using the fullname template
 name: ""
+ # Create a Secret API object to store a non-expiring token for the service account.
+ # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default.
+ # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible.
+ # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
+ # serviceAccount.create must be equal to 'true' in order to use this feature.
+ createSecret: false
 # Extra annotations for the serviceAccount definition. This can either be
 # YAML or a YAML-formatted multi-line templated string map of the
 # annotations to apply to the serviceAccount.
From c7353d1aeaa7d1849f22efbf7a35f329708da527 Mon Sep 17 00:00:00 2001
From: Tanmay Pereira Naik <59953366+tanmay-pnaik@users.noreply.github.com>
Date: Wed, 23 Aug 2023 00:46:41 +0530
Subject: [PATCH 043/113] docs: Update outdated vaultproject.io/docs/ links (#935)
Signed-off-by: Tanmay Pereira Naik <59953366+tanmay-pnaik@users.noreply.github.com>
---
 README.md | 4 ++--
 templates/NOTES.txt | 2 +-
 values.yaml | 24 ++++++++++++------------
 3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 6e70143..256bd8b 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ cases of Vault on Kubernetes depending on the values provided.
 For full documentation on this Helm chart along with all the ways you can use Vault with Kubernetes, please see the
-[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/).
+[Vault and Kubernetes documentation](https://developer.hashicorp.com/vault/docs/platform/k8s).
 ## Prerequisites
@@ -39,5 +39,5 @@ $ helm install vault hashicorp/vault Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the [Vault -website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more +website](https://developer.hashicorp.com/vault/docs/platform/k8s/helm) along with more detailed installation instructions. diff --git a/templates/NOTES.txt b/templates/NOTES.txt index 8e26712..60d99a4 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt @@ -4,7 +4,7 @@ Thank you for installing HashiCorp Vault! Now that you have deployed Vault, you should look over the docs on using Vault with Kubernetes available here: -https://www.vaultproject.io/docs/ +https://developer.hashicorp.com/vault/docs Your release is named {{ .Release.Name }}. To learn more about the release, try: diff --git a/values.yaml b/values.yaml index f70869a..b10b3f1 100644 --- a/values.yaml +++ b/values.yaml @@ -465,7 +465,7 @@ server: # authDelegator enables a cluster role binding to be attached to the service # account. This cluster role binding can be used to setup Kubernetes auth - # method. https://www.vaultproject.io/docs/auth/kubernetes.html + # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes authDelegator: enabled: true @@ -712,7 +712,7 @@ server: # This configures the Vault Statefulset to create a PVC for data # storage when using the file or raft backend storage engines. - # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more + # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more dataStorage: enabled: true # Size of the PVC created 
@@ -731,7 +731,7 @@ server: # logs. Once Vault is deployed, initialized, and unsealed, Vault must # be configured to use this for audit logs. This will be mounted to # /vault/audit - # See https://www.vaultproject.io/docs/audit/index.html to know more + # See https://developer.hashicorp.com/vault/docs/audit to know more auditStorage: enabled: false # Size of the PVC created @@ -750,7 +750,7 @@ server: # and no initialization. This is useful for experimenting with Vault without # needing to unseal, store keys, et. al. All data is lost on restart - do not # use dev mode for anything other than experimenting. - # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more + # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more dev: enabled: false @@ -772,7 +772,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true @@ -815,12 +815,12 @@ server: replicas: 3 # Set the api_addr configuration for Vault HA - # See https://www.vaultproject.io/docs/configuration#api_addr + # See https://developer.hashicorp.com/vault/docs/configuration#api_addr # If set to null, this will be set to the Pod IP Address apiAddr: null # Set the cluster_addr confuguration for Vault HA - # See https://www.vaultproject.io/docs/configuration#cluster_addr + # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 clusterAddr: null 
@@ -838,7 +838,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true @@ -865,7 +865,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true @@ -1152,7 +1152,7 @@ csi: debug: false # Pass arbitrary additional arguments to vault-csi-provider. - # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments + # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments # for the available command line flags. extraArgs: [] @@ -1161,8 +1161,8 @@ csi: # the Vault configuration. There are a few examples included in the `config` sections above. # # For more information see: -# https://www.vaultproject.io/docs/configuration/telemetry -# https://www.vaultproject.io/docs/internals/telemetry +# https://developer.hashicorp.com/vault/docs/configuration/telemetry +# https://developer.hashicorp.com/vault/docs/internals/telemetry serverTelemetry: # Enable support for the Prometheus Operator. Currently, this chart does not support # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included From ea1c36922b8c807bb39deb3a14bef4123aecaf73 Mon Sep 17 00:00:00 2001 
From: Marco Lecheler Date: Wed, 23 Aug 2023 20:30:35 +0200 Subject: [PATCH 044/113] chore(test): use vault.fullname in Helm test (#912) --- templates/tests/server-test.yaml | 2 +- test/unit/server-test.bats | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index 2c577aa..20e2e5a 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -9,7 +9,7 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: v1 kind: Pod metadata: - name: "{{ .Release.Name }}-server-test" + name: {{ template "vault.fullname" . }}-server-test namespace: {{ include "vault.namespace" . }} annotations: "helm.sh/hook": test diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index de82f84..314703a 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats 
@@ -37,6 +37,33 @@ load _helpers #-------------------------------------------------------------------- +@test "server/standalone-server-test-Pod: default metadata.name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-server-test" ] +} + +@test "server/standalone-server-test-Pod: release metadata.name vault" { + cd `chart_dir` + local actual=$(helm template vault \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "vault-server-test" ] +} + +@test "server/standalone-server-test-Pod: release metadata.name foo" { + cd `chart_dir` + local actual=$(helm template foo \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "foo-vault-server-test" ] +} + @test "server/standalone-server-test-Pod: default server.standalone.enabled" { cd `chart_dir` local actual=$(helm template \ From 377b68f13ba87e3c4e1f03bf7eaa3d9ab5f34dec Mon Sep 17 00:00:00 2001 From: Arend Lapere Date: Fri, 25 Aug 2023 00:14:19 +0200 Subject: [PATCH 045/113] Add support for dual stack clusters (#833) --- CHANGELOG.md | 3 ++ templates/server-ha-active-service.yaml | 8 ++++ templates/server-ha-standby-service.yaml | 8 ++++ templates/server-headless-service.yaml | 8 ++++ templates/server-service.yaml | 8 ++++ templates/ui-service.yaml | 8 ++++ test/unit/server-headless-service.bats | 42 +++++++++++++++++++++ test/unit/server-service.bats | 42 +++++++++++++++++++++ test/unit/ui-service.bats | 47 +++++++++++++++++++++++- values.schema.json | 18 +++++++++ values.yaml | 30 +++++++++++++++ 11 files changed, 221 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e59ade..6ddd8bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,8 @@ ## Unreleased +Features: +* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) + Bugs: * csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 2a3375a..3220158 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -27,6 +27,14 @@ spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 27fdfce..e5d662b 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -26,6 +26,14 @@ spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index 4df81e2..c0f4d34 100644 
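Review bot: The `semverCompare ">= 1.23-0"` gate silently discards a user-supplied `ipFamilyPolicy`/`ipFamilies` on older clusters, so `RequireDualStack` renders as an ordinary single-stack Service with no warning instead of failing the install. An else branch makes the constraint explicit: `{{- else if or .Values.server.service.ipFamilyPolicy .Values.server.service.ipFamilies }}` / `{{- fail "server.service.ipFamilyPolicy/ipFamilies require Kubernetes >= 1.23" }}`. Nothing in the template validates the policy value either, so a typo such as `PreferDualstack` is only caught by the API server at apply time. The same eight-line block appears to be pasted into each server Service template in this commit; a named helper in `_helpers.tpl` taking the service values map would keep the copies from drifting.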
--- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -22,6 +22,14 @@ metadata: annotations: {{ template "vault.service.annotations" .}} spec: + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} clusterIP: None publishNotReadyAddresses: true ports: diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 444b15e..c12e190 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -24,6 +24,14 @@ spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index 261732b..9537084 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml 
@@ -20,6 +20,14 @@ metadata:
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- template "vault.ui.annotations" . }}
 spec:
+ {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+ {{- if .Values.ui.serviceIPFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.ui.serviceIPFamilies }}
+ ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ {{- end }}
 selector:
 app.kubernetes.io/name: {{ include "vault.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats
index 8a1f52f..df649be 100644
--- a/test/unit/server-headless-service.bats
+++ b/test/unit/server-headless-service.bats
@@ -53,4 +53,46 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] +} + +@test "server/headless-Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] +} + +@test "server/headless-Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} + +@test "server/headless-Service: Assert ipFamilyPolicy is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/headless-Service: Assert ipFamilies is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilies' | tee /dev/stderr) + [ "${actual}" = "null" ] } \ No newline at end of file diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index b84e5b1..040e9fa 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -467,3 +467,45 @@ load _helpers yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) [ "${actual}" = "null" ] } + +@test "server/Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] +} + +@test "server/Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} + +@test "server/Service: Assert ipFamilyPolicy is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/Service: Assert ipFamilies is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilies' | tee /dev/stderr) + [ "${actual}" = "null" ] +} \ No newline at end of file diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 384098f..dce0e5e 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats 
@@ -383,5 +383,50 @@ load _helpers . | tee /dev/stderr | yq '.spec.externalTrafficPolicy' | tee /dev/stderr) [ "${actual}" = "null" ] - } + +@test "ui/Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} + +@test "ui/Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] +} + +@test "server/Service: Assert ipFamilyPolicy is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --kube-version 1.22.0 \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/Service: Assert ipFamilies is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --kube-version 1.22.0 \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilies' | tee /dev/stderr) + [ "${actual}" = "null" ] +} \ No newline at end of file diff --git a/values.schema.json b/values.schema.json index f08a98e..39f0e02 100644 --- a/values.schema.json +++ b/values.schema.json @@ -967,6 +967,14 @@ }, "standbyNodePort": { "type": "integer" + }, + "ipFamilyPolicy": { + "type": "string" + }, + "ipFamilies": { + "type": [ + "array" + ] } } }, 
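Review bot: The two version-gate tests added to ui-service.bats are named `server/Service: ...` although they template `templates/ui-service.yaml`, so a failure would be reported under the wrong component. Rename them `ui/Service: Assert ipFamilyPolicy is not set if version below 1.23` and `ui/Service: Assert ipFamilies is not set if version below 1.23`, matching the two `ui/Service:` tests added just above them. The file is also left without a trailing newline after the change.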
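Review bot: The schema entries for `ipFamilyPolicy` and `ipFamilies` accept any string and any array, so the one place the chart could reject a bad value before the API server does is left open. Constrain them: `"ipFamilyPolicy": {"type": "string", "enum": ["", "SingleStack", "PreferDualStack", "RequireDualStack"]}` and `"ipFamilies": {"type": "array", "items": {"type": "string", "enum": ["IPv4", "IPv6"]}, "maxItems": 2}`. The empty string has to stay in the enum because the values.yaml change in this commit defaults `ipFamilyPolicy` to `""`.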
@@ -1143,6 +1151,16 @@ }, "targetPort": { "type": "integer" + }, + "serviceIPFamilyPolicy": { + "type": [ + "string" + ] + }, + "serviceIPFamilies": { + "type": [ + "array" + ] } } } diff --git a/values.yaml b/values.yaml index b10b3f1..c100c17 100644 --- a/values.yaml +++ b/values.yaml @@ -676,6 +676,21 @@ server: # or NodePort. #type: ClusterIP + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family policy, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + ipFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. + # Can be IPv4 and/or IPv6. + ipFamilies: [] + # Do not wait for pods to be ready before including them in the services' # targets. Does not apply to the headless service, which is used for # cluster-internal communication. 
@@ -979,6 +994,21 @@ ui: externalPort: 8200 targetPort: 8200 + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + serviceIPFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well + # Can be IPv4 and/or IPv6. + serviceIPFamilies: [] + # The externalTrafficPolicy can be set to either Cluster or Local # and is only valid for LoadBalancer and NodePort service types. # The default value is Cluster. From c3b2b14ffd8266a0ffc0fad0bd93dbcad57a06ea Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 24 Aug 2023 15:16:24 -0700 Subject: [PATCH 046/113] changelog++ (#946) --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ddd8bc..30f2850 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ Bugs: Improvements: * global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) +* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912) ## 0.25.0 (June 26, 2023) From 3387881451c7a8ff90485374190791965e0112a4 Mon Sep 17 00:00:00 2001 
From: Milan Rafaj <10629777+eufebius@users.noreply.github.com> Date: Mon, 18 Sep 2023 17:53:00 +0200 Subject: [PATCH 047/113] feat: add hostAliases for statefulset (#955) --- templates/server-statefulset.yaml | 4 ++++ test/unit/server-statefulset.bats | 22 ++++++++++++++++++++++ values.schema.json | 3 +++ values.yaml | 6 +++++- 4 files changed, 34 insertions(+), 1 deletion(-) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 519d421..f330927 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -61,6 +61,10 @@ spec: {{ template "vault.volumes" . }} - name: home emptyDir: {} + {{- if .Values.server.hostAliases }} + hostAliases: + {{ toYaml .Values.server.hostAliases | nindent 8}} + {{- end }} {{- if .Values.server.extraInitContainers }} initContainers: {{ toYaml .Values.server.extraInitContainers | nindent 8}} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 7dc01f5..de3ee2b 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -1826,6 +1826,28 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# hostAliases + +@test "server/StatefulSet: server.hostAliases not set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostAliases' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/StatefulSet: server.hostAliases is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.hostAliases[0]=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostAliases[]' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} + #-------------------------------------------------------------------- # extraPorts diff --git a/values.schema.json b/values.schema.json index 39f0e02..d1c87e0 100644 
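Review bot: `hostAliases` is rendered verbatim into the Vault server pod spec, and entries there are written to the pod's `/etc/hosts`, which under the usual resolver order takes precedence over DNS for the listed names; a wrong or malicious entry for the storage backend, seal/KMS, or an auth endpoint redirects those connections without any change to Vault's own config. That is acceptable for a values-level knob, but the values.yaml comment should say so, e.g. `# Note: entries override in-pod name resolution for the listed hostnames, including Vault's backend and seal endpoints; keep this list minimal and review changes to it.` The enclosing pod spec starts before this hunk, so I could not confirm from the hunk alone that `hostAliases:` lands at the same indent as `initContainers:` below it; the rendered output is worth checking once.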
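Review bot: The positive test sets `server.hostAliases[0]=foo`, a bare string, which is not a `HostAlias` object, so it proves only that the value passes through `toYaml`, not that a real entry renders at the pod-spec level with the expected shape. Use a realistic entry, `--set 'server.hostAliases[0].ip=127.0.0.1' --set 'server.hostAliases[0].hostnames[0]=chart-example.local'`, and assert on `.spec.template.spec.hostAliases[0].hostnames[0]`. That also exercises the same example the values.yaml comment in this commit shows.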
--- a/values.schema.json +++ b/values.schema.json @@ -740,6 +740,9 @@ } } }, + "hostAliases": { + "type": "array" + }, "image": { "type": "object", "properties": { diff --git a/values.yaml b/values.yaml index c100c17..78b41af 100644 --- a/values.yaml +++ b/values.yaml @@ -444,7 +444,11 @@ server: # - secretName: chart-example-tls # hosts: # - chart-example.local - + # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list. + hostAliases: [] + # - ip: 127.0.0.1 + # hostnames: + # - chart-example.local # OpenShift only - create a route to expose the service # By default the created route will be of type passthrough route: From b13201831d770e641687cd23a9b88512f52ce892 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 18 Sep 2023 13:17:00 -0700 Subject: [PATCH 048/113] changelog++ (#956) --- CHANGELOG.md | 1 + values.yaml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 30f2850..7c158f1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ Features: * server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) +* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955) Bugs: * csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) diff --git a/values.yaml b/values.yaml index 78b41af..938a197 100644 --- a/values.yaml +++ b/values.yaml @@ -444,11 +444,13 @@ server: # - secretName: chart-example-tls # hosts: # - chart-example.local + # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list. hostAliases: [] # - ip: 127.0.0.1 # hostnames: # - chart-example.local + # OpenShift only - create a route to expose the service # By default the created route will be of type passthrough route: From d3d472f94859273020161cb297f78558903a6e41 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Sep 2023 10:10:15 -0500 Subject: [PATCH 049/113] Bump actions/checkout from 3.5.3 to 4.1.0 (#957) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.3 to 4.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/c85c95e3d7251135ab7dc9ce3241c5835cc595a9...8ade135a41bc03ea155e62e844d188df1ea18608) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/acceptance.yaml | 2 +- .github/workflows/tests.yaml | 4 ++-- .github/workflows/update-helm-charts-index.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 4c8720d..c9696da 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -8,7 +8,7 @@ jobs: kind-k8s-version: [1.22.17, 1.23.17, 1.24.13, 1.25.9, 1.26.4, 1.27.2] runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: Setup test tools uses: ./.github/actions/setup-test-tools - name: Create K8s Kind Cluster diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index ea3e7b5..cedc407 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
@@ -4,7 +4,7 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - uses: ./.github/actions/setup-test-tools - run: bats --tap --timing ./test/unit chart-verifier: @@ -12,7 +12,7 @@ jobs: env: CHART_VERIFIER_VERSION: '1.10.1' steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: Setup test tools uses: ./.github/actions/setup-test-tools - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml index 55cebb5..7d4cca7 100644 --- a/.github/workflows/update-helm-charts-index.yml +++ b/.github/workflows/update-helm-charts-index.yml @@ -11,7 +11,7 @@ jobs: update-helm-charts-index: runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: verify Chart version matches tag version run: |- export TAG=${{ github.ref_name }} From 0f47d83f36814810ec4cd04d1ff020795ebe9693 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Sep 2023 10:14:19 -0500 Subject: [PATCH 050/113] Bump actions/setup-go from 4.0.1 to 4.1.0 (#938) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.1 to 4.1.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/fac708d6674e30b6ba41289acaab6d4b75aa0753...93397bea11091df50f3d7e59dc26a7711a8bcfbe) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index cedc407..25f344d 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: Setup test tools uses: ./.github/actions/setup-test-tools - - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: '1.19.2' - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" From 7728f8c6509a19cd8e38e15c04f38a8b8f3f6224 Mon Sep 17 00:00:00 2001 From: tekicat <39802899+tekicat@users.noreply.github.com> Date: Tue, 26 Sep 2023 21:28:54 +0100 Subject: [PATCH 051/113] Allow additional annotations for standby and active services via config (#896) * Allow additional annotations for standby and active services via config Co-authored-by: Kyle Schochenmaier --- templates/_helpers.tpl | 27 ++++++++++++++++++ templates/server-ha-active-service.yaml | 3 +- templates/server-ha-standby-service.yaml | 3 +- test/unit/server-ha-active-service.bats | 25 ++++++++++++++++ test/unit/server-ha-standby-service.bats | 36 ++++++++++++++++++++++++ values.schema.json | 12 ++++++++ values.yaml | 12 ++++++-- 7 files changed, 114 insertions(+), 4 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index d76971c..8d4599c 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -710,6 +710,33 @@ Sets extra vault server Service annotations {{- end }} {{- end -}} +{{/* +Sets extra vault server Service (active) annotations +*/}} +{{- define "vault.service.active.annotations" -}} + {{- if .Values.server.service.active.annotations }} + {{- $tp := typeOf .Values.server.service.active.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.active.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.active.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets extra vault server Service annotations +*/}} +{{- define "vault.service.standby.annotations" -}} + {{- if .Values.server.service.standby.annotations }} + {{- $tp := typeOf .Values.server.service.standby.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.standby.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.standby.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets PodSecurityPolicy annotations */}} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 3220158..9d2abfb 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -22,7 +22,8 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} vault-active: "true" annotations: -{{ template "vault.service.annotations" .}} +{{- template "vault.service.active.annotations" . }} +{{- template "vault.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index e5d662b..bae1e28 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
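Review bot: The doc comment above `vault.service.standby.annotations` reads `Sets extra vault server Service annotations`, copied from the generic helper, so it is indistinguishable from the one it sits next to; change it to `Sets extra vault server Service (standby) annotations`. There is also no blank line between the active helper's closing `{{- end -}}` and the next `{{/*` block, unlike the helpers around it. The two defines are identical apart from the values path, so a single helper that takes the annotations value as its argument would halve the copy and keep the string/map handling in one place.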
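Review bot: Both `vault.service.active.annotations` and `vault.service.annotations` now emit into the same `annotations:` mapping, so a key present in both `server.service.annotations` and `server.service.active.annotations` is rendered twice, with the active-specific value first; whether that is rejected or last-one-wins then depends on the YAML parser rather than on the chart. The precedence should be stated in values.yaml at minimum, e.g. `# Keys set here take precedence over the same key in server.service.annotations`, and when both values are maps the template could `merge` them into one dict before rendering so the outcome does not depend on the parser. The templated-string form cannot be merged that way, which is worth noting in the same comment.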
@@ -21,7 +21,8 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{ template "vault.service.annotations" .}} +{{- template "vault.service.standby.annotations" . }} +{{- template "vault.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index b7e2ec5..cf36430 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats @@ -13,6 +13,31 @@ load _helpers [ "${actual}" = "true" ] } +@test "server/ha-active-Service: with active annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.active.annotations=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} +@test "server/ha-active-Service: with both annotations set" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.active.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=vaultIsNotAwesome: false' \ + . | tee /dev/stderr | + yq -r '.metadata' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] + actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr) + [ "${actual}" = "false" ] +} @test "server/ha-active-Service: disable with ha.enabled false" { cd `chart_dir` local actual=$( (helm template \ diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 5f2654e..bd04853 100755 --- a/test/unit/server-ha-standby-service.bats 
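Review bot: The new `with both annotations set` test uses two different keys (`vaultIsAwesome` and `vaultIsNotAwesome`), so it never exercises the one case where the two includes interact — the same key present in both `server.service.active.annotations` and `server.service.annotations`. Add a case that sets the same key to different values in both and asserts which one survives, so the precedence is pinned by a test rather than left to whichever YAML parser reads the rendered Service.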
+++ b/test/unit/server-ha-standby-service.bats @@ -24,6 +24,42 @@ load _helpers [ "${actual}" = "true" ] } +@test "server/ha-standby-Service: with standby annotations string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.standby.annotations=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/ha-standby-Service: with standby annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.standby.annotations.vaultIsAwesome=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} +@test "server/ha-standby-Service: with both annotations set" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.standby.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=vaultIsNotAwesome: false' \ + . | tee /dev/stderr | + yq -r '.metadata' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] + actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr) + [ "${actual}" = "false" ] +} @test "server/ha-standby-Service: disable with ha.enabled false" { cd `chart_dir` local actual=$( (helm template \ diff --git a/values.schema.json b/values.schema.json index d1c87e0..6a8b350 100644 --- a/values.schema.json +++ b/values.schema.json @@ -922,6 +922,12 @@ "properties": { "enabled": { "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] } } }, 
@@ -956,6 +962,12 @@ "properties": { "enabled": { "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] } } }, diff --git a/values.yaml b/values.yaml index 938a197..8ee43f9 100644 --- a/values.yaml +++ b/values.yaml @@ -658,13 +658,21 @@ server: service: enabled: true # Enable or disable the vault-active service, which selects Vault pods that - # have labelled themselves as the cluster leader with `vault-active: "true"` + # have labeled themselves as the cluster leader with `vault-active: "true"`. active: enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the active service. + annotations: {} # Enable or disable the vault-standby service, which selects Vault pods that - # have labelled themselves as a cluster follower with `vault-active: "false"` + # have labeled themselves as a cluster follower with `vault-active: "false"`. standby: enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the standby service. + annotations: {} # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` # When disabled, services may select Vault pods not deployed from the chart. # Does not affect the headless vault-internal service with `ClusterIP: None` From e2990d291319b2097c9366918078263343173755 Mon Sep 17 00:00:00 2001 From: Kyle Schochenmaier Date: Tue, 26 Sep 2023 22:50:26 -0500 Subject: [PATCH 052/113] changelog++ (#959) --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7c158f1..321a5fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,7 @@ Features: * server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) * server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955) +* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896) Bugs: * csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) From 24739373fbe0b773474825f2f11581fcf8d72f73 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Fri, 13 Oct 2023 09:58:54 -0700 Subject: [PATCH 053/113] Update actions, k8s and vault versions, and changelog (#962) Pin github actions to the latest trusted versions, test with k8s 1.24-1.28, update vault and vault-k8s defaults to latest releases. --------- Co-authored-by: Tom Proctor --- .github/actions/setup-test-tools/action.yaml | 4 ++-- .github/workflows/acceptance.yaml | 6 +++--- .github/workflows/jira.yaml | 2 +- CHANGELOG.md | 7 +++++++ values.openshift.yaml | 6 +++--- values.yaml | 6 +++--- 6 files changed, 19 insertions(+), 12 deletions(-) diff --git a/.github/actions/setup-test-tools/action.yaml b/.github/actions/setup-test-tools/action.yaml index 6da07b5..d294106 100644 --- a/.github/actions/setup-test-tools/action.yaml +++ b/.github/actions/setup-test-tools/action.yaml @@ -6,7 +6,7 @@ description: Install bats and python-yq runs: using: "composite" steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: '16' - run: npm install -g bats@${BATS_VERSION} 
@@ -15,7 +15,7 @@ runs: BATS_VERSION: '1.8.2' - run: bats -v shell: bash - - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.10' - run: pip install yq diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index c9696da..c64d572 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -5,18 +5,18 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.22.17, 1.23.17, 1.24.13, 1.25.9, 1.26.4, 1.27.2] + kind-k8s-version: [1.24.15, 1.25.11, 1.26.6, 1.27.3, 1.28.0] runs-on: ubuntu-latest steps: - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: Setup test tools uses: ./.github/actions/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0 + uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.19.0 + version: v0.20.0 - run: bats --tap --timing ./test/acceptance env: VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index ad6237c..0f73ec3 100644 --- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml @@ -14,4 +14,4 @@ jobs: JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} with: - teams-array: '["ecosystem", "foundations"]' + teams-array: '["ecosystem", "foundations-eco"]' diff --git a/CHANGELOG.md b/CHANGELOG.md index 321a5fe..6eea6ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
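Review bot: `pip install yq` in this hunk is still unpinned, so while the commit pins every action to a SHA, the job fetches whatever `yq` and its transitive dependencies PyPI serves at run time; the `npm install -g bats@${BATS_VERSION}` step above at least pins a version. Pin it the same way, `pip install "yq==<version>"` with the version held in an `env:` entry next to `BATS_VERSION`, and consider a small requirements file with `--require-hashes` for integrity, since this tool participates in producing the test verdict. The composite action's remaining steps continue past the end of this hunk.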
@@ -1,9 +1,15 @@ ## Unreleased +Changes: +* Default `vault` version updated to 1.15.0 +* Default `vault-k8s` version updated to 1.3.0 +* Tested with Kubernetes versions 1.24-1.28 + Features: * server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) * server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955) * server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896) +* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923) Bugs: * csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) @@ -11,6 +17,7 @@ Bugs: Improvements: * global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) * server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912) +* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943) ## 0.25.0 (June 26, 2023) diff --git a/values.openshift.yaml b/values.openshift.yaml index 6e575e4..a68641f 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -9,13 +9,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.2.1-ubi" + tag: "1.3.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.14.0-ubi" + tag: "1.15.0-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.14.0-ubi" + tag: "1.15.0-ubi" diff --git a/values.yaml b/values.yaml index 8ee43f9..5dcfbc2 100644 --- a/values.yaml +++ b/values.yaml 
@@ -68,7 +68,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.2.1" + tag: "1.3.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -76,7 +76,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.14.0" + tag: "1.15.0" # The default values for the injected Vault Agent containers. agentDefaults: @@ -1139,7 +1139,7 @@ csi: image: repository: "hashicorp/vault" - tag: "1.14.0" + tag: "1.15.0" pullPolicy: IfNotPresent logFormat: standard From 6f3f107ca53f73e91b010b8c35f9e53059f3ed33 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 26 Oct 2023 00:08:53 -0700 Subject: [PATCH 054/113] openshift/server: readiness probe passes when server uninitialized (#966) Changes the default server readiness probe to pass when the server is uninitialized, in order to pass the latest version of the chart-verifier test (see #954) for details. Also updates the chart-verifier used in our tests to 1.13.0 (latest). --- .github/workflows/tests.yaml | 4 ++-- CHANGELOG.md | 1 + values.openshift.yaml | 3 +++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 25f344d..1a583b3 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -10,14 +10,14 @@ jobs: chart-verifier: runs-on: ubuntu-latest env: - CHART_VERIFIER_VERSION: '1.10.1' + CHART_VERIFIER_VERSION: '1.13.0' steps: - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: Setup test tools uses: ./.github/actions/setup-test-tools - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: '1.19.2' + go-version: '1.21.3' - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" - run: bats --tap --timing ./test/chart permissions: 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 6eea6ba..5b076a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Changes: * Default `vault` version updated to 1.15.0 * Default `vault-k8s` version updated to 1.3.0 * Tested with Kubernetes versions 1.24-1.28 +* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966) Features: * server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) diff --git a/values.openshift.yaml b/values.openshift.yaml index a68641f..e02d6d1 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -19,3 +19,6 @@ server: image: repository: "registry.connect.redhat.com/hashicorp/vault" tag: "1.15.0-ubi" + + readinessProbe: + path: "/v1/sys/health?uninitcode=204" From f72df27d56698ea56b7392a7a83cfbcb0411006d Mon Sep 17 00:00:00 2001 From: Kyle Schochenmaier Date: Fri, 27 Oct 2023 15:18:07 -0500 Subject: [PATCH 055/113] prepare for 0.26.0 release (#967) * prepare for 0.26.0 release --- CHANGELOG.md | 7 +++++-- Chart.yaml | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 10 +++++----- 4 files changed, 15 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b076a1..e3a42ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,11 @@ ## Unreleased +## 0.26.0 (October 27, 2023) + Changes: -* Default `vault` version updated to 1.15.0 -* Default `vault-k8s` version updated to 1.3.0 +* Default `vault` version updated to 1.15.1 +* Default `vault-k8s` version updated to 1.3.1 +* Default `vault-csi-provider` version updated to 1.4.1 * Tested with Kubernetes versions 1.24-1.28 * server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966) diff --git a/Chart.yaml b/Chart.yaml index 104b05f..e573370 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -3,8 +3,8 @@ apiVersion: v2 name: vault -version: 0.25.0 -appVersion: 1.14.0 +version: 0.26.0 +appVersion: 1.15.1 kubeVersion: ">= 1.20.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/values.openshift.yaml b/values.openshift.yaml index e02d6d1..2dbe4df 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -9,16 +9,16 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.3.0-ubi" + tag: "1.3.1-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.15.0-ubi" + tag: "1.15.1-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.15.0-ubi" + tag: "1.15.1-ubi" readinessProbe: path: "/v1/sys/health?uninitcode=204" diff --git a/values.yaml b/values.yaml index 5dcfbc2..781b930 100644 --- a/values.yaml +++ b/values.yaml @@ -68,7 +68,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.3.0" + tag: "1.3.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -76,7 +76,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.15.0" + tag: "1.15.1" # The default values for the injected Vault Agent containers. agentDefaults: @@ -377,7 +377,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.14.0" + tag: "1.15.1" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -1054,7 +1054,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.4.0" + tag: "1.4.1" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered @@ -1139,7 +1139,7 @@ csi: image: repository: "hashicorp/vault" - tag: "1.15.0" + tag: "1.15.1" pullPolicy: IfNotPresent logFormat: standard From 9b3ceaac995207fd137d67700c6ec066bb2c966d Mon Sep 17 00:00:00 2001 
From: Floris Heringa Date: Mon, 30 Oct 2023 16:16:42 +0100 Subject: [PATCH 056/113] Fix check if server.ha.replicas is a number when set in values.yaml (#961) --- templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 8d4599c..965c7f6 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -167,7 +167,7 @@ Set's the replica count based on the different modes configured by user {{ if eq .mode "standalone" }} {{- default 1 -}} {{ else if eq .mode "ha" }} - {{- if kindIs "int64" .Values.server.ha.replicas -}} + {{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}} {{- .Values.server.ha.replicas -}} {{ else }} {{- 3 -}} From 36dafa02c09eb24afb07de9895ff734b8e3bfd6a Mon Sep 17 00:00:00 2001 From: Kyle Schochenmaier Date: Mon, 30 Oct 2023 14:26:38 -0500 Subject: [PATCH 057/113] Prepare for release 0.26.1 (#970) * Prepare for release 0.26.1 --- CHANGELOG.md | 5 +++++ Chart.yaml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e3a42ab..87ffb20 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ ## Unreleased +## 0.26.1 (October 30, 2023) + +Bugs: +* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961) + ## 0.26.0 (October 27, 2023) Changes: diff --git a/Chart.yaml b/Chart.yaml index e573370..0bf3f3c 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v2 name: vault -version: 0.26.0 +version: 0.26.1 appVersion: 1.15.1 kubeVersion: ">= 1.20.0-0" description: Official HashiCorp Vault Chart From 2bb6994dd99cdb39b48e56f37fbf304cdf0c8b70 Mon Sep 17 00:00:00 2001 
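Review bot: The new `or (kindIs "int64" ...) (kindIs "float64" ...)` condition still silently substitutes 3 for any other type, so `replicas: "5"` in a values file or `--set-string server.ha.replicas=5` deploys three servers with no error — the same class of surprise 0.26.0 had for float64 values. Either accept strings too and coerce, rendering `{{- .Values.server.ha.replicas | int -}}`, or turn the fallback into `{{- fail (printf "server.ha.replicas must be a number, got %s" (kindOf .Values.server.ha.replicas)) -}}` so a misconfiguration surfaces at template time. Note `int` of a non-numeric string yields 0, which is a legitimate replica count here, so the `fail` variant is the safer of the two.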
From: Thy Ton Date: Thu, 9 Nov 2023 13:38:59 -0800 Subject: [PATCH 058/113] support exec in server liveness probe (#971) Co-authored-by: Theron Voran --- CHANGELOG.md | 4 ++++ templates/server-statefulset.yaml | 8 +++++++ test/unit/server-statefulset.bats | 35 +++++++++++++++++++++++++++++++ values.schema.json | 6 ++++++ values.yaml | 8 ++++++- 5 files changed, 60 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 87ffb20..df193c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Unreleased +Improvements: + +* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971) + ## 0.26.1 (October 30, 2023) Bugs: diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index f330927..5d9afac 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -179,10 +179,18 @@ spec: {{- end }} {{- if .Values.server.livenessProbe.enabled }} livenessProbe: + {{- if .Values.server.livenessProbe.execCommand }} + exec: + command: + {{- range (.Values.server.livenessProbe.execCommand) }} + - {{ . | quote }} + {{- end }} + {{- else }} httpGet: path: {{ .Values.server.livenessProbe.path | quote }} port: {{ .Values.server.livenessProbe.port }} scheme: {{ include "vault.scheme" . | upper }} + {{- end }} failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index de3ee2b..0f3da96 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -1415,6 +1415,41 @@ load _helpers [ "${actual}" = "100" ] } +@test "server/standalone-StatefulSet: liveness exec disabled by default" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.livenessProbe.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.exec' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(echo $object | + yq -r '.httpGet' | tee /dev/stderr) + [ ! "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: liveness exec can be set" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.livenessProbe.enabled=true' \ + --set='server.livenessProbe.execCommand={/bin/sh,-c,sleep}' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.exec.command[0]' | tee /dev/stderr) + [ "${actual}" = "/bin/sh" ] + + local actual=$(echo $object | + yq -r '.httpGet' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + #-------------------------------------------------------------------- # args @test "server/standalone-StatefulSet: add extraArgs" { diff --git a/values.schema.json b/values.schema.json index 6a8b350..3152f3d 100644 --- a/values.schema.json +++ b/values.schema.json @@ -818,6 +818,12 @@ "path": { "type": "string" }, + "port": { + "type": "integer" + }, + "execCommand": { + "type": "array" + }, "periodSeconds": { "type": "integer" }, diff --git a/values.yaml b/values.yaml index 781b930..1edd647 100644 --- a/values.yaml +++ b/values.yaml 
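Review bot: `"execCommand": { "type": "array" }` in the values.schema.json hunk accepts items of any type, while the template quotes every element, so `execCommand: [5, true]` passes validation and renders as the strings `"5"` and `"true"` instead of being rejected. Add `"items": { "type": "string" }` so a mis-typed entry fails at `helm template`/`install` with a clear message rather than producing a probe nobody intended.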
@@ -531,8 +531,14 @@ server: # Used to enable a livenessProbe for the pods livenessProbe: enabled: false + # Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler. + execCommand: [] + # - /bin/sh + # - -c + # - /vault/userconfig/mylivenessscript/run.sh + # Path for the livenessProbe to use httpGet as the livenessProbe handler path: "/v1/sys/health?standbyok=true" - # Port number on which livenessProbe will be checked. + # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 From ad64f921b5985d7862f9c62909f14796e8a199c2 Mon Sep 17 00:00:00 2001 From: Aleix Murtra Date: Mon, 13 Nov 2023 20:55:33 +0100 Subject: [PATCH 059/113] Add persistentVolumeClaimRetentionPolicy variable to values.yaml (#965) This variable is used to set the persistentVolumeClaimRetentionPolicy value in the server-statefulset.yaml template, which is used to configure the retention policy for the PVCs used by the server statefulset. --- CHANGELOG.md | 4 ++ templates/server-statefulset.yaml | 3 ++ test/unit/server-statefulset.bats | 67 +++++++++++++++++++++++++++++++ values.schema.json | 11 +++++ values.yaml | 8 ++++ 5 files changed, 93 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index df193c2..552f345 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Unreleased +Features: + +* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965) + Improvements: * Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 5d9afac..0d8e604 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml 
@@ -24,6 +24,9 @@ spec: replicas: {{ template "vault.replicas" . }} updateStrategy: type: {{ .Values.server.updateStrategyType }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} selector: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 0f3da96..7ad95c2 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
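Review bot: The `semverCompare ">= 1.23-0"` guard is not sufficient on its own: as far as I recall, `persistentVolumeClaimRetentionPolicy` sits behind the `StatefulSetAutoDeletePVC` feature gate, alpha and off by default from 1.23 and only enabled by default from 1.27, so on a 1.23–1.26 cluster without the gate the API server drops the field and a user's `whenDeleted: Delete` silently does nothing — please confirm against the 1.24–1.28 matrix this chart tests. Either document this next to the value or raise the threshold for the default. A template comment above the guard, `{{/* dropped by the API server unless the StatefulSetAutoDeletePVC gate is on (default from 1.27) */}}`, would at least leave a trail for the next reader.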
@@ -221,6 +221,73 @@ load _helpers [ "${actual}" = "OnDelete" ] } +#-------------------------------------------------------------------- +# persistentVolumeClaimRetentionPolicy + +@test "server/standalone-StatefulSet: persistentVolumeClaimRetentionPolicy not set by default when kubernetes < 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.22" \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: unset persistentVolumeClaimRetentionPolicy.whenDeleted when kubernetes < 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.22" \ + --set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete' \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenDeleted' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: unset persistentVolumeClaimRetentionPolicy.whenScaled when kubernetes < 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.22" \ + --set 'server.persistentVolumeClaimRetentionPolicy.whenScaled=Delete' \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenScaled' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: persistentVolumeClaimRetentionPolicy not set by default when kubernetes >= 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.23" \ + . 
| tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: can set persistentVolumeClaimRetentionPolicy.whenDeleted when kubernetes >= 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.23" \ + --set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete' \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenDeleted' | tee /dev/stderr) + [ "${actual}" = "Delete" ] +} + +@test "server/standalone-StatefulSet: can set persistentVolumeClaimRetentionPolicy.whenScaled when kubernetes >= 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.23" \ + --set 'server.persistentVolumeClaimRetentionPolicy.whenScaled=Delete' \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenScaled' | tee /dev/stderr) + [ "${actual}" = "Delete" ] +} + #-------------------------------------------------------------------- # replicas diff --git a/values.schema.json b/values.schema.json index 3152f3d..3d7b54b 100644 --- a/values.schema.json +++ b/values.schema.json @@ -619,6 +619,17 @@ } } }, + "persistentVolumeClaimRetentionPolicy": { + "type": "object", + "properties": { + "whenDeleted": { + "type": "string" + }, + "whenScaled": { + "type": "string" + } + } + }, "dev": { "type": "object", "properties": { diff --git a/values.yaml b/values.yaml index 1edd647..a18912e 100644 --- a/values.yaml +++ b/values.yaml 
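Review bot: `whenDeleted` and `whenScaled` are typed as free-form strings in the schema hunk, but the API accepts only `Retain` or `Delete`, so a typo such as `delete` passes chart validation and is rejected (or, on clusters without the feature, silently dropped) only at apply time. Constrain both with `"enum": ["Retain", "Delete"]` alongside the `"type": "string"` entries.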
@@ -762,6 +762,14 @@ server: # Annotations to apply to the PVC annotations: {} + # Persistent Volume Claim (PVC) retention policy + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + # Example: + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + persistentVolumeClaimRetentionPolicy: {} + # This configures the Vault Statefulset to create a PVC for audit # logs. Once Vault is deployed, initialized, and unsealed, Vault must # be configured to use this for audit logs. This will be mounted to From 97166e5207891ac2143100859bafe27a88827ff0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 23:08:38 -0800 Subject: [PATCH 060/113] Bump actions/checkout from 4.1.0 to 4.1.1 (#963) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/acceptance.yaml | 2 +- .github/workflows/tests.yaml | 4 ++-- .github/workflows/update-helm-charts-index.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index c64d572..75de9c2 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml 
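Review bot: The new `persistentVolumeClaimRetentionPolicy` commentary shows a `Retain`/`Retain` example but never says what `Delete` does to this chart in particular: when Vault keeps its storage on the `data` volume (file or raft backends), `whenDeleted: Delete` removes the only copy of the barrier data on `helm uninstall`, and `whenScaled: Delete` discards a replica's data on scale-down. Add before the example `# WARNING: Delete removes the data (and audit) PVCs together with the StatefulSet; without an external backup this is unrecoverable.` and mention that the template only emits the field on Kubernetes >= 1.23, so it is ignored on older clusters.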
@@ -8,7 +8,7 @@ jobs: kind-k8s-version: [1.24.15, 1.25.11, 1.26.6, 1.27.3, 1.28.0] runs-on: ubuntu-latest steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup test tools uses: ./.github/actions/setup-test-tools - name: Create K8s Kind Cluster diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 1a583b3..11c19de 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -4,7 +4,7 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/setup-test-tools - run: bats --tap --timing ./test/unit chart-verifier: @@ -12,7 +12,7 @@ jobs: env: CHART_VERIFIER_VERSION: '1.13.0' steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup test tools uses: ./.github/actions/setup-test-tools - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml index 7d4cca7..28016ab 100644 --- a/.github/workflows/update-helm-charts-index.yml +++ b/.github/workflows/update-helm-charts-index.yml @@ -11,7 +11,7 @@ jobs: update-helm-charts-index: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: verify Chart version matches tag version run: |- export TAG=${{ github.ref_name }} From e77dce38b265b72035f899bb7b611cc8ae82026c Mon Sep 17 00:00:00 2001 
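Review bot: The `run: |-` step shown as context in the update-helm-charts-index.yml hunk does `export TAG=${{ github.ref_name }}`, which splices the ref name into the shell script before it executes; characters such as `;`, `$(` and backticks are legal in git ref names, so a crafted ref would run in the job. If this workflow fires only on tags pushed by maintainers the exposure is limited, but the trigger is not visible here and the safe form costs nothing: put `env: TAG: ${{ github.ref_name }}` on the step and use `"$TAG"` in the script instead of interpolating the expression. The step body continues past the end of this hunk.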
From: Marco Lecheler Date: Thu, 16 Nov 2023 01:42:26 +0100 Subject: [PATCH 061/113] feat: ingress rules for server networkPolicy (#877) * feat: allow server netPol to specify podSelector * feat(test): add podSelector NetworkPolicy unittest * chore: introduce server.networkPolicy.ingress As suggested let users template the whole ingress object for the networkPolicy than only the podSelector. Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com> --------- Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com> --- templates/server-network-policy.yaml | 9 +-------- test/unit/server-network-policy.bats | 11 +++++++++++ values.yaml | 8 ++++++++ 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml index 62d4ae1..43dcdb1 100644 --- a/templates/server-network-policy.yaml +++ b/templates/server-network-policy.yaml @@ -16,14 +16,7 @@ spec: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - ingress: - - from: - - namespaceSelector: {} - ports: - - port: 8200 - protocol: TCP - - port: 8201 - protocol: TCP + ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }} {{- if .Values.server.networkPolicy.egress }} egress: {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }} diff --git a/test/unit/server-network-policy.bats b/test/unit/server-network-policy.bats index 1364321..1792685 100755 --- a/test/unit/server-network-policy.bats +++ b/test/unit/server-network-policy.bats 
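Review bot: `ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}` is rendered unconditionally, unlike the `egress` block just below it, so a user who sets `server.networkPolicy.ingress: null` (Helm drops the key) or `[]` gets `ingress: null`/`ingress: []`, which, if `policyTypes` includes Ingress (not visible in this hunk), is a deny-all rule that also blocks the 8200/8201 traffic the old hard-coded rule allowed. That may be exactly what a strict deployment wants, but it is a silent lock-out of the API and the cluster port, so either guard the key like egress or state the behavior where the value is documented. A template comment above the line, `{{/* an empty or null list denies all ingress when policyTypes includes Ingress */}}`, would help the next reader.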
@@ -21,6 +21,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "server/network-policy: ingress changed by server.networkPolicy.ingress" { + cd `chart_dir` + local actual=$(helm template \ + --set 'server.networkPolicy.enabled=true' \ + --set 'server.networkPolicy.ingress[0].from[0].podSelector.matchLabels.foo=bar' \ + --show-only templates/server-network-policy.yaml \ + . | tee /dev/stderr | + yq -r '.spec.ingress[0].from[0].podSelector.matchLabels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/network-policy: egress enabled by server.networkPolicy.egress" { cd `chart_dir` local actual=$(helm template \ diff --git a/values.yaml b/values.yaml index a18912e..eaa35a3 100644 --- a/values.yaml +++ b/values.yaml @@ -647,6 +647,14 @@ server: # ports: # - protocol: TCP # port: 443 + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP # Priority class for server pods priorityClassName: "" From 3e16e05ba7132b1db567c6dcd37cc6a8ffa1d8fe Mon Sep 17 00:00:00 2001 From: Alan Tang Date: Thu, 16 Nov 2023 01:55:09 +0000 Subject: [PATCH 062/113] Add labels for PVC template (#969) --- CHANGELOG.md | 1 + templates/_helpers.tpl | 32 +++++++++++++++++++++ test/unit/server-statefulset.bats | 46 +++++++++++++++++++++++++++++++ values.schema.json | 12 ++++++++ values.yaml | 4 +++ 5 files changed, 95 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 552f345..8707088 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Features: * server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965) +* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969) Improvements: diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 965c7f6..8f77f92 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
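Review bot: The new `ingress` default in values.yaml carries no comment, unlike the egress example directly above it, and its `namespaceSelector: {}` admits traffic from every namespace in the cluster on 8200 and 8201; that preserves the previously hard-coded rule, but users editing this block should be told what relaxing or emptying it means. Suggest a comment above `ingress:` such as `# Ingress rules for the server NetworkPolicy. The default allows 8200/8201 from all namespaces; an empty list blocks all inbound traffic to the server pods. Narrow with namespaceSelector/podSelector to limit which workloads may reach Vault.`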
@@ -289,6 +289,7 @@ storage might be desired by the user. - metadata: name: data {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} + {{- include "vault.dataVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} @@ -303,6 +304,7 @@ storage might be desired by the user. - metadata: name: audit {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} + {{- include "vault.auditVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} @@ -782,6 +784,21 @@ Sets VolumeClaim annotations for data volume {{- end }} {{- end -}} +{{/* +Sets VolumeClaim labels for data volume +*/}} +{{- define "vault.dataVolumeClaim.labels" -}} + {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }} + labels: + {{- $tp := typeOf .Values.server.dataStorage.labels }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.dataStorage.labels . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.dataStorage.labels | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets VolumeClaim annotations for audit volume */}} @@ -797,6 +814,21 @@ Sets VolumeClaim annotations for audit volume {{- end }} {{- end -}} +{{/* +Sets VolumeClaim labels for audit volume +*/}} +{{- define "vault.auditVolumeClaim.labels" -}} + {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }} + labels: + {{- $tp := typeOf .Values.server.auditStorage.labels }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.auditStorage.labels . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.auditStorage.labels | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Set's the container resources if the user has set any. */}} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 7ad95c2..8acd9ee 100755 
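Review bot: `vault.dataVolumeClaim.labels` and `vault.auditVolumeClaim.labels` are identical apart from the storage block they read, mirroring the two annotations helpers they sit next to; a single helper that receives the storage values via `dict` would keep the two from drifting. The `tpl` branch renders a user-supplied string as a template and drops the result under `labels:` via `nindent`, so a string that does not render to a YAML mapping breaks the StatefulSet manifest — worth a line in the define comment, e.g. `Sets VolumeClaim labels for data volume; accepts a map, or a string template that must render to a YAML mapping`. It is also worth noting there that `spec.volumeClaimTemplates` on an existing StatefulSet cannot be updated, so these labels take effect only at install or after the StatefulSet is recreated.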
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -2000,3 +2000,49 @@ load _helpers yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.port' | tee /dev/stderr) [ "${actual}" = "8200" ] } + +#-------------------------------------------------------------------- +# labels +@test "server/standalone-StatefulSet: auditStorage volumeClaim labels string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.auditStorage.enabled=true' \ + --set 'server.auditStorage.labels=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[1].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: dataStorage volumeClaim labels string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.dataStorage.enabled=true' \ + --set 'server.dataStorage.labels=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: auditStorage volumeClaim labels yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.auditStorage.enabled=true' \ + --set 'server.auditStorage.labels.vaultIsAwesome=true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[1].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: dataStorage volumeClaim labels yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.dataStorage.enabled=true' \ + --set 'server.dataStorage.labels.vaultIsAwesome=true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} 
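Review bot: All four new tests set the label value to an unquoted `true`, so `tpl`/`toYaml` render `vaultIsAwesome: true` as a YAML boolean; `helm template` and the yq assertion accept that, but the API server requires label values to be strings and would reject the rendered StatefulSet, so the tests pass on a manifest that cannot be applied. Use a string value instead, e.g. `--set-string 'server.auditStorage.labels.vaultIsAwesome=true'` for the map form and `--set 'server.auditStorage.labels=vaultIsAwesome: "true"'` for the string form, keeping the `"true"` assertion as is.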
diff --git a/values.schema.json b/values.schema.json index 3d7b54b..81c51bd 100644 --- a/values.schema.json +++ b/values.schema.json @@ -559,6 +559,12 @@ "string" ] }, + "labels": { + "type": [ + "object", + "string" + ] + }, "enabled": { "type": [ "boolean", @@ -599,6 +605,12 @@ "string" ] }, + "labels": { + "type": [ + "object", + "string" + ] + }, "enabled": { "type": [ "boolean", diff --git a/values.yaml b/values.yaml index eaa35a3..e79995f 100644 --- a/values.yaml +++ b/values.yaml @@ -769,6 +769,8 @@ server: accessMode: ReadWriteOnce # Annotations to apply to the PVC annotations: {} + # Labels to apply to the PVC + labels: {} # Persistent Volume Claim (PVC) retention policy # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention @@ -796,6 +798,8 @@ server: accessMode: ReadWriteOnce # Annotations to apply to the PVC annotations: {} + # Labels to apply to the PVC + labels: {} # Run Vault in "dev" mode. This requires no further setup, no state management, # and no initialization. This is useful for experimenting with Vault without From 50f7439fb298d98a223d2fdf58ece2bad2d816bc Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 16 Nov 2023 15:47:57 -0600 Subject: [PATCH 063/113] Update to v0.27.0 (#978) --- CHANGELOG.md | 7 +++++++ Chart.yaml | 4 ++-- values.openshift.yaml | 4 ++-- values.schema.json | 3 +++ values.yaml | 8 ++++---- 5 files changed, 18 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8707088..0e0cb0a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
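Review bot: The values.yaml comment `# Labels to apply to the PVC` does not tell the reader that a string is also accepted and rendered as a template, even though values.schema.json in the same commit declares the key as `["object", "string"]` and the new helpers in `_helpers.tpl` have a `tpl` branch for it. Suggest `# Labels to apply to the PVC. Accepts a map, or a string that is rendered as a template.` above both new `labels: {}` keys.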
@@ -1,9 +1,16 @@ ## Unreleased +## 0.27.0 (November 16, 2023) + +Changes: + +* Default `vault` version updated to 1.15.2 + Features: * server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965) * server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969) +* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877) Improvements: diff --git a/Chart.yaml b/Chart.yaml index 0bf3f3c..2b19ace 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,8 +3,8 @@ apiVersion: v2 name: vault -version: 0.26.1 -appVersion: 1.15.1 +version: 0.27.0 +appVersion: 1.15.2 kubeVersion: ">= 1.20.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/values.openshift.yaml b/values.openshift.yaml index 2dbe4df..bafc5e6 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -13,12 +13,12 @@ injector: agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.15.1-ubi" + tag: "1.15.2-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.15.1-ubi" + tag: "1.15.2-ubi" readinessProbe: path: "/v1/sys/health?uninitcode=204" diff --git a/values.schema.json b/values.schema.json index 81c51bd..9760657 100644 --- a/values.schema.json +++ b/values.schema.json @@ -872,6 +872,9 @@ }, "enabled": { "type": "boolean" + }, + "ingress": { + "type": "array" } } }, diff --git a/values.yaml b/values.yaml index e79995f..17f5ca5 100644 --- a/values.yaml +++ b/values.yaml @@ -76,7 +76,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.15.1" + tag: "1.15.2" # The default values for the injected Vault Agent containers. agentDefaults: @@ -377,7 +377,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.15.1" + tag: "1.15.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent 
@@ -649,7 +649,7 @@ server: # port: 443 ingress: - from: - - namespaceSelector: {} + - namespaceSelector: {} ports: - port: 8200 protocol: TCP @@ -1165,7 +1165,7 @@ csi: image: repository: "hashicorp/vault" - tag: "1.15.1" + tag: "1.15.2" pullPolicy: IfNotPresent logFormat: standard From 7a127f878a64effd48c6a7472df41ac3f7c3974b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Feb 2024 12:07:19 -0800 Subject: [PATCH 064/113] Bump actions/setup-go from 4.1.0 to 5.0.0 (#984) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.1.0 to 5.0.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/93397bea11091df50f3d7e59dc26a7711a8bcfbe...0c52d547c9bc32b1aa3301fd7a9cb496313a4491) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 11c19de..74d5a7d 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup test tools uses: ./.github/actions/setup-test-tools - - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: '1.21.3' - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" From 6930c378d22ce880e0a1e5e17229922c775c8363 Mon Sep 17 00:00:00 2001 
From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Mon, 11 Mar 2024 15:23:14 -0400 Subject: [PATCH 065/113] Test against k8s 1.29 (#1003) * Drop k8s 1.24 * Use latest kind version v0.22.0 --- .github/workflows/acceptance.yaml | 4 ++-- Makefile | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 75de9c2..2335c9f 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -5,7 +5,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.24.15, 1.25.11, 1.26.6, 1.27.3, 1.28.0] + kind-k8s-version: [1.25.16, 1.26.14, 1.27.11, 1.28.7, 1.29.2] runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -16,7 +16,7 @@ jobs: with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.20.0 + version: v0.22.0 - run: bats --tap --timing ./test/acceptance env: VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} diff --git a/Makefile b/Makefile index 5600220..96503eb 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ LOCAL_ACCEPTANCE_TESTS?=false KIND_CLUSTER_NAME?=vault-helm # kind k8s version -KIND_K8S_VERSION?=v1.26.3 +KIND_K8S_VERSION?=v1.29.2 # Generate json schema for chart values. See test/README.md for more details. values-schema: From d186b6ff298b071de9217ce9d1c0ed85eb53b097 Mon Sep 17 00:00:00 2001 
From: Christopher Swenson Date: Mon, 18 Mar 2024 11:03:56 -0700 Subject: [PATCH 066/113] Add annotation on config change (#1001) When updating the Vault config (and corresponding) configmap, we now generate a checksum of the config and set it as an annotation on both the configmap and the Vault StatefulSet pod template. This allows the deployer to know what pods need to be restarted to pick up the a changed config. We still recommend using the standard upgrade [method for Vault on Kubernetes](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide#upgrading-vault-on-kubernetes), i.e., using the `OnDelete` strategy for the Vault StatefulSet, so updating the config and doing a `helm upgrade` should not trigger the pods to restart, and then deleting pods one at a time, starting with the standby pods. With `kubectl` and `jq`, you can check check which pods need to be updated by first getting the value of the current configmap checksum: ```shell kubectl get pods -o json | jq -r ".items[] | select(.metadata.annotations.\"config/checksum\" != $(kubectl get configmap vault-config -o json | jq '.metadata.annotations."config/checksum"') ) | .metadata.name" ``` Fixes #748. --------- Co-authored-by: Tom Proctor --- templates/_helpers.tpl | 32 ++++++++++++++++++++++++-- templates/server-config-configmap.yaml | 24 ++++--------------- test/docker/Test.dockerfile | 6 ++++- test/unit/server-configmap.bats | 19 +++++++++++++++ test/unit/server-statefulset.bats | 28 ++++++++++++++++++++++ values.yaml | 9 +++++++- 6 files changed, 95 insertions(+), 23 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 8f77f92..7a22d04 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -457,9 +457,12 @@ Sets the injector deployment update strategy {{/* Sets extra pod annotations */}} -{{- define "vault.annotations" -}} - {{- if .Values.server.annotations }} +{{- define "vault.annotations" }} annotations: + {{- if .Values.server.includeConfigAnnotation }} + vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} + {{- end }} + {{- if .Values.server.annotations }} {{- $tp := typeOf .Values.server.annotations }} {{- if eq $tp "string" }} {{- tpl .Values.server.annotations . | nindent 8 }} @@ -1075,3 +1078,28 @@ Supported inputs are Values.ui {{- end -}} {{- end }} {{- end -}} + +{{/* +config file from values +*/}} +{{- define "vault.config" -}} + {{- if or (eq .mode "ha") (eq .mode "standalone") }} + {{- $type := typeOf (index .Values.server .mode).config }} + {{- if eq $type "string" }} + disable_mlock = true + {{- if eq .mode "standalone" }} + {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }} + {{ tpl .Values.server.ha.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} + {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} + {{ end }} + {{- else }} + {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }} + {{- else }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }} + {{- end }} + {{- end }} + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index 5c66057..1fed2e6 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml 
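Review bot: `vault.config` is documented only as `config file from values`, yet it now serves two callers with different needs: the ConfigMap `data` and the `sha256sum` in `vault.annotations`, so any whitespace or formatting change to this helper changes the checksum and will be read by operators as a configuration change. It also requires `.mode` on the context (any mode other than `ha`/`standalone` renders nothing) and, in the raft branch, reads `.Values.server.ha.raft.config` rather than `.config`. Suggest replacing the header with a short doc comment covering those points, and ending the file with a newline (the closing `{{- end -}}` carries `\ No newline at end of file`). Separately, `vault.annotations` now always emits `annotations:`; when neither value is set that renders `annotations: null` under the pod template metadata, which is harmless but differs from the previous output.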
@@ -18,27 +18,13 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.server.includeConfigAnnotation }} + annotations: + vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} +{{- end }} data: extraconfig-from-values.hcl: |- - {{- if or (eq .mode "ha") (eq .mode "standalone") }} - {{- $type := typeOf (index .Values.server .mode).config }} - {{- if eq $type "string" }} - disable_mlock = true - {{- if eq .mode "standalone" }} - {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} - {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }} - {{ tpl .Values.server.ha.config . | nindent 4 | trim }} - {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} - {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} - {{ end }} - {{- else }} - {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} -{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }} - {{- else }} -{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }} - {{- end }} - {{- end }} - {{- end }} + {{ template "vault.config" . }} {{- end }} {{- end }} {{- end }} diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile index 472a97a..69baa47 100644 --- a/test/docker/Test.dockerfile +++ b/test/docker/Test.dockerfile @@ -28,7 +28,11 @@ RUN apk update && apk add --no-cache --virtual .build-deps \ jq # yq -RUN pip install yq +RUN python3 -m venv venv && \ + . venv/bin/activate && \ + pip install yq && \ + ln -s $PWD/venv/bin/yq /usr/local/bin/yq && \ + deactivate # gcloud RUN curl -OL https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash && \ 
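Review bot: The new `{{ template "vault.config" . }}` line is the only use of `template` in this hunk; the file otherwise uses `include` (the `vault.name` label above and the new checksum annotation, which needs `include` to pipe into `sha256sum`). `{{ include "vault.config" . }}` keeps the style uniform and produces the same text here. The enclosing `{{- if }}` blocks open and close outside the hunk.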
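Review bot: `pip install yq` inside the new venv is still unpinned, so every image build fetches whatever the latest `yq` release is, while the rest of the test tooling on this page pins versions (`CHART_VERIFIER_VERSION`, SHA-pinned actions). Pin it as `pip install 'yq==<version>'` with the version the bats suite is known to pass against. The `ln -s $PWD/venv/bin/yq /usr/local/bin/yq` link also depends on the Dockerfile's current `WORKDIR`, which is outside the hunk; an absolute path to the venv would be more robust.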
diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats
index eea7e70..dcb9076 100755
--- a/test/unit/server-configmap.bats
+++ b/test/unit/server-configmap.bats
@@ -139,3 +139,22 @@ load _helpers
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
+
+@test "server/ConfigMap: config checksum annotation defaults to off" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-config-configmap.yaml \
+ . | tee /dev/stderr |
+ yq '.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "server/ConfigMap: config checksum annotation can be enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-config-configmap.yaml \
+ --set 'server.includeConfigAnnotation=true' \
+ . | tee /dev/stderr |
+ yq '.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 8acd9ee..b2b8efe 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -1681,6 +1681,34 @@ load _helpers [ "${actual}" = "true" ] } +@test "server/standalone-StatefulSet: config checksum annotation defaults to off" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq '.spec.template.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: config checksum annotation off does not set annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq '.spec.template.metadata.annotations | length == 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: config checksum annotation can be enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.includeConfigAnnotation=true' \ + . | tee /dev/stderr | + yq '.spec.template.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + #-------------------------------------------------------------------- # priorityClassName diff --git a/values.yaml b/values.yaml index 17f5ca5..a57b9de 100644 --- a/values.yaml +++ b/values.yaml @@ -668,6 +668,13 @@ server: # of the annotations to apply to the server pods annotations: {} + # Add an annotation to the server configmap and the statefulset pods, + # vaultproject.io/config-checksum, that is a hash of the Vault configuration. + # This can be used together with an OnDelete deployment strategy to help + # identify which pods still need to be deleted during a deployment to pick up + # any configuration changes. + configAnnotation: false + # Enables a headless service to be used by the Vault Statefulset service: enabled: true 
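Review bot: The key added to values.yaml is `configAnnotation`, but the templates and tests in this commit read `server.includeConfigAnnotation` (`{{- if .Values.server.includeConfigAnnotation }}` in `_helpers.tpl` and `server-config-configmap.yaml`, `--set 'server.includeConfigAnnotation=true'` in the bats tests), so the documented knob does nothing and the feature can only be enabled through a key that is not in values.yaml. The comment also names the annotation `vaultproject.io/config-checksum`, while the templates emit `vault.hashicorp.com/config-checksum` (the commit description's jq example uses a third spelling, `config/checksum`). Rename the key to `includeConfigAnnotation: false` and correct the annotation name in the comment so documentation and templates agree. values.schema.json does not appear in this commit's diffstat, so the new key may also need a schema entry.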
@@ -714,7 +721,7 @@ server: # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. ipFamilyPolicy: "" - + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. # Can be IPv4 and/or IPv6. ipFamilies: [] From e439b2891482e048a13aebd516cb415693f6464e Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 18 Mar 2024 21:55:51 -0700 Subject: [PATCH 067/113] injector: add get for nodes in clusterrole (#1005) Required for operator-lib leader logic --- CHANGELOG.md | 3 +++ templates/injector-clusterrole.yaml | 6 ++++++ test/unit/injector-clusterrole.bats | 30 +++++++++++++++++++++++++++++ 3 files changed, 39 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e0cb0a..97d2750 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Bugs: +* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005) + ## 0.27.0 (November 16, 2023) Changes: diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml index d5682dd..df603f2 100644 --- a/templates/injector-clusterrole.yaml +++ b/templates/injector-clusterrole.yaml @@ -21,4 +21,10 @@ rules: - "list" - "watch" - "patch" +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +- apiGroups: [""] + resources: ["nodes"] + verbs: + - "get" +{{ end }} {{ end }} diff --git a/test/unit/injector-clusterrole.bats b/test/unit/injector-clusterrole.bats index 7c25f39..0956cce 100755 --- a/test/unit/injector-clusterrole.bats +++ b/test/unit/injector-clusterrole.bats 
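Review bot: The new rule grants cluster-wide `get` on `nodes` with no comment on why an admission webhook needs node access; the commit message says it is for operator-lib leader election, and that rationale belongs in the template so the next reviewer of the ClusterRole neither widens nor removes it blindly. Suggest `{{/* get nodes is required by operator-lib leader election; granted only with leader election on and more than one replica */}}` above the `{{- if and ... }}`. Gating on both `leaderElector.enabled` and `replicas > 1` is the right least-privilege shape. The unpadded `{{ end }}` closing the new block will emit a blank line into the manifest; `{{- end }}` matches the opening tag.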
@@ -20,3 +20,33 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "injector/ClusterRole: no nodes permissions when replicas=1" { + cd `chart_dir` + local rules=$(helm template \ + --show-only templates/injector-clusterrole.yaml \ + --set 'injector.replicas=1' \ + . | tee /dev/stderr | + yq '.rules' | tee /dev/stderr) + rules_length=$(echo "${rules}" | yq 'length') + [ "${rules_length}" = "1" ] + resources_length=$(echo "${rules}" | yq '.[0].resources | length') + [ "${resources_length}" = "1" ] + resource=$(echo "${rules}" | yq -r '.[0].resources[0]') + [ "${resource}" = "mutatingwebhookconfigurations" ] +} + +@test "injector/ClusterRole: nodes permissions when replicas=2" { + cd `chart_dir` + local rules=$(helm template \ + --show-only templates/injector-clusterrole.yaml \ + --set 'injector.replicas=2' \ + . | tee /dev/stderr | + yq '.rules' | tee /dev/stderr) + rules_length=$(echo "${rules}" | yq 'length') + [ "${rules_length}" = "2" ] + resources_length=$(echo "${rules}" | yq '.[1].resources | length') + [ "${resources_length}" = "1" ] + resource=$(echo "${rules}" | yq -r '.[1].resources[0]') + [ "${resource}" = "nodes" ] +} From dbfb243d03a5faf060fed655bab6e2fdd87c0b13 Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Tue, 19 Mar 2024 16:07:57 -0400 Subject: [PATCH 068/113] Update code owners (#1006) - ignore scratch dir --- .gitignore | 1 + CODEOWNERS | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 2e23aca..95317a7 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ vaul-helm-dev-creds.json ./test/acceptance/values.yaml ./test/acceptance/values.yml .idea +scratch/ diff --git a/CODEOWNERS b/CODEOWNERS index af6a350..a765f7e 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @hashicorp/vault-ecosystem-foundations +* @hashicorp/vault-ecosystem From c5f92478285c58552111d3210172795653c15f81 Mon Sep 17 00:00:00 2001 
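Review bot: The two new tests vary only `injector.replicas`, but the template gates the `nodes` rule on `injector.leaderElector.enabled` as well, so the case `replicas=2` with `leaderElector.enabled=false`, which must not grant node access, is untested. Add a third test with `--set 'injector.replicas=2' --set 'injector.leaderElector.enabled=false'` asserting `rules_length` is `1`. The new assertions also assign `rules_length`, `resources_length` and `resource` without `local`, unlike `rules` above; declaring them `local` keeps them scoped to the test.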
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Mar 2024 18:26:53 -0700 Subject: [PATCH 069/113] Bump helm/kind-action from 1.8.0 to 1.9.0 (#999) Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](https://github.com/helm/kind-action/compare/dda0770415bac9fc20092cacbc54aa298604d140...99576bfa6ddf9a8e612d83b513da5a75875caced) --- updated-dependencies: - dependency-name: helm/kind-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/acceptance.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 2335c9f..7ae9186 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -12,7 +12,7 @@ jobs: - name: Setup test tools uses: ./.github/actions/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 + uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} From 5544941fffbe5720bdd9a05a8dc4a496872019ec Mon Sep 17 00:00:00 2001 From: jessebot Date: Thu, 16 May 2024 12:04:32 +0200 Subject: [PATCH 070/113] begin changes to using openbao everywhere instead of vault also begin massive change over to using helm's official chart release and testing actions 
Signed-off-by: jessebot --- .github/workflows/acceptance.yaml | 2 +- .github/workflows/actionlint.yml | 14 - .github/workflows/jira.yaml | 17 - .github/workflows/lint-chart.yml | 47 +++ .github/workflows/release-chart.yml | 38 +++ .../workflows/update-helm-charts-index.yml | 40 --- Chart.yaml | 19 -- README.md | 31 +- .helmignore => charts/openbao/.helmignore | 0 charts/openbao/Chart.yaml | 20 ++ charts/openbao/README.md | 291 ++++++++++++++++++ .../openbao/templates}/NOTES.txt | 0 .../openbao/templates}/_helpers.tpl | 0 .../templates}/csi-agent-configmap.yaml | 0 .../openbao/templates}/csi-clusterrole.yaml | 0 .../templates}/csi-clusterrolebinding.yaml | 0 .../openbao/templates}/csi-daemonset.yaml | 0 .../openbao/templates}/csi-role.yaml | 0 .../openbao/templates}/csi-rolebinding.yaml | 0 .../templates}/csi-serviceaccount.yaml | 0 .../templates}/injector-certs-secret.yaml | 0 .../templates}/injector-clusterrole.yaml | 0 .../injector-clusterrolebinding.yaml | 0 .../templates}/injector-deployment.yaml | 0 .../templates}/injector-disruptionbudget.yaml | 0 .../templates}/injector-mutating-webhook.yaml | 0 .../templates}/injector-network-policy.yaml | 0 .../openbao/templates}/injector-psp-role.yaml | 0 .../templates}/injector-psp-rolebinding.yaml | 0 .../openbao/templates}/injector-psp.yaml | 0 .../openbao/templates}/injector-role.yaml | 0 .../templates}/injector-rolebinding.yaml | 0 .../openbao/templates}/injector-service.yaml | 0 .../templates}/injector-serviceaccount.yaml | 0 .../prometheus-prometheusrules.yaml | 0 .../templates}/prometheus-servicemonitor.yaml | 0 .../templates}/server-clusterrolebinding.yaml | 0 .../templates}/server-config-configmap.yaml | 0 .../templates}/server-discovery-role.yaml | 0 .../server-discovery-rolebinding.yaml | 0 .../templates}/server-disruptionbudget.yaml | 0 .../templates}/server-ha-active-service.yaml | 0 .../templates}/server-ha-standby-service.yaml | 0 .../templates}/server-headless-service.yaml | 0 
.../openbao/templates}/server-ingress.yaml | 0 .../templates}/server-network-policy.yaml | 0 .../openbao/templates}/server-psp-role.yaml | 0 .../templates}/server-psp-rolebinding.yaml | 0 .../openbao/templates}/server-psp.yaml | 0 .../openbao/templates}/server-route.yaml | 0 .../openbao/templates}/server-service.yaml | 0 .../server-serviceaccount-secret.yaml | 0 .../templates}/server-serviceaccount.yaml | 0 .../templates}/server-statefulset.yaml | 0 .../openbao/templates}/tests/server-test.yaml | 0 .../openbao/templates}/ui-service.yaml | 0 .../openbao/values.openshift.yaml | 0 .../openbao/values.schema.json | 0 values.yaml => charts/openbao/values.yaml | 0 59 files changed, 410 insertions(+), 109 deletions(-) delete mode 100644 .github/workflows/actionlint.yml delete mode 100644 .github/workflows/jira.yaml create mode 100644 .github/workflows/lint-chart.yml create mode 100644 .github/workflows/release-chart.yml delete mode 100644 .github/workflows/update-helm-charts-index.yml delete mode 100644 Chart.yaml rename .helmignore => charts/openbao/.helmignore (100%) create mode 100644 charts/openbao/Chart.yaml create mode 100644 charts/openbao/README.md rename {templates => charts/openbao/templates}/NOTES.txt (100%) rename {templates => charts/openbao/templates}/_helpers.tpl (100%) rename {templates => charts/openbao/templates}/csi-agent-configmap.yaml (100%) rename {templates => charts/openbao/templates}/csi-clusterrole.yaml (100%) rename {templates => charts/openbao/templates}/csi-clusterrolebinding.yaml (100%) rename {templates => charts/openbao/templates}/csi-daemonset.yaml (100%) rename {templates => charts/openbao/templates}/csi-role.yaml (100%) rename {templates => charts/openbao/templates}/csi-rolebinding.yaml (100%) rename {templates => charts/openbao/templates}/csi-serviceaccount.yaml (100%) rename {templates => charts/openbao/templates}/injector-certs-secret.yaml (100%) rename {templates => charts/openbao/templates}/injector-clusterrole.yaml (100%) rename 
{templates => charts/openbao/templates}/injector-clusterrolebinding.yaml (100%) rename {templates => charts/openbao/templates}/injector-deployment.yaml (100%) rename {templates => charts/openbao/templates}/injector-disruptionbudget.yaml (100%) rename {templates => charts/openbao/templates}/injector-mutating-webhook.yaml (100%) rename {templates => charts/openbao/templates}/injector-network-policy.yaml (100%) rename {templates => charts/openbao/templates}/injector-psp-role.yaml (100%) rename {templates => charts/openbao/templates}/injector-psp-rolebinding.yaml (100%) rename {templates => charts/openbao/templates}/injector-psp.yaml (100%) rename {templates => charts/openbao/templates}/injector-role.yaml (100%) rename {templates => charts/openbao/templates}/injector-rolebinding.yaml (100%) rename {templates => charts/openbao/templates}/injector-service.yaml (100%) rename {templates => charts/openbao/templates}/injector-serviceaccount.yaml (100%) rename {templates => charts/openbao/templates}/prometheus-prometheusrules.yaml (100%) rename {templates => charts/openbao/templates}/prometheus-servicemonitor.yaml (100%) rename {templates => charts/openbao/templates}/server-clusterrolebinding.yaml (100%) rename {templates => charts/openbao/templates}/server-config-configmap.yaml (100%) rename {templates => charts/openbao/templates}/server-discovery-role.yaml (100%) rename {templates => charts/openbao/templates}/server-discovery-rolebinding.yaml (100%) rename {templates => charts/openbao/templates}/server-disruptionbudget.yaml (100%) rename {templates => charts/openbao/templates}/server-ha-active-service.yaml (100%) rename {templates => charts/openbao/templates}/server-ha-standby-service.yaml (100%) rename {templates => charts/openbao/templates}/server-headless-service.yaml (100%) rename {templates => charts/openbao/templates}/server-ingress.yaml (100%) rename {templates => charts/openbao/templates}/server-network-policy.yaml (100%) rename {templates => 
charts/openbao/templates}/server-psp-role.yaml (100%) rename {templates => charts/openbao/templates}/server-psp-rolebinding.yaml (100%) rename {templates => charts/openbao/templates}/server-psp.yaml (100%) rename {templates => charts/openbao/templates}/server-route.yaml (100%) rename {templates => charts/openbao/templates}/server-service.yaml (100%) rename {templates => charts/openbao/templates}/server-serviceaccount-secret.yaml (100%) rename {templates => charts/openbao/templates}/server-serviceaccount.yaml (100%) rename {templates => charts/openbao/templates}/server-statefulset.yaml (100%) rename {templates => charts/openbao/templates}/tests/server-test.yaml (100%) rename {templates => charts/openbao/templates}/ui-service.yaml (100%) rename values.openshift.yaml => charts/openbao/values.openshift.yaml (100%) rename values.schema.json => charts/openbao/values.schema.json (100%) rename values.yaml => charts/openbao/values.yaml (100%) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 7ae9186..2a204e3 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -5,7 +5,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.25.16, 1.26.14, 1.27.11, 1.28.7, 1.29.2] + kind-k8s-version: [1.27.11, 1.28.7, 1.29.2] runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml deleted file mode 100644 index ec209f5..0000000 --- a/.github/workflows/actionlint.yml +++ /dev/null @@ -1,14 +0,0 @@ -# If the repository is public, be sure to change to GitHub hosted runners -name: Lint GitHub Actions Workflows -on: - push: - paths: - - .github/workflows/**.yml - pull_request: - paths: - - .github/workflows/**.yml -permissions: - contents: read -jobs: - actionlint: - uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main 
diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml deleted file mode 100644 index 0f73ec3..0000000 --- a/.github/workflows/jira.yaml +++ /dev/null @@ -1,17 +0,0 @@ -name: Jira Sync -on: - issues: - types: [opened, closed, deleted, reopened] - pull_request_target: - types: [opened, closed, reopened] - issue_comment: # Also triggers when commenting on a PR from the conversation view - types: [created] -jobs: - sync: - uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main - secrets: - JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} - JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} - JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} - with: - teams-array: '["ecosystem", "foundations-eco"]' diff --git a/.github/workflows/lint-chart.yml b/.github/workflows/lint-chart.yml new file mode 100644 index 0000000..dc826b1 --- /dev/null +++ b/.github/workflows/lint-chart.yml 
@@ -0,0 +1,47 @@
+name: Lint and Test Chart
+
+on:
+ pull_request:
+ paths:
+ - 'charts/**'
+
+permissions:
+ contents: read
+
+jobs:
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: "0"
+
+ - name: Install Helm
+ uses: azure/setup-helm@v4
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.6.1
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+ if [[ -n "$changed" ]]; then
+ echo "changed=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Run chart-testing (lint)
+ id: lint
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1.10.0
+ if: steps.list-changed.outputs.changed == 'true'
+
+ - name: Run chart-testing (install)
+ id: install
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct install --target-branch ${{ github.event.repository.default_branch }}
diff --git a/.github/workflows/release-chart.yml b/.github/workflows/release-chart.yml
new file mode 100644
index 0000000..e4c3f84
--- /dev/null
+++ b/.github/workflows/release-chart.yml
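Review bot: Every action in this new workflow is referenced by a mutable tag (`actions/checkout@v4`, `azure/setup-helm@v4`, `helm/chart-testing-action@v2.6.1`, `helm/kind-action@v1.10.0`), while the acceptance workflow touched earlier in this same patch pins `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` by commit SHA. A tag can be retargeted by whoever controls the action repository, so a moved or compromised tag would execute arbitrary code in this job on every pull request; pinning each `uses:` to a full commit SHA with the version in a trailing comment keeps the two workflows consistent and removes that trust. The three `run:` scripts also expand `${{ github.event.repository.default_branch }}` directly into shell; it is repository metadata rather than PR-controlled input, but the injection-safe convention is to set it once under `env:` and reference `"$DEFAULT_BRANCH"` in the script. Note that this patch also deletes `actionlint.yml`, so nothing in the repository now lints these new workflow files.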
@@ -0,0 +1,38 @@
+name: Release
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'charts/**'
+
+jobs:
+ release:
+ environment: helm-release
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ - name: Install Helm
+ uses: azure/setup-helm@v3.5
+ id: helm-install
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Run chart-releaser
+ id: helm-release
+ uses: helm/chart-releaser-action@v1.6.0
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ CR_GENERATE_RELEASE_NOTES: true
diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml
deleted file mode 100644
index 28016ab..0000000
--- a/.github/workflows/update-helm-charts-index.yml
+++ /dev/null
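Review bot: `helm/chart-releaser-action@v1.6.0`, `actions/checkout@v4` and `azure/setup-helm@v3.5` are referenced by mutable tags inside a job that holds `contents: write` and publishes the chart packages and index that every `helm repo add openbao https://openbao.github.io/openbao-helm` user will install from, so a retargeted tag here compromises the release channel itself rather than a PR check. Pin each `uses:` to a full commit SHA with the version in a trailing comment, matching the `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` style already used in acceptance.yaml. The Helm setup action is at `v3.5` here but `v4` in lint-chart.yml from the same patch, so the chart can be linted and packaged with different Helm versions; align both. Scoping `permissions:` to the job and gating it behind `environment: helm-release` is the right shape; adding a top-level `permissions: {}` would make the default for any future job in this file explicitly empty.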
@@ -1,40 +0,0 @@ -name: update-helm-charts-index -on: - push: - tags: - - 'v[0-9]+.[0-9]+.[0-9]+' - -permissions: - contents: read - -jobs: - update-helm-charts-index: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: verify Chart version matches tag version - run: |- - export TAG=${{ github.ref_name }} - git_tag="${TAG#v}" - chart_tag=$(yq -r '.version' Chart.yaml) - if [ "${git_tag}" != "${chart_tag}" ]; then - echo "chart version (${chart_tag}) did not match git version (${git_tag})" - exit 1 - fi - - name: update helm-charts index - id: update - env: - GH_TOKEN: ${{ secrets.HELM_CHARTS_GITHUB_TOKEN }} - run: |- - gh workflow run publish-charts.yml \ - --repo hashicorp/helm-charts \ - --ref main \ - -f SOURCE_TAG="${{ github.ref_name }}" \ - -f SOURCE_REPO="${{ github.repository }}" - - uses: hashicorp/actions-slack-status@v1 - if: ${{always()}} - with: - success-message: "vault-helm charts index update triggered successfully. View the run ." - failure-message: "vault-helm charts index update trigger failed." - status: ${{job.status}} - slack-webhook-url: ${{secrets.SLACK_WEBHOOK_URL}} diff --git a/Chart.yaml b/Chart.yaml deleted file mode 100644 index 2b19ace..0000000 --- a/Chart.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -apiVersion: v2 -name: vault -version: 0.27.0 -appVersion: 1.15.2 -kubeVersion: ">= 1.20.0-0" -description: Official HashiCorp Vault Chart -home: https://www.vaultproject.io -icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png -keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"] -sources: - - https://github.com/hashicorp/vault - - https://github.com/hashicorp/vault-helm - - https://github.com/hashicorp/vault-k8s - - https://github.com/hashicorp/vault-csi-provider -annotations: - charts.openshift.io/name: HashiCorp Vault diff --git a/README.md b/README.md index 256bd8b..30043e2 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,12 @@ -# Vault Helm Chart +# OpenBao Helm Chart -> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If -you believe you have found a security issue in Vault Helm, _please responsibly disclose_ -by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). +> :warning: **Please note**: We take OpenBao's security and our users' trust very seriously. If +you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_ +by contacting us at [](mailto:). -This repository contains the official HashiCorp Helm chart for installing -and configuring Vault on Kubernetes. This chart supports multiple use -cases of Vault on Kubernetes depending on the values provided. +This repository contains the OpenBao Helm chart for installing +and configuring OpenBao on Kubernetes. This chart supports multiple use +cases of OpenBao on Kubernetes depending on the values provided. For full documentation on this Helm chart along with all the ways you can use Vault with Kubernetes, please see the 
@@ -20,24 +20,19 @@ this README. Please refer to the Kubernetes and Helm documentation. The versions required are: - * **Helm 3.6+** - * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested. + * **Helm 3.12+** - Earliest verison tested + * **Kubernetes 1.28+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. ## Usage -To install the latest version of this chart, add the Hashicorp helm repository -and run `helm install`: +To install the latest version of this chart, add the Hashicorp helm repository and run `helm install`: ```console -$ helm repo add hashicorp https://helm.releases.hashicorp.com -"hashicorp" has been added to your repositories +helm repo add openbao https://openbao.github.io/openbao-helm -$ helm install vault hashicorp/vault +helm install openbao openbao/openbao ``` -Please see the many options supported in the `values.yaml` file. These are also -fully documented directly on the [Vault -website](https://developer.hashicorp.com/vault/docs/platform/k8s/helm) along with more -detailed installation instructions. +Please see the many options supported in the [`values.yaml`](./charts/openbao/values.yaml) file. These are also fully documented directly in the [openbao README](./charts/openbao/README.md) along with more detailed installation instructions. diff --git a/.helmignore b/charts/openbao/.helmignore similarity index 100% rename from .helmignore rename to charts/openbao/.helmignore diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml new file mode 100644 index 0000000..163c7b6 --- /dev/null +++ b/charts/openbao/Chart.yaml 
@@ -0,0 +1,20 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: v2
+name: openbao
+version: 0.1.0
+appVersion: v2.0.0-alpha20240329
+kubeVersion: ">= 1.27.0-0"
+description: Official openbao Chart
+home: https://github.com/openbao/openbao-helm
+icon: https://avatars.githubusercontent.com/u/152585220?s=200&v=4
+keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
+sources:
+ - https://github.com/openbao/openbao-helm
+annotations:
+ charts.openshift.io/name: Openbao
+
+maintainers:
+ - name: jessebot
+ url: https://github.com/jessebot
diff --git a/charts/openbao/README.md b/charts/openbao/README.md
new file mode 100644
index 0000000..735beee
--- /dev/null
+++ b/charts/openbao/README.md
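Review bot: `appVersion: v2.0.0-alpha20240329` advertises OpenBao, but `values.yaml` is moved unchanged in this patch (`rename values.yaml => charts/openbao/values.yaml (100%)`) and the generated README added alongside shows the defaults it still carries: `server.image.repository: hashicorp/vault`, `server.image.tag: 1.15.2`, the same for `injector.agentImage` and `csi.agent.image`, and `injector.image.repository: hashicorp/vault-k8s`. Anyone installing `openbao/openbao` therefore runs HashiCorp Vault 1.15.2 containers under a chart whose metadata claims OpenBao 2.0.0-alpha, which misleads operators who inventory deployed software by chart `appVersion`; either repoint the default images at OpenBao builds in the same change or set `appVersion` to what is actually deployed. Separately, `kubeVersion: ">= 1.27.0-0"` and the acceptance matrix still admit 1.27.x, while the README rewritten in this patch states `Kubernetes 1.28+` as the earliest tested version, so one of the three should change.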
@@ -0,0 +1,291 @@ +# openbao + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: v2.0.0-alpha20240329](https://img.shields.io/badge/AppVersion-v2.0.0--alpha20240329-informational?style=flat-square) + +Official openbao Chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| jessebot | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.27.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| csi.agent.enabled | bool | `true` | | +| csi.agent.extraArgs | list | `[]` | | +| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | | +| csi.agent.image.repository | string | `"hashicorp/vault"` | | +| csi.agent.image.tag | string | `"1.15.2"` | | +| csi.agent.logFormat | string | `"standard"` | | +| csi.agent.logLevel | string | `"info"` | | +| csi.agent.resources | object | `{}` | | +| csi.daemonSet.annotations | object | `{}` | | +| csi.daemonSet.extraLabels | object | `{}` | | +| csi.daemonSet.kubeletRootDir | string | `"/var/lib/kubelet"` | | +| csi.daemonSet.providersDir | string | `"/etc/kubernetes/secrets-store-csi-providers"` | | +| csi.daemonSet.securityContext.container | object | `{}` | | +| csi.daemonSet.securityContext.pod | object | `{}` | | +| csi.daemonSet.updateStrategy.maxUnavailable | string | `""` | | +| csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` | | +| csi.debug | bool | `false` | | +| csi.enabled | bool | `false` | | +| csi.extraArgs | list | `[]` | | +| csi.hmacSecretName | string | `""` | | +| csi.image.pullPolicy | string | `"IfNotPresent"` | | +| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | | +| csi.image.tag | string | `"1.4.1"` | | +| csi.livenessProbe.failureThreshold | int | `2` | | +| csi.livenessProbe.initialDelaySeconds | int | `5` | | +| csi.livenessProbe.periodSeconds | int | `5` | | +| csi.livenessProbe.successThreshold | int | `1` | | 
+| csi.livenessProbe.timeoutSeconds | int | `3` | | +| csi.pod.affinity | object | `{}` | | +| csi.pod.annotations | object | `{}` | | +| csi.pod.extraLabels | object | `{}` | | +| csi.pod.nodeSelector | object | `{}` | | +| csi.pod.tolerations | list | `[]` | | +| csi.priorityClassName | string | `""` | | +| csi.readinessProbe.failureThreshold | int | `2` | | +| csi.readinessProbe.initialDelaySeconds | int | `5` | | +| csi.readinessProbe.periodSeconds | int | `5` | | +| csi.readinessProbe.successThreshold | int | `1` | | +| csi.readinessProbe.timeoutSeconds | int | `3` | | +| csi.resources | object | `{}` | | +| csi.serviceAccount.annotations | object | `{}` | | +| csi.serviceAccount.extraLabels | object | `{}` | | +| csi.volumeMounts | string | `nil` | | +| csi.volumes | string | `nil` | | +| global.enabled | bool | `true` | | +| global.externalVaultAddr | string | `""` | | +| global.imagePullSecrets | list | `[]` | | +| global.namespace | string | `""` | | +| global.openshift | bool | `false` | | +| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | | +| global.psp.enable | bool | `false` | | +| global.serverTelemetry.prometheusOperator | bool | `false` | | +| global.tlsDisable | bool | `true` | | +| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . 
}}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | | +| injector.agentDefaults.cpuLimit | string | `"500m"` | | +| injector.agentDefaults.cpuRequest | string | `"250m"` | | +| injector.agentDefaults.memLimit | string | `"128Mi"` | | +| injector.agentDefaults.memRequest | string | `"64Mi"` | | +| injector.agentDefaults.template | string | `"map"` | | +| injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | | +| injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | | +| injector.agentImage.repository | string | `"hashicorp/vault"` | | +| injector.agentImage.tag | string | `"1.15.2"` | | +| injector.annotations | object | `{}` | | +| injector.authPath | string | `"auth/kubernetes"` | | +| injector.certs.caBundle | string | `""` | | +| injector.certs.certName | string | `"tls.crt"` | | +| injector.certs.keyName | string | `"tls.key"` | | +| injector.certs.secretName | string | `nil` | | +| injector.enabled | string | `"-"` | | +| injector.externalVaultAddr | string | `""` | | +| injector.extraEnvironmentVars | object | `{}` | | +| injector.extraLabels | object | `{}` | | +| injector.failurePolicy | string | `"Ignore"` | | +| injector.hostNetwork | bool | `false` | | +| injector.image.pullPolicy | string | `"IfNotPresent"` | | +| injector.image.repository | string | `"hashicorp/vault-k8s"` | | +| injector.image.tag | string | `"1.3.1"` | | +| injector.leaderElector.enabled | bool | `true` | | +| injector.livenessProbe.failureThreshold | int | `2` | | +| injector.livenessProbe.initialDelaySeconds | int | `5` | | +| injector.livenessProbe.periodSeconds | int | `2` | | +| injector.livenessProbe.successThreshold | int | `1` | | +| injector.livenessProbe.timeoutSeconds | int | `5` | | +| injector.logFormat | string | `"standard"` | | +| injector.logLevel | string | `"info"` | | +| injector.metrics.enabled | bool | `false` | | +| 
injector.namespaceSelector | object | `{}` | | +| injector.nodeSelector | object | `{}` | | +| injector.objectSelector | object | `{}` | | +| injector.podDisruptionBudget | object | `{}` | | +| injector.port | int | `8080` | | +| injector.priorityClassName | string | `""` | | +| injector.readinessProbe.failureThreshold | int | `2` | | +| injector.readinessProbe.initialDelaySeconds | int | `5` | | +| injector.readinessProbe.periodSeconds | int | `2` | | +| injector.readinessProbe.successThreshold | int | `1` | | +| injector.readinessProbe.timeoutSeconds | int | `5` | | +| injector.replicas | int | `1` | | +| injector.resources | object | `{}` | | +| injector.revokeOnShutdown | bool | `false` | | +| injector.securityContext.container | object | `{}` | | +| injector.securityContext.pod | object | `{}` | | +| injector.service.annotations | object | `{}` | | +| injector.serviceAccount.annotations | object | `{}` | | +| injector.startupProbe.failureThreshold | int | `12` | | +| injector.startupProbe.initialDelaySeconds | int | `5` | | +| injector.startupProbe.periodSeconds | int | `5` | | +| injector.startupProbe.successThreshold | int | `1` | | +| injector.startupProbe.timeoutSeconds | int | `5` | | +| injector.strategy | object | `{}` | | +| injector.tolerations | list | `[]` | | +| injector.topologySpreadConstraints | list | `[]` | | +| injector.webhook.annotations | object | `{}` | | +| injector.webhook.failurePolicy | string | `"Ignore"` | | +| injector.webhook.matchPolicy | string | `"Exact"` | | +| injector.webhook.namespaceSelector | object | `{}` | | +| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"vault.name\" . 
}}-agent-injector\n"` | | +| injector.webhook.timeoutSeconds | int | `30` | | +| injector.webhookAnnotations | object | `{}` | | +| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | | +| server.annotations | object | `{}` | | +| server.auditStorage.accessMode | string | `"ReadWriteOnce"` | | +| server.auditStorage.annotations | object | `{}` | | +| server.auditStorage.enabled | bool | `false` | | +| server.auditStorage.labels | object | `{}` | | +| server.auditStorage.mountPath | string | `"/vault/audit"` | | +| server.auditStorage.size | string | `"10Gi"` | | +| server.auditStorage.storageClass | string | `nil` | | +| server.authDelegator.enabled | bool | `true` | | +| server.configAnnotation | bool | `false` | | +| server.dataStorage.accessMode | string | `"ReadWriteOnce"` | | +| server.dataStorage.annotations | object | `{}` | | +| server.dataStorage.enabled | bool | `true` | | +| server.dataStorage.labels | object | `{}` | | +| server.dataStorage.mountPath | string | `"/vault/data"` | | +| server.dataStorage.size | string | `"10Gi"` | | +| server.dataStorage.storageClass | string | `nil` | | +| server.dev.devRootToken | string | `"root"` | | +| server.dev.enabled | bool | `false` | | +| server.enabled | string | `"-"` | | +| server.enterpriseLicense.secretKey | string | `"license"` | | +| server.enterpriseLicense.secretName | string | `""` | | +| server.extraArgs | string | `""` | | +| server.extraContainers | string | `nil` | | +| server.extraEnvironmentVars | object | `{}` | | +| server.extraInitContainers | string | `nil` | | +| server.extraLabels | object | `{}` | | +| server.extraPorts | string | `nil` | | +| server.extraSecretEnvironmentVars | list | `[]` | | +| server.extraVolumes | list | `[]` | | +| 
server.ha.apiAddr | string | `nil` | | +| server.ha.clusterAddr | string | `nil` | | +| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"vault\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | +| server.ha.disruptionBudget.enabled | bool | `true` | | +| server.ha.disruptionBudget.maxUnavailable | string | `nil` | | +| server.ha.enabled | bool | `false` | | +| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/vault/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | | +| server.ha.raft.enabled | bool | `false` | | +| server.ha.raft.setNodeId | bool | `false` | | +| server.ha.replicas | int | `3` | | +| server.hostAliases | list | `[]` | | +| server.hostNetwork | bool | `false` | | +| server.image.pullPolicy | string | `"IfNotPresent"` | | +| server.image.repository | string | `"hashicorp/vault"` | | +| server.image.tag | string | `"1.15.2"` | | +| 
server.ingress.activeService | bool | `true` | | +| server.ingress.annotations | object | `{}` | | +| server.ingress.enabled | bool | `false` | | +| server.ingress.extraPaths | list | `[]` | | +| server.ingress.hosts[0].host | string | `"chart-example.local"` | | +| server.ingress.hosts[0].paths | list | `[]` | | +| server.ingress.ingressClassName | string | `""` | | +| server.ingress.labels | object | `{}` | | +| server.ingress.pathType | string | `"Prefix"` | | +| server.ingress.tls | list | `[]` | | +| server.livenessProbe.enabled | bool | `false` | | +| server.livenessProbe.execCommand | list | `[]` | | +| server.livenessProbe.failureThreshold | int | `2` | | +| server.livenessProbe.initialDelaySeconds | int | `60` | | +| server.livenessProbe.path | string | `"/v1/sys/health?standbyok=true"` | | +| server.livenessProbe.periodSeconds | int | `5` | | +| server.livenessProbe.port | int | `8200` | | +| server.livenessProbe.successThreshold | int | `1` | | +| server.livenessProbe.timeoutSeconds | int | `3` | | +| server.logFormat | string | `""` | | +| server.logLevel | string | `""` | | +| server.networkPolicy.egress | list | `[]` | | +| server.networkPolicy.enabled | bool | `false` | | +| server.networkPolicy.ingress[0].from[0].namespaceSelector | object | `{}` | | +| server.networkPolicy.ingress[0].ports[0].port | int | `8200` | | +| server.networkPolicy.ingress[0].ports[0].protocol | string | `"TCP"` | | +| server.networkPolicy.ingress[0].ports[1].port | int | `8201` | | +| server.networkPolicy.ingress[0].ports[1].protocol | string | `"TCP"` | | +| server.nodeSelector | object | `{}` | | +| server.persistentVolumeClaimRetentionPolicy | object | `{}` | | +| server.postStart | list | `[]` | | +| server.preStopSleepSeconds | int | `5` | | +| server.priorityClassName | string | `""` | | +| server.readinessProbe.enabled | bool | `true` | | +| server.readinessProbe.failureThreshold | int | `2` | | +| server.readinessProbe.initialDelaySeconds | int | `5` | | +| 
server.readinessProbe.periodSeconds | int | `5` | | +| server.readinessProbe.port | int | `8200` | | +| server.readinessProbe.successThreshold | int | `1` | | +| server.readinessProbe.timeoutSeconds | int | `3` | | +| server.resources | object | `{}` | | +| server.route.activeService | bool | `true` | | +| server.route.annotations | object | `{}` | | +| server.route.enabled | bool | `false` | | +| server.route.host | string | `"chart-example.local"` | | +| server.route.labels | object | `{}` | | +| server.route.tls.termination | string | `"passthrough"` | | +| server.service.active.annotations | object | `{}` | | +| server.service.active.enabled | bool | `true` | | +| server.service.annotations | object | `{}` | | +| server.service.enabled | bool | `true` | | +| server.service.externalTrafficPolicy | string | `"Cluster"` | | +| server.service.instanceSelector.enabled | bool | `true` | | +| server.service.ipFamilies | list | `[]` | | +| server.service.ipFamilyPolicy | string | `""` | | +| server.service.port | int | `8200` | | +| server.service.publishNotReadyAddresses | bool | `true` | | +| server.service.standby.annotations | object | `{}` | | +| server.service.standby.enabled | bool | `true` | | +| server.service.targetPort | int | `8200` | | +| server.serviceAccount.annotations | object | `{}` | | +| server.serviceAccount.create | bool | `true` | | +| server.serviceAccount.createSecret | bool | `false` | | +| server.serviceAccount.extraLabels | object | `{}` | | +| server.serviceAccount.name | string | `""` | | +| server.serviceAccount.serviceDiscovery.enabled | bool | `true` | | +| server.shareProcessNamespace | bool | `false` | | +| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = 
\"/vault/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | +| server.standalone.enabled | string | `"-"` | | +| server.statefulSet.annotations | object | `{}` | | +| server.statefulSet.securityContext.container | object | `{}` | | +| server.statefulSet.securityContext.pod | object | `{}` | | +| server.terminationGracePeriodSeconds | int | `10` | | +| server.tolerations | list | `[]` | | +| server.topologySpreadConstraints | list | `[]` | | +| server.updateStrategyType | string | `"OnDelete"` | | +| server.volumeMounts | string | `nil` | | +| server.volumes | string | `nil` | | +| serverTelemetry.prometheusRules.enabled | bool | `false` | | +| serverTelemetry.prometheusRules.rules | list | `[]` | | +| serverTelemetry.prometheusRules.selectors | object | `{}` | | +| serverTelemetry.serviceMonitor.enabled | bool | `false` | | +| serverTelemetry.serviceMonitor.interval | string | `"30s"` | | +| serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` | | +| serverTelemetry.serviceMonitor.selectors | object | `{}` | | +| ui.activeVaultPodOnly | bool | `false` | | +| ui.annotations | object | `{}` | | +| ui.enabled | bool | `false` | | +| ui.externalPort | int | `8200` | | +| ui.externalTrafficPolicy | string | `"Cluster"` | | +| ui.publishNotReadyAddresses | bool | `true` | | +| ui.serviceIPFamilies | list | `[]` | | +| ui.serviceIPFamilyPolicy | string | `""` | | +| ui.serviceNodePort | string | `nil` | | +| ui.serviceType | string | `"ClusterIP"` | | +| ui.targetPort | int | `8200` | | 
+ +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/templates/NOTES.txt b/charts/openbao/templates/NOTES.txt similarity index 100% rename from templates/NOTES.txt rename to charts/openbao/templates/NOTES.txt diff --git a/templates/_helpers.tpl b/charts/openbao/templates/_helpers.tpl similarity index 100% rename from templates/_helpers.tpl rename to charts/openbao/templates/_helpers.tpl diff --git a/templates/csi-agent-configmap.yaml b/charts/openbao/templates/csi-agent-configmap.yaml similarity index 100% rename from templates/csi-agent-configmap.yaml rename to charts/openbao/templates/csi-agent-configmap.yaml diff --git a/templates/csi-clusterrole.yaml b/charts/openbao/templates/csi-clusterrole.yaml similarity index 100% rename from templates/csi-clusterrole.yaml rename to charts/openbao/templates/csi-clusterrole.yaml diff --git a/templates/csi-clusterrolebinding.yaml b/charts/openbao/templates/csi-clusterrolebinding.yaml similarity index 100% rename from templates/csi-clusterrolebinding.yaml rename to charts/openbao/templates/csi-clusterrolebinding.yaml diff --git a/templates/csi-daemonset.yaml b/charts/openbao/templates/csi-daemonset.yaml similarity index 100% rename from templates/csi-daemonset.yaml rename to charts/openbao/templates/csi-daemonset.yaml diff --git a/templates/csi-role.yaml b/charts/openbao/templates/csi-role.yaml similarity index 100% rename from templates/csi-role.yaml rename to charts/openbao/templates/csi-role.yaml diff --git a/templates/csi-rolebinding.yaml b/charts/openbao/templates/csi-rolebinding.yaml similarity index 100% rename from templates/csi-rolebinding.yaml rename to charts/openbao/templates/csi-rolebinding.yaml 
diff --git a/templates/csi-serviceaccount.yaml b/charts/openbao/templates/csi-serviceaccount.yaml similarity index 100% rename from templates/csi-serviceaccount.yaml rename to charts/openbao/templates/csi-serviceaccount.yaml diff --git a/templates/injector-certs-secret.yaml b/charts/openbao/templates/injector-certs-secret.yaml similarity index 100% rename from templates/injector-certs-secret.yaml rename to charts/openbao/templates/injector-certs-secret.yaml diff --git a/templates/injector-clusterrole.yaml b/charts/openbao/templates/injector-clusterrole.yaml similarity index 100% rename from templates/injector-clusterrole.yaml rename to charts/openbao/templates/injector-clusterrole.yaml diff --git a/templates/injector-clusterrolebinding.yaml b/charts/openbao/templates/injector-clusterrolebinding.yaml similarity index 100% rename from templates/injector-clusterrolebinding.yaml rename to charts/openbao/templates/injector-clusterrolebinding.yaml diff --git a/templates/injector-deployment.yaml b/charts/openbao/templates/injector-deployment.yaml similarity index 100% rename from templates/injector-deployment.yaml rename to charts/openbao/templates/injector-deployment.yaml diff --git a/templates/injector-disruptionbudget.yaml b/charts/openbao/templates/injector-disruptionbudget.yaml similarity index 100% rename from templates/injector-disruptionbudget.yaml rename to charts/openbao/templates/injector-disruptionbudget.yaml diff --git a/templates/injector-mutating-webhook.yaml b/charts/openbao/templates/injector-mutating-webhook.yaml similarity index 100% rename from templates/injector-mutating-webhook.yaml rename to charts/openbao/templates/injector-mutating-webhook.yaml diff --git a/templates/injector-network-policy.yaml b/charts/openbao/templates/injector-network-policy.yaml similarity index 100% rename from templates/injector-network-policy.yaml rename to charts/openbao/templates/injector-network-policy.yaml 
diff --git a/templates/injector-psp-role.yaml b/charts/openbao/templates/injector-psp-role.yaml similarity index 100% rename from templates/injector-psp-role.yaml rename to charts/openbao/templates/injector-psp-role.yaml diff --git a/templates/injector-psp-rolebinding.yaml b/charts/openbao/templates/injector-psp-rolebinding.yaml similarity index 100% rename from templates/injector-psp-rolebinding.yaml rename to charts/openbao/templates/injector-psp-rolebinding.yaml diff --git a/templates/injector-psp.yaml b/charts/openbao/templates/injector-psp.yaml similarity index 100% rename from templates/injector-psp.yaml rename to charts/openbao/templates/injector-psp.yaml diff --git a/templates/injector-role.yaml b/charts/openbao/templates/injector-role.yaml similarity index 100% rename from templates/injector-role.yaml rename to charts/openbao/templates/injector-role.yaml diff --git a/templates/injector-rolebinding.yaml b/charts/openbao/templates/injector-rolebinding.yaml similarity index 100% rename from templates/injector-rolebinding.yaml rename to charts/openbao/templates/injector-rolebinding.yaml diff --git a/templates/injector-service.yaml b/charts/openbao/templates/injector-service.yaml similarity index 100% rename from templates/injector-service.yaml rename to charts/openbao/templates/injector-service.yaml diff --git a/templates/injector-serviceaccount.yaml b/charts/openbao/templates/injector-serviceaccount.yaml similarity index 100% rename from templates/injector-serviceaccount.yaml rename to charts/openbao/templates/injector-serviceaccount.yaml diff --git a/templates/prometheus-prometheusrules.yaml b/charts/openbao/templates/prometheus-prometheusrules.yaml similarity index 100% rename from templates/prometheus-prometheusrules.yaml rename to charts/openbao/templates/prometheus-prometheusrules.yaml 
diff --git a/templates/prometheus-servicemonitor.yaml b/charts/openbao/templates/prometheus-servicemonitor.yaml similarity index 100% rename from templates/prometheus-servicemonitor.yaml rename to charts/openbao/templates/prometheus-servicemonitor.yaml diff --git a/templates/server-clusterrolebinding.yaml b/charts/openbao/templates/server-clusterrolebinding.yaml similarity index 100% rename from templates/server-clusterrolebinding.yaml rename to charts/openbao/templates/server-clusterrolebinding.yaml diff --git a/templates/server-config-configmap.yaml b/charts/openbao/templates/server-config-configmap.yaml similarity index 100% rename from templates/server-config-configmap.yaml rename to charts/openbao/templates/server-config-configmap.yaml diff --git a/templates/server-discovery-role.yaml b/charts/openbao/templates/server-discovery-role.yaml similarity index 100% rename from templates/server-discovery-role.yaml rename to charts/openbao/templates/server-discovery-role.yaml diff --git a/templates/server-discovery-rolebinding.yaml b/charts/openbao/templates/server-discovery-rolebinding.yaml similarity index 100% rename from templates/server-discovery-rolebinding.yaml rename to charts/openbao/templates/server-discovery-rolebinding.yaml diff --git a/templates/server-disruptionbudget.yaml b/charts/openbao/templates/server-disruptionbudget.yaml similarity index 100% rename from templates/server-disruptionbudget.yaml rename to charts/openbao/templates/server-disruptionbudget.yaml diff --git a/templates/server-ha-active-service.yaml b/charts/openbao/templates/server-ha-active-service.yaml similarity index 100% rename from templates/server-ha-active-service.yaml rename to charts/openbao/templates/server-ha-active-service.yaml diff --git a/templates/server-ha-standby-service.yaml b/charts/openbao/templates/server-ha-standby-service.yaml similarity index 100% rename from templates/server-ha-standby-service.yaml rename to charts/openbao/templates/server-ha-standby-service.yaml 
diff --git a/templates/server-headless-service.yaml b/charts/openbao/templates/server-headless-service.yaml
similarity index 100%
rename from templates/server-headless-service.yaml
rename to charts/openbao/templates/server-headless-service.yaml
diff --git a/templates/server-ingress.yaml b/charts/openbao/templates/server-ingress.yaml
similarity index 100%
rename from templates/server-ingress.yaml
rename to charts/openbao/templates/server-ingress.yaml
diff --git a/templates/server-network-policy.yaml b/charts/openbao/templates/server-network-policy.yaml
similarity index 100%
rename from templates/server-network-policy.yaml
rename to charts/openbao/templates/server-network-policy.yaml
diff --git a/templates/server-psp-role.yaml b/charts/openbao/templates/server-psp-role.yaml
similarity index 100%
rename from templates/server-psp-role.yaml
rename to charts/openbao/templates/server-psp-role.yaml
diff --git a/templates/server-psp-rolebinding.yaml b/charts/openbao/templates/server-psp-rolebinding.yaml
similarity index 100%
rename from templates/server-psp-rolebinding.yaml
rename to charts/openbao/templates/server-psp-rolebinding.yaml
diff --git a/templates/server-psp.yaml b/charts/openbao/templates/server-psp.yaml
similarity index 100%
rename from templates/server-psp.yaml
rename to charts/openbao/templates/server-psp.yaml
diff --git a/templates/server-route.yaml b/charts/openbao/templates/server-route.yaml
similarity index 100%
rename from templates/server-route.yaml
rename to charts/openbao/templates/server-route.yaml
diff --git a/templates/server-service.yaml b/charts/openbao/templates/server-service.yaml
similarity index 100%
rename from templates/server-service.yaml
rename to charts/openbao/templates/server-service.yaml
diff --git a/templates/server-serviceaccount-secret.yaml b/charts/openbao/templates/server-serviceaccount-secret.yaml
similarity index 100%
rename from templates/server-serviceaccount-secret.yaml
rename to charts/openbao/templates/server-serviceaccount-secret.yaml
diff --git a/templates/server-serviceaccount.yaml b/charts/openbao/templates/server-serviceaccount.yaml
similarity index 100%
rename from templates/server-serviceaccount.yaml
rename to charts/openbao/templates/server-serviceaccount.yaml
diff --git a/templates/server-statefulset.yaml b/charts/openbao/templates/server-statefulset.yaml
similarity index 100%
rename from templates/server-statefulset.yaml
rename to charts/openbao/templates/server-statefulset.yaml
diff --git a/templates/tests/server-test.yaml b/charts/openbao/templates/tests/server-test.yaml
similarity index 100%
rename from templates/tests/server-test.yaml
rename to charts/openbao/templates/tests/server-test.yaml
diff --git a/templates/ui-service.yaml b/charts/openbao/templates/ui-service.yaml
similarity index 100%
rename from templates/ui-service.yaml
rename to charts/openbao/templates/ui-service.yaml
diff --git a/values.openshift.yaml b/charts/openbao/values.openshift.yaml
similarity index 100%
rename from values.openshift.yaml
rename to charts/openbao/values.openshift.yaml
diff --git a/values.schema.json b/charts/openbao/values.schema.json
similarity index 100%
rename from values.schema.json
rename to charts/openbao/values.schema.json
diff --git a/values.yaml b/charts/openbao/values.yaml
similarity index 100%
rename from values.yaml
rename to charts/openbao/values.yaml
From 00ed536f648a9f8232399d809642f9b8697cf78b Mon Sep 17 00:00:00 2001
From: jessebot
Date: Thu, 16 May 2024 12:17:06 +0200
Subject: [PATCH 071/113] add official openbao security email
Signed-off-by: jessebot
---
 README.md | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 30043e2..aedb403 100644
--- a/README.md
+++ b/README.md
@@ -2,16 +2,12 @@ > :warning: **Please note**: We take OpenBao's security and our users' trust very seriously. If you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_ -by contacting us at [](mailto:). +by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org). This repository contains the OpenBao Helm chart for installing and configuring OpenBao on Kubernetes. This chart supports multiple use cases of OpenBao on Kubernetes depending on the values provided. -For full documentation on this Helm chart along with all the ways you can -use Vault with Kubernetes, please see the -[Vault and Kubernetes documentation](https://developer.hashicorp.com/vault/docs/platform/k8s). - ## Prerequisites To use the charts here, [Helm](https://helm.sh/) must be configured for your From 302fdc8a22b9e86289ef23e0d8a7fecced54469e Mon Sep 17 00:00:00 2001 From: JesseBot Date: Thu, 16 May 2024 14:27:32 +0200 Subject: [PATCH 072/113] Update charts/openbao/Chart.yaml - fix chart description OpenBao casing Signed-off-by: JesseBot --- charts/openbao/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml index 163c7b6..a8453d6 100644 --- a/charts/openbao/Chart.yaml +++ b/charts/openbao/Chart.yaml @@ -6,7 +6,7 @@ name: openbao version: 0.1.0 appVersion: v2.0.0-alpha20240329 kubeVersion: ">= 1.27.0-0" -description: Official openbao Chart +description: Official OpenBao Chart home: https://github.com/openbao/openbao-helm icon: https://avatars.githubusercontent.com/u/152585220?s=200&v=4 keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"] From c16fc99e7c7e6fb9feb94ba9d800b922f716e283 Mon Sep 17 00:00:00 2001 From: JesseBot Date: Thu, 16 May 2024 22:57:52 +0200 Subject: [PATCH 073/113] Update charts/openbao/Chart.yaml - update the maintainer to be OpenBao 
Signed-off-by: JesseBot
---
 charts/openbao/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml
index a8453d6..545a203 100644
--- a/charts/openbao/Chart.yaml
+++ b/charts/openbao/Chart.yaml
@@ -16,5 +16,5 @@ annotations:
 charts.openshift.io/name: Openbao
 maintainers:
- - name: jessebot
- url: https://github.com/jessebot
+- name: OpenBao
+ url: https://openbao.org
From ed58ce3e78b5f8f44241d4a683e5f82aab6a635a Mon Sep 17 00:00:00 2001
From: JesseBot
Date: Thu, 16 May 2024 22:59:17 +0200
Subject: [PATCH 074/113] Update charts/openbao/Chart.yaml - use default branding image
Signed-off-by: JesseBot
---
 charts/openbao/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml
index 545a203..e69c4e9 100644
--- a/charts/openbao/Chart.yaml
+++ b/charts/openbao/Chart.yaml
@@ -8,7 +8,7 @@ appVersion: v2.0.0-alpha20240329
 kubeVersion: ">= 1.27.0-0"
 description: Official OpenBao Chart
 home: https://github.com/openbao/openbao-helm
-icon: https://avatars.githubusercontent.com/u/152585220?s=200&v=4
+icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg
 keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
 sources:
 - https://github.com/openbao/openbao-helm
From 915f7c845c57cc418e8885d7dea8bed320d3b370 Mon Sep 17 00:00:00 2001
From: jessebot
Date: Sat, 18 May 2024 13:52:10 +0200
Subject: [PATCH 075/113] update base vault images to point at quay.io/openbao/openbao; add more helm docs
Signed-off-by: jessebot
---
 charts/openbao/Chart.yaml | 2 +-
 charts/openbao/README.md | 109 +++++++++++++++++++-----------------
 charts/openbao/values.yaml | 110 ++++++++++++++++++++---------------
 3 files changed, 126 insertions(+), 95 deletions(-)
diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml
index e69c4e9..3f31515 100644
--- a/charts/openbao/Chart.yaml
+++ b/charts/openbao/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v2 name: openbao -version: 0.1.0 +version: 0.2.0 appVersion: v2.0.0-alpha20240329 kubeVersion: ">= 1.27.0-0" description: Official OpenBao Chart diff --git a/charts/openbao/README.md b/charts/openbao/README.md index 735beee..d85bf0f 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md @@ -1,8 +1,8 @@ # openbao -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: v2.0.0-alpha20240329](https://img.shields.io/badge/AppVersion-v2.0.0--alpha20240329-informational?style=flat-square) +![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![AppVersion: v2.0.0-alpha20240329](https://img.shields.io/badge/AppVersion-v2.0.0--alpha20240329-informational?style=flat-square) -Official openbao Chart +Official OpenBao Chart **Homepage:** @@ -10,7 +10,7 @@ Official openbao Chart | Name | Email | Url | | ---- | ------ | --- | -| jessebot | | | +| OpenBao | | | ## Source Code @@ -26,9 +26,10 @@ Kubernetes: `>= 1.27.0-0` |-----|------|---------|-------------| | csi.agent.enabled | bool | `true` | | | csi.agent.extraArgs | list | `[]` | | -| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | | -| csi.agent.image.repository | string | `"hashicorp/vault"` | | -| csi.agent.image.tag | string | `"1.15.2"` | | +| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" | +| csi.agent.image.registry | string | `"quay.io"` | image registry to use for agent image | +| csi.agent.image.repository | string | `"openbao/openbao"` | image repo to use for agent image | +| csi.agent.image.tag | string | `"2.0.0-alpha20240329"` | image tag to use for agent image | | csi.agent.logFormat | string | `"standard"` | | | csi.agent.logLevel | string | `"info"` | | | csi.agent.resources | object | `{}` | | 
@@ -41,12 +42,13 @@ Kubernetes: `>= 1.27.0-0` | csi.daemonSet.updateStrategy.maxUnavailable | string | `""` | | | csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` | | | csi.debug | bool | `false` | | -| csi.enabled | bool | `false` | | +| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount Vault secrets into volumes similar to the Vault Agent injector, and you can also sync those secrets into Kubernetes secrets. | | csi.extraArgs | list | `[]` | | | csi.hmacSecretName | string | `""` | | -| csi.image.pullPolicy | string | `"IfNotPresent"` | | -| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | | -| csi.image.tag | string | `"1.4.1"` | | +| csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" | +| csi.image.registry | string | `"docker.io"` | image registry to use for csi image | +| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | image repo to use for csi image | +| csi.image.tag | string | `"1.4.1"` | image tag to use for csi image | | csi.livenessProbe.failureThreshold | int | `2` | | | csi.livenessProbe.initialDelaySeconds | int | `5` | | | csi.livenessProbe.periodSeconds | int | `5` | | 
@@ -66,17 +68,17 @@ Kubernetes: `>= 1.27.0-0` | csi.resources | object | `{}` | | | csi.serviceAccount.annotations | object | `{}` | | | csi.serviceAccount.extraLabels | object | `{}` | | -| csi.volumeMounts | string | `nil` | | -| csi.volumes | string | `nil` | | -| global.enabled | bool | `true` | | -| global.externalVaultAddr | string | `""` | | -| global.imagePullSecrets | list | `[]` | | -| global.namespace | string | `""` | | -| global.openshift | bool | `false` | | -| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | | -| global.psp.enable | bool | `false` | | -| global.serverTelemetry.prometheusOperator | bool | `false` | | -| global.tlsDisable | bool | `true` | | +| csi.volumeMounts | string | `nil` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | +| csi.volumes | string | `nil` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | +| global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. | +| global.externalVaultAddr | string | `""` | External vault server address for the injector and CSI provider to use. Setting this will disable deployment of a vault server. | +| global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. 
Alternatively, the value may be specified as an array of strings. | +| global.namespace | string | `""` | The namespace to deploy to. Defaults to the `helm` installation namespace. | +| global.openshift | bool | `false` | If deploying to OpenShift | +| global.psp | object | `{"annotations":"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n","enable":false}` | Create PodSecurityPolicy for pods | +| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. | +| global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. | +| global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport | | injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | | | injector.agentDefaults.cpuLimit | string | `"500m"` | | | injector.agentDefaults.cpuRequest | string | `"250m"` | | 
@@ -85,43 +87,47 @@ Kubernetes: `>= 1.27.0-0` | injector.agentDefaults.template | string | `"map"` | | | injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | | | injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | | -| injector.agentImage.repository | string | `"hashicorp/vault"` | | -| injector.agentImage.tag | string | `"1.15.2"` | | +| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.0-alpha20240329"}` | agentImage sets the repo and tag of the Vault image to use for the Vault Agent containers. This should be set to the official Vault image. Vault 1.3.1+ is required. | +| injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" | +| injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image | +| injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image | +| injector.agentImage.tag | string | `"2.0.0-alpha20240329"` | image tag to use for agent image | | injector.annotations | object | `{}` | | | injector.authPath | string | `"auth/kubernetes"` | | | injector.certs.caBundle | string | `""` | | | injector.certs.certName | string | `"tls.crt"` | | | injector.certs.keyName | string | `"tls.key"` | | | injector.certs.secretName | string | `nil` | | -| injector.enabled | string | `"-"` | | -| injector.externalVaultAddr | string | `""` | | +| injector.enabled | string | `"-"` | True if you want to enable vault agent injection. @default: global.enabled | +| injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. 
| | injector.extraEnvironmentVars | object | `{}` | | | injector.extraLabels | object | `{}` | | | injector.failurePolicy | string | `"Ignore"` | | | injector.hostNetwork | bool | `false` | | -| injector.image.pullPolicy | string | `"IfNotPresent"` | | -| injector.image.repository | string | `"hashicorp/vault-k8s"` | | -| injector.image.tag | string | `"1.3.1"` | | -| injector.leaderElector.enabled | bool | `true` | | -| injector.livenessProbe.failureThreshold | int | `2` | | -| injector.livenessProbe.initialDelaySeconds | int | `5` | | -| injector.livenessProbe.periodSeconds | int | `2` | | -| injector.livenessProbe.successThreshold | int | `1` | | -| injector.livenessProbe.timeoutSeconds | int | `5` | | -| injector.logFormat | string | `"standard"` | | -| injector.logLevel | string | `"info"` | | -| injector.metrics.enabled | bool | `false` | | +| injector.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for k8s image. if tag is "latest", set to "Always" | +| injector.image.registry | string | `"docker.io"` | image registry to use for k8s image | +| injector.image.repository | string | `"hashicorp/vault-k8s"` | image repo to use for k8s image | +| injector.image.tag | string | `"1.3.1"` | image tag to use for k8s image | +| injector.leaderElector | object | `{"enabled":true}` | If multiple replicas are specified, by default a leader will be determined so that only one injector attempts to create TLS certificates. 
| +| injector.livenessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up | +| injector.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates | +| injector.livenessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe | +| injector.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed | +| injector.livenessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. | +| injector.logFormat | string | `"standard"` | Configures the log format of the injector. Supported log formats: "standard", "json". | +| injector.logLevel | string | `"info"` | Configures the log verbosity of the injector. Supported log levels include: trace, debug, info, warn, error | +| injector.metrics | object | `{"enabled":false}` | If true, will enable a node exporter metrics endpoint at /metrics. 
| | injector.namespaceSelector | object | `{}` | | | injector.nodeSelector | object | `{}` | | | injector.objectSelector | object | `{}` | | | injector.podDisruptionBudget | object | `{}` | | -| injector.port | int | `8080` | | +| injector.port | int | `8080` | Configures the port the injector should listen on | | injector.priorityClassName | string | `""` | | -| injector.readinessProbe.failureThreshold | int | `2` | | -| injector.readinessProbe.initialDelaySeconds | int | `5` | | -| injector.readinessProbe.periodSeconds | int | `2` | | -| injector.readinessProbe.successThreshold | int | `1` | | -| injector.readinessProbe.timeoutSeconds | int | `5` | | +| injector.readinessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up | +| injector.readinessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates | +| injector.readinessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe | +| injector.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed | +| injector.readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. | | injector.replicas | int | `1` | | | injector.resources | object | `{}` | | | injector.revokeOnShutdown | bool | `false` | | 
@@ -129,11 +135,11 @@ Kubernetes: `>= 1.27.0-0` | injector.securityContext.pod | object | `{}` | | | injector.service.annotations | object | `{}` | | | injector.serviceAccount.annotations | object | `{}` | | -| injector.startupProbe.failureThreshold | int | `12` | | -| injector.startupProbe.initialDelaySeconds | int | `5` | | -| injector.startupProbe.periodSeconds | int | `5` | | -| injector.startupProbe.successThreshold | int | `1` | | -| injector.startupProbe.timeoutSeconds | int | `5` | | +| injector.startupProbe.failureThreshold | int | `12` | When a probe fails, Kubernetes will try failureThreshold times before giving up | +| injector.startupProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates | +| injector.startupProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe | +| injector.startupProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed | +| injector.startupProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. | | injector.strategy | object | `{}` | | | injector.tolerations | list | `[]` | | | injector.topologySpreadConstraints | list | `[]` | | 
@@ -187,9 +193,10 @@ Kubernetes: `>= 1.27.0-0` | server.ha.replicas | int | `3` | | | server.hostAliases | list | `[]` | | | server.hostNetwork | bool | `false` | | -| server.image.pullPolicy | string | `"IfNotPresent"` | | -| server.image.repository | string | `"hashicorp/vault"` | | -| server.image.tag | string | `"1.15.2"` | | +| server.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for server image. if tag is "latest", set to "Always" | +| server.image.registry | string | `"quay.io"` | image registry to use for server image | +| server.image.repository | string | `"openbao/openbao"` | image repo to use for server image | +| server.image.tag | string | `"2.0.0-alpha20240329"` | image tag to use for server image | | server.ingress.activeService | bool | `true` | | | server.ingress.annotations | object | `{}` | | | server.ingress.enabled | bool | `false` | | diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index a57b9de..45d52a5 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml 
@@ -4,33 +4,33 @@ # Available parameters and their default values for the Vault chart. global: - # enabled is the master enabled switch. Setting this to true or false + # -- enabled is the master enabled switch. Setting this to true or false # will enable or disable all the components within this chart by default. enabled: true - # The namespace to deploy to. Defaults to the `helm` installation namespace. + # -- The namespace to deploy to. Defaults to the `helm` installation namespace. namespace: "" - # Image pull secret to use for registry authentication. + # -- Image pull secret to use for registry authentication. # Alternatively, the value may be specified as an array of strings. imagePullSecrets: [] # imagePullSecrets: # - name: image-pull-secret - # TLS for end-to-end encrypted transport + # -- TLS for end-to-end encrypted transport tlsDisable: true - # External vault server address for the injector and CSI provider to use. + # -- External vault server address for the injector and CSI provider to use. # Setting this will disable deployment of a vault server. externalVaultAddr: "" - # If deploying to OpenShift + # -- If deploying to OpenShift openshift: false - # Create PodSecurityPolicy for pods + # -- Create PodSecurityPolicy for pods psp: enable: false - # Annotation for PodSecurityPolicy. + # -- Annotation for PodSecurityPolicy. # This is a multi-line templated string map, and can also be set as YAML. annotations: | seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default 
@@ -39,44 +39,54 @@ global: apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default serverTelemetry: - # Enable integration with the Prometheus Operator + # -- Enable integration with the Prometheus Operator # See the top level serverTelemetry section below before enabling this feature. prometheusOperator: false injector: - # True if you want to enable vault agent injection. - # @default: global.enabled + # -- True if you want to enable vault agent injection. @default: global.enabled enabled: "-" replicas: 1 - # Configures the port the injector should listen on + # -- Configures the port the injector should listen on port: 8080 - # If multiple replicas are specified, by default a leader will be determined + # -- If multiple replicas are specified, by default a leader will be determined # so that only one injector attempts to create TLS certificates. leaderElector: enabled: true - # If true, will enable a node exporter metrics endpoint at /metrics. + # -- If true, will enable a node exporter metrics endpoint at /metrics. metrics: enabled: false - # Deprecated: Please use global.externalVaultAddr instead. + # -- Deprecated: Please use global.externalVaultAddr instead. externalVaultAddr: "" # image sets the repo and tag of the vault-k8s image to use for the injector. image: + # -- image registry to use for k8s image + registry: "docker.io" + # -- image repo to use for k8s image repository: "hashicorp/vault-k8s" + # -- image tag to use for k8s image tag: "1.3.1" + # -- image pull policy to use for k8s image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent - # agentImage sets the repo and tag of the Vault image to use for the Vault Agent + # -- agentImage sets the repo and tag of the Vault image to use for the Vault Agent # containers. This should be set to the official Vault image. Vault 1.3.1+ is # required. 
agentImage: - repository: "hashicorp/vault" - tag: "1.15.2" + # -- image registry to use for agent image + registry: "quay.io" + # -- image repo to use for agent image + repository: "openbao/openbao" + # -- image tag to use for agent image + tag: "2.0.0-alpha20240329" + # -- image pull policy to use for agent image. if tag is "latest", set to "Always" + pullPolicy: IfNotPresent # The default values for the injected Vault Agent containers. agentDefaults: 
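Review bot: The retained `agentImage` comment at the end of this hunk still says the image `should be set to the official Vault image. Vault 1.3.1+ is required.`, while the defaults added directly under it now point at `quay.io/openbao/openbao:2.0.0-alpha20240329`, so the guidance contradicts the value it documents. The README table in this same commit repeats that sentence verbatim in its `injector.agentImage` row, so the stale wording is published twice. Suggest `# -- agentImage sets the registry, repo and tag of the OpenBao image used for the injected agent containers; this should be an official OpenBao image.` and either restate the minimum required version in OpenBao terms or drop it rather than leave a Vault version floor next to an OpenBao default. The `injector:` mapping continues past the end of this hunk.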
@@ -100,49 +110,49 @@ injector: # Used to define custom livenessProbe settings livenessProbe: - # When a probe fails, Kubernetes will try failureThreshold times before giving up + # -- When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 - # Number of seconds after the container has started before probe initiates + # -- Number of seconds after the container has started before probe initiates initialDelaySeconds: 5 - # How often (in seconds) to perform the probe + # -- How often (in seconds) to perform the probe periodSeconds: 2 - # Minimum consecutive successes for the probe to be considered successful after having failed + # -- Minimum consecutive successes for the probe to be considered successful after having failed successThreshold: 1 - # Number of seconds after which the probe times out. + # -- Number of seconds after which the probe times out. timeoutSeconds: 5 # Used to define custom readinessProbe settings readinessProbe: - # When a probe fails, Kubernetes will try failureThreshold times before giving up + # -- When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 - # Number of seconds after the container has started before probe initiates + # -- Number of seconds after the container has started before probe initiates initialDelaySeconds: 5 - # How often (in seconds) to perform the probe + # -- How often (in seconds) to perform the probe periodSeconds: 2 - # Minimum consecutive successes for the probe to be considered successful after having failed + # -- Minimum consecutive successes for the probe to be considered successful after having failed successThreshold: 1 - # Number of seconds after which the probe times out. + # -- Number of seconds after which the probe times out. 
timeoutSeconds: 5 # Used to define custom startupProbe settings startupProbe: - # When a probe fails, Kubernetes will try failureThreshold times before giving up + # -- When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 12 - # Number of seconds after the container has started before probe initiates + # -- Number of seconds after the container has started before probe initiates initialDelaySeconds: 5 - # How often (in seconds) to perform the probe + # -- How often (in seconds) to perform the probe periodSeconds: 5 - # Minimum consecutive successes for the probe to be considered successful after having failed + # -- Minimum consecutive successes for the probe to be considered successful after having failed successThreshold: 1 - # Number of seconds after which the probe times out. + # -- Number of seconds after which the probe times out. timeoutSeconds: 5 # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" - # Configures the log verbosity of the injector. + # -- Configures the log verbosity of the injector. # Supported log levels include: trace, debug, info, warn, error logLevel: "info" - # Configures the log format of the injector. Supported log formats: "standard", "json". + # -- Configures the log format of the injector. Supported log formats: "standard", "json". logFormat: "standard" # Configures all Vault Agent sidecars to revoke their token when shutting down 
@@ -376,9 +386,13 @@ server: # By default no direct resource request is made. image: - repository: "hashicorp/vault" - tag: "1.15.2" - # Overrides the default Image Pull Policy + # -- image registry to use for server image + registry: "quay.io" + # -- image repo to use for server image + repository: "openbao/openbao" + # -- image tag to use for server image + tag: "2.0.0-alpha20240329" + # -- image pull policy to use for server image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent # Configure the Update Strategy Type for the StatefulSet @@ -1075,7 +1089,7 @@ ui: # secrets-store-csi-driver-provider-vault csi: - # True if you want to install a secrets-store-csi-driver-provider-vault daemonset. + # -- True if you want to install a secrets-store-csi-driver-provider-vault daemonset. # # Requires installing the secrets-store-csi-driver separately, see: # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver @@ -1086,11 +1100,16 @@ csi: enabled: false image: + # -- image registry to use for csi image + registry: "docker.io" + # -- image repo to use for csi image repository: "hashicorp/vault-csi-provider" + # -- image tag to use for csi image tag: "1.4.1" + # -- image pull policy to use for csi image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent - # volumes is a list of volumes made available to all containers. These are rendered + # -- volumes is a list of volumes made available to all containers. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. # The purpose is to make it easy to share volumes between containers. volumes: null 
@@ -1098,7 +1117,7 @@ csi:
 # secret:
 # secretName: vault-tls
- # volumeMounts is a list of volumeMounts for the main server container. These are rendered
+ # -- volumeMounts is a list of volumeMounts for the main server container. These are rendered
 # via toYaml rather than pre-processed like the extraVolumes value.
 # The purpose is to make it easy to share volumes between containers.
 volumeMounts: null
@@ -1171,8 +1190,13 @@ csi:
 extraArgs: []
 image:
- repository: "hashicorp/vault"
- tag: "1.15.2"
+ # -- image registry to use for agent image
+ registry: "quay.io"
+ # -- image repo to use for agent image
+ repository: "openbao/openbao"
+ # -- image tag to use for agent image
+ tag: "2.0.0-alpha20240329"
+ # -- image pull policy to use for agent image. if tag is "latest", set to "Always"
+ pullPolicy: IfNotPresent
 logFormat: standard
From cbf6f461e2a8838d4a80b4366d3ea83d83f29d5a Mon Sep 17 00:00:00 2001
From: jessebot
Date: Sat, 18 May 2024 14:00:47 +0200
Subject: [PATCH 076/113] actually template out the image.registry for each image map reference
Signed-off-by: jessebot
---
 charts/openbao/templates/csi-daemonset.yaml | 2 +-
 charts/openbao/templates/injector-deployment.yaml | 2 +-
 charts/openbao/templates/server-statefulset.yaml | 2 +-
 charts/openbao/templates/tests/server-test.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/openbao/templates/csi-daemonset.yaml b/charts/openbao/templates/csi-daemonset.yaml
index 1436ff9..c144af5 100644
--- a/charts/openbao/templates/csi-daemonset.yaml
+++ b/charts/openbao/templates/csi-daemonset.yaml
@@ -51,7 +51,7 @@ spec: - name: {{ include "vault.name" . }}-csi-provider {{ template "csi.resources" . }} {{ template "csi.daemonSet.securityContext.container" . }} - image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" + image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" imagePullPolicy: {{ .Values.csi.image.pullPolicy }} args: - --endpoint=/provider/vault.sock diff --git a/charts/openbao/templates/injector-deployment.yaml b/charts/openbao/templates/injector-deployment.yaml index 822e8e4..242dca6 100644 --- a/charts/openbao/templates/injector-deployment.yaml +++ b/charts/openbao/templates/injector-deployment.yaml @@ -50,7 +50,7 @@ spec: containers: - name: sidecar-injector {{ template "injector.resources" . }} - image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" + image: "{{ .Values.injector.image.registry | default "docker.io" }}/{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" {{- template "injector.securityContext.container" . }} env: diff --git a/charts/openbao/templates/server-statefulset.yaml b/charts/openbao/templates/server-statefulset.yaml index 0d8e604..94d5bab 100644 --- a/charts/openbao/templates/server-statefulset.yaml +++ b/charts/openbao/templates/server-statefulset.yaml @@ -75,7 +75,7 @@ spec: containers: - name: vault {{ template "vault.resources" . }} - image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} imagePullPolicy: {{ .Values.server.image.pullPolicy }} command: - "/bin/sh" diff --git a/charts/openbao/templates/tests/server-test.yaml b/charts/openbao/templates/tests/server-test.yaml index 20e2e5a..325ac8e 100644 
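Review bot: In the server-statefulset hunk the image line still falls back to `| default "latest"`, so an unset `server.image.tag` silently deploys a mutable `latest` tag of the secrets server and, with the `IfNotPresent` pull policy on the next line, whatever stale copy a node has cached. Since values.yaml now ships an explicit tag the fallback gains nothing; failing fast is the safer choice: `image: "{{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ required "server.image.tag must be set" .Values.server.image.tag }}"`. The same `default "latest"` appears in the tests/server-test.yaml hunk that follows. Minor: this is the only one of the four image lines left unquoted; quoting it like the csi and injector lines keeps the rendered YAML uniform.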
--- a/charts/openbao/templates/tests/server-test.yaml +++ b/charts/openbao/templates/tests/server-test.yaml @@ -17,7 +17,7 @@ spec: {{- include "imagePullSecrets" . | nindent 2 }} containers: - name: {{ .Release.Name }}-server-test - image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} imagePullPolicy: {{ .Values.server.image.pullPolicy }} env: - name: VAULT_ADDR From cb464ff6501c7c7448ee2cf53843e3d96d90bc65 Mon Sep 17 00:00:00 2001 From: jessebot Date: Sat, 18 May 2024 14:05:54 +0200 Subject: [PATCH 077/113] fix linter issues with values.yaml to please chart tesitng linter ref: https://github.com/openbao/openbao-helm/actions/runs/9139677624/job/25132235295?pr=8 Signed-off-by: jessebot --- charts/openbao/values.yaml | 60 +++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 45d52a5..f9c67ca 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml @@ -723,7 +723,7 @@ server: # Configures the service type for the main Vault service. Can be ClusterIP # or NodePort. - #type: ClusterIP + # type: ClusterIP # The IP family and IP families options are to set the behaviour in a dual-stack environment. # Omitting these values will let the service fall back to whatever the CNI dictates the defaults @@ -753,12 +753,12 @@ server: # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. - #nodePort: 30000 + # nodePort: 30000 # When HA mode is enabled # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. - #activeNodePort: 30001 + # activeNodePort: 30001 # When HA mode is enabled # If type is set to "NodePort", a specific nodePort value can be configured, 
@@ -1076,7 +1076,7 @@ ui: # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy externalTrafficPolicy: Cluster - #loadBalancerSourceRanges: + # loadBalancerSourceRanges: # - 10.0.0.0/16 # - 1.78.23.3/32 
@@ -1309,32 +1309,32 @@ serverTelemetry: scrapeTimeout: 10s prometheusRules: - # The Prometheus operator *must* be installed before enabling this feature, - # if not the chart will fail to install due to missing CustomResourceDefinitions - # provided by the operator. + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. - # Deploy the PrometheusRule custom resource for AlertManager based alerts. - # Requires that AlertManager is properly deployed. - enabled: false + # Deploy the PrometheusRule custom resource for AlertManager based alerts. + # Requires that AlertManager is properly deployed. + enabled: false - # Selector labels to add to the PrometheusRules. - # When empty, defaults to: - # release: prometheus - selectors: {} + # Selector labels to add to the PrometheusRules. + # When empty, defaults to: + # release: prometheus + selectors: {} - # Some example rules. - rules: [] - # - alert: vault-HighResponseTime - # annotations: - # message: The response time of Vault is over 500ms on average over the last 5 minutes. - # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 - # for: 5m - # labels: - # severity: warning - # - alert: vault-HighResponseTime - # annotations: - # message: The response time of Vault is over 1s on average over the last 5 minutes. - # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 - # for: 5m - # labels: - # severity: critical + # Some example rules. + rules: [] + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 500ms on average over the last 5 minutes. 
+ # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 + # for: 5m + # labels: + # severity: warning + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 1s on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 + # for: 5m + # labels: + # severity: critical From 7ad371f159140ec998f15c045fba6309a26aaf44 Mon Sep 17 00:00:00 2001 From: jessebot Date: Sat, 18 May 2024 14:07:19 +0200 Subject: [PATCH 078/113] fix missing space in comment Signed-off-by: jessebot --- charts/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index f9c67ca..2d8ec8f 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml @@ -763,7 +763,7 @@ server: # When HA mode is enabled # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. - #standbyNodePort: 30002 + # standbyNodePort: 30002 # Port on which Vault server is listening port: 8200 From be6fa5a195a6c92625112efc48cef1556d2112f5 Mon Sep 17 00:00:00 2001 From: Nathan Phelps Date: Fri, 17 May 2024 10:00:44 -0400 Subject: [PATCH 079/113] Issue 6: Changed some of the Hashicorp Vault refences in the docs to OpenBao. Signed-off-by: Nathan Phelps --- .github/ISSUE_TEMPLATE/bug_report.md | 2 +- CODEOWNERS | 1 - CONTRIBUTING.md | 29 ++++++++++++++-------------- README.md | 2 +- charts/openbao/README.md | 8 +++----- charts/openbao/templates/NOTES.txt | 6 +++--- test/README.md | 8 +++----- 7 files changed, 26 insertions(+), 30 deletions(-) delete mode 100644 CODEOWNERS diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index cb69c51..c45b6a4 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md 
@@ -11,7 +11,7 @@ assignees: '' For questions, the best place to get answers is on our [discussion forum](https://discuss.hashicorp.com/c/vault), as they will get more visibility from experienced users than the issue tracker. -Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault Helm, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). +Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_ by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org). --> diff --git a/CODEOWNERS b/CODEOWNERS deleted file mode 100644 index a765f7e..0000000 --- a/CODEOWNERS +++ /dev/null @@ -1 +0,0 @@ -* @hashicorp/vault-ecosystem diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ad31ac9..44aa9e6 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,8 +1,8 @@ -# Contributing to Vault Helm +# Contributing to OpenBao Helm -**Please note:** We take Vault's security and our users' trust very seriously. -If you believe you have found a security issue in Vault, please responsibly -disclose by contacting us at security@hashicorp.com. +**Please note:** We take OpenBao's security and our users' trust very seriously. +If you believe you have found a security issue in OpenBao, please responsibly +disclose by contacting us at openbao-security@lists.lfedge.org. **First:** if you're unsure or afraid of _anything_, just ask or submit the issue or pull request anyways. You won't be yelled at for giving it your best 
@@ -12,14 +12,15 @@ rules to get in the way of that. That said, if you want to ensure that a pull request is likely to be merged, talk to us! You can find out our thoughts and ensure that your contribution -won't clash or be obviated by Vault's normal direction. A great way to do this -is via the [Vault Discussion Forum][1]. +won't clash or be obviated by OpenBao's normal direction. A great way to do this +is via the [Linux Foundation Element chat server][1], or [mailing list][2]. This document will cover what we're looking for in terms of reporting issues. By addressing all the points we're looking for, it raises the chances we can quickly merge or address your contributions. -[1]: https://discuss.hashicorp.com/c/vault +[1]: https://chat.lfx.linuxfoundation.org +[2]: https://lists.lfedge.org/g/openbao ## Issues @@ -33,14 +34,14 @@ quickly merge or address your contributions. * Provide steps to reproduce the issue, and if possible include the expected results as well as the actual results. Please provide text, not screen shots! -* Respond as promptly as possible to any questions made by the Vault +* Respond as promptly as possible to any questions made by the OpenBao team to your issue. Stale issues will be closed periodically. ### Issue Lifecycle 1. The issue is reported. -2. The issue is verified and categorized by a Vault Helm collaborator. +2. The issue is verified and categorized by a OpenBao Helm collaborator. Categorization is done via tags. For example, bugs are marked as "bugs". 3. Unless it is critical, the issue may be left for a period of time (sometimes 
@@ -70,25 +71,25 @@ The following are the instructions for running bats tests using a Docker contain #### Prerequisites * Docker installed -* `vault-helm` checked out locally +* `openbao-helm` checked out locally #### Test -**Note:** the following commands should be run from the `vault-helm` directory. +**Note:** the following commands should be run from the `openbao-helm` directory. First, build the Docker image for running the tests: ```shell -docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test +docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t openbao-helm-test ``` Next, execute the tests with the following commands: ```shell -docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit +docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit ``` It's possible to only run specific bats tests using regular expressions. For example, the following will run only tests with "injector" in the name: ```shell -docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector" +docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector" ``` ### Test Manually diff --git a/README.md b/README.md index aedb403..69c3aa8 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ The versions required are: ## Usage -To install the latest version of this chart, add the Hashicorp helm repository and run `helm install`: +To install the latest version of this chart, add the OpenBao helm repository and run `helm install`: ```console helm repo add openbao https://openbao.github.io/openbao-helm diff --git a/charts/openbao/README.md b/charts/openbao/README.md index d85bf0f..645ad0c 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md 
@@ -8,9 +8,9 @@ Official OpenBao Chart ## Maintainers -| Name | Email | Url | -| ---- | ------ | --- | -| OpenBao | | | +| Name | Email | Url | +|---------|------------------------------------|-----------------------| +| OpenBao | https://lists.lfedge.org/g/openbao | | ## Source Code @@ -171,8 +171,6 @@ Kubernetes: `>= 1.27.0-0` | server.dev.devRootToken | string | `"root"` | | | server.dev.enabled | bool | `false` | | | server.enabled | string | `"-"` | | -| server.enterpriseLicense.secretKey | string | `"license"` | | -| server.enterpriseLicense.secretName | string | `""` | | | server.extraArgs | string | `""` | | | server.extraContainers | string | `nil` | | | server.extraEnvironmentVars | object | `{}` | | diff --git a/charts/openbao/templates/NOTES.txt b/charts/openbao/templates/NOTES.txt index 60d99a4..89985f4 100644 --- a/charts/openbao/templates/NOTES.txt +++ b/charts/openbao/templates/NOTES.txt @@ -1,10 +1,10 @@ -Thank you for installing HashiCorp Vault! +Thank you for installing OpenBao! -Now that you have deployed Vault, you should look over the docs on using +Now that you have deployed OpenBao, you should look over the docs on using Vault with Kubernetes available here: -https://developer.hashicorp.com/vault/docs +https://openbao.org/docs/ Your release is named {{ .Release.Name }}. To learn more about the release, try: diff --git a/test/README.md b/test/README.md index 951a061..066914d 100644 --- a/test/README.md +++ b/test/README.md 
@@ -1,11 +1,9 @@ -# Vault Helm Tests +# OpenBao Helm Tests -## Running Vault Helm Acceptance tests +## Running OpenBao Helm Acceptance tests The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster. -Note that for the Vault Enterprise tests to pass, a `VAULT_LICENSE_CI` environment variable needs to be set to the contents of a valid Vault Enterprise license. - ### Running in a GKE cluster * Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project. @@ -49,7 +47,7 @@ editing will be required, since several properties accept multiple data types. ## Helm test -Vault Helm also contains a simple helm test under +OpenBao Helm also contains a simple helm test under [templates/tests/](../templates/tests/) that may be run against a helm release: helm test From e5973aeff350cc438768ff39f88390309211ea98 Mon Sep 17 00:00:00 2001 From: Nathan Phelps Date: Mon, 20 May 2024 17:26:03 -0400 Subject: [PATCH 080/113] Issue 6: Removed Enterprise licensing references out of the chart's value configuration. Signed-off-by: Nathan Phelps --- charts/openbao/values.yaml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 2d8ec8f..48a2157 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml 
@@ -369,18 +369,6 @@ server: # See vault.mode in _helpers.tpl for implementation details. enabled: "-" - # [Enterprise Only] This value refers to a Kubernetes secret that you have - # created that contains your enterprise license. If you are not using an - # enterprise image or if you plan to introduce the license key via another - # route, then leave secretName blank ("") or set it to null. - # Requires Vault Enterprise 1.8 or later. - enterpriseLicense: - # The name of the Kubernetes secret that holds the enterprise license. The - # secret must be in the same namespace that Vault is installed into. - secretName: "" - # The key within the Kubernetes secret that holds the enterprise license. - secretKey: "license" - # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. # By default no direct resource request is made. From c4b831e7342b0f863ce558578e03240fc4c42852 Mon Sep 17 00:00:00 2001 From: Nathan Phelps Date: Mon, 20 May 2024 17:31:37 -0400 Subject: [PATCH 081/113] Issue 6: Updated the chart version to 0.3.0. Signed-off-by: Nathan Phelps --- charts/openbao/Chart.yaml | 2 +- charts/openbao/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml index 3f31515..6f34713 100644 --- a/charts/openbao/Chart.yaml +++ b/charts/openbao/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v2 name: openbao -version: 0.2.0 +version: 0.3.0 appVersion: v2.0.0-alpha20240329 kubeVersion: ">= 1.27.0-0" description: Official OpenBao Chart diff --git a/charts/openbao/README.md b/charts/openbao/README.md index 645ad0c..9769a3e 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md 
@@ -1,6 +1,6 @@ # openbao -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![AppVersion: v2.0.0-alpha20240329](https://img.shields.io/badge/AppVersion-v2.0.0--alpha20240329-informational?style=flat-square) +![Version: 0.3.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![AppVersion: v2.0.0-alpha20240329](https://img.shields.io/badge/AppVersion-v2.0.0--alpha20240329-informational?style=flat-square) Official OpenBao Chart From 675c249026821ddb45306a34e4df1352858e8fb9 Mon Sep 17 00:00:00 2001 From: Nathan Phelps Date: Mon, 20 May 2024 17:37:03 -0400 Subject: [PATCH 082/113] Issue 6: Removing Enterprise references from chart template helper. Signed-off-by: Nathan Phelps --- charts/openbao/templates/_helpers.tpl | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/charts/openbao/templates/_helpers.tpl b/charts/openbao/templates/_helpers.tpl index 7a22d04..e1bc286 100644 --- a/charts/openbao/templates/_helpers.tpl +++ b/charts/openbao/templates/_helpers.tpl @@ -201,12 +201,6 @@ extra volumes the user may have specified (such as a secret with TLS). {{- if .Values.server.volumes }} {{- toYaml .Values.server.volumes | nindent 8}} {{- end }} - {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} - - name: vault-license - secret: - secretName: {{ .Values.server.enterpriseLicense.secretName }} - defaultMode: 0440 - {{- end }} {{- end -}} {{/* @@ -270,11 +264,6 @@ based on the mode configured. {{- if .Values.server.volumeMounts }} {{- toYaml .Values.server.volumeMounts | nindent 12}} {{- end }} - {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} - - name: vault-license - mountPath: /vault/license - readOnly: true - {{- end }} {{- end -}} {{/* From b59b6e55bb124e6486f861feeb15c2428096634b Mon Sep 17 00:00:00 2001 
From: Nathan Phelps Date: Mon, 20 May 2024 17:39:52 -0400 Subject: [PATCH 083/113] Issue 6: Removed Enterprise reference from chart's server-statefulset template. Signed-off-by: Nathan Phelps --- charts/openbao/templates/server-statefulset.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/charts/openbao/templates/server-statefulset.yaml b/charts/openbao/templates/server-statefulset.yaml index 94d5bab..997d3f1 100644 --- a/charts/openbao/templates/server-statefulset.yaml +++ b/charts/openbao/templates/server-statefulset.yaml @@ -137,10 +137,6 @@ spec: - name: VAULT_LOG_FORMAT value: "{{ .Values.server.logFormat }}" {{- end }} - {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} - - name: VAULT_LICENSE_PATH - value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }} - {{- end }} {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} From 2c9d04005908a45eea48fe5422ae48c44e72b72c Mon Sep 17 00:00:00 2001 From: jessebot Date: Tue, 21 May 2024 08:19:45 +0200 Subject: [PATCH 084/113] update the openbao helm chart test that runs after install to no longer use the vault command Signed-off-by: jessebot --- charts/openbao/Chart.yaml | 2 +- charts/openbao/README.md | 8 ++++---- charts/openbao/templates/tests/server-test.yaml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml index 6f34713..72ed3c7 100644 --- a/charts/openbao/Chart.yaml +++ b/charts/openbao/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v2 name: openbao -version: 0.3.0 +version: 0.4.0 appVersion: v2.0.0-alpha20240329 kubeVersion: ">= 1.27.0-0" description: Official OpenBao Chart diff --git a/charts/openbao/README.md b/charts/openbao/README.md index 9769a3e..bd3fda0 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md 
@@ -1,6 +1,6 @@ # openbao -![Version: 0.3.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![AppVersion: v2.0.0-alpha20240329](https://img.shields.io/badge/AppVersion-v2.0.0--alpha20240329-informational?style=flat-square) +![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: v2.0.0-alpha20240329](https://img.shields.io/badge/AppVersion-v2.0.0--alpha20240329-informational?style=flat-square) Official OpenBao Chart @@ -8,9 +8,9 @@ Official OpenBao Chart ## Maintainers -| Name | Email | Url | -|---------|------------------------------------|-----------------------| -| OpenBao | https://lists.lfedge.org/g/openbao | | +| Name | Email | Url | +| ---- | ------ | --- | +| OpenBao | | | ## Source Code diff --git a/charts/openbao/templates/tests/server-test.yaml b/charts/openbao/templates/tests/server-test.yaml index 325ac8e..f5ef064 100644 --- a/charts/openbao/templates/tests/server-test.yaml +++ b/charts/openbao/templates/tests/server-test.yaml @@ -27,18 +27,18 @@ spec: - /bin/sh - -c - | - echo "Checking for sealed info in 'vault status' output" + echo "Checking for sealed info in 'openbao status' output" ATTEMPTS=10 n=0 until [ "$n" -ge $ATTEMPTS ] do echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break + openbao status -format yaml | grep -E '^sealed: (true|false)' && break n=$((n+1)) sleep 5 done if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" + echo "timed out looking for sealed info in 'openbao status' output" exit 1 fi From 754c4ee94d555553e128fbef718f196be6be1bfa Mon Sep 17 00:00:00 2001 From: jessebot Date: Tue, 21 May 2024 08:27:40 +0200 Subject: [PATCH 085/113] the command is bao not openbao :facepalm: Signed-off-by: jessebot --- charts/openbao/templates/tests/server-test.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/charts/openbao/templates/tests/server-test.yaml b/charts/openbao/templates/tests/server-test.yaml index f5ef064..0282262 100644 --- a/charts/openbao/templates/tests/server-test.yaml +++ b/charts/openbao/templates/tests/server-test.yaml @@ -27,18 +27,18 @@ spec: - /bin/sh - -c - | - echo "Checking for sealed info in 'openbao status' output" + echo "Checking for sealed info in 'bao status' output" ATTEMPTS=10 n=0 until [ "$n" -ge $ATTEMPTS ] do echo "Attempt" $n... - openbao status -format yaml | grep -E '^sealed: (true|false)' && break + bao status -format yaml | grep -E '^sealed: (true|false)' && break n=$((n+1)) sleep 5 done if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'openbao status' output" + echo "timed out looking for sealed info in 'bao status' output" exit 1 fi From d6a7dce06ca34fe86252079f56cae143872563dd Mon Sep 17 00:00:00 2001 From: jessebot Date: Tue, 21 May 2024 09:00:14 +0200 Subject: [PATCH 086/113] we now use /openbao/config instead of /vault/config ref: https://github.com/openbao/openbao/blob/8283776683fe3d1e956d4ad968b790db833229bc/Dockerfile#L45 also change types from null to [] to be more explicit and regenerate docs Signed-off-by: jessebot --- charts/openbao/README.md | 8 ++++---- charts/openbao/templates/_helpers.tpl | 6 +++--- charts/openbao/values.yaml | 12 ++++++------ 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/charts/openbao/README.md b/charts/openbao/README.md index bd3fda0..35a4ea1 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md 
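Review bot: The probe now runs `bao status`, but the container env just above this hunk (outside it) only defines `VAULT_ADDR`; whether the `bao` CLI accepts `VAULT_ADDR` as a fallback for `BAO_ADDR` cannot be confirmed from this diff, and if it does not, every attempt targets the CLI's built-in default address rather than the release's service and the test times out after ten tries. Adding `- name: BAO_ADDR` with the same value next to `VAULT_ADDR` in the env list makes the test independent of that behaviour. A short comment above the loop, such as `# only the grep match counts; the exit status of bao status itself is ignored by the pipeline`, would also make the deliberate reliance on grep's status explicit.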
@@ -171,12 +171,12 @@ Kubernetes: `>= 1.27.0-0` | server.dev.devRootToken | string | `"root"` | | | server.dev.enabled | bool | `false` | | | server.enabled | string | `"-"` | | -| server.extraArgs | string | `""` | | +| server.extraArgs | string | `""` | extraArgs is a string containing additional Vault server arguments. | | server.extraContainers | string | `nil` | | | server.extraEnvironmentVars | object | `{}` | | -| server.extraInitContainers | string | `nil` | | +| server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. | | server.extraLabels | object | `{}` | | -| server.extraPorts | string | `nil` | | +| server.extraPorts | list | `[]` | extraPorts is a list of extra ports. Specified as a YAML list. This is useful if you need to add additional ports to the statefulset in dynamic way. | | server.extraSecretEnvironmentVars | list | `[]` | | | server.extraVolumes | list | `[]` | | | server.ha.apiAddr | string | `nil` | | 
@@ -261,7 +261,7 @@ Kubernetes: `>= 1.27.0-0` | server.serviceAccount.extraLabels | object | `{}` | | | server.serviceAccount.name | string | `""` | | | server.serviceAccount.serviceDiscovery.enabled | bool | `true` | | -| server.shareProcessNamespace | bool | `false` | | +| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between Vault and the extraContainers This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation | | server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/vault/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | | server.standalone.enabled | string | `"-"` | | | server.statefulSet.annotations | object | `{}` | | diff --git a/charts/openbao/templates/_helpers.tpl b/charts/openbao/templates/_helpers.tpl index e1bc286..ececc84 100644 --- a/charts/openbao/templates/_helpers.tpl +++ b/charts/openbao/templates/_helpers.tpl 
@@ -211,14 +211,14 @@ for users looking to use this chart with Consul Helm. {{- define "vault.args" -}} {{ if or (eq .mode "standalone") (eq .mode "ha") }} - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; + cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} + /usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} {{ else if eq .mode "dev" }} - | /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }} @@ -1091,4 +1091,4 @@ config file from values {{- end }} {{- end }} {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 48a2157..6273a1b 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml 
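Review bot: The `dev` branch of `vault.args`, left as context at the end of this hunk, still runs `/usr/local/bin/docker-entrypoint.sh vault server -dev …` while the standalone/ha branch was changed to `bao server`; unless the OpenBao image ships a `vault` alias (not visible here), `server.dev.enabled=true` will now fail to start. It should become `/usr/local/bin/docker-entrypoint.sh bao server -dev {{ .Values.server.extraArgs }}`. The new `cp /openbao/config/extraconfig-from-values.hcl` source path must also match the mount path of the config ConfigMap in the statefulset template, which is outside this diff; if that mount was not moved as well the copy fails before the server is launched. The remaining branches and the closing `end` of the `vault.args` define lie outside this hunk.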
@@ -477,10 +477,10 @@ server: authDelegator: enabled: true - # extraInitContainers is a list of init containers. Specified as a YAML list. + # -- extraInitContainers is a list of init containers. Specified as a YAML list. # This is useful if you need to run a script to provision TLS certificates or # write out configuration files in a dynamic way. - extraInitContainers: null + extraInitContainers: [] # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder, # # which is defined in the volumes value. # - name: oauthapp @@ -499,16 +499,16 @@ server: # extraContainers is a list of sidecar containers. Specified as a YAML list. extraContainers: null - # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers + # -- shareProcessNamespace enables process namespace sharing between Vault and the extraContainers # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation shareProcessNamespace: false - # extraArgs is a string containing additional Vault server arguments. + # -- extraArgs is a string containing additional Vault server arguments. extraArgs: "" - # extraPorts is a list of extra ports. Specified as a YAML list. + # -- extraPorts is a list of extra ports. Specified as a YAML list. # This is useful if you need to add additional ports to the statefulset in dynamic way. - extraPorts: null + extraPorts: [] # - containerPort: 8300 # name: http-monitoring From a139a100bf88d3de3eca694ca89df0aaeb73348c Mon Sep 17 00:00:00 2001 From: jessebot Date: Tue, 21 May 2024 09:04:08 +0200 Subject: [PATCH 087/113] attempt to fix helm install in bats tests Signed-off-by: jessebot --- test/acceptance/_helpers.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index 490cdeb..deee438 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash 
@@ -8,7 +8,7 @@ name_prefix() { # chart_dir returns the directory for the chart chart_dir() { - echo ${BATS_TEST_DIRNAME}/../.. + echo ${BATS_TEST_DIRNAME}/../../charts/openbao } # helm_install installs the vault chart. This will source overridable @@ -144,7 +144,7 @@ wait_for_complete_job() { # string length. kubectl get job $1 -o json | \ jq -r 'select( - .status.succeeded == 1 + .status.succeeded == 1 ) | .metadata.namespace + "/" + .metadata.name' } From 5278ab9ced8485854054e64564464fba66103e22 Mon Sep 17 00:00:00 2001 From: jessebot Date: Tue, 21 May 2024 11:00:46 +0200 Subject: [PATCH 088/113] update email for chart and regenerate docs Signed-off-by: jessebot --- charts/openbao/Chart.yaml | 1 + charts/openbao/README.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml index 72ed3c7..d3eaa19 100644 --- a/charts/openbao/Chart.yaml +++ b/charts/openbao/Chart.yaml @@ -17,4 +17,5 @@ annotations: maintainers: - name: OpenBao + email: https://lists.lfedge.org/g/openbao url: https://openbao.org diff --git a/charts/openbao/README.md b/charts/openbao/README.md index 35a4ea1..5715d60 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md @@ -10,7 +10,7 @@ Official OpenBao Chart | Name | Email | Url | | ---- | ------ | --- | -| OpenBao | | | +| OpenBao | | | ## Source Code From 534811b617ffe3f6ce985aff171ff5c6c66a118d Mon Sep 17 00:00:00 2001 From: JesseBot Date: Tue, 21 May 2024 17:52:35 +0200 Subject: [PATCH 089/113] Update charts/openbao/Chart.yaml - fix email to be valid email address Signed-off-by: JesseBot --- charts/openbao/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml index d3eaa19..9151e4c 100644 --- a/charts/openbao/Chart.yaml +++ b/charts/openbao/Chart.yaml 
@@ -17,5 +17,5 @@ annotations: maintainers: - name: OpenBao - email: https://lists.lfedge.org/g/openbao + email: openbao-security@lists.lfedge.org url: https://openbao.org From 18652008f4279832dfd9674a2a83feb8ac6d9c46 Mon Sep 17 00:00:00 2001 From: jessebot Date: Wed, 22 May 2024 18:34:43 +0200 Subject: [PATCH 090/113] fix openshift values to use openbao docker images Signed-off-by: jessebot --- charts/openbao/values.openshift.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/charts/openbao/values.openshift.yaml b/charts/openbao/values.openshift.yaml index bafc5e6..2d0e84b 100644 --- a/charts/openbao/values.openshift.yaml +++ b/charts/openbao/values.openshift.yaml @@ -12,13 +12,15 @@ injector: tag: "1.3.1-ubi" agentImage: - repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.15.2-ubi" + registry: "quay.io" + repository: "openbao/openbao" + tag: "v2.0.0-alpha20240329-ubi" server: image: - repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.15.2-ubi" + registry: "quay.io" + repository: "openbao/openbao" + tag: "v2.0.0-alpha20240329-ubi" readinessProbe: path: "/v1/sys/health?uninitcode=204" From 7b8c26e1ce6fe6b493b7f4c3288a42ccb36c31ce Mon Sep 17 00:00:00 2001 From: jessebot Date: Wed, 22 May 2024 18:42:21 +0200 Subject: [PATCH 091/113] update keywords for Chart.yaml to include openbao Signed-off-by: jessebot --- charts/openbao/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml index 9151e4c..febe394 100644 --- a/charts/openbao/Chart.yaml +++ b/charts/openbao/Chart.yaml 
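Review bot: Both `server.image` and `injector.agentImage` in the values.openshift.yaml hunk are pinned to the pre-release tag `v2.0.0-alpha20240329-ubi` by mutable tag only, and nothing in the file records that this is a temporary choice. A tag can be re-pushed, so an OpenShift deployment built from this file has no stable image reference; if the templates accept it, a digest pin (`@sha256:<digest-to-fill-in>`) is the safer form, and otherwise a comment above `server:` noting that the alpha tag is to be replaced at GA would help the next reader. The hunk also introduces a `registry: "quay.io"` key for both images, which only takes effect if the chart templates read `registry` for `injector.agentImage` as well as `server.image`; nothing in this diff shows that, so it is worth checking the rendered manifest. The injector's own image a few lines above (`tag: "1.3.1-ubi"`) is left untouched, which looks intentional but is worth confirming in the commit message.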
@@ -9,7 +9,7 @@ kubeVersion: ">= 1.27.0-0" description: Official OpenBao Chart home: https://github.com/openbao/openbao-helm icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg -keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"] +keywords: ["vault", "openbao", "security", "encryption", "secrets", "management", "automation", "infrastructure"] sources: - https://github.com/openbao/openbao-helm annotations: From 4f8924d1d78867fa980bf52e51515f08f23f1bd1 Mon Sep 17 00:00:00 2001 From: jessebot Date: Wed, 22 May 2024 20:33:41 +0200 Subject: [PATCH 092/113] replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot --- test/acceptance/_helpers.bash | 2 +- test/acceptance/csi.bats | 18 ++++---- test/acceptance/helm-test.bats | 2 +- test/acceptance/injector-leader-elector.bats | 2 +- test/acceptance/injector-test/bootstrap.sh | 24 +++++----- test/acceptance/injector.bats | 16 +++---- test/acceptance/server-dev.bats | 6 +-- test/acceptance/server-ha-enterprise-dr.bats | 44 +++++++++---------- .../acceptance/server-ha-enterprise-perf.bats | 44 +++++++++---------- test/acceptance/server-ha-raft.bats | 26 +++++------ test/acceptance/server-ha.bats | 12 ++--- test/acceptance/server-telemetry.bats | 12 ++--- test/acceptance/server.bats | 18 ++++---- test/unit/server-statefulset.bats | 2 +- 14 files changed, 114 insertions(+), 114 deletions(-) diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index deee438..def7d7c 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash @@ -52,7 +52,7 @@ wait_for_sealed_vault() { POD_NAME=$1 check() { - sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed') + sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed') if [ "$sealed_status" == "true" ]; then return 0 fi 
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index aa6edc4..7f18f33 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -22,7 +22,7 @@ load _helpers --set enableSecretRotation=true \ --set rotationPollInterval=5s # Install Vault and Vault provider - helm install vault \ + helm install openbao \ --wait --timeout=5m \ --namespace=acceptance \ --set="server.dev.enabled=true" \ 
@@ -31,20 +31,20 @@ load _helpers --set="csi.agent.logLevel=debug" \ --set="injector.enabled=false" \ . - kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault - kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider # Set up k8s auth and a kv secret. - cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy - - kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes - kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ + cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy - + kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes + kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' - kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ + kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ bound_service_account_names=nginx \ bound_service_account_namespaces=acceptance \ policies=kv-policy \ ttl=20m - kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1 + kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml 
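Review bot: The policy-write line in this hunk invokes the CLI as `openbao` (`kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy -`) while every other command in the hunk, and the rest of this commit, uses `bao`. If the image ships the binary as `bao`, as the other lines assume, that step fails with a command-not-found, `kv-policy` is never written, and the later `auth/kubernetes/role/kv-role` write binds a policy that does not exist, which only surfaces when the CSI mount is attempted. It should read `kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -`. The comment `# Install Vault and Vault provider` in the previous hunk is also stale now that the release is `openbao`.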
@@ -75,7 +75,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm --namespace=acceptance delete vault + helm --namespace=acceptance delete openbao helm --namespace=acceptance delete secrets-store-csi-driver kubectl delete --all pvc kubectl delete namespace acceptance diff --git a/test/acceptance/helm-test.bats b/test/acceptance/helm-test.bats index c5f9553..04717e5 100644 --- a/test/acceptance/helm-test.bats +++ b/test/acceptance/helm-test.bats @@ -20,7 +20,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats index 0f91e02..8605d17 100644 --- a/test/acceptance/injector-leader-elector.bats +++ b/test/acceptance/injector-leader-elector.bats @@ -45,7 +45,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance fi diff --git a/test/acceptance/injector-test/bootstrap.sh b/test/acceptance/injector-test/bootstrap.sh index 96f1617..0d844fe 100755 --- a/test/acceptance/injector-test/bootstrap.sh +++ b/test/acceptance/injector-test/bootstrap.sh 
@@ -5,40 +5,40 @@ OUTPUT=/tmp/output.txt -vault operator init -n 1 -t 1 >> ${OUTPUT?} +bao operator init -n 1 -t 1 >> ${OUTPUT?} unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g") root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g") -vault operator unseal ${unseal?} +bao operator unseal ${unseal?} -vault login -no-print ${root?} +bao login -no-print ${root?} -vault policy write db-backup /vault/userconfig/test/pgdump-policy.hcl +bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl -vault auth enable kubernetes +bao auth enable kubernetes -vault write auth/kubernetes/config \ +bao write auth/kubernetes/config \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt -vault write auth/kubernetes/role/db-backup \ +bao write auth/kubernetes/role/db-backup \ bound_service_account_names=pgdump \ bound_service_account_namespaces=acceptance \ policies=db-backup \ ttl=1h -vault secrets enable database +bao secrets enable database -vault write database/config/postgresql \ +bao write database/config/postgresql \ plugin_name=postgresql-database-plugin \ allowed_roles="db-backup" \ connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \ - username="vault" \ - password="vault" + username="openbao" \ + password="openbao" -vault write database/roles/db-backup \ +bao write database/roles/db-backup \ db_name=postgresql \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \ diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index e7fb393..a2e8a18 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats 
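Review bot: The PostgreSQL connection is now configured with `username="openbao"` and `password="openbao"`, but this commit's file list contains no change to the postgres manifest that creates that database user, so unless that deployment already uses these credentials the `database/config/postgresql` write will fail to connect. The policy path `/openbao/userconfig/test/pgdump-policy.hcl` (together with `/openbao/userconfig/test/bootstrap.sh` in injector.bats and the `/openbao/data` mountPath assertion in server.bats) likewise assumes the chart templates already mount under `/openbao/`; no template is touched here, so confirm against the rendered StatefulSet. Separately, the unseal key and root token are appended to `${OUTPUT?}` and nothing in the hunk removes the file afterwards; for a fixture this is tolerable, but a `rm -f ${OUTPUT?}` once `unseal` and `root` are captured would keep those secrets off the pod filesystem. bootstrap.sh continues past the end of the hunk.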
@@ -4,7 +4,7 @@ load _helpers @test "injector: testing deployment" { cd `chart_dir` - + kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance @@ -15,7 +15,7 @@ load _helpers kubectl create secret generic test \ --from-file ./test/acceptance/injector-test/pgdump-policy.hcl \ - --from-file ./test/acceptance/injector-test/bootstrap.sh + --from-file ./test/acceptance/injector-test/bootstrap.sh kubectl label secret test app=vault-agent-demo @@ -26,17 +26,17 @@ load _helpers wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") - kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /vault/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" + kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" sleep 5 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') - [ "${init_status}" == "true" ] + [ "${init_status}" == "true" ] kubectl create -f ./test/acceptance/injector-test/job.yaml @@ -48,9 +48,9 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc - kubectl delete secret test + kubectl delete secret test kubectl delete job pgdump kubectl delete deployment postgres kubectl delete namespace acceptance diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats index 0619c28..72002af 100644 
--- a/test/acceptance/server-dev.bats +++ b/test/acceptance/server-dev.bats @@ -43,11 +43,11 @@ load _helpers [ "${ports}" == "8201" ] # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] } @@ -57,7 +57,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 264be67..1fed7e6 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -17,13 +17,13 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-east-0 - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] # Vault Init local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${primary_token}" != "" ] @@ -31,7 +31,7 @@ load _helpers local primary_root=$(echo ${init} | jq -r '.root_token') [ "${primary_root}" != "" ] - kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} + kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token} wait_for_ready "$(name_prefix)-east-0" sleep 10 
@@ -42,30 +42,30 @@ load _helpers do if [[ ${pod?} != "$(name_prefix)-east-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} wait_for_ready "${pod}" fi done # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root} + kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root} - local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json | jq -r '.data.config.servers | length') [ "${raft_status}" == "3" ] - kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 + kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 - local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json) + local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/dr/primary/secondary-token id=secondary -format=json) [ 
"${secondary}" != "" ] local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') @@ -84,13 +84,13 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-west-0 - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] # Vault Init local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${secondary_token}" != "" ] @@ -98,7 +98,7 @@ load _helpers local secondary_root=$(echo ${init} | jq -r '.root_token') [ "${secondary_root}" != "" ] - kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} + kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token} wait_for_ready "$(name_prefix)-west-0" sleep 10 
@@ -109,28 +109,28 @@ load _helpers do if [[ ${pod?} != "$(name_prefix)-west-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token} wait_for_ready "${pod}" fi done # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} + kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root} - local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json | jq -r '.data.config.servers | length') [ "${raft_status}" == "3" ] - kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token} + kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/dr/secondary/enable token=${secondary_replica_token} sleep 10 @@ -141,7 +141,7 @@ load _helpers then kubectl delete pod "${pod?}" wait_for_running "${pod?}" - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} wait_for_ready "${pod}" fi done 
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 15025c9..5d0742f 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -17,13 +17,13 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-east-0 - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] # Vault Init local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${primary_token}" != "" ] @@ -31,7 +31,7 @@ load _helpers local primary_root=$(echo ${init} | jq -r '.root_token') [ "${primary_root}" != "" ] - kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} + kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token} wait_for_ready "$(name_prefix)-east-0" sleep 30 
@@ -42,30 +42,30 @@ load _helpers do if [[ ${pod?} != "$(name_prefix)-east-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} wait_for_ready "${pod}" fi done # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root} + kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root} - local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json | jq -r '.data.config.servers | length') [ "${raft_status}" == "3" ] - kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 + kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 - local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json) + local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/performance/primary/secondary-token 
id=secondary -format=json) [ "${secondary}" != "" ] local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') @@ -84,13 +84,13 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-west-0 - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] # Vault Init local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${secondary_token}" != "" ] @@ -98,7 +98,7 @@ load _helpers local secondary_root=$(echo ${init} | jq -r '.root_token') [ "${secondary_root}" != "" ] - kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} + kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token} wait_for_ready "$(name_prefix)-west-0" sleep 30 
@@ -109,28 +109,28 @@ load _helpers do if [[ ${pod?} != "$(name_prefix)-west-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token} wait_for_ready "${pod}" fi done # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} + kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root} - local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json | jq -r '.data.config.servers | length') [ "${raft_status}" == "3" ] - kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token} + kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/performance/secondary/enable token=${secondary_replica_token} sleep 30 @@ -139,7 +139,7 @@ load _helpers do if [[ ${pod?} != "$(name_prefix)-west-0" ]] then - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} wait_for_ready "${pod}" fi done 
diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index f06ca87..c6c1ef4 100644 --- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -13,7 +13,7 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] 
@@ -59,43 +59,43 @@ load _helpers # Vault Init local init=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - + local root=$(echo ${init} | jq -r '.root_token') [ "${root}" != "" ] - kubectl exec -ti vault-0 -- vault operator unseal ${token} + kubectl exec -ti openbao-0 -- bao operator unseal ${token} wait_for_ready "$(name_prefix)-0" sleep 5 # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do if [[ ${pod?} != "$(name_prefix)-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${token} wait_for_ready "${pod}" fi done # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-0" -- vault login ${root} + kubectl exec "$(name_prefix)-0" -- bao login ${root} - local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json | jq -r 
'.data.config.servers | length') [ "${raft_status}" == "3" ] } @@ -112,9 +112,9 @@ teardown() { then # If the test failed, print some debug output if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then - kubectl logs -l app.kubernetes.io/name=vault + kubectl logs -l app.kubernetes.io/name=openbao fi - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 6876e0f..ecfcbce 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats @@ -12,7 +12,7 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] @@ -58,7 +58,7 @@ load _helpers # Vault Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1 | \ + bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] @@ -66,17 +66,17 @@ load _helpers local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator unseal ${token} done wait_for_ready "$(name_prefix)-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] } 
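Review bot: The unseal line in the server-ha-raft.bats hunk hard-codes the pod name, `kubectl exec -ti openbao-0 -- bao operator unseal ${token}`, while every neighbouring command derives it from `"$(name_prefix)-0"`; the rename simply carried the old hard-coded `vault-0` forward. If the release name or `name_prefix` ever differ from `openbao`, this one line targets a pod that does not exist while the rest of the test keeps working. Use `kubectl exec -ti "$(name_prefix)-0" -- bao operator unseal ${token}` for consistency with the lines around it. The enclosing `@test` starts before this hunk.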
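Review bot: The pod selector in the unseal loop of server-ha.bats (`@@ -66,17`) is left as `app.kubernetes.io/name=vault` even though the same commit switches the equivalent selectors in server-ha-raft.bats and server-telemetry.bats to `app.kubernetes.io/name=openbao`. If the chart labels its pods with the new name, as those updated files assume, `pods` is empty, no pod is unsealed, and the following `wait_for_ready "$(name_prefix)-0"` times out with no hint at the cause. Change it to `local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))`; the `kubectl logs -l app.kubernetes.io/name=vault` context line in this file's teardown hunk carries the same stale label.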
@@ -113,7 +113,7 @@ teardown() { kubectl logs -l app=consul kubectl logs -l app.kubernetes.io/name=vault fi - helm delete vault + helm delete openbao helm delete consul kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true diff --git a/test/acceptance/server-telemetry.bats b/test/acceptance/server-telemetry.bats index a7c4e0d..2251732 100644 --- a/test/acceptance/server-telemetry.bats +++ b/test/acceptance/server-telemetry.bats @@ -29,29 +29,29 @@ load _helpers # Vault Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1 | \ + bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator unseal ${token} done wait_for_ready "$(name_prefix)-0" # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - # unfortunately it can take up to 2 minutes for the vault prometheus job to appear + # unfortunately it can take up to 2 minutes for the openbao prometheus job to appear # TODO: investigate how reduce this. local job_labels local tries=0 diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index 1e944a0..58639bf 100644 --- a/test/acceptance/server.bats 
+++ b/test/acceptance/server.bats @@ -15,7 +15,7 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] @@ -40,7 +40,7 @@ load _helpers local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath') - [ "${mountPath}" == "/vault/data" ] + [ "${mountPath}" == "/openbao/data" ] # Volumes local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | @@ -72,27 +72,27 @@ load _helpers jq -r '.spec.ports[1].port') [ "${ports}" == "8201" ] - # Vault Init + # OpenBao Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1 | \ + bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator unseal ${token} done wait_for_ready "$(name_prefix)-0" # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] } 
@@ -102,7 +102,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index b2b8efe..8b92c05 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -1240,7 +1240,7 @@ load _helpers --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].readinessProbe.exec.command[2]' | tee /dev/stderr) - [ "${actual}" = "vault status -tls-skip-verify" ] + [ "${actual}" = "bao status -tls-skip-verify" ] } @test "server/standalone-StatefulSet: readinessProbe configurable" { From f15d0f69f979a53968db44edba0d9889722a4da0 Mon Sep 17 00:00:00 2001 From: jessebot Date: Wed, 22 May 2024 20:35:26 +0200 Subject: [PATCH 093/113] remove enterprise tests Signed-off-by: jessebot --- test/acceptance/server-ha-enterprise-dr.bats | 166 ------------------ .../acceptance/server-ha-enterprise-perf.bats | 164 ----------------- 2 files changed, 330 deletions(-) delete mode 100644 test/acceptance/server-ha-enterprise-dr.bats delete mode 100644 test/acceptance/server-ha-enterprise-perf.bats diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats deleted file mode 100644 index 1fed7e6..0000000 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ /dev/null 
@@ -1,166 +0,0 @@ -#!/usr/bin/env bats - -load _helpers - -@test "server/ha-enterprise-raft: testing DR deployment" { - cd `chart_dir` - - helm install "$(name_prefix)-east" \ - --set='server.image.repository=hashicorp/vault-enterprise' \ - --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ - --set='injector.enabled=false' \ - --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' \ - --set='server.enterpriseLicense.secretName=vault-license' . - wait_for_running "$(name_prefix)-east-0" - - # Sealed, not initialized - wait_for_sealed_vault $(name_prefix)-east-0 - - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "false" ] - - # Vault Init - local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ - bao operator init -format=json -n 1 -t 1) - - local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') - [ "${primary_token}" != "" ] - - local primary_root=$(echo ${init} | jq -r '.root_token') - [ "${primary_root}" != "" ] - - kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token} - wait_for_ready "$(name_prefix)-east-0" - - sleep 10 - - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-east-0" ]] - then - kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 - kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} - wait_for_ready "${pod}" - fi - done - - # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] - - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] - - kubectl exec 
"$(name_prefix)-east-0" -- bao login ${primary_root} - - local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json | - jq -r '.data.config.servers | length') - [ "${raft_status}" == "3" ] - - kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 - - local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/dr/primary/secondary-token id=secondary -format=json) - [ "${secondary}" != "" ] - - local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') - [ "${secondary_replica_token}" != "" ] - - # Install vault-west - helm install "$(name_prefix)-west" \ - --set='injector.enabled=false' \ - --set='server.image.repository=hashicorp/vault-enterprise' \ - --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ - --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' \ - --set='server.enterpriseLicense.secretName=vault-license' . 
- wait_for_running "$(name_prefix)-west-0" - - # Sealed, not initialized - wait_for_sealed_vault $(name_prefix)-west-0 - - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "false" ] - - # Vault Init - local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ - bao operator init -format=json -n 1 -t 1) - - local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') - [ "${secondary_token}" != "" ] - - local secondary_root=$(echo ${init} | jq -r '.root_token') - [ "${secondary_root}" != "" ] - - kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token} - wait_for_ready "$(name_prefix)-west-0" - - sleep 10 - - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-west-0" ]] - then - kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 - kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token} - wait_for_ready "${pod}" - fi - done - - # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] - - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] - - kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root} - - local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json | - jq -r '.data.config.servers | length') - [ "${raft_status}" == "3" ] - - kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/dr/secondary/enable token=${secondary_replica_token} - - sleep 10 - - local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r 
'.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-west-0" ]] - then - kubectl delete pod "${pod?}" - wait_for_running "${pod?}" - kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} - wait_for_ready "${pod}" - fi - done -} - -setup() { - kubectl delete namespace acceptance --ignore-not-found=true - kubectl create namespace acceptance - kubectl config set-context --current --namespace=acceptance - kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI -} - -#cleanup -teardown() { - if [[ ${CLEANUP:-true} == "true" ]] - then - helm delete vault-east - helm delete vault-west - kubectl delete --all pvc - kubectl delete namespace acceptance --ignore-not-found=true - fi -} diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats deleted file mode 100644 index 5d0742f..0000000 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ /dev/null 
@@ -1,164 +0,0 @@ -#!/usr/bin/env bats - -load _helpers - -@test "server/ha-enterprise-raft: testing performance replica deployment" { - cd `chart_dir` - - helm install "$(name_prefix)-east" \ - --set='injector.enabled=false' \ - --set='server.image.repository=hashicorp/vault-enterprise' \ - --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ - --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' \ - --set='server.enterpriseLicense.secretName=vault-license' . - wait_for_running "$(name_prefix)-east-0" - - # Sealed, not initialized - wait_for_sealed_vault $(name_prefix)-east-0 - - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "false" ] - - # Vault Init - local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ - bao operator init -format=json -n 1 -t 1) - - local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') - [ "${primary_token}" != "" ] - - local primary_root=$(echo ${init} | jq -r '.root_token') - [ "${primary_root}" != "" ] - - kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token} - wait_for_ready "$(name_prefix)-east-0" - - sleep 30 - - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-east-0" ]] - then - kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 - kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} - wait_for_ready "${pod}" - fi - done - - # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] - - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] - - kubectl exec 
"$(name_prefix)-east-0" -- bao login ${primary_root} - - local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json | - jq -r '.data.config.servers | length') - [ "${raft_status}" == "3" ] - - kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 - - local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/performance/primary/secondary-token id=secondary -format=json) - [ "${secondary}" != "" ] - - local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') - [ "${secondary_replica_token}" != "" ] - - # Install vault-west - helm install "$(name_prefix)-west" \ - --set='injector.enabled=false' \ - --set='server.image.repository=hashicorp/vault-enterprise' \ - --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ - --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' \ - --set='server.enterpriseLicense.secretName=vault-license' . 
- wait_for_running "$(name_prefix)-west-0" - - # Sealed, not initialized - wait_for_sealed_vault $(name_prefix)-west-0 - - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "false" ] - - # Vault Init - local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ - bao operator init -format=json -n 1 -t 1) - - local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') - [ "${secondary_token}" != "" ] - - local secondary_root=$(echo ${init} | jq -r '.root_token') - [ "${secondary_root}" != "" ] - - kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token} - wait_for_ready "$(name_prefix)-west-0" - - sleep 30 - - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-west-0" ]] - then - kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 - kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token} - wait_for_ready "${pod}" - fi - done - - # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] - - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] - - kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root} - - local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json | - jq -r '.data.config.servers | length') - [ "${raft_status}" == "3" ] - - kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/performance/secondary/enable token=${secondary_replica_token} - - sleep 30 - - local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | 
jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-west-0" ]] - then - kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} - wait_for_ready "${pod}" - fi - done -} - -setup() { - kubectl delete namespace acceptance --ignore-not-found=true - kubectl create namespace acceptance - kubectl config set-context --current --namespace=acceptance - kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI -} - -#cleanup -teardown() { - if [[ ${CLEANUP:-true} == "true" ]] - then - helm delete vault-east - helm delete vault-west - kubectl delete --all pvc - kubectl delete namespace acceptance --ignore-not-found=true - fi -} From b473c07acc7a7356e84b9b5f3946bb066d3d5d85 Mon Sep 17 00:00:00 2001 From: jessebot Date: Tue, 28 May 2024 13:52:10 +0200 Subject: [PATCH 094/113] update more vault to openbao everywhere 
Signed-off-by: jessebot --- CONTRIBUTING.md | 4 +- Makefile | 9 +- charts/openbao/README.md | 36 ++-- charts/openbao/templates/NOTES.txt | 2 +- charts/openbao/templates/_helpers.tpl | 122 ++++++------ .../templates/csi-agent-configmap.yaml | 12 +- charts/openbao/templates/csi-clusterrole.yaml | 6 +- .../templates/csi-clusterrolebinding.yaml | 12 +- charts/openbao/templates/csi-daemonset.yaml | 26 +-- charts/openbao/templates/csi-role.yaml | 10 +- charts/openbao/templates/csi-rolebinding.yaml | 14 +- .../openbao/templates/csi-serviceaccount.yaml | 8 +- .../templates/injector-certs-secret.yaml | 10 +- .../templates/injector-clusterrole.yaml | 6 +- .../injector-clusterrolebinding.yaml | 12 +- .../templates/injector-deployment.yaml | 22 +-- .../templates/injector-disruptionbudget.yaml | 10 +- .../templates/injector-mutating-webhook.yaml | 10 +- .../templates/injector-network-policy.yaml | 8 +- .../openbao/templates/injector-psp-role.yaml | 10 +- .../templates/injector-psp-rolebinding.yaml | 12 +- charts/openbao/templates/injector-psp.yaml | 8 +- charts/openbao/templates/injector-role.yaml | 8 +- .../templates/injector-rolebinding.yaml | 14 +- .../openbao/templates/injector-service.yaml | 10 +- .../templates/injector-serviceaccount.yaml | 8 +- .../templates/prometheus-prometheusrules.yaml | 8 +- .../templates/prometheus-servicemonitor.yaml | 20 +- .../templates/server-clusterrolebinding.yaml | 14 +- .../templates/server-config-configmap.yaml | 14 +- .../templates/server-discovery-role.yaml | 10 +- .../server-discovery-rolebinding.yaml | 16 +- .../templates/server-disruptionbudget.yaml | 14 +- .../templates/server-ha-active-service.yaml | 26 +-- .../templates/server-ha-standby-service.yaml | 24 +-- .../templates/server-headless-service.yaml | 22 +-- charts/openbao/templates/server-ingress.yaml | 16 +- .../templates/server-network-policy.yaml | 6 +- charts/openbao/templates/server-psp-role.yaml | 10 +- .../templates/server-psp-rolebinding.yaml | 12 +- 
charts/openbao/templates/server-psp.yaml | 8 +- charts/openbao/templates/server-route.yaml | 12 +- charts/openbao/templates/server-service.yaml | 20 +- .../server-serviceaccount-secret.yaml | 14 +- .../templates/server-serviceaccount.yaml | 12 +- .../openbao/templates/server-statefulset.yaml | 94 ++++----- .../openbao/templates/tests/server-test.yaml | 10 +- charts/openbao/templates/ui-service.yaml | 22 +-- charts/openbao/values.schema.json | 15 +- charts/openbao/values.yaml | 178 +++++++++--------- test/acceptance/_helpers.bash | 16 +- ...ml => openbao-kv-secretproviderclass.yaml} | 6 +- .../{vault-policy.hcl => openbao-policy.hcl} | 0 test/acceptance/csi.bats | 14 +- test/acceptance/injector-test/job.yaml | 2 +- .../injector-test/pg-deployment.yaml | 12 +- test/acceptance/injector.bats | 2 +- test/acceptance/server-ha-raft.bats | 4 +- test/acceptance/server-ha.bats | 8 +- test/acceptance/server-telemetry.bats | 8 +- test/acceptance/server-test/telemetry.yaml | 2 +- test/acceptance/server.bats | 2 +- test/chart/verifier.bats | 2 +- test/terraform/main.tf | 2 +- test/terraform/variables.tf | 2 +- test/unit/csi-agent-configmap.bats | 16 +- test/unit/csi-clusterrole.bats | 2 +- test/unit/csi-clusterrolebinding.bats | 4 +- test/unit/csi-daemonset.bats | 10 +- test/unit/csi-role.bats | 2 +- test/unit/csi-rolebinding.bats | 2 +- test/unit/csi-serviceaccount.bats | 2 +- test/unit/injector-deployment.bats | 22 +-- test/unit/injector-psp.bats | 8 +- test/unit/injector-service.bats | 4 +- test/unit/injector-serviceaccount.bats | 4 +- test/unit/prometheus-prometheusrules.bats | 2 +- test/unit/server-clusterrolebinding.bats | 2 +- test/unit/server-configmap.bats | 2 +- test/unit/server-dev-statefulset.bats | 6 +- test/unit/server-ha-active-service.bats | 20 +- test/unit/server-ha-disruptionbudget.bats | 2 +- test/unit/server-ha-standby-service.bats | 28 +-- test/unit/server-ha-statefulset.bats | 18 +- test/unit/server-ingress.bats | 14 +- test/unit/server-psp.bats | 24 +-- 
test/unit/server-route.bats | 12 +- test/unit/server-service.bats | 14 +- test/unit/server-serviceaccount-secret.bats | 4 +- test/unit/server-serviceaccount.bats | 8 +- test/unit/server-statefulset.bats | 116 +++--------- test/unit/server-test.bats | 6 +- test/unit/ui-service.bats | 16 +- 93 files changed, 695 insertions(+), 763 deletions(-) rename test/acceptance/csi-test/{vault-kv-secretproviderclass.yaml => openbao-kv-secretproviderclass.yaml} (77%) rename test/acceptance/csi-test/{vault-policy.hcl => openbao-policy.hcl} (100%) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 44aa9e6..b6ab34c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -86,7 +86,7 @@ Next, execute the tests with the following commands: ```shell docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit ``` -It's possible to only run specific bats tests using regular expressions. +It's possible to only run specific bats tests using regular expressions. For example, the following will run only tests with "injector" in the name: ```shell docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector" @@ -123,7 +123,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to start from a clean slate. **Note:** There is a Terraform configuration in the -[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory +[`test/terraform/`](https://github.com/openbao/openbao-helm/tree/main/test/terraform) directory that can be used to quickly bring up a GKE cluster and configure `kubectl` and `helm` locally. This can be used to quickly spin up a test cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes diff --git a/Makefile b/Makefile index 96503eb..9873633 100644 --- a/Makefile +++ b/Makefile 
@@ -1,6 +1,6 @@ -TEST_IMAGE?=vault-helm-test -GOOGLE_CREDENTIALS?=vault-helm-test.json -CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 +TEST_IMAGE?=openbao-helm-test +GOOGLE_CREDENTIALS?=openbao-helm-test.json +CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats ACCEPTANCE_TESTS?=acceptance @@ -11,7 +11,7 @@ UNIT_TESTS_FILTER?='.*' LOCAL_ACCEPTANCE_TESTS?=false # kind cluster name -KIND_CLUSTER_NAME?=vault-helm +KIND_CLUSTER_NAME?=openbao-helm # kind k8s version KIND_K8S_VERSION?=v1.29.2 @@ -40,7 +40,6 @@ else -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ -e KUBECONFIG=/helm-test/.kube/config \ - -e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \ -w /helm-test \ $(TEST_IMAGE) \ make acceptance diff --git a/charts/openbao/README.md b/charts/openbao/README.md index 5715d60..f956ca2 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md @@ -10,7 +10,7 @@ Official OpenBao Chart | Name | Email | Url | | ---- | ------ | --- | -| OpenBao | | | +| OpenBao | | | ## Source Code 
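Review bot: The new default `CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514` in the first hunk is a GCP project ID rather than a display name, and a mechanically rebranded ID presumably does not exist — `vault-helm-dev-246514` appears to be HashiCorp's project, so the containerised `make acceptance` target would now point `gcloud` at a project the credentials in `openbao-helm-test.json` most likely cannot reach. Either leave the default empty so the target fails fast until an OpenBao-owned project is configured, e.g. `CLOUDSDK_CORE_PROJECT?=` with the comment `# GCP project used for acceptance tests; must be set by the caller`, or point it at a project the OpenBao organisation actually owns (the same applies to `GOOGLE_CREDENTIALS?=openbao-helm-test.json`, which names a key file that has to exist). The context comment `# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats` now references a file deleted in the preceding commit; change it to an existing test such as `# set to run a single test - e.g acceptance/server-ha-raft.bats`. Removing the `-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI}` pass-through in the third hunk is the right follow-up to the enterprise-test removal, since it stops forwarding a license secret into the test container that no remaining test consumes.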
@@ -42,7 +42,7 @@ Kubernetes: `>= 1.27.0-0` | csi.daemonSet.updateStrategy.maxUnavailable | string | `""` | | | csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` | | | csi.debug | bool | `false` | | -| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount Vault secrets into volumes similar to the Vault Agent injector, and you can also sync those secrets into Kubernetes secrets. | +| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount OpenBao secrets into volumes similar to the OpenBao Agent injector, and you can also sync those secrets into Kubernetes secrets. | | csi.extraArgs | list | `[]` | | | csi.hmacSecretName | string | `""` | | | csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" | 
@@ -68,10 +68,10 @@ Kubernetes: `>= 1.27.0-0` | csi.resources | object | `{}` | | | csi.serviceAccount.annotations | object | `{}` | | | csi.serviceAccount.extraLabels | object | `{}` | | -| csi.volumeMounts | string | `nil` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | -| csi.volumes | string | `nil` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | +| csi.volumeMounts | list | `[]` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | +| csi.volumes | list | `[]` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | | global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. | -| global.externalVaultAddr | string | `""` | External vault server address for the injector and CSI provider to use. Setting this will disable deployment of a vault server. | +| global.externalVaultAddr | string | `""` | External openbao server address for the injector and CSI provider to use. Setting this will disable deployment of a openbao server. | | global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. | | global.namespace | string | `""` | The namespace to deploy to. 
Defaults to the `helm` installation namespace. | | global.openshift | bool | `false` | If deploying to OpenShift | @@ -79,7 +79,7 @@ Kubernetes: `>= 1.27.0-0` | global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. | | global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. | | global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport | -| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | | +| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | | | injector.agentDefaults.cpuLimit | string | `"500m"` | | | injector.agentDefaults.cpuRequest | string | `"250m"` | | | injector.agentDefaults.memLimit | string | `"128Mi"` | | 
@@ -87,7 +87,7 @@ Kubernetes: `>= 1.27.0-0` | injector.agentDefaults.template | string | `"map"` | | | injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | | | injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | | -| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.0-alpha20240329"}` | agentImage sets the repo and tag of the Vault image to use for the Vault Agent containers. This should be set to the official Vault image. Vault 1.3.1+ is required. | +| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.0-alpha20240329"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. | | injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" | | injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image | | injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image | @@ -98,7 +98,7 @@ Kubernetes: `>= 1.27.0-0` | injector.certs.certName | string | `"tls.crt"` | | | injector.certs.keyName | string | `"tls.key"` | | | injector.certs.secretName | string | `nil` | | -| injector.enabled | string | `"-"` | True if you want to enable vault agent injection. @default: global.enabled | +| injector.enabled | string | `"-"` | True if you want to enable openbao agent injection. @default: global.enabled | | injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. | | injector.extraEnvironmentVars | object | `{}` | | | injector.extraLabels | object | `{}` | | 
@@ -147,16 +147,16 @@ Kubernetes: `>= 1.27.0-0` | injector.webhook.failurePolicy | string | `"Ignore"` | | | injector.webhook.matchPolicy | string | `"Exact"` | | | injector.webhook.namespaceSelector | object | `{}` | | -| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"vault.name\" . }}-agent-injector\n"` | | +| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"openbao.name\" . }}-agent-injector\n"` | | | injector.webhook.timeoutSeconds | int | `30` | | | injector.webhookAnnotations | object | `{}` | | -| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | | +| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | | | server.annotations | object | `{}` | | | server.auditStorage.accessMode | string | `"ReadWriteOnce"` | | | server.auditStorage.annotations | object | `{}` | | | server.auditStorage.enabled | bool | `false` | | | server.auditStorage.labels | object | `{}` | | -| server.auditStorage.mountPath | string | `"/vault/audit"` | | +| server.auditStorage.mountPath | string | `"/openbao/audit"` | | | server.auditStorage.size | string | `"10Gi"` | | | server.auditStorage.storageClass | string | `nil` | | | server.authDelegator.enabled | bool | `true` | | 
@@ -165,13 +165,13 @@ Kubernetes: `>= 1.27.0-0` | server.dataStorage.annotations | object | `{}` | | | server.dataStorage.enabled | bool | `true` | | | server.dataStorage.labels | object | `{}` | | -| server.dataStorage.mountPath | string | `"/vault/data"` | | +| server.dataStorage.mountPath | string | `"/openbao/data"` | | | server.dataStorage.size | string | `"10Gi"` | | | server.dataStorage.storageClass | string | `nil` | | | server.dev.devRootToken | string | `"root"` | | | server.dev.enabled | bool | `false` | | | server.enabled | string | `"-"` | | -| server.extraArgs | string | `""` | extraArgs is a string containing additional Vault server arguments. | +| server.extraArgs | string | `""` | extraArgs is a string containing additional OpenBao server arguments. | | server.extraContainers | string | `nil` | | | server.extraEnvironmentVars | object | `{}` | | | server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. | 
@@ -181,11 +181,11 @@ Kubernetes: `>= 1.27.0-0` | server.extraVolumes | list | `[]` | | | server.ha.apiAddr | string | `nil` | | | server.ha.clusterAddr | string | `nil` | | -| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"vault\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | +| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"openbao\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. 
The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | | server.ha.disruptionBudget.enabled | bool | `true` | | | server.ha.disruptionBudget.maxUnavailable | string | `nil` | | | server.ha.enabled | bool | `false` | | -| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/vault/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | | +| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/openbao/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | | | server.ha.raft.enabled | bool | `false` | | | server.ha.raft.setNodeId | bool | `false` | | | server.ha.replicas | int | `3` | | 
@@ -261,8 +261,8 @@ Kubernetes: `>= 1.27.0-0` | server.serviceAccount.extraLabels | object | `{}` | | | server.serviceAccount.name | string | `""` | | | server.serviceAccount.serviceDiscovery.enabled | bool | `true` | | -| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between Vault and the extraContainers This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation | -| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/vault/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | +| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation | +| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/openbao/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. 
The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | | server.standalone.enabled | string | `"-"` | | | server.statefulSet.annotations | object | `{}` | | | server.statefulSet.securityContext.container | object | `{}` | | @@ -280,7 +280,7 @@ Kubernetes: `>= 1.27.0-0` | serverTelemetry.serviceMonitor.interval | string | `"30s"` | | | serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` | | | serverTelemetry.serviceMonitor.selectors | object | `{}` | | -| ui.activeVaultPodOnly | bool | `false` | | +| ui.activeOpenbaoPodOnly | bool | `false` | | | ui.annotations | object | `{}` | | | ui.enabled | bool | `false` | | | ui.externalPort | int | `8200` | | diff --git a/charts/openbao/templates/NOTES.txt b/charts/openbao/templates/NOTES.txt index 89985f4..c89dbd2 100644 --- a/charts/openbao/templates/NOTES.txt +++ b/charts/openbao/templates/NOTES.txt @@ -2,7 +2,7 @@ Thank you for installing OpenBao! Now that you have deployed OpenBao, you should look over the docs on using -Vault with Kubernetes available here: +OpenBao with Kubernetes available here: https://openbao.org/docs/ diff --git a/charts/openbao/templates/_helpers.tpl b/charts/openbao/templates/_helpers.tpl index ececc84..2650db5 100644 --- a/charts/openbao/templates/_helpers.tpl +++ b/charts/openbao/templates/_helpers.tpl 
@@ -9,7 +9,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "vault.fullname" -}} +{{- define "openbao.fullname" -}} {{- if .Values.fullnameOverride -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} @@ -25,28 +25,28 @@ be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "vault.chart" -}} +{{- define "openbao.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Expand the name of the chart. */}} -{{- define "vault.name" -}} +{{- define "openbao.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Allow the release namespace to be overridden */}} -{{- define "vault.namespace" -}} +{{- define "openbao.namespace" -}} {{- default .Release.Namespace .Values.global.namespace -}} {{- end -}} {{/* Compute if the csi driver is enabled. */}} -{{- define "vault.csiEnabled" -}} +{{- define "openbao.csiEnabled" -}} {{- $_ := set . "csiEnabled" (or (eq (.Values.csi.enabled | toString) "true") (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} @@ -55,7 +55,7 @@ Compute if the csi driver is enabled. {{/* Compute if the injector is enabled. */}} -{{- define "vault.injectorEnabled" -}} +{{- define "openbao.injectorEnabled" -}} {{- $_ := set . "injectorEnabled" (or (eq (.Values.injector.enabled | toString) "true") (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} 
@@ -64,7 +64,7 @@ Compute if the injector is enabled. {{/* Compute if the server is enabled. */}} -{{- define "vault.serverEnabled" -}} +{{- define "openbao.serverEnabled" -}} {{- $_ := set . "serverEnabled" (or (eq (.Values.server.enabled | toString) "true") (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} @@ -73,7 +73,7 @@ Compute if the server is enabled. {{/* Compute if the server serviceaccount is enabled. */}} -{{- define "vault.serverServiceAccountEnabled" -}} +{{- define "openbao.serverServiceAccountEnabled" -}} {{- $_ := set . "serverServiceAccountEnabled" (and (eq (.Values.server.serviceAccount.create | toString) "true" ) @@ -85,7 +85,7 @@ Compute if the server serviceaccount is enabled. {{/* Compute if the server serviceaccount should have a token created and mounted to the serviceaccount. */}} -{{- define "vault.serverServiceAccountSecretCreationEnabled" -}} +{{- define "openbao.serverServiceAccountSecretCreationEnabled" -}} {{- $_ := set . "serverServiceAccountSecretCreationEnabled" (and (eq (.Values.server.serviceAccount.create | toString) "true") @@ -96,7 +96,7 @@ Compute if the server serviceaccount should have a token created and mounted to {{/* Compute if the server auth delegator serviceaccount is enabled. */}} -{{- define "vault.serverAuthDelegator" -}} +{{- define "openbao.serverAuthDelegator" -}} {{- $_ := set . "serverAuthDelegator" (and (eq (.Values.server.authDelegator.enabled | toString) "true" ) 
@@ -110,15 +110,15 @@ Compute if the server auth delegator serviceaccount is enabled. {{/* Compute if the server service is enabled. */}} -{{- define "vault.serverServiceEnabled" -}} -{{- template "vault.serverEnabled" . -}} +{{- define "openbao.serverServiceEnabled" -}} +{{- template "openbao.serverEnabled" . -}} {{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} {{- end -}} {{/* Compute if the ui is enabled. */}} -{{- define "vault.uiEnabled" -}} +{{- define "openbao.uiEnabled" -}} {{- $_ := set . "uiEnabled" (or (eq (.Values.ui.enabled | toString) "true") (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} @@ -129,7 +129,7 @@ Compute the maximum number of unavailable replicas for the PodDisruptionBudget. This defaults to (n/2)-1 where n is the number of members of the server cluster. Add a special case for replicas=1, where it should default to 0 as well. */}} -{{- define "vault.pdb.maxUnavailable" -}} +{{- define "openbao.pdb.maxUnavailable" -}} {{- if eq (int .Values.server.ha.replicas) 1 -}} {{ 0 }} {{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}} @@ -143,8 +143,8 @@ Add a special case for replicas=1, where it should default to 0 as well. Set the variable 'mode' to the server mode requested by the user to simplify template logic. */}} -{{- define "vault.mode" -}} - {{- template "vault.serverEnabled" . -}} +{{- define "openbao.mode" -}} + {{- template "openbao.serverEnabled" . -}} {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} {{- $_ := set . "mode" "external" -}} {{- else if not .serverEnabled -}} @@ -163,7 +163,7 @@ template logic. {{/* Set's the replica count based on the different modes configured by user */}} -{{- define "vault.replicas" -}} +{{- define "openbao.replicas" -}} {{ if eq .mode "standalone" }} {{- default 1 -}} {{ else if eq .mode "ha" }} 
@@ -182,11 +182,11 @@ Set's up configmap mounts if this isn't a dev deployment and the user defined a custom configuration. Additionally iterates over any extra volumes the user may have specified (such as a secret with TLS). */}} -{{- define "vault.volumes" -}} +{{- define "openbao.volumes" -}} {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} - name: config configMap: - name: {{ template "vault.fullname" . }}-config + name: {{ template "openbao.fullname" . }}-config {{ end }} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} @@ -204,11 +204,11 @@ extra volumes the user may have specified (such as a secret with TLS). {{- end -}} {{/* -Set's the args for custom command to render the Vault configuration +Set's the args for custom command to render the OpenBao configuration file with IP addresses to make the out of box experience easier for users looking to use this chart with Consul Helm. */}} -{{- define "vault.args" -}} +{{- define "openbao.args" -}} {{ if or (eq .mode "standalone") (eq .mode "ha") }} - | cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; @@ -221,14 +221,14 @@ for users looking to use this chart with Consul Helm. /usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} {{ else if eq .mode "dev" }} - | - /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }} + /usr/local/bin/docker-entrypoint.sh bao server -dev {{ .Values.server.extraArgs }} {{ end }} {{- end -}} {{/* Set's additional environment variables based on the mode. */}} -{{- define "vault.envs" -}} +{{- define "openbao.envs" -}} {{ if eq .mode "dev" }} - name: VAULT_DEV_ROOT_TOKEN_ID value: {{ .Values.server.dev.devRootToken }} 
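Review bot: In the `openbao.envs` hunk the dev-mode command becomes `bao server -dev` while the root-token environment variable keeps its `VAULT_DEV_ROOT_TOKEN_ID` name, so unless the `bao` binary honours the legacy `VAULT_` prefix (not verifiable from this diff) the operator-chosen token is silently ignored and the dev server starts with a random root token printed to the container log. Independently, the value is rendered unquoted; a token that parses as a YAML number or boolean produces an invalid env entry, so emit it as `value: {{ .Values.server.dev.devRootToken | quote }}`. Dev mode runs an unsealed in-memory server with a fixed root token, which deserves a comment such as `{{/* dev mode only: unsealed in-memory server with a fixed root token; never use outside local testing */}}` above the env block. The `openbao.envs` definition continues past the end of the hunk.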
@@ -241,7 +241,7 @@ Set's additional environment variables based on the mode. Set's which additional volumes should be mounted to the container based on the mode configured. */}} -{{- define "vault.mounts" -}} +{{- define "openbao.mounts" -}} {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }} - name: audit mountPath: {{ .Values.server.auditStorage.mountPath }} @@ -254,12 +254,12 @@ based on the mode configured. {{ end }} {{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} - name: config - mountPath: /vault/config + mountPath: /openbao/config {{ end }} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} readOnly: true - mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} + mountPath: {{ .path | default "/openbao/userconfig" }}/{{ .name }} {{- end }} {{- if .Values.server.volumeMounts }} {{- toYaml .Values.server.volumeMounts | nindent 12}} @@ -271,14 +271,14 @@ Set's up the volumeClaimTemplates when data or audit storage is required. HA might not use data storage since Consul is likely it's backend, however, audit storage might be desired by the user. */}} -{{- define "vault.volumeclaims" -}} +{{- define "openbao.volumeclaims" -}} {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} volumeClaimTemplates: {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} - metadata: name: data - {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} - {{- include "vault.dataVolumeClaim.labels" . | nindent 6 }} + {{- include "openbao.dataVolumeClaim.annotations" . | nindent 6 }} + {{- include "openbao.dataVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} 
@@ -292,8 +292,8 @@ storage might be desired by the user. {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} - metadata: name: audit - {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} - {{- include "vault.auditVolumeClaim.labels" . | nindent 6 }} + {{- include "openbao.auditVolumeClaim.annotations" . | nindent 6 }} + {{- include "openbao.auditVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} @@ -310,7 +310,7 @@ storage might be desired by the user. {{/* Set's the affinity for pod placement when running in standalone and HA modes. */}} -{{- define "vault.affinity" -}} +{{- define "openbao.affinity" -}} {{- if and (ne .mode "dev") .Values.server.affinity }} affinity: {{ $tp := typeOf .Values.server.affinity }} @@ -340,7 +340,7 @@ Sets the injector affinity for pod placement {{/* Sets the topologySpreadConstraints when running in standalone and HA modes. */}} -{{- define "vault.topologySpreadConstraints" -}} +{{- define "openbao.topologySpreadConstraints" -}} {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} topologySpreadConstraints: {{ $tp := typeOf .Values.server.topologySpreadConstraints }} @@ -371,7 +371,7 @@ Sets the injector topologySpreadConstraints for pod placement {{/* Sets the toleration for pod placement when running in standalone and HA modes. */}} -{{- define "vault.tolerations" -}} +{{- define "openbao.tolerations" -}} {{- if and (ne .mode "dev") .Values.server.tolerations }} tolerations: {{- $tp := typeOf .Values.server.tolerations }} @@ -401,7 +401,7 @@ Sets the injector toleration for pod placement {{/* Set's the node selector for pod placement when running in standalone and HA modes. */}} -{{- define "vault.nodeselector" -}} +{{- define "openbao.nodeselector" -}} {{- if and (ne .mode "dev") .Values.server.nodeSelector }} nodeSelector: {{- $tp := typeOf .Values.server.nodeSelector }} 
@@ -446,10 +446,10 @@ Sets the injector deployment update strategy {{/* Sets extra pod annotations */}} -{{- define "vault.annotations" }} +{{- define "openbao.annotations" }} annotations: {{- if .Values.server.includeConfigAnnotation }} - vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} + openbao.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }} {{- end }} {{- if .Values.server.annotations }} {{- $tp := typeOf .Values.server.annotations }} @@ -555,7 +555,7 @@ securityContext for the statefulset pod template. {{- end -}} {{/* -securityContext for the statefulset vault container +securityContext for the statefulset openbao container */}} {{- define "server.statefulSet.securityContext.container" -}} {{- if .Values.server.statefulSet.securityContext.container }} @@ -622,7 +622,7 @@ Set's the injector webhook objectSelector {{/* Sets extra ui service annotations */}} -{{- define "vault.ui.annotations" -}} +{{- define "openbao.ui.annotations" -}} {{- if .Values.ui.annotations }} annotations: {{- $tp := typeOf .Values.ui.annotations }} @@ -637,9 +637,9 @@ Sets extra ui service annotations {{/* Create the name of the service account to use */}} -{{- define "vault.serviceAccount.name" -}} +{{- define "openbao.serviceAccount.name" -}} {{- if .Values.server.serviceAccount.create -}} - {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }} + {{ default (include "openbao.fullname" .) .Values.server.serviceAccount.name }} {{- else -}} {{ default "default" .Values.server.serviceAccount.name }} {{- end -}} @@ -648,7 +648,7 @@ Create the name of the service account to use {{/* Sets extra service account annotations */}} -{{- define "vault.serviceAccount.annotations" -}} +{{- define "openbao.serviceAccount.annotations" -}} {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} annotations: {{- $tp := typeOf .Values.server.serviceAccount.annotations }} 
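Review bot: The renamed pod annotation key `openbao.hashicorp.com/config-checksum` in the `openbao.annotations` hunk combines the new project name with a DNS prefix the project does not own, whereas Kubernetes annotation prefixes are expected to be a domain controlled by the author; it is also a silent break for any operator tooling (rollout triggers, admission policies) that matches on the old `vault.hashicorp.com/config-checksum` key. Either keep the original key for compatibility or move to a project-owned prefix, e.g. `openbao.org/config-checksum: {{ include "openbao.config" . | sha256sum }}`, and record the rename in the changelog. The value is only a digest of the rendered config, so it exposes no configuration content, but a comment like `{{/* sha256 of the rendered server config; forces a pod rollout when the config changes */}}` would document why the annotation exists.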
@@ -663,7 +663,7 @@ Sets extra service account annotations {{/* Sets extra ingress annotations */}} -{{- define "vault.ingress.annotations" -}} +{{- define "openbao.ingress.annotations" -}} {{- if .Values.server.ingress.annotations }} annotations: {{- $tp := typeOf .Values.server.ingress.annotations }} @@ -678,7 +678,7 @@ Sets extra ingress annotations {{/* Sets extra route annotations */}} -{{- define "vault.route.annotations" -}} +{{- define "openbao.route.annotations" -}} {{- if .Values.server.route.annotations }} annotations: {{- $tp := typeOf .Values.server.route.annotations }} @@ -691,9 +691,9 @@ Sets extra route annotations {{- end -}} {{/* -Sets extra vault server Service annotations +Sets extra openbao server Service annotations */}} -{{- define "vault.service.annotations" -}} +{{- define "openbao.service.annotations" -}} {{- if .Values.server.service.annotations }} {{- $tp := typeOf .Values.server.service.annotations }} {{- if eq $tp "string" }} @@ -705,9 +705,9 @@ Sets extra vault server Service annotations {{- end -}} {{/* -Sets extra vault server Service (active) annotations +Sets extra openbao server Service (active) annotations */}} -{{- define "vault.service.active.annotations" -}} +{{- define "openbao.service.active.annotations" -}} {{- if .Values.server.service.active.annotations }} {{- $tp := typeOf .Values.server.service.active.annotations }} {{- if eq $tp "string" }} @@ -718,9 +718,9 @@ Sets extra vault server Service (active) annotations {{- end }} {{- end -}} {{/* -Sets extra vault server Service annotations +Sets extra openbao server Service annotations */}} -{{- define "vault.service.standby.annotations" -}} +{{- define "openbao.service.standby.annotations" -}} {{- if .Values.server.service.standby.annotations }} {{- $tp := typeOf .Values.server.service.standby.annotations }} {{- if eq $tp "string" }} 
@@ -734,7 +734,7 @@ Sets extra vault server Service annotations {{/* Sets PodSecurityPolicy annotations */}} -{{- define "vault.psp.annotations" -}} +{{- define "openbao.psp.annotations" -}} {{- if .Values.global.psp.annotations }} annotations: {{- $tp := typeOf .Values.global.psp.annotations }} @@ -749,7 +749,7 @@ Sets PodSecurityPolicy annotations {{/* Sets extra statefulset annotations */}} -{{- define "vault.statefulSet.annotations" -}} +{{- define "openbao.statefulSet.annotations" -}} {{- if .Values.server.statefulSet.annotations }} annotations: {{- $tp := typeOf .Values.server.statefulSet.annotations }} @@ -764,7 +764,7 @@ Sets extra statefulset annotations {{/* Sets VolumeClaim annotations for data volume */}} -{{- define "vault.dataVolumeClaim.annotations" -}} +{{- define "openbao.dataVolumeClaim.annotations" -}} {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }} annotations: {{- $tp := typeOf .Values.server.dataStorage.annotations }} @@ -779,7 +779,7 @@ Sets VolumeClaim annotations for data volume {{/* Sets VolumeClaim labels for data volume */}} -{{- define "vault.dataVolumeClaim.labels" -}} +{{- define "openbao.dataVolumeClaim.labels" -}} {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }} labels: {{- $tp := typeOf .Values.server.dataStorage.labels }} @@ -794,7 +794,7 @@ Sets VolumeClaim labels for data volume {{/* Sets VolumeClaim annotations for audit volume */}} -{{- define "vault.auditVolumeClaim.annotations" -}} +{{- define "openbao.auditVolumeClaim.annotations" -}} {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }} annotations: {{- $tp := typeOf .Values.server.auditStorage.annotations }} 
@@ -809,7 +809,7 @@ Sets VolumeClaim annotations for audit volume {{/* Sets VolumeClaim labels for audit volume */}} -{{- define "vault.auditVolumeClaim.labels" -}} +{{- define "openbao.auditVolumeClaim.labels" -}} {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }} labels: {{- $tp := typeOf .Values.server.auditStorage.labels }} @@ -824,7 +824,7 @@ Sets VolumeClaim labels for audit volume {{/* Set's the container resources if the user has set any. */}} -{{- define "vault.resources" -}} +{{- define "openbao.resources" -}} {{- if .Values.server.resources -}} resources: {{ toYaml .Values.server.resources | indent 12}} @@ -983,7 +983,7 @@ Sets extra CSI service account annotations {{/* Inject extra environment vars in the format key:value, if populated */}} -{{- define "vault.extraEnvironmentVars" -}} +{{- define "openbao.extraEnvironmentVars" -}} {{- if .extraEnvironmentVars -}} {{- range $key, $value := .extraEnvironmentVars }} - name: {{ printf "%s" $key | replace "." "_" | upper | quote }} @@ -995,7 +995,7 @@ Inject extra environment vars in the format key:value, if populated {{/* Inject extra environment populated by secrets, if populated */}} -{{- define "vault.extraSecretEnvironmentVars" -}} +{{- define "openbao.extraSecretEnvironmentVars" -}} {{- if .extraSecretEnvironmentVars -}} {{- range .extraSecretEnvironmentVars }} - name: {{ .envName }} @@ -1008,7 +1008,7 @@ Inject extra environment populated by secrets, if populated {{- end -}} {{/* Scheme for health check and local endpoint */}} -{{- define "vault.scheme" -}} +{{- define "openbao.scheme" -}} {{- if .Values.global.tlsDisable -}} {{ "http" }} {{- else -}} @@ -1071,7 +1071,7 @@ Supported inputs are Values.ui {{/* config file from values */}} -{{- define "vault.config" -}} +{{- define "openbao.config" -}} {{- if or (eq .mode "ha") (eq .mode "standalone") }} {{- $type := typeOf (index .Values.server .mode).config }} {{- if eq $type "string" }} 
diff --git a/charts/openbao/templates/csi-agent-configmap.yaml b/charts/openbao/templates/csi-agent-configmap.yaml index 18cdb04..5455b09 100644 --- a/charts/openbao/templates/csi-agent-configmap.yaml +++ b/charts/openbao/templates/csi-agent-configmap.yaml @@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "vault.fullname" . }}-csi-provider-agent-config - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider-agent-config + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} data: @@ -21,7 +21,7 @@ data: {{- if .Values.global.externalVaultAddr }} "address" = "{{ .Values.global.externalVaultAddr }}" {{- else }} - "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}" + "address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}" {{- end }} } diff --git a/charts/openbao/templates/csi-clusterrole.yaml b/charts/openbao/templates/csi-clusterrole.yaml index 6d979ea..a3fbb61 100644 --- a/charts/openbao/templates/csi-clusterrole.yaml +++ b/charts/openbao/templates/csi-clusterrole.yaml 
@@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "vault.fullname" . }}-csi-provider-clusterrole + name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: diff --git a/charts/openbao/templates/csi-clusterrolebinding.yaml b/charts/openbao/templates/csi-clusterrolebinding.yaml index 506ec94..3c7847a 100644 --- a/charts/openbao/templates/csi-clusterrolebinding.yaml +++ b/charts/openbao/templates/csi-clusterrolebinding.yaml 
@@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding + name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "vault.fullname" . }}-csi-provider-clusterrole + name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} {{- end }} diff --git a/charts/openbao/templates/csi-daemonset.yaml b/charts/openbao/templates/csi-daemonset.yaml index c144af5..f3d2284 100644 --- a/charts/openbao/templates/csi-daemonset.yaml +++ b/charts/openbao/templates/csi-daemonset.yaml 
@@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: apps/v1 kind: DaemonSet metadata: - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- if .Values.csi.daemonSet.extraLabels -}} @@ -27,12 +27,12 @@ spec: {{- end }} selector: matchLabels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} template: metadata: labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} {{- if .Values.csi.pod.extraLabels -}} {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} 
@@ -43,12 +43,12 @@ spec: {{- if .Values.csi.priorityClassName }} priorityClassName: {{ .Values.csi.priorityClassName }} {{- end }} - serviceAccountName: {{ template "vault.fullname" . }}-csi-provider + serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider {{- template "csi.pod.tolerations" . }} {{- template "csi.pod.nodeselector" . }} {{- template "csi.pod.affinity" . }} containers: - - name: {{ include "vault.name" . }}-csi-provider + - name: {{ include "openbao.name" . }}-csi-provider {{ template "csi.resources" . }} {{ template "csi.daemonSet.securityContext.container" . }} image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" @@ -59,7 +59,7 @@ spec: {{- if .Values.csi.hmacSecretName }} - --hmac-secret-name={{ .Values.csi.hmacSecretName }} {{- else }} - - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key + - --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key {{- end }} {{- if .Values.csi.extraArgs }} {{- toYaml .Values.csi.extraArgs | nindent 12 }} @@ -71,7 +71,7 @@ spec: {{- else if .Values.global.externalVaultAddr }} value: "{{ .Values.global.externalVaultAddr }}" {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} + value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} {{- end }} volumeMounts: - name: providervol 
@@ -102,12 +102,12 @@ spec: successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} {{- if eq (.Values.csi.agent.enabled | toString) "true" }} - - name: {{ include "vault.name" . }}-agent + - name: {{ include "openbao.name" . }}-agent image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} {{ template "csi.agent.resources" . }} command: - - vault + - bao args: - agent - -config=/etc/vault/config.hcl @@ -145,7 +145,7 @@ spec: {{- if eq (.Values.csi.agent.enabled | toString) "true" }} - name: agent-config configMap: - name: {{ template "vault.fullname" . }}-csi-provider-agent-config + name: {{ template "openbao.fullname" . }}-csi-provider-agent-config - name: agent-unix-socket emptyDir: medium: Memory diff --git a/charts/openbao/templates/csi-role.yaml b/charts/openbao/templates/csi-role.yaml index 17e1918..a7554a6 100644 --- a/charts/openbao/templates/csi-role.yaml +++ b/charts/openbao/templates/csi-role.yaml @@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-csi-provider-role - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider-role + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: 
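Review bot: The CSI agent sidecar in the `@@ -102,12` hunk now runs `bao` but still passes `-config=/etc/vault/config.hcl`, so it only starts if the image referenced by `.Values.csi.agent.image.repository` ships a `bao` binary and the agent-config volume is still mounted at `/etc/vault` (that volumeMount and the image default are outside this hunk; please confirm both). If the default agent image is still a Vault image the sidecar will crash-loop and secrets delivered through the CSI provider stop being refreshed. Either rename the path consistently, `- -config=/etc/openbao/config.hcl` together with the matching volumeMount, or add a comment next to `command:` such as `# agent image must provide the bao binary; config path must match the agent-config volumeMount`.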
@@ -22,7 +22,7 @@ rules: {{- if .Values.csi.hmacSecretName }} - {{ .Values.csi.hmacSecretName }} {{- else }} - - {{ include "vault.name" . }}-csi-provider-hmac-key + - {{ include "openbao.name" . }}-csi-provider-hmac-key {{- end }} # 'create' permissions cannot be restricted by resource name: # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources diff --git a/charts/openbao/templates/csi-rolebinding.yaml b/charts/openbao/templates/csi-rolebinding.yaml index 3d3b981..c46096e 100644 --- a/charts/openbao/templates/csi-rolebinding.yaml +++ b/charts/openbao/templates/csi-rolebinding.yaml @@ -3,23 +3,23 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-csi-provider-rolebinding - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "vault.fullname" . }}-csi-provider-role + name: {{ template "openbao.fullname" . }}-csi-provider-role subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} {{- end }} diff --git a/charts/openbao/templates/csi-serviceaccount.yaml b/charts/openbao/templates/csi-serviceaccount.yaml index 6327a7b..2f5d346 100644 --- a/charts/openbao/templates/csi-serviceaccount.yaml 
+++ b/charts/openbao/templates/csi-serviceaccount.yaml @@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- if .Values.csi.serviceAccount.extraLabels -}} diff --git a/charts/openbao/templates/injector-certs-secret.yaml b/charts/openbao/templates/injector-certs-secret.yaml index f6995af..b5de48b 100644 --- a/charts/openbao/templates/injector-certs-secret.yaml +++ b/charts/openbao/templates/injector-certs-secret.yaml @@ -3,17 +3,17 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: v1 kind: Secret metadata: - name: vault-injector-certs - namespace: {{ include "vault.namespace" . }} + name: openbao-injector-certs + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
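Review bot: In the injector-certs-secret hunk the Secret name is hard-coded as `openbao-injector-certs`, while every other resource in this patch derives its name from `openbao.fullname`. Besides the pre-existing collision between two releases in one namespace, this name is a contract with the injector binary's leader-election code and with the leader-elector Role's rules, both outside this view: if the image still looks up the original name, the renamed Secret is simply never used. Confirm the name against the injector image and the Role's `resourceNames`, and record the coupling with `# name is fixed by the injector's leader election — keep in sync with injector-role.yaml`.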
diff --git a/charts/openbao/templates/injector-clusterrole.yaml b/charts/openbao/templates/injector-clusterrole.yaml index df603f2..10ea35c 100644 --- a/charts/openbao/templates/injector-clusterrole.yaml +++ b/charts/openbao/templates/injector-clusterrole.yaml @@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "vault.fullname" . }}-agent-injector-clusterrole + name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: diff --git a/charts/openbao/templates/injector-clusterrolebinding.yaml b/charts/openbao/templates/injector-clusterrolebinding.yaml index 82cbce0..353ee8a 100644 --- a/charts/openbao/templates/injector-clusterrolebinding.yaml +++ b/charts/openbao/templates/injector-clusterrolebinding.yaml 
@@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "vault.fullname" . }}-agent-injector-binding + name: {{ template "openbao.fullname" . }}-agent-injector-binding labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "vault.fullname" . }}-agent-injector-clusterrole + name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} {{ end }} diff --git a/charts/openbao/templates/injector-deployment.yaml b/charts/openbao/templates/injector-deployment.yaml index 242dca6..7d1cd5b 100644 --- a/charts/openbao/templates/injector-deployment.yaml +++ b/charts/openbao/templates/injector-deployment.yaml 
@@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} # Deployment for the injector apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} component: webhook @@ -20,14 +20,14 @@ spec: replicas: {{ .Values.injector.replicas }} selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{ template "injector.strategy" . }} template: metadata: labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{- if .Values.injector.extraLabels -}} @@ -42,7 +42,7 @@ spec: {{- if .Values.injector.priorityClassName }} priorityClassName: {{ .Values.injector.priorityClassName }} {{- end }} - serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + serviceAccountName: "{{ template "openbao.fullname" . }}-agent-injector" {{ template "injector.securityContext.pod" . -}} {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.injector.hostNetwork }} 
@@ -64,7 +64,7 @@ spec: {{- else if .Values.injector.externalVaultAddr }} value: "{{ .Values.injector.externalVaultAddr }}" {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} + value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} {{- end }} - name: AGENT_INJECT_VAULT_AUTH_PATH value: {{ .Values.injector.authPath }} @@ -77,9 +77,9 @@ spec: value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" {{- else }} - name: AGENT_INJECT_TLS_AUTO - value: {{ template "vault.fullname" . }}-agent-injector-cfg + value: {{ template "openbao.fullname" . }}-agent-injector-cfg - name: AGENT_INJECT_TLS_AUTO_HOSTS - value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc + value: {{ template "openbao.fullname" . }}-agent-injector-svc,{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }},{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }}.svc {{- end }} - name: AGENT_INJECT_LOG_FORMAT value: {{ .Values.injector.logFormat | default "standard" }} @@ -125,7 +125,7 @@ spec: - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" {{- end }} - {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} + {{- include "openbao.extraEnvironmentVars" .Values.injector | nindent 12 }} - name: POD_NAME valueFrom: fieldRef: diff --git a/charts/openbao/templates/injector-disruptionbudget.yaml b/charts/openbao/templates/injector-disruptionbudget.yaml index 2b2a61c..08749bd 100644 
--- a/charts/openbao/templates/injector-disruptionbudget.yaml +++ b/charts/openbao/templates/injector-disruptionbudget.yaml @@ -7,18 +7,18 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} component: webhook spec: selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} diff --git a/charts/openbao/templates/injector-mutating-webhook.yaml b/charts/openbao/templates/injector-mutating-webhook.yaml index b1de1ee..8ffd267 100644 --- a/charts/openbao/templates/injector-mutating-webhook.yaml +++ b/charts/openbao/templates/injector-mutating-webhook.yaml @@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} apiVersion: admissionregistration.k8s.io/v1 
@@ -12,9 +12,9 @@ apiVersion: admissionregistration.k8s.io/v1beta1 {{- end }} kind: MutatingWebhookConfiguration metadata: - name: {{ template "vault.fullname" . }}-agent-injector-cfg + name: {{ template "openbao.fullname" . }}-agent-injector-cfg labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- template "injector.webhookAnnotations" . }} @@ -27,8 +27,8 @@ webhooks: admissionReviewVersions: ["v1", "v1beta1"] clientConfig: service: - name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-svc + namespace: {{ include "openbao.namespace" . }} path: "/mutate" caBundle: {{ .Values.injector.certs.caBundle | quote }} rules: diff --git a/charts/openbao/templates/injector-network-policy.yaml b/charts/openbao/templates/injector-network-policy.yaml index 4c3b087..95df49e 100644 --- a/charts/openbao/templates/injector-network-policy.yaml +++ b/charts/openbao/templates/injector-network-policy.yaml 
@@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.openshift | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ template "vault.fullname" . }}-agent-injector + name: {{ template "openbao.fullname" . }}-agent-injector labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} spec: podSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook ingress: diff --git a/charts/openbao/templates/injector-psp-role.yaml b/charts/openbao/templates/injector-psp-role.yaml index a07f8f6..3f42450 100644 --- a/charts/openbao/templates/injector-psp-role.yaml +++ b/charts/openbao/templates/injector-psp-role.yaml @@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: 
@@ -20,6 +20,6 @@ rules: resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - - {{ template "vault.fullname" . }}-agent-injector + - {{ template "openbao.fullname" . }}-agent-injector {{- end }} {{- end }} diff --git a/charts/openbao/templates/injector-psp-rolebinding.yaml b/charts/openbao/templates/injector-psp-rolebinding.yaml index 3c97e8d..62a609c 100644 --- a/charts/openbao/templates/injector-psp-rolebinding.yaml +++ b/charts/openbao/templates/injector-psp-rolebinding.yaml @@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: kind: Role - name: {{ template "vault.fullname" . }}-agent-injector-psp + name: {{ template "openbao.fullname" . }}-agent-injector-psp apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector + name: {{ template "openbao.fullname" . }}-agent-injector {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/openbao/templates/injector-psp.yaml b/charts/openbao/templates/injector-psp.yaml index 0eca9a8..5c1c58f 100644 --- a/charts/openbao/templates/injector-psp.yaml +++ b/charts/openbao/templates/injector-psp.yaml 
@@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "vault.fullname" . }}-agent-injector + name: {{ template "openbao.fullname" . }}-agent-injector labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- template "vault.psp.annotations" . }} +{{- template "openbao.psp.annotations" . }} spec: privileged: false # Required to prevent escalations to root. diff --git a/charts/openbao/templates/injector-role.yaml b/charts/openbao/templates/injector-role.yaml index b2ad0c7..2e29aa7 100644 --- a/charts/openbao/templates/injector-role.yaml +++ b/charts/openbao/templates/injector-role.yaml @@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: 
diff --git a/charts/openbao/templates/injector-rolebinding.yaml b/charts/openbao/templates/injector-rolebinding.yaml index 6ad25ca..8e460c4 100644 --- a/charts/openbao/templates/injector-rolebinding.yaml +++ b/charts/openbao/templates/injector-rolebinding.yaml @@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/openbao/templates/injector-service.yaml b/charts/openbao/templates/injector-service.yaml index 1479cd1..1a7467c 100644 --- a/charts/openbao/templates/injector-service.yaml +++ b/charts/openbao/templates/injector-service.yaml 
@@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-svc + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{ template "injector.service.annotations" . }} @@ -21,7 +21,7 @@ spec: port: 443 targetPort: {{ .Values.injector.port }} selector: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{- end }} diff --git a/charts/openbao/templates/injector-serviceaccount.yaml b/charts/openbao/templates/injector-serviceaccount.yaml index 2f91c3d..a411788 100644 --- a/charts/openbao/templates/injector-serviceaccount.yaml +++ b/charts/openbao/templates/injector-serviceaccount.yaml 
@@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{ template "injector.serviceAccount.annotations" . }} diff --git a/charts/openbao/templates/prometheus-prometheusrules.yaml b/charts/openbao/templates/prometheus-prometheusrules.yaml index 7e58a0e..f3d30b1 100644 --- a/charts/openbao/templates/prometheus-prometheusrules.yaml +++ b/charts/openbao/templates/prometheus-prometheusrules.yaml @@ -10,10 +10,10 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} @@ -25,7 +25,7 @@ metadata: {{- end }} spec: groups: - - name: {{ include "vault.fullname" . }} + - name: {{ include "openbao.fullname" . }} rules: {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }} {{- end }} 
diff --git a/charts/openbao/templates/prometheus-servicemonitor.yaml b/charts/openbao/templates/prometheus-servicemonitor.yaml index 25d30a4..c5a8ff5 100644 --- a/charts/openbao/templates/prometheus-servicemonitor.yaml +++ b/charts/openbao/templates/prometheus-servicemonitor.yaml @@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} @@ -25,18 +25,18 @@ metadata: spec: selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- if eq .mode "ha" }} - vault-active: "true" + openbao-active: "true" {{- else }} - vault-internal: "true" + openbao-internal: "true" {{- end }} endpoints: - - port: {{ include "vault.scheme" . }} + - port: {{ include "openbao.scheme" . }} interval: {{ .Values.serverTelemetry.serviceMonitor.interval }} scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }} - scheme: {{ include "vault.scheme" . | lower }} + scheme: {{ include "openbao.scheme" . | lower }} path: /v1/sys/metrics params: format: 
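Review bot: The ServiceMonitor selector in the `@@ -25,18` hunk now matches Services labelled `openbao-active: "true"` or `openbao-internal: "true"`; server-ha-active-service.yaml in this patch does set `openbao-active`, but the headless Service that would carry `openbao-internal` is not in this view. A selector label that no Service carries fails silently — nothing is scraped and no error is raised — so verify the internal Service was relabelled in the same commit, ideally with a unit test asserting the ServiceMonitor selector equals the Service labels in both modes.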
@@ -45,5 +45,5 @@ spec: insecureSkipVerify: true namespaceSelector: matchNames: - - {{ include "vault.namespace" . }} + - {{ include "openbao.namespace" . }} {{ end }} diff --git a/charts/openbao/templates/server-clusterrolebinding.yaml b/charts/openbao/templates/server-clusterrolebinding.yaml index 14ec838..0f851ec 100644 --- a/charts/openbao/templates/server-clusterrolebinding.yaml +++ b/charts/openbao/templates/server-clusterrolebinding.yaml @@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.serverAuthDelegator" . }} +{{ template "openbao.serverAuthDelegator" . }} {{- if .serverAuthDelegator -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 @@ -12,10 +12,10 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 {{- end }} kind: ClusterRoleBinding metadata: - name: {{ template "vault.fullname" . }}-server-binding + name: {{ template "openbao.fullname" . }}-server-binding labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: @@ -24,6 +24,6 @@ roleRef: name: system:auth-delegator subjects: - kind: ServiceAccount - name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ include "vault.namespace" . }} -{{ end }} \ No newline at end of file + name: {{ template "openbao.serviceAccount.name" . }} + namespace: {{ include "openbao.namespace" . }} +{{ end }} diff --git a/charts/openbao/templates/server-config-configmap.yaml b/charts/openbao/templates/server-config-configmap.yaml index 1fed2e6..585ae7a 100644 --- a/charts/openbao/templates/server-config-configmap.yaml +++ b/charts/openbao/templates/server-config-configmap.yaml 
@@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} {{- if ne .mode "dev" -}} @@ -11,20 +11,20 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "vault.fullname" . }}-config - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-config + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- if .Values.server.includeConfigAnnotation }} annotations: - vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} + vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }} {{- end }} data: extraconfig-from-values.hcl: |- - {{ template "vault.config" . }} + {{ template "openbao.config" . }} {{- end }} {{- end }} {{- end }} diff --git a/charts/openbao/templates/server-discovery-role.yaml b/charts/openbao/templates/server-discovery-role.yaml index 0cbdefa..082ff99 100644 --- a/charts/openbao/templates/server-discovery-role.yaml +++ b/charts/openbao/templates/server-discovery-role.yaml 
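Review bot: In the `@@ -11,20` hunk the annotation key stays `vault.hashicorp.com/config-checksum` while the helper producing its value is renamed to `openbao.config`. If keeping the vendor-domain key is intentional because something outside the chart reads it, say so in place with `# annotation key retained for compatibility with existing tooling`; otherwise it should move with the rest of the rename so the chart does not ship a mix of the two prefixes.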
@@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - namespace: {{ include "vault.namespace" . }} - name: {{ template "vault.fullname" . }}-discovery-role + namespace: {{ include "openbao.namespace" . }} + name: {{ template "openbao.fullname" . }}-discovery-role labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: diff --git a/charts/openbao/templates/server-discovery-rolebinding.yaml b/charts/openbao/templates/server-discovery-rolebinding.yaml index 87b0f61..5d3f95e 100644 --- a/charts/openbao/templates/server-discovery-rolebinding.yaml +++ b/charts/openbao/templates/server-discovery-rolebinding.yaml @@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} 
@@ -14,21 +14,21 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 {{- end }} kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-discovery-rolebinding - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-discovery-rolebinding + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "vault.fullname" . }}-discovery-role + name: {{ template "openbao.fullname" . }}-discovery-role subjects: - kind: ServiceAccount - name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.serviceAccount.name" . }} + namespace: {{ include "openbao.namespace" . }} {{ end }} {{ end }} {{ end }} diff --git a/charts/openbao/templates/server-disruptionbudget.yaml b/charts/openbao/templates/server-disruptionbudget.yaml index bbe9eb2..7e6660a 100644 --- a/charts/openbao/templates/server-disruptionbudget.yaml +++ b/charts/openbao/templates/server-disruptionbudget.yaml @@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" -}} {{- if .serverEnabled -}} {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} 
@@ -12,18 +12,18 @@ SPDX-License-Identifier: MPL-2.0
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
- name: {{ template "vault.fullname" . }}
- namespace: {{ include "vault.namespace" . }}
+ name: {{ template "openbao.fullname" . }}
+ namespace: {{ include "openbao.namespace" . }}
 labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
+ helm.sh/chart: {{ include "openbao.chart" . }}
+ app.kubernetes.io/name: {{ include "openbao.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
- maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
+ maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }}
 selector:
 matchLabels:
- app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/name: {{ include "openbao.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 component: server
 {{- end -}}
diff --git a/charts/openbao/templates/server-ha-active-service.yaml b/charts/openbao/templates/server-ha-active-service.yaml
index 9d2abfb..334ac30 100644
--- a/charts/openbao/templates/server-ha-active-service.yaml
+++ b/charts/openbao/templates/server-ha-active-service.yaml
@@ -3,27 +3,27 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.service.active.enabled | toString) "true" }} -# Service for active Vault pod +# Service for active OpenBao pod apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-active - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-active + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - vault-active: "true" + openbao-active: "true" annotations: -{{- template "vault.service.active.annotations" . }} -{{- template "vault.service.annotations" . }} +{{- template "openbao.service.active.annotations" . }} +{{- template "openbao.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} @@ -42,7 +42,7 @@ spec: {{- include "service.externalTrafficPolicy" .Values.server.service }} publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . }} + - name: {{ include "openbao.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} 
@@ -52,12 +52,12 @@ spec:
 port: 8201
 targetPort: 8201
 selector:
- app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/name: {{ include "openbao.name" . }}
 {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 component: server
- vault-active: "true"
+ openbao-active: "true"
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/openbao/templates/server-ha-standby-service.yaml b/charts/openbao/templates/server-ha-standby-service.yaml
index bae1e28..9b1ad4d 100644
--- a/charts/openbao/templates/server-ha-standby-service.yaml
+++ b/charts/openbao/templates/server-ha-standby-service.yaml
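Review bot: The selector `openbao-active: "true"` only matches pods that carry that exact label, and that pod label is written by the server binary's Kubernetes service registration rather than by this chart, so the rename is correct only if the OpenBao binary resolved by `.Values.server.image` labels pods `openbao-active` instead of `vault-active`; nothing in this diff establishes which name the binary writes. If it still writes `vault-active`, this active Service, the standby Service (same rename with `"false"` in server-ha-standby-service.yaml) and the `activeOpenbaoPodOnly` selector in ui-service.yaml would all select no endpoints. Suggest a comment above the selector, `# The active/standby pod label is set by the server's Kubernetes service registration; it must match the binary in server.image.`, and a deployed check that the active Service's endpoints are populated after the rename.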
@@ -3,26 +3,26 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.service.standby.enabled | toString) "true" }} -# Service for standby Vault pod +# Service for standby OpenBao pod apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-standby - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-standby + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{- template "vault.service.standby.annotations" . }} -{{- template "vault.service.annotations" . }} +{{- template "openbao.service.standby.annotations" . }} +{{- template "openbao.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} @@ -41,7 +41,7 @@ spec: {{- include "service.externalTrafficPolicy" .Values.server.service }} publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . }} + - name: {{ include "openbao.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} 
@@ -51,12 +51,12 @@ spec: port: 8201 targetPort: 8201 selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} component: server - vault-active: "false" + openbao-active: "false" {{- end }} {{- end }} {{- end }} diff --git a/charts/openbao/templates/server-headless-service.yaml b/charts/openbao/templates/server-headless-service.yaml index c0f4d34..0498eb1 100644 --- a/charts/openbao/templates/server-headless-service.yaml +++ b/charts/openbao/templates/server-headless-service.yaml @@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} -# Service for Vault cluster +# Service for OpenBao cluster apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-internal - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-internal + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - vault-internal: "true" + openbao-internal: "true" annotations: -{{ template "vault.service.annotations" .}} +{{ template "openbao.service.annotations" .}} spec: {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} {{- if .Values.server.service.ipFamilyPolicy }} 
@@ -33,14 +33,14 @@ spec: clusterIP: None publishNotReadyAddresses: true ports: - - name: "{{ include "vault.scheme" . }}" + - name: "{{ include "openbao.scheme" . }}" port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} - name: https-internal port: 8201 targetPort: 8201 selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} component: server {{- end }} diff --git a/charts/openbao/templates/server-ingress.yaml b/charts/openbao/templates/server-ingress.yaml index d796bae..99d4063 100644 --- a/charts/openbao/templates/server-ingress.yaml +++ b/charts/openbao/templates/server-ingress.yaml @@ -4,12 +4,12 @@ SPDX-License-Identifier: MPL-2.0 */}} {{- if not .Values.global.openshift }} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} -{{- $serviceName := include "vault.fullname" . -}} -{{- template "vault.serverServiceEnabled" . -}} +{{- $serviceName := include "openbao.fullname" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} 
@@ -20,17 +20,17 @@ SPDX-License-Identifier: MPL-2.0
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- name: {{ template "vault.fullname" . }}
- namespace: {{ include "vault.namespace" . }}
+ name: {{ template "openbao.fullname" . }}
+ namespace: {{ include "openbao.namespace" . }}
 labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
+ helm.sh/chart: {{ include "openbao.chart" . }}
+ app.kubernetes.io/name: {{ include "openbao.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- with .Values.server.ingress.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- template "vault.ingress.annotations" . }}
+ {{- template "openbao.ingress.annotations" . }}
 spec:
 {{- if .Values.server.ingress.tls }}
 tls:
diff --git a/charts/openbao/templates/server-network-policy.yaml b/charts/openbao/templates/server-network-policy.yaml
index 43dcdb1..0891a50 100644
--- a/charts/openbao/templates/server-network-policy.yaml
+++ b/charts/openbao/templates/server-network-policy.yaml
@@ -7,14 +7,14 @@ SPDX-License-Identifier: MPL-2.0
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: {{ template "vault.fullname" . }}
+ name: {{ template "openbao.fullname" . }}
 labels:
- app.kubernetes.io/name: {{ template "vault.name" . }}
+ app.kubernetes.io/name: {{ template "openbao.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
 podSelector:
 matchLabels:
- app.kubernetes.io/name: {{ template "vault.name" . }}
+ app.kubernetes.io/name: {{ template "openbao.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
 {{- if .Values.server.networkPolicy.egress }}
diff --git a/charts/openbao/templates/server-psp-role.yaml b/charts/openbao/templates/server-psp-role.yaml
index 64cd6c5..bfb7161 100644
--- a/charts/openbao/templates/server-psp-role.yaml
+++ b/charts/openbao/templates/server-psp-role.yaml @@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-psp - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: @@ -20,6 +20,6 @@ rules: resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - - {{ template "vault.fullname" . }} + - {{ template "openbao.fullname" . }} {{- end }} {{- end }} diff --git a/charts/openbao/templates/server-psp-rolebinding.yaml b/charts/openbao/templates/server-psp-rolebinding.yaml index 342f553..7f8bb97 100644 --- a/charts/openbao/templates/server-psp-rolebinding.yaml +++ b/charts/openbao/templates/server-psp-rolebinding.yaml 
@@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-psp - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: kind: Role - name: {{ template "vault.fullname" . }}-psp + name: {{ template "openbao.fullname" . }}-psp apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} {{- end }} {{- end }} diff --git a/charts/openbao/templates/server-psp.yaml b/charts/openbao/templates/server-psp.yaml index 567e662..d7c396a 100644 --- a/charts/openbao/templates/server-psp.yaml +++ b/charts/openbao/templates/server-psp.yaml 
@@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- template "vault.psp.annotations" . }} +{{- template "openbao.psp.annotations" . }} spec: privileged: false # Required to prevent escalations to root. diff --git a/charts/openbao/templates/server-route.yaml b/charts/openbao/templates/server-route.yaml index 4e95555..4c350d7 100644 --- a/charts/openbao/templates/server-route.yaml +++ b/charts/openbao/templates/server-route.yaml 
@@ -6,24 +6,24 @@ SPDX-License-Identifier: MPL-2.0
 {{- if .Values.global.openshift }}
 {{- if ne .mode "external" }}
 {{- if .Values.server.route.enabled -}}
-{{- $serviceName := include "vault.fullname" . -}}
+{{- $serviceName := include "openbao.fullname" . -}}
 {{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
 {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
 {{- end }}
 kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
- name: {{ template "vault.fullname" . }}
- namespace: {{ include "vault.namespace" . }}
+ name: {{ template "openbao.fullname" . }}
+ namespace: {{ include "openbao.namespace" . }}
 labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
+ helm.sh/chart: {{ include "openbao.chart" . }}
+ app.kubernetes.io/name: {{ include "openbao.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- with .Values.server.route.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- template "vault.route.annotations" . }}
+ {{- template "openbao.route.annotations" . }}
 spec:
 host: {{ .Values.server.route.host }}
 to:
diff --git a/charts/openbao/templates/server-service.yaml b/charts/openbao/templates/server-service.yaml
index c12e190..73e5b06 100644
--- a/charts/openbao/templates/server-service.yaml
+++ b/charts/openbao/templates/server-service.yaml
@@ -3,23 +3,23 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} -# Service for Vault cluster +# Service for OpenBao cluster apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{ template "vault.service.annotations" .}} +{{ template "openbao.service.annotations" .}} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} @@ -40,7 +40,7 @@ spec: # since this DNS is also used for join operations. publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . }} + - name: {{ include "openbao.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} @@ -50,7 +50,7 @@ spec: port: 8201 targetPort: 8201 selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} 
diff --git a/charts/openbao/templates/server-serviceaccount-secret.yaml b/charts/openbao/templates/server-serviceaccount-secret.yaml index 74d70f9..e9ab357 100644 --- a/charts/openbao/templates/server-serviceaccount-secret.yaml +++ b/charts/openbao/templates/server-serviceaccount-secret.yaml @@ -3,19 +3,19 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.serverServiceAccountSecretCreationEnabled" . }} +{{ template "openbao.serverServiceAccountSecretCreationEnabled" . }} {{- if .serverServiceAccountSecretCreationEnabled -}} apiVersion: v1 kind: Secret metadata: - name: {{ template "vault.serviceAccount.name" . }}-token - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.serviceAccount.name" . }}-token + namespace: {{ include "openbao.namespace" . }} annotations: - kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }} + kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} type: kubernetes.io/service-account-token -{{ end }} \ No newline at end of file +{{ end }} diff --git a/charts/openbao/templates/server-serviceaccount.yaml b/charts/openbao/templates/server-serviceaccount.yaml index 216ea61..aa61520 100644 --- a/charts/openbao/templates/server-serviceaccount.yaml +++ b/charts/openbao/templates/server-serviceaccount.yaml 
@@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.serverServiceAccountEnabled" . }} +{{ template "openbao.serverServiceAccountEnabled" . }} {{- if .serverServiceAccountEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.serviceAccount.name" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- if .Values.server.serviceAccount.extraLabels -}} {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} {{- end -}} - {{ template "vault.serviceAccount.annotations" . }} + {{ template "openbao.serviceAccount.annotations" . }} {{ end }} diff --git a/charts/openbao/templates/server-statefulset.yaml b/charts/openbao/templates/server-statefulset.yaml index 997d3f1..c4f0840 100644 --- a/charts/openbao/templates/server-statefulset.yaml +++ b/charts/openbao/templates/server-statefulset.yaml 
@@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if ne .mode "" }} {{- if .serverEnabled -}} -# StatefulSet to run the actual vault server cluster. +# StatefulSet to run the actual openbao server cluster. apiVersion: apps/v1 kind: StatefulSet metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- template "vault.statefulSet.annotations" . }} + {{- template "openbao.statefulSet.annotations" . }} spec: - serviceName: {{ template "vault.fullname" . }}-internal + serviceName: {{ template "openbao.fullname" . }}-internal podManagementPolicy: Parallel - replicas: {{ template "vault.replicas" . }} + replicas: {{ template "openbao.replicas" . }} updateStrategy: type: {{ .Values.server.updateStrategyType }} {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} 
@@ -29,30 +29,30 @@ spec:
 {{- end }}
 selector:
 matchLabels:
- app.kubernetes.io/name: {{ template "vault.name" . }}
+ app.kubernetes.io/name: {{ template "openbao.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 component: server
 template:
 metadata:
 labels:
- helm.sh/chart: {{ template "vault.chart" . }}
- app.kubernetes.io/name: {{ template "vault.name" . }}
+ helm.sh/chart: {{ template "openbao.chart" . }}
+ app.kubernetes.io/name: {{ template "openbao.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 component: server
 {{- if .Values.server.extraLabels -}}
 {{- toYaml .Values.server.extraLabels | nindent 8 -}}
 {{- end -}}
- {{ template "vault.annotations" . }}
+ {{ template "openbao.annotations" . }}
 spec:
- {{ template "vault.affinity" . }}
- {{ template "vault.topologySpreadConstraints" . }}
- {{ template "vault.tolerations" . }}
- {{ template "vault.nodeselector" . }}
+ {{ template "openbao.affinity" . }}
+ {{ template "openbao.topologySpreadConstraints" . }}
+ {{ template "openbao.tolerations" . }}
+ {{ template "openbao.nodeselector" . }}
 {{- if .Values.server.priorityClassName }}
 priorityClassName: {{ .Values.server.priorityClassName }}
 {{- end }}
 terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
- serviceAccountName: {{ template "vault.serviceAccount.name" . }}
+ serviceAccountName: {{ template "openbao.serviceAccount.name" . }}
 {{ if .Values.server.shareProcessNamespace }}
 shareProcessNamespace: true
 {{ end }}
@@ -61,7 +61,7 @@ spec:
 hostNetwork: {{ .Values.server.hostNetwork }}
 {{- end }}
 volumes:
- {{ template "vault.volumes" . }}
+ {{ template "openbao.volumes" . }}
 - name: home
 emptyDir: {}
 {{- if .Values.server.hostAliases }}
@@ -73,14 +73,14 @@ spec:
 {{ toYaml .Values.server.extraInitContainers | nindent 8}}
 {{- end }}
 containers:
- - name: vault
- {{ template "vault.resources" . }}
+ - name: openbao
+ {{ template "openbao.resources" . }}
 image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
 imagePullPolicy: {{ .Values.server.image.pullPolicy }}
 command:
 - "/bin/sh"
 - "-ec"
- args: {{ template "vault.args" . }}
+ args: {{ template "openbao.args" . }}
 {{- template "server.statefulSet.securityContext.container" . }}
 env:
 - name: HOST_IP
@@ -91,21 +91,21 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: status.podIP
- - name: VAULT_K8S_POD_NAME
+ - name: BAO_K8S_POD_NAME
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- - name: VAULT_K8S_NAMESPACE
+ - name: BAO_K8S_NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- - name: VAULT_ADDR
- value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
- - name: VAULT_API_ADDR
+ - name: BAO_ADDR
+ value: "{{ include "openbao.scheme" . }}://127.0.0.1:8200"
+ - name: BAO_API_ADDR
 {{- if .Values.server.ha.apiAddr }}
 value: {{ .Values.server.ha.apiAddr }}
 {{- else }}
- value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
+ value: "{{ include "openbao.scheme" . }}://$(POD_IP):8200"
 {{- end }}
 - name: SKIP_CHOWN
 value: "true"
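Review bot: The renamed environment variables (`BAO_K8S_POD_NAME`, `BAO_K8S_NAMESPACE`, `BAO_ADDR`, `BAO_API_ADDR` here, and `BAO_CLUSTER_ADDR`, `BAO_RAFT_NODE_ID`, `BAO_LOG_LEVEL`, `BAO_LOG_FORMAT` in the next hunk) only take effect if the binary in the configured image reads the `BAO_` prefix; nothing in this diff shows that, and an image that still reads only `VAULT_*` would start with default addresses, lose the raft node id, and make the CLI-based readiness probe later in this file query the wrong address. This also breaks any user values that referenced `$(VAULT_K8S_POD_NAME)` or `VAULT_ADDR` through `extraEnvironmentVars` or extra args, so it should be called out as a breaking change. Suggest a comment above `env:`, `# BAO_* names assume the OpenBao binary; an image that only reads VAULT_* names will ignore these.`. The container definition and its env list continue past this hunk.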
@@ -115,42 +115,42 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- - name: VAULT_CLUSTER_ADDR
+ - name: BAO_CLUSTER_ADDR
 {{- if .Values.server.ha.clusterAddr }}
 value: {{ .Values.server.ha.clusterAddr | quote }}
 {{- else }}
- value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
+ value: "https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201"
 {{- end }}
 {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
- - name: VAULT_RAFT_NODE_ID
+ - name: BAO_RAFT_NODE_ID
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
 {{- end }}
 - name: HOME
- value: "/home/vault"
+ value: "/home/openbao"
 {{- if .Values.server.logLevel }}
- - name: VAULT_LOG_LEVEL
+ - name: BAO_LOG_LEVEL
 value: "{{ .Values.server.logLevel }}"
 {{- end }}
 {{- if .Values.server.logFormat }}
- - name: VAULT_LOG_FORMAT
+ - name: BAO_LOG_FORMAT
 value: "{{ .Values.server.logFormat }}"
 {{- end }}
- {{ template "vault.envs" . }}
- {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
- {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
+ {{ template "openbao.envs" . }}
+ {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }}
+ {{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
 volumeMounts:
- {{ template "vault.mounts" . }}
+ {{ template "openbao.mounts" . }}
 - name: home
- mountPath: /home/vault
+ mountPath: /home/openbao
 ports:
 - containerPort: 8200
- name: {{ include "vault.scheme" . }}
+ name: {{ include "openbao.scheme" . }}
 - containerPort: 8201
 name: https-internal
 - containerPort: 8202
- name: {{ include "vault.scheme" . }}-rep
+ name: {{ include "openbao.scheme" . }}-rep
 {{- if .Values.server.extraPorts -}}
 {{ toYaml .Values.server.extraPorts | nindent 12}}
 {{- end }}
@@ -160,15 +160,15 @@ spec:
 httpGet:
 path: {{ .Values.server.readinessProbe.path | quote }}
 port: {{ .Values.server.readinessProbe.port }}
- scheme: {{ include "vault.scheme" . | upper }}
+ scheme: {{ include "openbao.scheme" . | upper }}
 {{- else }}
- # Check status; unsealed vault servers return 0
+ # Check status; unsealed openbao servers return 0
 # The exit code reflects the seal status:
 # 0 - unsealed
 # 1 - error
 # 2 - sealed
 exec:
- command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
+ command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
 {{- end }}
 failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
 initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
@@ -188,7 +188,7 @@ spec:
 httpGet:
 path: {{ .Values.server.livenessProbe.path | quote }}
 port: {{ .Values.server.livenessProbe.port }}
- scheme: {{ include "vault.scheme" . | upper }}
+ scheme: {{ include "openbao.scheme" . | upper }}
 {{- end }}
 failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
 initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
@@ -197,7 +197,7 @@ spec:
 timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
 {{- end }}
 lifecycle:
- # Vault container doesn't receive SIGTERM from Kubernetes
+ # openbao container doesn't receive SIGTERM from Kubernetes
 # and after the grace period ends, Kube sends SIGKILL. This
 # causes issues with graceful shutdowns such as deregistering itself
 # from Consul (zombie services).
@@ -208,7 +208,7 @@ spec:
 # Adding a sleep here to give the pod eviction a
 # chance to propagate, so requests will not be made
 # to this pod while it's terminating
- "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
+ "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof bao)",
 ]
 {{- if .Values.server.postStart }}
 postStart:
</gr_insert_placeholder_never_emitted>
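Review bot: `bao status -tls-skip-verify` in the exec readiness probe and `pidof bao` in the preStop hook hard-code the binary name, so an image that ships the executable under a different name (or only a `vault`-named symlink) leaves the pod permanently not-ready and makes the preStop hook send SIGTERM to nothing, losing the graceful-shutdown behaviour the surrounding comment describes. Suggest a comment at the exec probe, `# The exec probe and the preStop hook both assume the image's binary is named "bao"; keep in sync with server.image.`, and, if custom images are meant to be supported, reading the name from a value so both places stay consistent. The readiness and liveness probe blocks begin before this hunk.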
@@ -222,7 +222,7 @@ spec: {{ toYaml .Values.server.extraContainers | nindent 8}} {{- end }} {{- include "imagePullSecrets" . | nindent 6 }} - {{ template "vault.volumeclaims" . }} + {{ template "openbao.volumeclaims" . }} {{ end }} {{ end }} {{ end }} diff --git a/charts/openbao/templates/tests/server-test.yaml b/charts/openbao/templates/tests/server-test.yaml index 0282262..02390de 100644 --- a/charts/openbao/templates/tests/server-test.yaml +++ b/charts/openbao/templates/tests/server-test.yaml @@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} apiVersion: v1 kind: Pod metadata: - name: {{ template "vault.fullname" . }}-server-test - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-server-test + namespace: {{ include "openbao.namespace" . }} annotations: "helm.sh/hook": test spec: @@ -21,8 +21,8 @@ spec: imagePullPolicy: {{ .Values.server.image.pullPolicy }} env: - name: VAULT_ADDR - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} - {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} + value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} + {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }} command: - /bin/sh - -c diff --git a/charts/openbao/templates/ui-service.yaml b/charts/openbao/templates/ui-service.yaml index 9537084..fb18a9a 100644 --- a/charts/openbao/templates/ui-service.yaml +++ b/charts/openbao/templates/ui-service.yaml 
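Review bot: The test pod in tests/server-test.yaml still sets `VAULT_ADDR` while the server container in server-statefulset.yaml was switched to `BAO_ADDR`; if the CLI in the test image reads the `BAO_` prefix the test will query its default local address instead of the Service and fail, and if it reads `VAULT_ADDR` then the statefulset rename is the inconsistent one. The two files should agree — `- name: BAO_ADDR` here — or the test should export both names during the transition. The pod's `command:` continues outside the hunk, so whether it still invokes the `vault` binary cannot be checked from this diff.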
@@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.uiEnabled" . -}} +{{- template "openbao.uiEnabled" . -}} {{- if .uiEnabled -}} apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-ui - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-ui + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-ui + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }}-ui app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- template "vault.ui.annotations" . }} + {{- template "openbao.ui.annotations" . }} spec: {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} {{- if .Values.ui.serviceIPFamilyPolicy }} @@ -29,15 +29,15 @@ spec: {{- end }} {{- end }} selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} component: server - {{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }} - vault-active: "true" + {{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }} + openbao-active: "true" {{- end }} publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . }} + - name: {{ include "openbao.scheme" . }} port: {{ .Values.ui.externalPort }} targetPort: {{ .Values.ui.targetPort }} {{- if .Values.ui.serviceNodePort }} diff --git a/charts/openbao/values.schema.json b/charts/openbao/values.schema.json index 9760657..e19fd94 100644 --- a/charts/openbao/values.schema.json +++ b/charts/openbao/values.schema.json 
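Review bot: Renaming the values key to `activeOpenbaoPodOnly` with no fallback means an existing values file that sets `ui.activeVaultPodOnly: true` is silently ignored after upgrade and the UI Service starts routing to standby pods as well, which reverses the operator's intent without any error. A transition alias avoids that regression: `{{- if and (or .Values.ui.activeOpenbaoPodOnly .Values.ui.activeVaultPodOnly) (eq .mode "ha") }}`, with the old key marked deprecated in values.yaml (the `ui:` section of values.yaml is not in this chunk, so whether it was updated cannot be confirmed). The schema rename in values.schema.json would then need to keep the old key as well, since a schema that sets `additionalProperties: false` for `ui` would reject it.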
@@ -230,7 +230,7 @@ }, "namespace": { "type": "string" - }, + }, "externalVaultAddr": { "type": "string" }, @@ -659,17 +659,6 @@ "string" ] }, - "enterpriseLicense": { - "type": "object", - "properties": { - "secretKey": { - "type": "string" - }, - "secretName": { - "type": "string" - } - } - }, "extraArgs": { "type": "string" }, @@ -1163,7 +1152,7 @@ "ui": { "type": "object", "properties": { - "activeVaultPodOnly": { + "activeOpenbaoPodOnly": { "type": "boolean" }, "annotations": { diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 6273a1b..5513b10 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml @@ -1,7 +1,7 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 -# Available parameters and their default values for the Vault chart. +# Available parameters and their default values for the OpenBao chart. global: # -- enabled is the master enabled switch. Setting this to true or false @@ -20,8 +20,8 @@ global: # -- TLS for end-to-end encrypted transport tlsDisable: true - # -- External vault server address for the injector and CSI provider to use. - # Setting this will disable deployment of a vault server. + # -- External openbao server address for the injector and CSI provider to use. + # Setting this will disable deployment of a openbao server. externalVaultAddr: "" # -- If deploying to OpenShift @@ -44,7 +44,7 @@ global: prometheusOperator: false injector: - # -- True if you want to enable vault agent injection. @default: global.enabled + # -- True if you want to enable openbao agent injection. @default: global.enabled enabled: "-" replicas: 1 
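Review bot: Renaming the schema property `activeVaultPodOnly` to `activeOpenbaoPodOnly` (hunk `@@ -1163`) is a breaking change to a user-facing values key, while `externalVaultAddr` in the `@@ -230` hunk keeps its old name, so the rename is inconsistent and an existing `--set ui.activeVaultPodOnly=true` override would be either dropped or rejected depending on the schema's `additionalProperties` setting, which is not visible here. A silently ignored override means the UI Service also selects standby pods, the opposite of what the operator asked for. I'd either honour `activeVaultPodOnly` as a deprecated alias in the template or add a changelog/README entry naming the renamed key. The `@@ -20` hunk's comment should also read `Setting this will disable deployment of an OpenBao server.`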
@@ -75,8 +75,8 @@ injector: # -- image pull policy to use for k8s image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent - # -- agentImage sets the repo and tag of the Vault image to use for the Vault Agent - # containers. This should be set to the official Vault image. Vault 1.3.1+ is + # -- agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent + # containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is # required. agentImage: # -- image registry to use for agent image @@ -88,7 +88,7 @@ injector: # -- image pull policy to use for agent image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent - # The default values for the injected Vault Agent containers. + # The default values for the injected OpenBao Agent containers. agentDefaults: # For more information on configuring resources, see the K8s documentation: # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @@ -145,7 +145,7 @@ injector: # -- Number of seconds after which the probe times out. timeoutSeconds: 5 - # Mount Path of the Vault Kubernetes Auth Method. + # Mount Path of the OpenBao Kubernetes Auth Method. authPath: "auth/kubernetes" # -- Configures the log verbosity of the injector. @@ -155,7 +155,7 @@ injector: # -- Configures the log format of the injector. Supported log formats: "standard", "json". logFormat: "standard" - # Configures all Vault Agent sidecars to revoke their token when shutting down + # Configures all OpenBao Agent sidecars to revoke their token when shutting down revokeOnShutdown: false webhook: @@ -204,7 +204,7 @@ injector: - key: app.kubernetes.io/name operator: NotIn values: - - {{ template "vault.name" . }}-agent-injector + - {{ template "openbao.name" . }}-agent-injector # Extra annotations to attach to the webhook annotations: {} 
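Review bot: The `agentImage` comment now reads `OpenBao 1.3.1+ is required`, which is the old Vault version floor mechanically renamed; whether any OpenBao release carries that version is not visible here, but the constraint as written is misleading. Since `agentImage` is the image the injector pulls into every workload pod, this comment is the natural place to state the actual supported image and version range. I'd replace the sentence with the real requirement or, if it is not yet known, `# TODO(review): restate the minimum agent version for OpenBao` rather than leave a stale number.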
@@ -300,7 +300,7 @@ injector: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: "{{ .Release.Name }}" component: webhook topologyKey: kubernetes.io/hostname @@ -365,8 +365,8 @@ injector: # type: RollingUpdate server: - # If true, or "-" with global.enabled true, Vault server will be installed. - # See vault.mode in _helpers.tpl for implementation details. + # If true, or "-" with global.enabled true, OpenBao server will be installed. + # See openbao.mode in _helpers.tpl for implementation details. enabled: "-" # Resource requests, limits, etc. for the server cluster placement. This @@ -387,11 +387,11 @@ server: # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies updateStrategyType: "OnDelete" - # Configure the logging verbosity for the Vault server. + # Configure the logging verbosity for the OpenBao server. # Supported log levels include: trace, debug, info, warn, error logLevel: "" - # Configure the logging format for the Vault server. + # Configure the logging format for the OpenBao server. # Supported log formats include: standard, json logFormat: "" @@ -405,7 +405,7 @@ server: # cpu: 250m # Ingress allows ingress services to be created to allow external access - # from Kubernetes to access Vault pods. + # from Kubernetes to access OpenBao pods. # If deployment is on OpenShift, the following block is ignored. # In order to expose the service, use the route section below ingress: @@ -429,7 +429,7 @@ server: pathType: Prefix # When HA mode is enabled and K8s service registration is being used, - # configure the ingress to point to the Vault active service. + # configure the ingress to point to the OpenBao active service. activeService: true hosts: - host: chart-example.local 
@@ -459,7 +459,7 @@ server: enabled: false # When HA mode is enabled and K8s service registration is being used, - # configure the route to point to the Vault active service. + # configure the route to point to the OpenBao active service. activeService: true labels: {} @@ -499,11 +499,11 @@ server: # extraContainers is a list of sidecar containers. Specified as a YAML list. extraContainers: null - # -- shareProcessNamespace enables process namespace sharing between Vault and the extraContainers - # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation + # -- shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers + # This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation shareProcessNamespace: false - # -- extraArgs is a string containing additional Vault server arguments. + # -- extraArgs is a string containing additional OpenBao server arguments. extraArgs: "" # -- extraPorts is a list of extra ports. Specified as a YAML list. @@ -537,7 +537,7 @@ server: execCommand: [] # - /bin/sh # - -c - # - /vault/userconfig/mylivenessscript/run.sh + # - /openbao/userconfig/mylivenessscript/run.sh # Path for the livenessProbe to use httpGet as the livenessProbe handler path: "/v1/sys/health?standbyok=true" # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler 
@@ -566,30 +566,30 @@ server: postStart: [] # - /bin/sh # - -c - # - /vault/userconfig/myscript/run.sh + # - /openbao/userconfig/myscript/run.sh # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # used to include variables required for auto-unseal. extraEnvironmentVars: {} # GOOGLE_REGION: global # GOOGLE_PROJECT: myproject - # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json + # GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. # These variables take value from existing Secret objects. extraSecretEnvironmentVars: [] # - envName: AWS_SECRET_ACCESS_KEY - # secretName: vault + # secretName: openbao # secretKey: AWS_SECRET_ACCESS_KEY # Deprecated: please use 'volumes' instead. # extraVolumes is a list of extra volumes to mount. These will be exposed - # to Vault in the path `/vault/userconfig//`. The value below is + # to OpenBao in the path `/openbao/userconfig//`. The value below is # an array of objects, examples are shown below. extraVolumes: [] # - type: secret (or "configMap") # name: my-secret - # path: null # default is `/vault/userconfig` + # path: null # default is `/openbao/userconfig` # volumes is a list of volumes made available to all containers. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. @@ -615,7 +615,7 @@ server: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: "{{ .Release.Name }}" component: server topologyKey: kubernetes.io/hostname 
@@ -671,25 +671,25 @@ server: annotations: {} # Add an annotation to the server configmap and the statefulset pods, - # vaultproject.io/config-checksum, that is a hash of the Vault configuration. + # vaultproject.io/config-checksum, that is a hash of the OpenBao configuration. # This can be used together with an OnDelete deployment strategy to help # identify which pods still need to be deleted during a deployment to pick up # any configuration changes. configAnnotation: false - # Enables a headless service to be used by the Vault Statefulset + # Enables a headless service to be used by the OpenBao Statefulset service: enabled: true - # Enable or disable the vault-active service, which selects Vault pods that - # have labeled themselves as the cluster leader with `vault-active: "true"`. + # Enable or disable the openbao-active service, which selects OpenBao pods that + # have labeled themselves as the cluster leader with `openbao-active: "true"`. active: enabled: true # Extra annotations for the service definition. This can either be YAML or a # YAML-formatted multi-line templated string map of the annotations to apply # to the active service. annotations: {} - # Enable or disable the vault-standby service, which selects Vault pods that - # have labeled themselves as a cluster follower with `vault-active: "false"`. + # Enable or disable the openbao-standby service, which selects OpenBao pods that + # have labeled themselves as a cluster follower with `openbao-active: "false"`. standby: enabled: true # Extra annotations for the service definition. This can either be YAML or a 
@@ -697,19 +697,19 @@ server: # to the standby service. annotations: {} # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` - # When disabled, services may select Vault pods not deployed from the chart. - # Does not affect the headless vault-internal service with `ClusterIP: None` + # When disabled, services may select OpenBao pods not deployed from the chart. + # Does not affect the headless openbao-internal service with `ClusterIP: None` instanceSelector: enabled: true # clusterIP controls whether a Cluster IP address is attached to the - # Vault service within Kubernetes. By default, the Vault service will + # OpenBao service within Kubernetes. By default, the OpenBao service will # be given a Cluster IP address, set to None to disable. When disabled # Kubernetes will create a "headless" service. Headless services can be # used to communicate with pods directly through DNS instead of a round-robin # load balancer. # clusterIP: None - # Configures the service type for the main Vault service. Can be ClusterIP + # Configures the service type for the main OpenBao service. Can be ClusterIP # or NodePort. # type: ClusterIP @@ -753,7 +753,7 @@ server: # will be random if left blank. # standbyNodePort: 30002 - # Port on which Vault server is listening + # Port on which OpenBao server is listening port: 8200 # Target port to which the service should be mapped to targetPort: 8200 @@ -762,7 +762,7 @@ server: # to the service. annotations: {} - # This configures the Vault Statefulset to create a PVC for data + # This configures the OpenBao Statefulset to create a PVC for data # storage when using the file or raft backend storage engines. # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more dataStorage: 
@@ -770,7 +770,7 @@ server: # Size of the PVC created size: 10Gi # Location where the PVC will be mounted. - mountPath: "/vault/data" + mountPath: "/openbao/data" # Name of the storage class to use. If null it will use the # configured default Storage Class. storageClass: null @@ -789,17 +789,17 @@ server: # whenScaled: Retain persistentVolumeClaimRetentionPolicy: {} - # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized, and unsealed, Vault must + # This configures the OpenBao Statefulset to create a PVC for audit + # logs. Once OpenBao is deployed, initialized, and unsealed, OpenBao must # be configured to use this for audit logs. This will be mounted to - # /vault/audit + # /openbao/audit # See https://developer.hashicorp.com/vault/docs/audit to know more auditStorage: enabled: false # Size of the PVC created size: 10Gi # Location where the PVC will be mounted. - mountPath: "/vault/audit" + mountPath: "/openbao/audit" # Name of the storage class to use. If null it will use the # configured default Storage Class. storageClass: null @@ -810,8 +810,8 @@ server: # Labels to apply to the PVC labels: {} - # Run Vault in "dev" mode. This requires no further setup, no state management, - # and no initialization. This is useful for experimenting with Vault without + # Run OpenBao in "dev" mode. This requires no further setup, no state management, + # and no initialization. This is useful for experimenting with OpenBao without # needing to unseal, store keys, et. al. All data is lost on restart - do not # use dev mode for anything other than experimenting. # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more 
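Review bot: Changing `dataStorage.mountPath` to `/openbao/data` and `auditStorage.mountPath` to `/openbao/audit` (hunks `@@ -770` and `@@ -789`) moves where the PVCs are mounted, so any user-supplied `server.standalone.config`, `server.ha.raft.config` or audit device still pointing at `/vault/data` or `/vault/audit` would now write to the container's ephemeral filesystem and lose data on the next restart. Nothing in the hunk warns about this, and it lands inside a rename commit where it is easy to miss. I'd add a comment next to each default, e.g. `# NOTE: changed from /vault/data; custom config and audit device paths must be updated to match`, and call it out in the changelog. The `@@ -789` comment could also read `Once OpenBao is deployed, initialized, and unsealed, it must be configured` to avoid repeating the product name.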
@@ -821,7 +821,7 @@ server: # Set VAULT_DEV_ROOT_TOKEN_ID value devRootToken: "root" - # Run Vault in "standalone" mode. This is the default mode that will deploy if + # Run OpenBao in "standalone" mode. This is the default mode that will deploy if # no arguments are given to helm. This requires a PVC for data storage to use # the "file" backend. This mode is not highly available and should not be scaled # past a single replica. @@ -829,7 +829,7 @@ server: enabled: "-" # config is a raw string of default configuration when using a Stateful - # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data + # deployment. Default is to use a PersistentVolumeClaim mounted at /openbao/data # and store data there. This is only used when using a Replica count of 1, and # using a stateful set. This should be HCL. @@ -850,17 +850,17 @@ server: #} } storage "file" { - path = "/vault/data" + path = "/openbao/data" } # Example configuration for using auto-unseal, using Google Cloud KMS. The # GKMS keys must already exist, and the cluster must have a service account # that is authorized to access GCP KMS. #seal "gcpckms" { - # project = "vault-helm-dev" + # project = "openbao-helm-dev" # region = "global" - # key_ring = "vault-helm-unseal-kr" - # crypto_key = "vault-helm-unseal-key" + # key_ring = "openbao-helm-unseal-kr" + # crypto_key = "openbao-helm-unseal-key" #} # Example configuration for enabling Prometheus metrics in your config. 
@@ -869,29 +869,29 @@ server: # disable_hostname = true #} - # Run Vault in "HA" mode. There are no storage requirements unless the audit log - # persistence is required. In HA mode Vault will configure itself to use Consul + # Run OpenBao in "HA" mode. There are no storage requirements unless the audit log + # persistence is required. In HA mode OpenBao will configure itself to use Consul # for its storage backend. The default configuration provided will work the Consul - # Helm project by default. It is possible to manually configure Vault to use a + # Helm project by default. It is possible to manually configure OpenBao to use a # different HA backend. ha: enabled: false replicas: 3 - # Set the api_addr configuration for Vault HA + # Set the api_addr configuration for OpenBao HA # See https://developer.hashicorp.com/vault/docs/configuration#api_addr # If set to null, this will be set to the Pod IP Address apiAddr: null - # Set the cluster_addr confuguration for Vault HA + # Set the cluster_addr confuguration for OpenBao HA # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr - # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 + # If set to null, this will be set to https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201 clusterAddr: null - # Enables Vault's integrated Raft storage. Unlike the typical HA modes where - # Vault's persistence is external (such as Consul), enabling Raft mode will create - # persistent volumes for Vault to store data according to the configuration under server.dataStorage. - # The Vault cluster will coordinate leader elections and failovers internally. + # Enables OpenBao's integrated Raft storage. Unlike the typical HA modes where + # OpenBao's persistence is external (such as Consul), enabling Raft mode will create + # persistent volumes for OpenBao to store data according to the configuration under server.dataStorage. 
+ # The OpenBao cluster will coordinate leader elections and failovers internally. raft: # Enables Raft integrated storage @@ -917,7 +917,7 @@ server: } storage "raft" { - path = "/vault/data" + path = "/openbao/data" } service_registration "kubernetes" {} @@ -939,7 +939,7 @@ server: cluster_address = "[::]:8201" } storage "consul" { - path = "vault" + path = "openbao" address = "HOST_IP:8500" } @@ -949,10 +949,10 @@ server: # GKMS keys must already exist, and the cluster must have a service account # that is authorized to access GCP KMS. #seal "gcpckms" { - # project = "vault-helm-dev-246514" + # project = "openbao-helm-dev-246514" # region = "global" - # key_ring = "vault-helm-unseal-kr" - # crypto_key = "vault-helm-unseal-key" + # key_ring = "openbao-helm-unseal-kr" + # crypto_key = "openbao-helm-unseal-key" #} # Example configuration for enabling Prometheus metrics. @@ -973,7 +973,7 @@ server: maxUnavailable: null # Definition of the serviceAccount used to run Vault. - # These options are also used when using an external Vault server to validate + # These options are also used when using an external OpenBao server to validate # Kubernetes tokens. serviceAccount: # Specifies whether a service account should be created @@ -995,12 +995,12 @@ server: # This should be a YAML map of the labels to apply to the serviceAccount extraLabels: {} # Enable or disable a service account role binding with the permissions required for - # Vault's Kubernetes service_registration config option. + # OpenBao's Kubernetes service_registration config option. # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes serviceDiscovery: enabled: true - # Settings for the statefulSet used to run Vault. + # Settings for the statefulSet used to run OpenBao. statefulSet: # Extra annotations for the statefulSet. This can either be YAML or a # YAML-formatted multi-line templated string map of the annotations to apply 
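Review bot: The HA example config now sets `storage "consul" { path = "openbao" }`, so a Consul-backed cluster upgraded in place with this default would start against an empty KV prefix and present as uninitialized while its real data stays under `vault/`; nothing in the hunk says so. An operator who then runs `bao operator init` would create a second cluster with fresh unseal keys and a root token rather than migrate the old one. I'd annotate the example, e.g. `path = "openbao"  # changed from "vault"; existing deployments must keep or migrate their prefix`, and mention the change in the changelog. The same caution applies to the Raft `path = "/openbao/data"` in the `@@ -917` hunk when a custom config is in use.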
@@ -1027,17 +1027,17 @@ server: # Should the server pods run on the host network hostNetwork: false -# Vault UI +# OpenBao UI ui: - # True if you want to create a Service entry for the Vault UI. + # True if you want to create a Service entry for the OpenBao UI. # # serviceType can be used to control the type of service created. For # example, setting this to "LoadBalancer" will create an external load # balancer (for supported K8S installations) to access the UI. enabled: false publishNotReadyAddresses: true - # The service should only contain selectors for active Vault pod - activeVaultPodOnly: false + # The service should only contain selectors for active OpenBao pod + activeOpenbaoPodOnly: false serviceType: "ClusterIP" serviceNodePort: null externalPort: 8200 @@ -1082,8 +1082,8 @@ csi: # Requires installing the secrets-store-csi-driver separately, see: # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver # - # With the driver and provider installed, you can mount Vault secrets into volumes - # similar to the Vault Agent injector, and you can also sync those secrets into + # With the driver and provider installed, you can mount OpenBao secrets into volumes + # similar to the OpenBao Agent injector, and you can also sync those secrets into # Kubernetes secrets. enabled: false 
@@ -1100,17 +1100,17 @@ csi: # -- volumes is a list of volumes made available to all containers. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. # The purpose is to make it easy to share volumes between containers. - volumes: null + volumes: [] # - name: tls # secret: - # secretName: vault-tls + # secretName: openbao-tls # -- volumeMounts is a list of volumeMounts for the main server container. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. # The purpose is to make it easy to share volumes between containers. - volumeMounts: null + volumeMounts: [] # - name: tls - # mountPath: "/vault/tls" + # mountPath: "/openbao/tls" # readOnly: true resources: {} @@ -1245,16 +1245,16 @@ csi: # for the available command line flags. extraArgs: [] -# Vault is able to collect and publish various runtime metrics. +# OpenBao is able to collect and publish various runtime metrics. # Enabling this feature requires setting adding `telemetry{}` stanza to -# the Vault configuration. There are a few examples included in the `config` sections above. +# the OpenBao configuration. There are a few examples included in the `config` sections above. # # For more information see: # https://developer.hashicorp.com/vault/docs/configuration/telemetry # https://developer.hashicorp.com/vault/docs/internals/telemetry serverTelemetry: # Enable support for the Prometheus Operator. Currently, this chart does not support - # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included + # authenticating to OpenBao's metrics endpoint, so the following `telemetry{}` must be included # in the `listener "tcp"{}` stanza # telemetry { # unauthenticated_metrics_access = "true" 
@@ -1262,7 +1262,7 @@ serverTelemetry: # # See the `standalone.config` for a more complete example of this. # - # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration: + # In addition, a top level `telemetry{}` stanza must also be included in the OpenBao configuration: # # example: # telemetry { @@ -1270,7 +1270,7 @@ serverTelemetry: # disable_hostname = true # } # - # Configuration for monitoring the Vault server. + # Configuration for monitoring the OpenBao server. serviceMonitor: # The Prometheus operator *must* be installed before enabling this feature, # if not the chart will fail to install due to missing CustomResourceDefinitions @@ -1282,7 +1282,7 @@ serverTelemetry: # https://github.com/prometheus-operator/prometheus-operator # https://github.com/prometheus-operator/kube-prometheus - # Enable deployment of the Vault Server ServiceMonitor CustomResource. + # Enable deployment of the OpenBao Server ServiceMonitor CustomResource. enabled: false # Selector labels to add to the ServiceMonitor. @@ -1314,14 +1314,14 @@ serverTelemetry: rules: [] # - alert: vault-HighResponseTime # annotations: - # message: The response time of Vault is over 500ms on average over the last 5 minutes. + # message: The response time of OpenBao is over 500ms on average over the last 5 minutes. # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 # for: 5m # labels: # severity: warning # - alert: vault-HighResponseTime # annotations: - # message: The response time of Vault is over 1s on average over the last 5 minutes. + # message: The response time of OpenBao is over 1s on average over the last 5 minutes. # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 # for: 5m # labels: diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index def7d7c..c13f09d 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash 
@@ -3,7 +3,7 @@ # name_prefix returns the prefix of the resources within Kubernetes. name_prefix() { - printf "vault" + printf "openbao" } # chart_dir returns the directory for the chart @@ -11,7 +11,7 @@ chart_dir() { echo ${BATS_TEST_DIRNAME}/../../charts/openbao } -# helm_install installs the vault chart. This will source overridable +# helm_install installs the openbao chart. This will source overridable # values from the "values.yaml" file in this directory. This can be set # by CI or other environments to do test-specific overrides. Note that its # easily possible to break tests this way so be careful. @@ -22,11 +22,11 @@ helm_install() { fi helm install -f ${values} \ - --name vault \ + --name openbao \ ${BATS_TEST_DIRNAME}/../.. } -# helm_install_ha installs the vault chart using HA mode. This will source +# helm_install_ha installs the openbao chart using HA mode. This will source # overridable values from the "values.yaml" file in this directory. This can be # set by CI or other environments to do test-specific overrides. Note that its # easily possible to break tests this way so be careful. @@ -37,7 +37,7 @@ helm_install_ha() { fi helm install -f ${values} \ - --name vault \ + --name openbao \ --set 'server.enabled=false' \ --set 'serverHA.enabled=true' \ ${BATS_TEST_DIRNAME}/../.. @@ -61,15 +61,15 @@ wait_for_sealed_vault() { for i in $(seq 60); do if check ${POD_NAME}; then - echo "Vault on ${POD_NAME} is running." + echo "OpenBao on ${POD_NAME} is running." return fi - echo "Waiting for Vault on ${POD_NAME} to be running..." + echo "Waiting for OpenBao on ${POD_NAME} to be running..." sleep 2 done - echo "Vault on ${POD_NAME} never became running." + echo "OpenBao on ${POD_NAME} never became running." return 1 } 
diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml similarity index 77% rename from test/acceptance/csi-test/vault-kv-secretproviderclass.yaml rename to test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml index d52fab1..300676d 100644 --- a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml @@ -1,13 +1,13 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 -# The "Hello World" Vault SecretProviderClass +# The "Hello World" OpenBao SecretProviderClass apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: - name: vault-kv + name: openbao-kv spec: - provider: vault + provider: openbao parameters: roleName: "kv-role" objects: | diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/openbao-policy.hcl similarity index 100% rename from test/acceptance/csi-test/vault-policy.hcl rename to test/acceptance/csi-test/openbao-policy.hcl diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index 7f18f33..be5e3b9 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -18,10 +18,10 @@ load _helpers --wait --timeout=5m \ --namespace=acceptance \ --set linux.image.pullPolicy="IfNotPresent" \ - --set tokenRequests[0].audience="vault" \ + --set tokenRequests[0].audience="openbao" \ --set enableSecretRotation=true \ --set rotationPollInterval=5s - # Install Vault and Vault provider + # Install OpenBao and OpenBao provider helm install openbao \ --wait --timeout=5m \ --namespace=acceptance \ 
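Review bot: `provider: openbao` in the SecretProviderClass has to equal the name the CSI provider binary registers with the secrets-store driver, and the hunk only renames the manifest; if the provider image still registers as `vault`, the driver would find no provider for this class and the mount in `nginx.yaml` would fail. Likewise `tokenRequests[0].audience="openbao"` in the csi.bats hunk must match the audience the Kubernetes auth role in the test accepts, which is not visible in that hunk. I'd confirm both against the provider image and the `kv-role` definition and add a comment above `provider:`, e.g. `# must match the provider name registered by the CSI provider binary`.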
@@ -35,7 +35,7 @@ load _helpers kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider # Set up k8s auth and a kv secret. - cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy - + cat ./test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy - kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' @@ -46,7 +46,7 @@ load _helpers ttl=20m kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 - kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml + kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx @@ -55,7 +55,7 @@ load _helpers for i in $(seq 10); do sleep 2 - if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then + if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then echo "Agent returned a cached login response" return fi 
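Review bot: The policy-write line in the `@@ -35` hunk invokes `openbao policy write` while every other command in the same test uses the `bao` binary (`bao auth enable kubernetes`, `bao write auth/kubernetes/config`), so unless the server image also ships an `openbao` executable this line fails and `kv-policy` is never written. The fix is `kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -`. The enclosing bats test case starts before this hunk.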
@@ -65,8 +65,8 @@ load _helpers # Print the logs and fail the test echo "Failed to find a log for the Agent renewing CSI's auth token" - kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent - kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider exit 1 } diff --git a/test/acceptance/injector-test/job.yaml b/test/acceptance/injector-test/job.yaml index 50a3b5f..b40b57b 100644 --- a/test/acceptance/injector-test/job.yaml +++ b/test/acceptance/injector-test/job.yaml @@ -38,5 +38,5 @@ spec: - "/bin/sh" - "-ec" args: - - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout" + - "/usr/bin/pg_dump $(cat /openbao/secrets/db-creds) --no-owner > /dev/stdout" restartPolicy: Never diff --git a/test/acceptance/injector-test/pg-deployment.yaml b/test/acceptance/injector-test/pg-deployment.yaml index cacc994..2011a0f 100644 --- a/test/acceptance/injector-test/pg-deployment.yaml +++ b/test/acceptance/injector-test/pg-deployment.yaml @@ -38,7 +38,7 @@ spec: - containerPort: 5432 env: - name: POSTGRES_DB - value: mydb + value: mydb - name: POSTGRES_USER value: postgres - name: POSTGRES_PASSWORD @@ -52,7 +52,7 @@ spec: - name: pgdata emptyDir: {} - name: pgconf - configMap: + configMap: name: "pg-init" --- apiVersion: v1 @@ -63,10 +63,10 @@ metadata: app: postgres data: setup.sql: | - CREATE ROLE vault; - ALTER ROLE vault WITH SUPERUSER LOGIN PASSWORD 'vault'; - - \c mydb + CREATE ROLE openbao; + ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao'; + + \c mydb CREATE SCHEMA app; CREATE TABLE app.inventory(id int); INSERT INTO app.inventory(id) VALUES (0); 
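Review bot: The job now reads `/openbao/secrets/db-creds`, but that path is produced by the agent injector rather than by this manifest; the injector's default secret volume path is not visible here, and if the injector image still mounts at `/vault/secrets` the `cat` fails and `pg_dump` runs without the injected credentials. I'd make the coupling explicit by setting the injector's volume-path annotation on the job's pod template or by adding a comment above `args`, e.g. `# path must match the injector's secret volume path (default depends on the injector image)`. The `pg-deployment.yaml` hunk on the same line also creates the `openbao` role `WITH SUPERUSER` and a literal password, which is acceptable only because this is a test fixture and deserves a `# test-only credentials` comment so it is not copied elsewhere.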
diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index a2e8a18..c4cf0a1 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats @@ -17,7 +17,7 @@ load _helpers --from-file ./test/acceptance/injector-test/pgdump-policy.hcl \ --from-file ./test/acceptance/injector-test/bootstrap.sh - kubectl label secret test app=vault-agent-demo + kubectl label secret test app=openbao-agent-demo helm install "$(name_prefix)" \ --set="server.extraVolumes[0].type=secret" \ diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index c6c1ef4..3f6063c 100644 --- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -57,7 +57,7 @@ load _helpers jq -r '.spec.ports[1].port') [ "${ports}" == "8201" ] - # Vault Init + # OpenBao Init local init=$(kubectl exec -ti "$(name_prefix)-0" -- \ bao operator init -format=json -n 1 -t 1) @@ -72,7 +72,7 @@ load _helpers sleep 5 - # Vault Unseal + # OpenBao Unseal local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index ecfcbce..8788d7b 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats @@ -56,14 +56,14 @@ load _helpers jq -r '.spec.ports[1].port') [ "${ports}" == "8201" ] - # Vault Init + # OpenBao Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + # OpenBao Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do kubectl exec -ti ${pod} -- bao operator unseal ${token} 
@@ -111,7 +111,7 @@ teardown() { # If the test failed, print some debug output if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then kubectl logs -l app=consul - kubectl logs -l app.kubernetes.io/name=vault + kubectl logs -l app.kubernetes.io/name=openbao fi helm delete openbao helm delete consul diff --git a/test/acceptance/server-telemetry.bats b/test/acceptance/server-telemetry.bats index 2251732..5b6101e 100644 --- a/test/acceptance/server-telemetry.bats +++ b/test/acceptance/server-telemetry.bats @@ -27,13 +27,13 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - # Vault Init + # OpenBao Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - # Vault Unseal + # OpenBao Unseal local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do @@ -62,7 +62,7 @@ load _helpers -- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr ) # Ensure the expected job label was picked up by Prometheus - [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "vault-internal")')" = "true" ] && break + [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "openbao-internal")')" = "true" ] && break ((++tries)) sleep .5 @@ -72,7 +72,7 @@ load _helpers # Ensure the expected job is "up" local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \ -c prometheus \ - -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="vault-internal"}' ) | \ + -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="openbao-internal"}' ) | \ tee /dev/stderr ) [ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ] } diff --git a/test/acceptance/server-test/telemetry.yaml b/test/acceptance/server-test/telemetry.yaml index 5570084..485992a 100644 --- a/test/acceptance/server-test/telemetry.yaml 
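Review bot: In the server-telemetry.bats hunk at -27 the comments were renamed to `# OpenBao Init` / `# OpenBao Unseal` while the helper called two lines above, `wait_for_sealed_vault`, keeps the old product name, which leaves the test reading inconsistently. Either the helper in _helpers should be renamed in the same sweep (with the old name kept as an alias if other tests still use it) or the comment rename should be deferred until it is; I cannot see _helpers in this diff to know which is planned.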
+++ b/test/acceptance/server-test/telemetry.yaml @@ -17,7 +17,7 @@ server: } storage "file" { - path = "/vault/data" + path = "/openbao/data" } telemetry { diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index 58639bf..e65d987 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats @@ -78,7 +78,7 @@ load _helpers jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - # Vault Unseal + # OpenBao Unseal local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index 6d35f69..2d0c336 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -5,7 +5,7 @@ load _helpers setup_file() { cd `chart_dir` export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" - export CHART_VOLUME=vault-helm-chart-src + export CHART_VOLUME=openbao-helm-chart-src local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1" # chart-verifier requires an openshift version if a cluster isn't available local OPENSHIFT_VERSION="4.12" diff --git a/test/terraform/main.tf b/test/terraform/main.tf index d1de1a2..7b825a8 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -19,7 +19,7 @@ data "google_service_account" "gcpapi" { } resource "google_container_cluster" "cluster" { - name = "vault-helm-dev-${random_id.suffix.dec}" + name = "openbao-helm-dev-${random_id.suffix.dec}" project = "${var.project}" enable_legacy_abac = true initial_node_count = 3 diff --git a/test/terraform/variables.tf b/test/terraform/variables.tf index df4832b..c219629 100644 --- a/test/terraform/variables.tf +++ b/test/terraform/variables.tf @@ -2,7 +2,7 @@ # SPDX-License-Identifier: MPL-2.0 variable "project" { - default = "vault-helm-dev-246514" + default = "openbao-helm-dev-246514" description = < 0' | tee /dev/stderr) [ "${actual}" = "true" ] 
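Review bot: The `path = "/openbao/data"` in the `storage "file"` stanza must match the mountPath of the data volume in the chart's server StatefulSet template, which is outside this diff. If the template still mounts the data PVC at `/vault/data`, file storage silently writes to the container's ephemeral layer and the telemetry acceptance test passes while exercising an unpersisted server. A comment next to the path, e.g. `# must match the data volume mountPath in templates/server-statefulset.yaml`, would record the dependency; I am assuming the template was changed in the same release.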
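Review bot: Changing `name` on `google_container_cluster.cluster` to `"openbao-helm-dev-${random_id.suffix.dec}"` forces Terraform to destroy and recreate the cluster rather than rename it, which is fine for a throwaway dev cluster but should be stated in the commit or a comment so nobody applies it against an environment they expect to keep. The same caution applies to the variables.tf hunk that follows: GCP project IDs cannot be renamed, so `default = "openbao-helm-dev-246514"` only works if a project with exactly that ID already exists; that hunk also appears truncated in this view, so its tail could not be reviewed. A comment such as `# project IDs are immutable in GCP; this must be an existing project` above the default would prevent a confusing apply failure.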
diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats index dcb9076..55d67e9 100755 --- a/test/unit/server-configmap.bats +++ b/test/unit/server-configmap.bats @@ -134,7 +134,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-config-configmap.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 3c5f9d8..025495a 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats @@ -27,7 +27,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-statefulset.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.dev.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -184,7 +184,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/dev-StatefulSet: adds extra secret volume" { @@ -222,7 +222,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/dev-StatefulSet: no storageClass on claim by default" { diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index cf36430..9508751 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
@@ -7,9 +7,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-active-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -18,9 +18,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-active-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.active.annotations=vaultIsAwesome: true' \ + --set 'server.service.active.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @test "server/ha-active-Service: with both annotations set" { @@ -28,14 +28,14 @@ load _helpers local object=$(helm template \ --show-only templates/server-ha-active-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.active.annotations=vaultIsAwesome: true' \ - --set 'server.service.annotations=vaultIsNotAwesome: false' \ + --set 'server.service.active.annotations=openBaoIsAwesome: true' \ + --set 'server.service.annotations=openbaoIsNotAwesome: false' \ . | tee /dev/stderr | yq -r '.metadata' | tee /dev/stderr) - local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr) + local actual=$(echo "$object" | yq '.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] - actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr) + actual=$(echo "$object" | yq '.annotations["openbaoIsNotAwesome"]' | tee /dev/stderr) [ "${actual}" = "false" ] } @test "server/ha-active-Service: disable with ha.enabled false" { 
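Review bot: In the "with both annotations set" test the two new annotation keys use different casing, `openBaoIsAwesome` and `openbaoIsNotAwesome`, which reads as a typo rather than a deliberate choice and will trip anyone grepping for one spelling. The same mismatch appears in the matching hunk of server-ha-standby-service.bats. Pick one form for both, e.g. `--set 'server.service.annotations=openBaoIsNotAwesome: false'` and `yq '.annotations["openBaoIsNotAwesome"]'`.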
@@ -192,7 +192,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "server/ha-active-Service: vault port name is http, when tlsDisable is true" { +@test "server/ha-active-Service: openbao port name is http, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-active-service.yaml \ @@ -203,7 +203,7 @@ load _helpers [ "${actual}" = "http" ] } -@test "server/ha-active-Service: vault port name is https, when tlsDisable is false" { +@test "server/ha-active-Service: openbao port name is https, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-active-service.yaml \ diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 4daff30..536c44b 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -47,7 +47,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-disruptionbudget.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index bd04853..9a89dc8 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -7,9 +7,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -18,9 +18,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.annotations.vaultIsAwesome=true' \ + --set 'server.service.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -29,9 +29,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.standby.annotations=vaultIsAwesome: true' \ + --set 'server.service.standby.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -40,9 +40,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.standby.annotations.vaultIsAwesome=true' \ + --set 'server.service.standby.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @test "server/ha-standby-Service: with both annotations set" { 
@@ -50,14 +50,14 @@ load _helpers local object=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.standby.annotations=vaultIsAwesome: true' \ - --set 'server.service.annotations=vaultIsNotAwesome: false' \ + --set 'server.service.standby.annotations=openBaoIsAwesome: true' \ + --set 'server.service.annotations=openbaoIsNotAwesome: false' \ . | tee /dev/stderr | yq -r '.metadata' | tee /dev/stderr) - local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr) + local actual=$(echo "$object" | yq '.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] - actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr) + actual=$(echo "$object" | yq '.annotations["openbaoIsNotAwesome"]' | tee /dev/stderr) [ "${actual}" = "false" ] } @test "server/ha-standby-Service: disable with ha.enabled false" { @@ -214,7 +214,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "server/ha-standby-Service: vault port name is http, when tlsDisable is true" { +@test "server/ha-standby-Service: openbao port name is http, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ @@ -225,7 +225,7 @@ load _helpers [ "${actual}" = "http" ] } -@test "server/ha-standby-Service: vault port name is https, when tlsDisable is false" { +@test "server/ha-standby-Service: openbao port name is https, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 9bb5118..84bb21c 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -27,7 +27,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-statefulset.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.ha.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -266,7 +266,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/ha-StatefulSet: adds extra volume custom mount path" { @@ -347,7 +347,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } #-------------------------------------------------------------------- @@ -450,7 +450,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] + [ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ] } @test "server/ha-StatefulSet: clusterAddr set to null" { @@ -465,7 +465,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] + [ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ] } @test "server/ha-StatefulSet: clusterAddr set to custom url" { 
@@ -489,18 +489,18 @@ load _helpers --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.raft.enabled=true' \ - --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \ + --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-openbao-internal:8201' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] + [ "${value}" = 'http://$(HOSTNAME).release-name-openbao-internal:8201' ] } @test "server/ha-StatefulSet: clusterAddr gets quoted" { cd `chart_dir` - local customUrl='http://$(HOSTNAME).release-name-vault-internal:8201' + local customUrl='http://$(HOSTNAME).release-name-openbao-internal:8201' local rendered=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ @@ -511,7 +511,7 @@ load _helpers local value=$(echo $rendered | yq -Y '.' | tee /dev/stderr) - [ "${value}" = 'value: "http://$(HOSTNAME).release-name-vault-internal:8201"' ] + [ "${value}" = 'value: "http://$(HOSTNAME).release-name-openbao-internal:8201"' ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 90ed0a2..dde3688 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -35,7 +35,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] 
@@ -62,7 +62,7 @@ load _helpers [ "${actual}" = '/' ] } -@test "server/ingress: vault backend should be added when I specify a path" { +@test "server/ingress: openbao backend should be added when I specify a path" { cd `chart_dir` local actual=$(helm template \ @@ -184,7 +184,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-active" ] + [ "${actual}" = "release-name-openbao-active" ] } @test "server/ingress: uses regular service when configured with ha - yaml" { @@ -199,7 +199,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/ingress: uses regular service when not ha - yaml" { @@ -213,7 +213,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/ingress: k8s 1.26.3 uses correct service format when not ha - yaml" { @@ -228,7 +228,7 @@ load _helpers --kube-version 1.26.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/ingress: uses regular service when not ha and activeService is true - yaml" { @@ -243,7 +243,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/ingress: pathType is added to Kubernetes version == 1.26.3" { 
diff --git a/test/unit/server-psp.bats b/test/unit/server-psp.bats index 400e76d..898e1b1 100644 --- a/test/unit/server-psp.bats +++ b/test/unit/server-psp.bats @@ -86,27 +86,27 @@ load _helpers --show-only templates/server-psp.yaml \ --set 'server.dev.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations=vault-is: amazing' \ + --set 'global.psp.annotations=openbao-is: amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.ha.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations=vault-is: amazing' \ + --set 'global.psp.annotations=openbao-is: amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.standalone.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations=vault-is: amazing' \ + --set 'global.psp.annotations=openbao-is: amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] } 
@@ -116,27 +116,27 @@ load _helpers --show-only templates/server-psp.yaml \ --set 'server.dev.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations.vault-is=amazing' \ + --set 'global.psp.annotations.openbao-is=amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.ha.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations.vault-is=amazing' \ + --set 'global.psp.annotations.openbao-is=amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.standalone.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations.vault-is=amazing' \ + --set 'global.psp.annotations.openbao-is=amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] } diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index a1716fb..f4caca0 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats @@ -18,7 +18,7 @@ load _helpers --show-only templates/server-route.yaml \ --set 'global.openshift=true' \ --set 'server.route.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] 
@@ -57,7 +57,7 @@ load _helpers [ "${actual}" = 'test.com' ] } -@test "server/route: OpenShift - vault backend should be added when I specify a path" { +@test "server/route: OpenShift - openbao backend should be added when I specify a path" { cd `chart_dir` local actual=$(helm template \ @@ -120,7 +120,7 @@ load _helpers --set 'server.route.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/route: OpenShift - route points to main service when not ha and activeService is true" { @@ -133,7 +133,7 @@ load _helpers --set 'server.route.activeService=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/route: OpenShift - route points to active service by when HA by default" { @@ -146,7 +146,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-active" ] + [ "${actual}" = "release-name-openbao-active" ] } @test "server/route: OpenShift - route points to general service by when HA when configured" { @@ -160,7 +160,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/route: OpenShift - route termination mode set to default passthrough" { diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 040e9fa..9ef87e9 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -137,7 +137,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.service.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -146,7 +146,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.service.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -155,7 +155,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.service.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -166,9 +166,9 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-service.yaml \ - --set 'server.service.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -389,7 +389,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "server/Service: vault port name is http, when tlsDisable is true" { +@test "server/Service: openbao port name is http, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ 
@@ -400,7 +400,7 @@ load _helpers [ "${actual}" = "http" ] } -@test "server/Service: vault port name is https, when tlsDisable is false" { +@test "server/Service: openbao port name is https, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-serviceaccount-secret.bats b/test/unit/server-serviceaccount-secret.bats index 2cfe333..fab9d39 100644 --- a/test/unit/server-serviceaccount-secret.bats +++ b/test/unit/server-serviceaccount-secret.bats @@ -28,7 +28,7 @@ load _helpers --set 'server.serviceAccount.createSecret=true' \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-token" ] + [ "${actual}" = "release-name-openbao-token" ] } @@ -50,7 +50,7 @@ load _helpers --set 'server.serviceAccount.createSecret=true' \ . | tee /dev/stderr | yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 9a688a9..da0dd11 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -26,7 +26,7 @@ load _helpers --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @@ -115,7 +115,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] 
@@ -123,7 +123,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -131,7 +131,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 8b92c05..890f963 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -71,7 +71,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-statefulset.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -421,7 +421,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] local object=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -437,7 +437,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/standalone-StatefulSet: server.extraVolumes adds extra secret volume" { 
@@ -489,7 +489,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] local object=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -505,7 +505,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/standalone-StatefulSet: can mount audit" { @@ -1571,7 +1571,7 @@ load _helpers [[ "${actual}" = "sleep 10 &&"* ]] } -@test "server/standalone-StatefulSet: vault port name is http, when tlsDisable is true" { +@test "server/standalone-StatefulSet: openbao port name is http, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ @@ -1582,7 +1582,7 @@ load _helpers [ "${actual}" = "http" ] } -@test "server/standalone-StatefulSet: vault replication port name is http-rep, when tlsDisable is true" { +@test "server/standalone-StatefulSet: openbao replication port name is http-rep, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ @@ -1593,7 +1593,7 @@ load _helpers [ "${actual}" = "http-rep" ] } -@test "server/standalone-StatefulSet: vault port name is https, when tlsDisable is false" { +@test "server/standalone-StatefulSet: openbao port name is https, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ @@ -1604,7 +1604,7 @@ load _helpers [ "${actual}" = "https" ] } -@test "server/standalone-StatefulSet: vault replication port name is https-rep, when tlsDisable is false" { +@test "server/standalone-StatefulSet: openbao replication port name is https-rep, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ 
@@ -1621,9 +1621,9 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ - --set 'server.annotations=vaultIsAwesome: true' \ + --set 'server.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.template.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1632,9 +1632,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ - --set 'server.auditStorage.annotations=vaultIsAwesome: true' \ + --set 'server.auditStorage.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1643,9 +1643,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ - --set 'server.dataStorage.annotations=vaultIsAwesome: true' \ + --set 'server.dataStorage.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -1654,9 +1654,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ - --set 'server.auditStorage.annotations.vaultIsAwesome=true' \ + --set 'server.auditStorage.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1665,9 +1665,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ - --set 'server.dataStorage.annotations.vaultIsAwesome=true' \ + --set 'server.dataStorage.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1675,9 +1675,9 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ - --set 'server.annotations.vaultIsAwesome=true' \ + --set 'server.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.template.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -1812,67 +1812,11 @@ load _helpers --set 'server.serviceAccount.create=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } -#-------------------------------------------------------------------- -# enterprise license autoload support -@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=foo' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr) - [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ] -} - -@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=foo' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr) - [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ] -} - -@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=foo' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . 
| tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ] -} - -@test "server/StatefulSet: blank secretName does not set env var" { - cd `chart_dir` - - # setting secretName=null - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=null' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = '' ] - - # omitting secretName - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = '' ] -} - #-------------------------------------------------------------------- # securityContext @@ -2036,9 +1980,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ - --set 'server.auditStorage.labels=vaultIsAwesome: true' \ + --set 'server.auditStorage.labels=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[1].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[1].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -2047,9 +1991,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ - --set 'server.dataStorage.labels=vaultIsAwesome: true' \ + --set 'server.dataStorage.labels=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[0].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -2058,9 +2002,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ - --set 'server.auditStorage.labels.vaultIsAwesome=true' \ + --set 'server.auditStorage.labels.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[1].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[1].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -2069,8 +2013,8 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ - --set 'server.dataStorage.labels.vaultIsAwesome=true' \ + --set 'server.dataStorage.labels.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[0].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index 314703a..6619771 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats 
@@ -43,12 +43,12 @@ load _helpers --show-only templates/tests/server-test.yaml \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-server-test" ] + [ "${actual}" = "release-name-openbao-server-test" ] } @test "server/standalone-server-test-Pod: release metadata.name vault" { cd `chart_dir` - local actual=$(helm template vault \ + local actual=$(helm template openbao \ --show-only templates/tests/server-test.yaml \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) @@ -119,7 +119,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/tests/server-test.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index dce0e5e..bc3547f 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -70,7 +70,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -78,7 +78,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/ui-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] 
@@ -86,7 +86,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/ui-service.yaml \ --set 'server.standalone.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -311,7 +311,7 @@ load _helpers --show-only templates/ui-service.yaml \ --set 'ui.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) + yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr) [ "${actual}" = "null" ] } @@ -320,19 +320,19 @@ load _helpers local actual=$(helm template \ --show-only templates/ui-service.yaml \ --set 'ui.enabled=true' \ - --set 'ui.activeVaultPodOnly=true' \ + --set 'ui.activeOpenbaoPodOnly=true' \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) + yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr) [ "${actual}" = 'null' ] local actual=$(helm template \ --show-only templates/ui-service.yaml \ --set 'ui.enabled=true' \ - --set 'ui.activeVaultPodOnly=true' \ + --set 'ui.activeOpenbaoPodOnly=true' \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) + yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr) [ "${actual}" = 'true' ] } From bfd5135800026ab22d8ab7754358fc7bd89c7fbf Mon Sep 17 00:00:00 2001 From: jessebot Date: Tue, 28 May 2024 13:59:57 +0200 Subject: [PATCH 095/113] clean up more references to vault and licensing Signed-off-by: jessebot --- .github/ISSUE_TEMPLATE/bug_report.md | 16 ++++++++-------- .github/ISSUE_TEMPLATE/config.yml | 3 +-- .github/workflows/acceptance.yaml | 2 -- 3 files changed, 9 insertions(+), 12 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index c45b6a4..d20f094 100644 
--- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -9,9 +9,9 @@ assignees: '' @@ -21,19 +21,19 @@ A clear and concise description of what the bug is. **To Reproduce** Steps to reproduce the behavior: 1. Install chart -2. Run vault command -3. See error (vault logs, etc.) +2. Run bao command +3. See error (openbao logs, etc.) -Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output +Other useful info to include: openbao pod logs, `kubectl describe statefulset openbao` and `kubectl get statefulset openbao -o yaml` output **Expected behavior** A clear and concise description of what you expected to happen. **Environment** -* Kubernetes version: +* Kubernetes version: * Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): * Other configuration options or runtime services (istio, etc.): -* vault-helm version: +* openbao-helm version: Chart values: diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 746c03c..46a1922 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -3,5 +3,4 @@ contact_links: - name: Ask a question - url: https://discuss.hashicorp.com/c/vault - about: For increased visibility, please post questions on the discussion forum, and tag with `k8s` + url: https://chat.lfx.linuxfoundation.org/#/room/#openbao-questions:chat.lfx.linuxfoundation.org diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 2a204e3..9dec300 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -18,7 +18,5 @@ jobs: node_image: kindest/node:v${{ matrix.kind-k8s-version }} version: v0.22.0 - run: bats --tap --timing ./test/acceptance - env: - VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} permissions: contents: read From 8f700eb551bca6cf441a574ede71f5d39d3ff97d Mon Sep 17 00:00:00 2001 
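Review bot: The `.github/ISSUE_TEMPLATE/config.yml` hunk replaces the `url:` of the "Ask a question" contact link but drops the `about:` line without re-adding one; as far as I recall GitHub treats `about` as a required field for `contact_links` entries and silently ignores a config that fails validation, so the link would stop rendering — worth confirming against the current template docs. Restoring a one-line description keeps the entry valid, e.g. `about: Ask questions in the OpenBao chat room rather than opening an issue.` The acceptance workflow hunk on the same line is a clean removal of the `VAULT_LICENSE_CI` secret reference and needs nothing further.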
From: jessebot Date: Tue, 28 May 2024 14:04:07 +0200 Subject: [PATCH 096/113] fix chart dir for unit tests Signed-off-by: jessebot --- test/unit/_helpers.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit/_helpers.bash b/test/unit/_helpers.bash index 5f8a94d..1925da4 100644 --- a/test/unit/_helpers.bash +++ b/test/unit/_helpers.bash @@ -3,5 +3,5 @@ # chart_dir returns the directory for the chart chart_dir() { - echo ${BATS_TEST_DIRNAME}/../.. + echo ${BATS_TEST_DIRNAME}/../../charts/openbao } From 547020f267547ba083477dd55e2e42fadf116c8c Mon Sep 17 00:00:00 2001 From: jessebot Date: Tue, 28 May 2024 14:09:01 +0200 Subject: [PATCH 097/113] update all the tests to use kube-version 1.27.x instead of 1.22.x so we're supporting supported versions of kubernetes Signed-off-by: jessebot --- test/unit/injector-disruptionbudget.bats | 2 +- test/unit/server-ha-disruptionbudget.bats | 2 +- test/unit/server-headless-service.bats | 4 ++-- test/unit/server-service.bats | 4 ++-- test/unit/server-statefulset.bats | 6 +++--- test/unit/ui-service.bats | 4 ++-- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index 4ce5515..a7af871 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats @@ -55,7 +55,7 @@ load _helpers local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ --set 'injector.podDisruptionBudget.minAvailable=2' \ - --kube-version 1.22.5 \ + --kube-version 1.27.5 \ . | tee /dev/stderr | yq '.apiVersion == "policy/v1"' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 536c44b..0732149 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats 
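Review bot: `chart_dir` echoes `${BATS_TEST_DIRNAME}/../../charts/openbao` unquoted, so a checkout path containing spaces or glob characters is word-split and glob-expanded by `echo`, and again by every `cd \`chart_dir\`` caller; quoting the expansion is a one-line hardening: `echo "${BATS_TEST_DIRNAME}/../../charts/openbao"`. The callers' unquoted command substitutions have the same weakness but sit outside this hunk.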
@@ -123,7 +123,7 @@ load _helpers --show-only templates/server-disruptionbudget.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.replicas=1' \ - --kube-version 1.22.5 \ + --kube-version 1.27.5 \ . | tee /dev/stderr | yq '.apiVersion == "policy/v1"' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index df649be..43713de 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats @@ -79,7 +79,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-headless-service.yaml \ - --kube-version 1.22.0 \ + --kube-version 1.27.0 \ --set 'server.service.ipFamilyPolicy=PreferDualStack' \ . | tee /dev/stderr | yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) @@ -90,7 +90,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-headless-service.yaml \ - --kube-version 1.22.0 \ + --kube-version 1.27.0 \ --set 'server.service.ipFamilies={IPv4,IPv6}' \ . | tee /dev/stderr | yq -r '.spec.ipFamilies' | tee /dev/stderr) diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 9ef87e9..bb3c47a 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats @@ -492,7 +492,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-service.yaml \ - --kube-version 1.22.0 \ + --kube-version 1.27.0 \ --set 'server.service.ipFamilyPolicy=PreferDualStack' \ . | tee /dev/stderr | yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) @@ -503,7 +503,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-service.yaml \ - --kube-version 1.22.0 \ + --kube-version 1.27.0 \ --set 'server.service.ipFamilies={IPv4,IPv6}' \ . | tee /dev/stderr | yq -r '.spec.ipFamilies' | tee /dev/stderr) 
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 890f963..755333a 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -228,7 +228,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ -s templates/server-statefulset.yaml \ - --kube-version "1.22" \ + --kube-version "1.27" \ . | tee /dev/stderr | yq -r '.spec.persistentVolumeClaimRetentionPolicy' | tee /dev/stderr) [ "${actual}" = "null" ] @@ -238,7 +238,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ -s templates/server-statefulset.yaml \ - --kube-version "1.22" \ + --kube-version "1.27" \ --set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete' \ . | tee /dev/stderr | yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenDeleted' | tee /dev/stderr) @@ -249,7 +249,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ -s templates/server-statefulset.yaml \ - --kube-version "1.22" \ + --kube-version "1.27" \ --set 'server.persistentVolumeClaimRetentionPolicy.whenScaled=Delete' \ . | tee /dev/stderr | yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenScaled' | tee /dev/stderr) diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index bc3547f..531bc56 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -411,7 +411,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/ui-service.yaml \ - --kube-version 1.22.0 \ + --kube-version 1.27.0 \ --set 'ui.enabled=true' \ --set 'ui.serviceIPFamilyPolicy=PreferDualStack' \ . | tee /dev/stderr | @@ -423,7 +423,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/ui-service.yaml \ - --kube-version 1.22.0 \ + --kube-version 1.27.0 \ --set 'ui.enabled=true' \ --set 'ui.serviceIPFamilies={IPv4,IPv6}' \ . | tee /dev/stderr | From d5dba29bf521bc40dbce9a5198a50100cd6255e0 Mon Sep 17 00:00:00 2001 
From: jessebot Date: Tue, 28 May 2024 14:20:48 +0200 Subject: [PATCH 098/113] more updates of vault to openbao, and more updates of old k8s versions Signed-off-by: jessebot --- test/unit/csi-daemonset.bats | 4 ++-- test/unit/csi-role.bats | 4 ++-- test/unit/server-ingress.bats | 10 +++++----- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 5bc9f99..656c136 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -196,7 +196,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr) - [ "${actual}" = "--hmac-secret-name=vault-csi-provider-hmac-key" ] + [ "${actual}" = "--hmac-secret-name=openbao-csi-provider-hmac-key" ] local actual=$(helm template \ --show-only templates/csi-daemonset.yaml \ @@ -688,7 +688,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "http://not-external-test-vault.default.svc:8200" ] + [ "${value}" = "http://not-external-test-openbao.default.svc:8200" ] } @test "csi/daemonset: with global.externalVaultAddr" { diff --git a/test/unit/csi-role.bats b/test/unit/csi-role.bats index 3194d62..0f84936 100644 --- a/test/unit/csi-role.bats +++ b/test/unit/csi-role.bats @@ -24,7 +24,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr) - [ "${actual}" = "vault-csi-provider-hmac-key" ] + [ "${actual}" = "openbao-csi-provider-hmac-key" ] } @test "csi/Role: namespace" { @@ -55,4 +55,4 @@ load _helpers . | tee /dev/stderr | yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr) [ "${actual}" = "foo" ] -} \ No newline at end of file +} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index dde3688..11b137c 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats 
@@ -216,7 +216,7 @@ load _helpers [ "${actual}" = "release-name-openbao" ] } -@test "server/ingress: k8s 1.26.3 uses correct service format when not ha - yaml" { +@test "server/ingress: k8s 1.27.0 uses correct service format when not ha - yaml" { cd `chart_dir` local actual=$(helm template \ @@ -225,7 +225,7 @@ load _helpers --set 'server.dev.enabled=false' \ --set 'server.ha.enabled=false' \ --set 'server.service.enabled=true' \ - --kube-version 1.26.3 \ + --kube-version 1.27.0 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "release-name-openbao" ] @@ -246,14 +246,14 @@ load _helpers [ "${actual}" = "release-name-openbao" ] } -@test "server/ingress: pathType is added to Kubernetes version == 1.26.3" { +@test "server/ingress: pathType is added to Kubernetes version == 1.27.0" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set server.ingress.pathType=ImplementationSpecific \ - --kube-version 1.26.3 \ + --kube-version 1.27.0 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) [ "${actual}" = "ImplementationSpecific" ] @@ -266,7 +266,7 @@ load _helpers --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set server.ingress.pathType=Prefix \ - --kube-version 1.26.3 \ + --kube-version 1.27.0 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) [ "${actual}" = "Prefix" ] From ad8307d53326a1450debfbc3f5dfa077fdf20997 Mon Sep 17 00:00:00 2001 From: Tijmen <17317361+Btijmen@users.noreply.github.com> Date: Thu, 8 Aug 2024 14:13:31 +0200 Subject: [PATCH 099/113] Remove hashicorp documentation links from values.yaml (#13) Signed-off-by: Tijmen <17317361+Btijmen@users.noreply.github.com> --- charts/openbao/values.yaml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) 
diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 5513b10..40621c5 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml @@ -473,7 +473,7 @@ server: # authDelegator enables a cluster role binding to be attached to the service # account. This cluster role binding can be used to setup Kubernetes auth - # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes + # method. See https://openbao.org/docs/auth/kubernetes authDelegator: enabled: true @@ -764,7 +764,7 @@ server: # This configures the OpenBao Statefulset to create a PVC for data # storage when using the file or raft backend storage engines. - # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more + # See https://openbao.org/docs/configuration/storage to know more dataStorage: enabled: true # Size of the PVC created @@ -793,7 +793,7 @@ server: # logs. Once OpenBao is deployed, initialized, and unsealed, OpenBao must # be configured to use this for audit logs. This will be mounted to # /openbao/audit - # See https://developer.hashicorp.com/vault/docs/audit to know more + # See https://openbao.org/docs/audit to know more auditStorage: enabled: false # Size of the PVC created @@ -814,7 +814,7 @@ server: # and no initialization. This is useful for experimenting with OpenBao without # needing to unseal, store keys, et. al. All data is lost on restart - do not # use dev mode for anything other than experimenting. - # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more + # See https://openbao.org/docs/concepts/dev-server to know more dev: enabled: false 
@@ -836,7 +836,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true @@ -879,12 +879,12 @@ server: replicas: 3 # Set the api_addr configuration for OpenBao HA - # See https://developer.hashicorp.com/vault/docs/configuration#api_addr + # See https://openbao.org/docs/configuration#api_addr # If set to null, this will be set to the Pod IP Address apiAddr: null # Set the cluster_addr confuguration for OpenBao HA - # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr + # See https://openbao.org/docs/configuration#cluster_addr # If set to null, this will be set to https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201 clusterAddr: null @@ -902,7 +902,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true @@ -929,7 +929,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true 
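Review bot: The three `config:` hunks here swap the host to openbao.org but keep the fragment `#protecting-sensitive-vault-configurations` copied from the HashiCorp page; if the heading was renamed in the OpenBao docs the anchor silently lands at the top of the page, which matters because this is the one link that tells operators how to keep passwords out of the ConfigMap-backed config. A quick check that the anchor resolves, or dropping the fragment to the bare page URL `https://openbao.org/docs/platform/k8s/helm/run` if there is no stable heading, would settle it. Whether the anchor exists is not visible from the diff, so treat this as something to verify rather than a known break.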
@@ -996,7 +996,7 @@ server: extraLabels: {} # Enable or disable a service account role binding with the permissions required for # OpenBao's Kubernetes service_registration config option. - # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes + # See https://openbao.org/docs/configuration/service-registration/kubernetes serviceDiscovery: enabled: true @@ -1241,7 +1241,7 @@ csi: debug: false # Pass arbitrary additional arguments to vault-csi-provider. - # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments + # See https://openbao.org/docs/platform/k8s/csi/configurations#command-line-arguments # for the available command line flags. extraArgs: [] @@ -1250,8 +1250,8 @@ csi: # the OpenBao configuration. There are a few examples included in the `config` sections above. # # For more information see: -# https://developer.hashicorp.com/vault/docs/configuration/telemetry -# https://developer.hashicorp.com/vault/docs/internals/telemetry +# https://openbao.org/docs/configuration/telemetry +# https://openbao.org/docs/internals/telemetry serverTelemetry: # Enable support for the Prometheus Operator. Currently, this chart does not support # authenticating to OpenBao's metrics endpoint, so the following `telemetry{}` must be included From a6f8ccdfeded9b0b3bec4c1023b9edee15d531f5 Mon Sep 17 00:00:00 2001 From: jorge882 Date: Fri, 23 Aug 2024 12:24:36 -0500 Subject: [PATCH 100/113] Corrected Helm values.yaml file - prometheusRules Corrected the alert: valut-HighResponseTime alert rules (lines 1325-26), as well as the documentation (1324) to properly reflect a 10 minute threshold for the critical warning. Signed-off-by: jorge882 --- charts/openbao/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 40621c5..4d433d5 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml 
@@ -1321,8 +1321,8 @@ serverTelemetry: # severity: warning # - alert: vault-HighResponseTime # annotations: - # message: The response time of OpenBao is over 1s on average over the last 5 minutes. + # message: The response time of OpenBao is over 1s on average over the last 10 minutes. # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 - # for: 5m + # for: 10m # labels: # severity: critical From 5d545983bfa94192eadf5085b58b028c7cc087e1 Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Tue, 3 Sep 2024 22:05:21 +0200 Subject: [PATCH 101/113] update used OpenBao Version to 2.0.1 Signed-off-by: Jan Martens --- charts/openbao/Chart.yaml | 22 ++++++++++++++++------ charts/openbao/values.openshift.yaml | 4 ++-- charts/openbao/values.yaml | 6 +++--- 3 files changed, 21 insertions(+), 11 deletions(-) diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml index febe394..ef23943 100644 --- a/charts/openbao/Chart.yaml +++ b/charts/openbao/Chart.yaml @@ -3,19 +3,29 @@ apiVersion: v2 name: openbao -version: 0.4.0 -appVersion: v2.0.0-alpha20240329 +version: 0.5.0 +appVersion: v2.0.1 kubeVersion: ">= 1.27.0-0" description: Official OpenBao Chart home: https://github.com/openbao/openbao-helm icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg -keywords: ["vault", "openbao", "security", "encryption", "secrets", "management", "automation", "infrastructure"] +keywords: + [ + "vault", + "openbao", + "security", + "encryption", + "secrets", + "management", + "automation", + "infrastructure", + ] sources: - https://github.com/openbao/openbao-helm annotations: charts.openshift.io/name: Openbao maintainers: -- name: OpenBao - email: openbao-security@lists.lfedge.org - url: https://openbao.org + - name: OpenBao + email: openbao-security@lists.lfedge.org + url: https://openbao.org diff --git a/charts/openbao/values.openshift.yaml b/charts/openbao/values.openshift.yaml index 2d0e84b..b63f548 100644 
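Review bot: The alert text still says "on average" while the `expr` on the next line selects `quantile="0.5"` of `vault_core_handle_request`, i.e. the median, so the window is now corrected but the statistic is still misdescribed; suggest `message: The median (p50) response time of OpenBao has been over 1s for the last 10 minutes.` Note also that `for: 10m` requires the condition to hold continuously for 10 minutes, which is not the same as "on average over the last 10 minutes". The alert name `vault-HighResponseTime` and the `vault_` metric prefix are left as-is; whether OpenBao 2.x still exports metrics under that prefix is not shown by this hunk, so verify before renaming them in a follow-up.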
--- a/charts/openbao/values.openshift.yaml +++ b/charts/openbao/values.openshift.yaml @@ -14,13 +14,13 @@ injector: agentImage: registry: "quay.io" repository: "openbao/openbao" - tag: "v2.0.0-alpha20240329-ubi" + tag: "v2.0.1-ubi" server: image: registry: "quay.io" repository: "openbao/openbao" - tag: "v2.0.0-alpha20240329-ubi" + tag: "v2.0.1-ubi" readinessProbe: path: "/v1/sys/health?uninitcode=204" diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 4d433d5..99b6eb6 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml @@ -84,7 +84,7 @@ injector: # -- image repo to use for agent image repository: "openbao/openbao" # -- image tag to use for agent image - tag: "2.0.0-alpha20240329" + tag: "2.0.1" # -- image pull policy to use for agent image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent @@ -379,7 +379,7 @@ server: # -- image repo to use for server image repository: "openbao/openbao" # -- image tag to use for server image - tag: "2.0.0-alpha20240329" + tag: "2.0.1" # -- image pull policy to use for server image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent @@ -1183,7 +1183,7 @@ csi: # -- image repo to use for agent image repository: "openbao/openbao" # -- image tag to use for agent image - tag: "2.0.0-alpha20240329" + tag: "2.0.1" # -- image pull policy to use for agent image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent From 5fba05f8f82961734fd06750ba5de915fcd4ebbc Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Wed, 4 Sep 2024 22:07:29 +0200 Subject: [PATCH 102/113] fix chart verifier tests Signed-off-by: Jan Martens --- .github/workflows/tests.yaml | 6 +++--- test/chart/_helpers.bash | 2 +- test/chart/verifier.bats | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 74d5a7d..43d37b2 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
@@ -10,14 +10,14 @@ jobs: chart-verifier: runs-on: ubuntu-latest env: - CHART_VERIFIER_VERSION: '1.13.0' + CHART_VERIFIER_VERSION: "1.13.7" steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup test tools uses: ./.github/actions/setup-test-tools - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: '1.21.3' + go-version: "1.22.5" - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" - run: bats --tap --timing ./test/chart permissions: diff --git a/test/chart/_helpers.bash b/test/chart/_helpers.bash index 4d24657..ac4c23b 100644 --- a/test/chart/_helpers.bash +++ b/test/chart/_helpers.bash @@ -3,7 +3,7 @@ # chart_dir returns the directory for the chart chart_dir() { - echo ${BATS_TEST_DIRNAME}/../.. + echo ${BATS_TEST_DIRNAME}/../../charts/openbao } # check_result checks if the specified test passed diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index 2d0c336..bcbb3c3 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -6,7 +6,7 @@ setup_file() { cd `chart_dir` export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" export CHART_VOLUME=openbao-helm-chart-src - local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1" + local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7" # chart-verifier requires an openshift version if a cluster isn't available local OPENSHIFT_VERSION="4.12" local DISABLED_TESTS="chart-testing" From d6a660e8680df1bc4a40bcf395d4624ae7a4b4d9 Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Wed, 4 Sep 2024 23:06:35 +0200 Subject: [PATCH 103/113] fix chart unit tests 
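Review bot: The chart-verifier version now lives in two places that can drift: `CHART_VERIFIER_VERSION: "1.13.7"` in tests.yaml and `local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7"` in verifier.bats, and the values before this change (1.13.0 and 1.10.1) show they already had. Because the variable is set at job level under `env:`, it is visible to the `bats` step, so verifier.bats could default to it: `local IMAGE="quay.io/redhat-certification/chart-verifier:${CHART_VERIFIER_VERSION:-1.13.7}"`. Whether the bats test uses the container image or the `go install`ed binary is not visible here; if it is the image, the `go install` step may be redundant. Separately, `chart_dir()` in _helpers.bash still echoes an unquoted path; `echo "${BATS_TEST_DIRNAME}/../../charts/openbao"` avoids word splitting on a checkout path that contains spaces.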
Signed-off-by: Jan Martens --- test/acceptance/_helpers.bash | 4 +- test/unit/csi-clusterrole.bats | 2 +- test/unit/csi-clusterrolebinding.bats | 2 +- test/unit/csi-daemonset.bats | 2 +- test/unit/csi-rolebinding.bats | 2 +- test/unit/injector-clusterrolebinding.bats | 2 +- test/unit/injector-deployment.bats | 4 +- test/unit/injector-mutating-webhook.bats | 2 +- test/unit/injector-psp-role.bats | 2 +- test/unit/injector-psp-rolebinding.bats | 2 +- test/unit/server-clusterrolebinding.bats | 2 +- test/unit/server-dev-statefulset.bats | 4 +- test/unit/server-discovery-role.bats | 2 +- test/unit/server-discovery-rolebinding.bats | 2 +- test/unit/server-ha-statefulset.bats | 28 +++++----- test/unit/server-headless-service.bats | 22 -------- test/unit/server-psp-role.bats | 2 +- test/unit/server-psp-rolebinding.bats | 2 +- test/unit/server-service.bats | 22 -------- test/unit/server-serviceaccount.bats | 2 +- test/unit/server-statefulset.bats | 62 +++++---------------- test/unit/server-test.bats | 12 ++-- test/unit/ui-service.bats | 24 -------- 23 files changed, 55 insertions(+), 155 deletions(-) diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index c13f09d..2f62964 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash @@ -23,7 +23,7 @@ helm_install() { helm install -f ${values} \ --name openbao \ - ${BATS_TEST_DIRNAME}/../.. + ${BATS_TEST_DIRNAME}/../../charts/openbao } # helm_install_ha installs the openbao chart using HA mode. This will source @@ -40,7 +40,7 @@ helm_install_ha() { --name openbao \ --set 'server.enabled=false' \ --set 'serverHA.enabled=true' \ - ${BATS_TEST_DIRNAME}/../.. + ${BATS_TEST_DIRNAME}/../../charts/openbao } # wait for consul to be ready diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats index 73d91ba..60346b8 100644 --- a/test/unit/csi-clusterrole.bats +++ b/test/unit/csi-clusterrole.bats 
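Review bot: `helm_install` and `helm_install_ha` still pass `--name openbao` to `helm install`, which is Helm 2 syntax; with Helm 3 the release name is positional (`helm install openbao -f ${values} ...`) and `--name` is rejected, so the path fix in these two hunks cannot be exercised until that is addressed. server-annotations.bats, changed in PATCH 104 further down, already calls `helm install "$(name_prefix)" -f ... .` in the Helm 3 form, which suggests these helpers are no longer used; if so, deleting them is cleaner than updating them. `${values}` and `${BATS_TEST_DIRNAME}` are also unquoted here, as they were before. Both function bodies continue outside the hunks.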
@@ -30,4 +30,4 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) [ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ] -} \ No newline at end of file +} diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index b97ea3b..522c7ac 100644 --- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats @@ -61,4 +61,4 @@ load _helpers . | tee /dev/stderr | yq -r '.subjects[0].namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 656c136..78daa80 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -101,7 +101,7 @@ load _helpers local actual=$(echo $object | yq -r '.[0].image' | tee /dev/stderr) - [ "${actual}" = "Image1:0.0.1" ] + [ "${actual}" = "docker.io/Image1:0.0.1" ] local actual=$(echo $object | yq -r '.[0].imagePullPolicy' | tee /dev/stderr) [ "${actual}" = "PullPolicy1" ] diff --git a/test/unit/csi-rolebinding.bats b/test/unit/csi-rolebinding.bats index d1c7b1a..692ea38 100644 --- a/test/unit/csi-rolebinding.bats +++ b/test/unit/csi-rolebinding.bats @@ -38,4 +38,4 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/injector-clusterrolebinding.bats b/test/unit/injector-clusterrolebinding.bats index e997ebd..9a99b34 100755 --- a/test/unit/injector-clusterrolebinding.bats +++ b/test/unit/injector-clusterrolebinding.bats @@ -38,4 +38,4 @@ load _helpers . | tee /dev/stderr | yq -r '.subjects[0].namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index ba23bd9..f5d9d1e 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
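Review bot: The updated expectation `[ "${actual}" = "docker.io/Image1:0.0.1" ]` in csi-daemonset.bats bakes the chart's default registry into a test that, judging by the repository and tag it presumably sets, is meant to check that the image can be overridden; it will break on the next registry-default change for a reason unrelated to what it tests. Setting the registry explicitly in the same `--set` list and asserting that value keeps the test self-contained, and a separate test can pin the default. The same pattern appears in injector-deployment.bats (`docker.io/foo:1.2.3`), server-dev-statefulset.bats, server-ha-statefulset.bats, server-statefulset.bats and server-test.bats (`quay.io/foo:...`); the split between `docker.io` and `quay.io` defaults across components deserves a one-line comment in values.yaml if it is intentional. The `--set` lines for this test sit outside the hunk.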
@@ -69,7 +69,7 @@ load _helpers --set 'injector.image.tag=1.2.3' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "docker.io/foo:1.2.3" ] local actual=$(helm template \ --show-only templates/injector-deployment.yaml \ @@ -77,7 +77,7 @@ load _helpers --set 'injector.image.tag=1.2.3' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "docker.io/foo:1.2.3" ] } @test "injector/deployment: default imagePullPolicy" { diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index fcf4e7b..bd0499b 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats @@ -331,4 +331,4 @@ load _helpers yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) [ "${actual}" = "true" ] -} \ No newline at end of file +} diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats index 3dda504..32bb696 100644 --- a/test/unit/injector-psp-role.bats +++ b/test/unit/injector-psp-role.bats @@ -53,4 +53,4 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats index 62afe7b..f978acf 100644 --- a/test/unit/injector-psp-rolebinding.bats +++ b/test/unit/injector-psp-rolebinding.bats @@ -53,4 +53,4 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats index 12cd6a9..b5c6930 100755 --- a/test/unit/server-clusterrolebinding.bats +++ b/test/unit/server-clusterrolebinding.bats 
@@ -87,4 +87,4 @@ load _helpers . | tee /dev/stderr | yq -r '.subjects[0].namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 025495a..19c94a0 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats @@ -43,7 +43,7 @@ load _helpers --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "quay.io/foo:1.2.3" ] } @test "server/ha-StatefulSet: image tag defaults to latest" { @@ -56,7 +56,7 @@ load _helpers --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:latest" ] + [ "${actual}" = "quay.io/foo:latest" ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats index f17dcf4..16799dc 100755 --- a/test/unit/server-discovery-role.bats +++ b/test/unit/server-discovery-role.bats @@ -57,4 +57,4 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats index 83e8def..dd961f6 100755 --- a/test/unit/server-discovery-rolebinding.bats +++ b/test/unit/server-discovery-rolebinding.bats @@ -57,4 +57,4 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 84bb21c..f0385bf 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
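Review bot: In server-dev-statefulset.bats the context line `@test "server/ha-StatefulSet: image tag defaults to latest" {` names an HA test inside the dev StatefulSet file, so a failure is reported against the wrong component; the same name appears in server-ha-statefulset.bats, where it belongs. Since the expectation under it is being touched, renaming it to use whatever prefix the other tests in this file carry (likely `server/dev-StatefulSet:`) is cheap. This is pre-existing rather than introduced by the change.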
@@ -43,7 +43,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "quay.io/foo:1.2.3" ] } @test "server/ha-StatefulSet: image tag defaults to latest" { @@ -56,7 +56,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:latest" ] + [ "${actual}" = "quay.io/foo:latest" ] } #-------------------------------------------------------------------- @@ -71,7 +71,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_ADDR")) | .[] .value' | tee /dev/stderr) [ "${value}" = "http://127.0.0.1:8200" ] } @@ -84,7 +84,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_ADDR")) | .[] .value' | tee /dev/stderr) [ "${value}" = "https://127.0.0.1:8200" ] } @@ -407,7 +407,7 @@ load _helpers } #-------------------------------------------------------------------- -# VAULT_API_ADDR renders +# BAO_API_ADDR renders @test "server/ha-StatefulSet: api addr renders to Pod IP by default" { cd `chart_dir` @@ -418,7 +418,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_API_ADDR")) | .[] .value' | tee /dev/stderr) [ "${value}" = 'http://$(POD_IP):8200' ] } 
@@ -432,12 +432,12 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_API_ADDR")) | .[] .value' | tee /dev/stderr) [ "${value}" = "https://example.com:8200" ] } #-------------------------------------------------------------------- -# VAULT_CLUSTER_ADDR renders +# BAO_CLUSTER_ADDR renders @test "server/ha-StatefulSet: clusterAddr not set" { cd `chart_dir` @@ -449,7 +449,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) [ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ] } @@ -464,7 +464,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) [ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ] } @@ -479,7 +479,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) [ "${value}" = 'https://test.example.com:8201' ] } @@ -494,7 +494,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) [ "${value}" = 'http://$(HOSTNAME).release-name-openbao-internal:8201' ] } 
@@ -515,7 +515,7 @@ local value=$(echo $rendered | } #-------------------------------------------------------------------- -# VAULT_RAFT_NODE_ID renders +# BAO_RAFT_NODE_ID renders @test "server/ha-StatefulSet: raft node ID renders" { cd `chart_dir` @@ -528,7 +528,7 @@ local value=$(echo $rendered | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr) [ "${value}" = "metadata.name" ] } diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 43713de..7796dca 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats @@ -74,25 +74,3 @@ load _helpers yq '.spec.ipFamilies' -c | tee /dev/stderr) [ "${actual}" = '["IPv4","IPv6"]' ] } - -@test "server/headless-Service: Assert ipFamilyPolicy is not set if version below 1.23" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/server-headless-service.yaml \ - --kube-version 1.27.0 \ - --set 'server.service.ipFamilyPolicy=PreferDualStack' \ - . | tee /dev/stderr | - yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "server/headless-Service: Assert ipFamilies is not set if version below 1.23" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/server-headless-service.yaml \ - --kube-version 1.27.0 \ - --set 'server.service.ipFamilies={IPv4,IPv6}' \ - . | tee /dev/stderr | - yq -r '.spec.ipFamilies' | tee /dev/stderr) - [ "${actual}" = "null" ] -} \ No newline at end of file diff --git a/test/unit/server-psp-role.bats b/test/unit/server-psp-role.bats index 28239b0..3e63b3c 100644 --- a/test/unit/server-psp-role.bats +++ b/test/unit/server-psp-role.bats 
@@ -127,4 +127,4 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/server-psp-rolebinding.bats b/test/unit/server-psp-rolebinding.bats index 4a4bae3..d57687b 100644 --- a/test/unit/server-psp-rolebinding.bats +++ b/test/unit/server-psp-rolebinding.bats @@ -127,4 +127,4 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index bb3c47a..94ebb6a 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats @@ -487,25 +487,3 @@ load _helpers yq '.spec.ipFamilies' -c | tee /dev/stderr) [ "${actual}" = '["IPv4","IPv6"]' ] } - -@test "server/Service: Assert ipFamilyPolicy is not set if version below 1.23" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/server-service.yaml \ - --kube-version 1.27.0 \ - --set 'server.service.ipFamilyPolicy=PreferDualStack' \ - . | tee /dev/stderr | - yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "server/Service: Assert ipFamilies is not set if version below 1.23" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/server-service.yaml \ - --kube-version 1.27.0 \ - --set 'server.service.ipFamilies={IPv4,IPv6}' \ - . | tee /dev/stderr | - yq -r '.spec.ipFamilies' | tee /dev/stderr) - [ "${actual}" = "null" ] -} \ No newline at end of file diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index da0dd11..2a8c60c 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -145,4 +145,4 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.labels.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} 
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 755333a..aafd92d 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -105,7 +105,7 @@ load _helpers --set 'server.image.tag=1.2.3' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "quay.io/foo:1.2.3" ] local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -114,7 +114,7 @@ load _helpers --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "quay.io/foo:1.2.3" ] } @test "server/standalone-StatefulSet: image tag defaults to latest" { @@ -125,7 +125,7 @@ load _helpers --set 'server.image.tag=' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:latest" ] + [ "${actual}" = "quay.io/foo:latest" ] local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -134,7 +134,7 @@ load _helpers --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:latest" ] + [ "${actual}" = "quay.io/foo:latest" ] } @test "server/standalone-StatefulSet: default imagePullPolicy" { 
@@ -224,43 +224,11 @@ load _helpers #-------------------------------------------------------------------- # persistentVolumeClaimRetentionPolicy -@test "server/standalone-StatefulSet: persistentVolumeClaimRetentionPolicy not set by default when kubernetes < 1.23" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --kube-version "1.27" \ - . | tee /dev/stderr | - yq -r '.spec.persistentVolumeClaimRetentionPolicy' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "server/standalone-StatefulSet: unset persistentVolumeClaimRetentionPolicy.whenDeleted when kubernetes < 1.23" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --kube-version "1.27" \ - --set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete' \ - . | tee /dev/stderr | - yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenDeleted' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "server/standalone-StatefulSet: unset persistentVolumeClaimRetentionPolicy.whenScaled when kubernetes < 1.23" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --kube-version "1.27" \ - --set 'server.persistentVolumeClaimRetentionPolicy.whenScaled=Delete' \ - . | tee /dev/stderr | - yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenScaled' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - @test "server/standalone-StatefulSet: persistentVolumeClaimRetentionPolicy not set by default when kubernetes >= 1.23" { cd `chart_dir` local actual=$(helm template \ -s templates/server-statefulset.yaml \ - --kube-version "1.23" \ + --kube-version "1.27" \ . | tee /dev/stderr | yq -r '.spec.persistentVolumeClaimRetentionPolicy' | tee /dev/stderr) [ "${actual}" = "null" ] 
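Review bot: The retained test keeps the name `... persistentVolumeClaimRetentionPolicy not set by default when kubernetes >= 1.23` while its `--kube-version` becomes `"1.27"` and its `< 1.23` counterparts are deleted, so the qualifier no longer describes a boundary the suite exercises (Chart.yaml in this series declares `kubeVersion: ">= 1.27.0-0"`). Dropping it, e.g. `@test "server/standalone-StatefulSet: persistentVolumeClaimRetentionPolicy not set by default" {`, keeps the name honest; the two following hunks that change `--kube-version` for the `whenDeleted` and `whenScaled` tests presumably carry the same qualifier, but their `@test` lines are outside those hunks. The test body continues past the end of this hunk.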
@@ -270,7 +238,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ -s templates/server-statefulset.yaml \ - --kube-version "1.23" \ + --kube-version "1.27" \ --set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete' \ . | tee /dev/stderr | yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenDeleted' | tee /dev/stderr) @@ -281,7 +249,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ -s templates/server-statefulset.yaml \ - --kube-version "1.23" \ + --kube-version "1.27" \ --set 'server.persistentVolumeClaimRetentionPolicy.whenScaled=Delete' \ . | tee /dev/stderr | yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenScaled' | tee /dev/stderr) @@ -571,7 +539,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $objects | - yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .name' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .name' | tee /dev/stderr) [ "${value}" = "" ] } @@ -584,7 +552,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $objects | - yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) [ "${value}" = "debug" ] } @@ -599,7 +567,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $objects | - yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .name' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .name' | tee /dev/stderr) [ "${value}" = "" ] } @@ -612,7 +580,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $objects | - yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) [ "${value}" = "json" ] } 
@@ -800,7 +768,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "audit")' | tee /dev/stderr) local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/audit" ] + [ "${actual}" = "/openbao/audit" ] } @test "server/standalone-StatefulSet: can configure audit storage mount path" { @@ -825,7 +793,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "data")' | tee /dev/stderr) local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/data" ] + [ "${actual}" = "/openbao/data" ] } @test "server/standalone-StatefulSet: can configure data storage mount path" { @@ -1686,7 +1654,7 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | - yq '.spec.template.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr) + yq '.spec.template.metadata.annotations["openbao.hashicorp.com/config-checksum"] == null' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1705,7 +1673,7 @@ load _helpers --show-only templates/server-statefulset.yaml \ --set 'server.includeConfigAnnotation=true' \ . | tee /dev/stderr | - yq '.spec.template.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr) + yq '.spec.template.metadata.annotations["openbao.hashicorp.com/config-checksum"] == null' | tee /dev/stderr) [ "${actual}" = "false" ] } diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index 6619771..f36dc5f 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats @@ -52,7 +52,7 @@ load _helpers --show-only templates/tests/server-test.yaml \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "vault-server-test" ] + [ "${actual}" = "openbao-server-test" ] } @test "server/standalone-server-test-Pod: release metadata.name foo" { 
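Review bot: The expected annotation key changes from `vault.hashicorp.com/config-checksum` to `openbao.hashicorp.com/config-checksum`, which looks like a search-and-replace of the product name that left the vendor domain in place; an annotation prefix is expected to be a DNS name the project controls, so the intended key is probably under an OpenBao-owned domain. The test has to match whatever templates/server-statefulset.yaml emits, so if the template really produces `openbao.hashicorp.com/...` the fix belongs there and this assertion follows it; either way a comment above the two `yq` lines naming the template that emits the key would make the coupling obvious. Both hunks (`-1686` and `-1705`) are affected.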
@@ -61,7 +61,7 @@ load _helpers --show-only templates/tests/server-test.yaml \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "foo-vault-server-test" ] + [ "${actual}" = "foo-openbao-server-test" ] } @test "server/standalone-server-test-Pod: default server.standalone.enabled" { @@ -134,7 +134,7 @@ load _helpers --set 'server.image.tag=1.2.3' \ . | tee /dev/stderr | yq -r '.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "quay.io/foo:1.2.3" ] local actual=$(helm template \ --show-only templates/tests/server-test.yaml \ @@ -143,7 +143,7 @@ load _helpers --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "quay.io/foo:1.2.3" ] } @test "server/standalone-server-test-Pod: image tag defaults to latest" { @@ -154,7 +154,7 @@ load _helpers --set 'server.image.tag=' \ . | tee /dev/stderr | yq -r '.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:latest" ] + [ "${actual}" = "quay.io/foo:latest" ] local actual=$(helm template \ --show-only templates/tests/server-test.yaml \ @@ -163,7 +163,7 @@ load _helpers --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:latest" ] + [ "${actual}" = "quay.io/foo:latest" ] } @test "server/standalone-server-test-Pod: default imagePullPolicy" { diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 531bc56..42b467e 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats 
@@ -406,27 +406,3 @@ load _helpers yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) [ "${actual}" = "PreferDualStack" ] } - -@test "server/Service: Assert ipFamilyPolicy is not set if version below 1.23" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/ui-service.yaml \ - --kube-version 1.27.0 \ - --set 'ui.enabled=true' \ - --set 'ui.serviceIPFamilyPolicy=PreferDualStack' \ - . | tee /dev/stderr | - yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "server/Service: Assert ipFamilies is not set if version below 1.23" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/ui-service.yaml \ - --kube-version 1.27.0 \ - --set 'ui.enabled=true' \ - --set 'ui.serviceIPFamilies={IPv4,IPv6}' \ - . | tee /dev/stderr | - yq -r '.spec.ipFamilies' | tee /dev/stderr) - [ "${actual}" = "null" ] -} \ No newline at end of file From 4f63aa2373009b1fb9d2d2adaa13dac4a67e15e5 Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Wed, 4 Sep 2024 23:20:47 +0200 Subject: [PATCH 104/113] fix acceptance tests Signed-off-by: Jan Martens --- test/acceptance/csi.bats | 6 +- test/acceptance/injector-leader-elector.bats | 6 +- test/acceptance/injector.bats | 8 +- test/acceptance/server-annotations.bats | 2 +- test/acceptance/server-ha.bats | 121 ------------------- test/acceptance/server-telemetry.bats | 2 +- 6 files changed, 12 insertions(+), 133 deletions(-) delete mode 100644 test/acceptance/server-ha.bats diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index be5e3b9..d95af15 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats 
@@ -35,7 +35,7 @@ load _helpers kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider # Set up k8s auth and a kv secret. - cat ./test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy - + cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' @@ -46,8 +46,8 @@ load _helpers ttl=20m kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 - kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml - kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml + kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml + kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats index 8605d17..7de823b 100644 --- a/test/acceptance/injector-leader-elector.bats +++ b/test/acceptance/injector-leader-elector.bats 
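Review bot: The fixtures are now addressed as `../../test/acceptance/csi-test/...`, which only resolves when the working directory is `charts/openbao` (presumably set by a `cd` to the chart directory outside the hunk); `${BATS_TEST_DIRNAME}/csi-test/openbao-policy.hcl` is independent of the working directory and is the form _helpers.bash already uses. The same relative form is used in injector.bats and server-annotations.bats in this commit. Minor: the `cat FILE | kubectl exec -i ...` pipeline can be `kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - < "${BATS_TEST_DIRNAME}/csi-test/openbao-policy.hcl"`. The enclosing test function continues outside the hunk.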
@@ -13,9 +13,9 @@ load _helpers --wait \ --timeout=5m \ --set="injector.replicas=3" . - kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m + kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=openbao-agent-injector --timeout=5m - pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name')) + pods=($(kubectl get pods -l app.kubernetes.io/name=openbao-agent-injector -o json | jq -r '.items[] | .metadata.name')) [ "${#pods[@]}" == 3 ] leader='' @@ -49,4 +49,4 @@ teardown() { kubectl delete --all pvc kubectl delete namespace acceptance fi -} \ No newline at end of file +} diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index c4cf0a1..2156597 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats @@ -9,13 +9,13 @@ load _helpers kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance - kubectl create -f ./test/acceptance/injector-test/pg-deployment.yaml + kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml sleep 5 wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}") kubectl create secret generic test \ - --from-file ./test/acceptance/injector-test/pgdump-policy.hcl \ - --from-file ./test/acceptance/injector-test/bootstrap.sh + --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \ + --from-file ../../test/acceptance/injector-test/bootstrap.sh kubectl label secret test app=openbao-agent-demo @@ -39,7 +39,7 @@ load _helpers [ "${init_status}" == "true" ] - kubectl create -f ./test/acceptance/injector-test/job.yaml + kubectl create -f ../../test/acceptance/injector-test/job.yaml wait_for_complete_job "pgdump" } diff --git a/test/acceptance/server-annotations.bats b/test/acceptance/server-annotations.bats index d382788..b66dc02 100644 --- a/test/acceptance/server-annotations.bats 
+++ b/test/acceptance/server-annotations.bats @@ -8,7 +8,7 @@ load _helpers kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance - helm install "$(name_prefix)" -f ./test/acceptance/server-test/annotations-overrides.yaml . + helm install "$(name_prefix)" -f ../../test/acceptance/server-test/annotations-overrides.yaml . wait_for_running $(name_prefix)-0 # service annotations diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats deleted file mode 100644 index 8788d7b..0000000 --- a/test/acceptance/server-ha.bats +++ /dev/null 
@@ -1,121 +0,0 @@ -#!/usr/bin/env bats - -load _helpers - -@test "server/ha: testing deployment" { - cd `chart_dir` - - helm install "$(name_prefix)" \ - --set='server.ha.enabled=true' . - wait_for_running $(name_prefix)-0 - - # Sealed, not initialized - wait_for_sealed_vault $(name_prefix)-0 - - local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "false" ] - - # Replicas - local replicas=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.replicas') - [ "${replicas}" == "3" ] - - # Volume Mounts - local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.containers[0].volumeMounts | length') - [ "${volumeCount}" == "2" ] - - # Volumes - local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.volumes | length') - [ "${volumeCount}" == "2" ] - - local volume=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.volumes[0].configMap.name') - [ "${volume}" == "$(name_prefix)-config" ] - - # Service - local service=$(kubectl get service "$(name_prefix)" --output json | - jq -r '.spec.clusterIP') - [ "${service}" != "None" ] - - local service=$(kubectl get service "$(name_prefix)" --output json | - jq -r '.spec.type') - [ "${service}" == "ClusterIP" ] - - local ports=$(kubectl get service "$(name_prefix)" --output json | - jq -r '.spec.ports | length') - [ "${ports}" == "2" ] - - local ports=$(kubectl get service "$(name_prefix)" --output json | - jq -r '.spec.ports[0].port') - [ "${ports}" == "8200" ] - - local ports=$(kubectl get service "$(name_prefix)" --output json | - jq -r '.spec.ports[1].port') - [ "${ports}" == "8201" ] - - # OpenBao Init - local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ - bao operator init -format=json -n 1 -t 1 | \ - jq -r '.unseal_keys_b64[0]') - [ "${token}" != "" ] - - # OpenBao Unseal - local 
pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - kubectl exec -ti ${pod} -- bao operator unseal ${token} - done - - wait_for_ready "$(name_prefix)-0" - - # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] - - local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] -} - -# setup a consul env -setup() { - kubectl delete namespace acceptance --ignore-not-found=true - kubectl create namespace acceptance - kubectl config set-context --current --namespace=acceptance - - helm repo add hashicorp https://helm.releases.hashicorp.com - helm repo update - - CONSUL_HELM_VERSION=v0.48.0 - - K8S_MAJOR=$(kubectl version --output=json | jq -r .serverVersion.major) - K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor) - if [ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]; then - CONSUL_HELM_VERSION=v0.32.1 - fi - helm install consul hashicorp/consul \ - --version $CONSUL_HELM_VERSION \ - --set 'ui.enabled=false' - - wait_for_running_consul -} - -#cleanup -teardown() { - if [[ ${CLEANUP:-true} == "true" ]] - then - # If the test failed, print some debug output - if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then - kubectl logs -l app=consul - kubectl logs -l app.kubernetes.io/name=openbao - fi - helm delete openbao - helm delete consul - kubectl delete --all pvc - kubectl delete namespace acceptance --ignore-not-found=true - fi -} diff --git a/test/acceptance/server-telemetry.bats b/test/acceptance/server-telemetry.bats index 5b6101e..2c35c45 100644 --- a/test/acceptance/server-telemetry.bats +++ b/test/acceptance/server-telemetry.bats 
@@ -19,7 +19,7 @@ load _helpers helm install \ --wait \ - --values ./test/acceptance/server-test/telemetry.yaml \ + --values ../../test/acceptance/server-test/telemetry.yaml \ "$(name_prefix)" . wait_for_running $(name_prefix)-0 From e0be4ae6de04bc78710cd17850e04c2f1a1e4b52 Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Wed, 4 Sep 2024 23:42:38 +0200 Subject: [PATCH 105/113] disable injector and CSI tests We do not provide our own images for those components yet which is causing some incompabilites and test failures Signed-off-by: Jan Martens --- test/acceptance/csi.bats | 118 +++++++++++++++++----------------- test/acceptance/injector.bats | 58 ++++++++--------- 2 files changed, 88 insertions(+), 88 deletions(-) diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index d95af15..c4b5327 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats 
@@ -2,73 +2,73 @@ load _helpers -@test "csi: testing deployment" { - cd `chart_dir` +# @test "csi: testing deployment" { +# cd `chart_dir` - kubectl delete namespace acceptance --ignore-not-found=true - kubectl create namespace acceptance +# kubectl delete namespace acceptance --ignore-not-found=true +# kubectl create namespace acceptance - # Install Secrets Store CSI driver - # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly - # so we can see Agent's cache working. - CSI_DRIVER_VERSION=1.3.2 - helm install secrets-store-csi-driver secrets-store-csi-driver \ - --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ - --version=$CSI_DRIVER_VERSION \ - --wait --timeout=5m \ - --namespace=acceptance \ - --set linux.image.pullPolicy="IfNotPresent" \ - --set tokenRequests[0].audience="openbao" \ - --set enableSecretRotation=true \ - --set rotationPollInterval=5s - # Install OpenBao and OpenBao provider - helm install openbao \ - --wait --timeout=5m \ - --namespace=acceptance \ - --set="server.dev.enabled=true" \ - --set="csi.enabled=true" \ - --set="csi.debug=true" \ - --set="csi.agent.logLevel=debug" \ - --set="injector.enabled=false" \ - . - kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao - kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider +# # Install Secrets Store CSI driver +# # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly +# # so we can see Agent's cache working. 
+# CSI_DRIVER_VERSION=1.3.2 +# helm install secrets-store-csi-driver secrets-store-csi-driver \ +# --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ +# --version=$CSI_DRIVER_VERSION \ +# --wait --timeout=5m \ +# --namespace=acceptance \ +# --set linux.image.pullPolicy="IfNotPresent" \ +# --set tokenRequests[0].audience="openbao" \ +# --set enableSecretRotation=true \ +# --set rotationPollInterval=5s +# # Install OpenBao and OpenBao provider +# helm install openbao \ +# --wait --timeout=5m \ +# --namespace=acceptance \ +# --set="server.dev.enabled=true" \ +# --set="csi.enabled=true" \ +# --set="csi.debug=true" \ +# --set="csi.agent.logLevel=debug" \ +# --set="injector.enabled=false" \ +# . +# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao +# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider - # Set up k8s auth and a kv secret. - cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - - kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes - kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ - kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' - kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ - bound_service_account_names=nginx \ - bound_service_account_namespaces=acceptance \ - policies=kv-policy \ - ttl=20m - kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 +# # Set up k8s auth and a kv secret. 
+# cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - +# kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes +# kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ +# kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' +# kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ +# bound_service_account_names=nginx \ +# bound_service_account_namespaces=acceptance \ +# policies=kv-policy \ +# ttl=20m +# kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 - kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml - kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml - kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx +# kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml +# kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml +# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx - result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) - [[ "$result" == "hello1" ]] +# result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) +# [[ "$result" == "hello1" ]] - for i in $(seq 10); do - sleep 2 - if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then - echo "Agent returned a cached login response" - return - fi +# for i in $(seq 10); do +# sleep 2 +# if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then +# echo "Agent returned 
a cached login response" +# return +# fi - echo "Waiting to confirm the Agent is renewing CSI's auth token..." - done +# echo "Waiting to confirm the Agent is renewing CSI's auth token..." +# done - # Print the logs and fail the test - echo "Failed to find a log for the Agent renewing CSI's auth token" - kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent - kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider - exit 1 -} +# # Print the logs and fail the test +# echo "Failed to find a log for the Agent renewing CSI's auth token" +# kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent +# kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider +# exit 1 +# } # Clean up teardown() { diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index 2156597..e093157 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats 
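Review bot: Commenting out the whole `@test "csi: testing deployment"` body (and the injector test in the injector.bats hunk that follows) makes the test vanish from the bats report instead of being shown as skipped, so nothing in CI signals that CSI coverage is missing, and the disabled body will drift as the chart changes. bats has a construct for exactly this: keep the function and make its first statement `skip "no OpenBao CSI provider image available yet"`, which reports the test as skipped, keeps the body parsed, and is a one-line revert. The `teardown()` left enabled at the end of the hunk then still runs against a real test rather than against nothing.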
@@ -2,46 +2,46 @@ load _helpers -@test "injector: testing deployment" { - cd `chart_dir` +# @test "injector: testing deployment" { +# cd `chart_dir` - kubectl delete namespace acceptance --ignore-not-found=true - kubectl create namespace acceptance - kubectl config set-context --current --namespace=acceptance +# kubectl delete namespace acceptance --ignore-not-found=true +# kubectl create namespace acceptance +# kubectl config set-context --current --namespace=acceptance - kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml - sleep 5 - wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}") +# kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml +# sleep 5 +# wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}") - kubectl create secret generic test \ - --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \ - --from-file ../../test/acceptance/injector-test/bootstrap.sh +# kubectl create secret generic test \ +# --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \ +# --from-file ../../test/acceptance/injector-test/bootstrap.sh - kubectl label secret test app=openbao-agent-demo +# kubectl label secret test app=openbao-agent-demo - helm install "$(name_prefix)" \ - --set="server.extraVolumes[0].type=secret" \ - --set="server.extraVolumes[0].name=test" . - wait_for_running $(name_prefix)-0 +# helm install "$(name_prefix)" \ +# --set="server.extraVolumes[0].type=secret" \ +# --set="server.extraVolumes[0].name=test" . 
+# wait_for_running $(name_prefix)-0 - wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") +# wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") - kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" - sleep 5 +# kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" +# sleep 5 - # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] +# # Sealed, not initialized +# local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | +# jq -r '.sealed' ) +# [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] +# local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | +# jq -r '.initialized') +# [ "${init_status}" == "true" ] - kubectl create -f ../../test/acceptance/injector-test/job.yaml - wait_for_complete_job "pgdump" -} +# kubectl create -f ../../test/acceptance/injector-test/job.yaml +# wait_for_complete_job "pgdump" +# } # Clean up teardown() { From 100bfce452b228d946f4621fe1652b419b7a65d3 Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Wed, 4 Sep 2024 23:53:50 +0200 Subject: [PATCH 106/113] update chart README Signed-off-by: Jan Martens --- charts/openbao/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/openbao/README.md b/charts/openbao/README.md index f956ca2..ca7ae18 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md 
@@ -1,6 +1,6 @@ # openbao -![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: v2.0.0-alpha20240329](https://img.shields.io/badge/AppVersion-v2.0.0--alpha20240329-informational?style=flat-square) +![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: v2.0.1](https://img.shields.io/badge/AppVersion-v2.0.1-informational?style=flat-square) Official OpenBao Chart From a6d9d9f388dea5bc9fc8e12ed08aebde7bc31e11 Mon Sep 17 00:00:00 2001 From: Finn Date: Tue, 10 Sep 2024 06:31:43 -0700 Subject: [PATCH 107/113] Use the CSI agent image registry from configuration (#17) * Use the CSI agent image registry from configuration Signed-off-by: Finn * csi-driver agent: Use BAO_LOG_LEVEL and BAO_LOG_FORMAT Signed-off-by: Finn --------- Signed-off-by: Finn --- charts/openbao/Chart.yaml | 2 +- charts/openbao/templates/csi-daemonset.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml index ef23943..a1f2d43 100644 --- a/charts/openbao/Chart.yaml +++ b/charts/openbao/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v2 name: openbao -version: 0.5.0 +version: 0.5.1 appVersion: v2.0.1 kubeVersion: ">= 1.27.0-0" description: Official OpenBao Chart diff --git a/charts/openbao/templates/csi-daemonset.yaml b/charts/openbao/templates/csi-daemonset.yaml index f3d2284..1ace436 100644 --- a/charts/openbao/templates/csi-daemonset.yaml +++ b/charts/openbao/templates/csi-daemonset.yaml 
@@ -103,7 +103,7 @@ spec: timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} {{- if eq (.Values.csi.agent.enabled | toString) "true" }} - name: {{ include "openbao.name" . }}-agent - image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" + image: "{{ .Values.csi.agent.image.registry | default "docker.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} {{ template "csi.agent.resources" . }} command: @@ -117,9 +117,9 @@ spec: ports: - containerPort: 8200 env: - - name: VAULT_LOG_LEVEL + - name: BAO_LOG_LEVEL value: "{{ .Values.csi.agent.logLevel }}" - - name: VAULT_LOG_FORMAT + - name: BAO_LOG_FORMAT value: "{{ .Values.csi.agent.logFormat }}" securityContext: runAsNonRoot: true From 3dd2dec9e34a8d93704f30a517fa0024e3ccd2fa Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Sun, 6 Oct 2024 22:48:11 +0200 Subject: [PATCH 108/113] update OpenBao to v2.0.2 Signed-off-by: Jan Martens --- charts/openbao/README.md | 2 +- charts/openbao/values.openshift.yaml | 4 +-- charts/openbao/values.yaml | 45 ++++++++++++++++------------ 3 files changed, 29 insertions(+), 22 deletions(-) diff --git a/charts/openbao/README.md b/charts/openbao/README.md index ca7ae18..7aac176 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md @@ -1,6 +1,6 @@ # openbao -![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: v2.0.1](https://img.shields.io/badge/AppVersion-v2.0.1-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square) Official OpenBao Chart diff --git a/charts/openbao/values.openshift.yaml b/charts/openbao/values.openshift.yaml index b63f548..04bed03 100644 --- a/charts/openbao/values.openshift.yaml 
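Review bot: `default "docker.io"` in the new `image:` line means that when `csi.agent.image.registry` is unset the agent image is silently pulled from Docker Hub, whereas the server and injector images in this chart are pinned through an explicit `registry` value (the values.openshift.yaml hunk in the next commit sets both to `quay.io`). Consider declaring `registry` under `csi.agent.image` in values.yaml with a `# -- image registry to use for agent image` comment so the fallback is visible and overridable, and confirm that the OpenShift values file gets a matching entry, since none is visible in this series. In the second hunk the rename to `BAO_LOG_LEVEL`/`BAO_LOG_FORMAT` presumably only takes effect with an OpenBao agent image; a one-line comment above `env:` saying the variables are OpenBao-specific would save the next reader from checking.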
+++ b/charts/openbao/values.openshift.yaml @@ -14,13 +14,13 @@ injector: agentImage: registry: "quay.io" repository: "openbao/openbao" - tag: "v2.0.1-ubi" + tag: "v2.0.2-ubi" server: image: registry: "quay.io" repository: "openbao/openbao" - tag: "v2.0.1-ubi" + tag: "v2.0.2-ubi" readinessProbe: path: "/v1/sys/health?uninitcode=204" diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 99b6eb6..3e24110 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml @@ -84,7 +84,7 @@ injector: # -- image repo to use for agent image repository: "openbao/openbao" # -- image tag to use for agent image - tag: "2.0.1" + tag: "2.0.2" # -- image pull policy to use for agent image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent @@ -288,7 +288,8 @@ injector: # extraEnvironmentVars is a list of extra environment variables to set in the # injector deployment. - extraEnvironmentVars: {} + extraEnvironmentVars: + {} # KUBERNETES_SERVICE_HOST: kubernetes.default.svc # Affinity Settings for injector pods @@ -379,7 +380,7 @@ server: # -- image repo to use for server image repository: "openbao/openbao" # -- image tag to use for server image - tag: "2.0.1" + tag: "2.0.2" # -- image pull policy to use for server image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent @@ -410,9 +411,11 @@ server: # In order to expose the service, use the route section below ingress: enabled: false - labels: {} + labels: + {} # traffic: external - annotations: {} + annotations: + {} # | # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" 
@@ -480,7 +483,8 @@ server: # -- extraInitContainers is a list of init containers. Specified as a YAML list. # This is useful if you need to run a script to provision TLS certificates or # write out configuration files in a dynamic way. - extraInitContainers: [] + extraInitContainers: + [] # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder, # # which is defined in the volumes value. # - name: oauthapp @@ -508,7 +512,8 @@ server: # -- extraPorts is a list of extra ports. Specified as a YAML list. # This is useful if you need to add additional ports to the statefulset in dynamic way. - extraPorts: [] + extraPorts: + [] # - containerPort: 8300 # name: http-monitoring @@ -570,14 +575,16 @@ server: # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # used to include variables required for auto-unseal. - extraEnvironmentVars: {} + extraEnvironmentVars: + {} # GOOGLE_REGION: global # GOOGLE_PROJECT: myproject # GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. # These variables take value from existing Secret objects. - extraSecretEnvironmentVars: [] + extraSecretEnvironmentVars: + [] # - envName: AWS_SECRET_ACCESS_KEY # secretName: openbao # secretKey: AWS_SECRET_ACCESS_KEY @@ -586,7 +593,8 @@ server: # extraVolumes is a list of extra volumes to mount. These will be exposed # to OpenBao in the path `/openbao/userconfig//`. The value below is # an array of objects, examples are shown below. - extraVolumes: [] + extraVolumes: + [] # - type: secret (or "configMap") # name: my-secret # path: null # default is `/openbao/userconfig` 
@@ -651,12 +659,12 @@ server: # port: 443 ingress: - from: - - namespaceSelector: {} + - namespaceSelector: {} ports: - - port: 8200 - protocol: TCP - - port: 8201 - protocol: TCP + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP # Priority class for server pods priorityClassName: "" @@ -893,7 +901,6 @@ server: # persistent volumes for OpenBao to store data according to the configuration under server.dataStorage. # The OpenBao cluster will coordinate leader elections and failovers internally. raft: - # Enables Raft integrated storage enabled: false # Set the Node Raft ID to the name of the pod @@ -968,8 +975,8 @@ server: disruptionBudget: enabled: true - # maxUnavailable will default to (n/2)-1 where n is the number of - # replicas. If you'd like a custom value, you can specify an override here. + # maxUnavailable will default to (n/2)-1 where n is the number of + # replicas. If you'd like a custom value, you can specify an override here. maxUnavailable: null # Definition of the serviceAccount used to run Vault. @@ -1183,7 +1190,7 @@ csi: # -- image repo to use for agent image repository: "openbao/openbao" # -- image tag to use for agent image - tag: "2.0.1" + tag: "2.0.2" # -- image pull policy to use for agent image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent From c5b02f372f399d67fcda2eca58da9c52a62734bc Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Sun, 6 Oct 2024 22:48:48 +0200 Subject: [PATCH 109/113] fix secret injector integration Signed-off-by: Jan Martens --- charts/openbao/values.yaml | 2 +- test/acceptance/injector-test/job.yaml | 14 +++---- test/acceptance/injector.bats | 58 +++++++++++++------------- 3 files changed, 37 insertions(+), 37 deletions(-) diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 3e24110..cde4c49 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml 
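Review bot: The `@@ -893,7 +901,6` hunk drops the `# Enables Raft integrated storage` comment above `raft: enabled: false`, leaving that toggle undocumented in a file whose other keys carry `# --` comments; restore it as `# -- Enables Raft integrated storage` so the generated README keeps the description. The remaining hunks in this file are formatter output (`{}`/`[]` moved onto their own line, network-policy list re-indentation) mixed into a version-bump commit; they are valid YAML, but the `extraEnvironmentVars:` followed by an indented `{}` reads as if the commented example below were part of the value, and they would be easier to review in a separate commit.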
@@ -71,7 +71,7 @@ injector: # -- image repo to use for k8s image repository: "hashicorp/vault-k8s" # -- image tag to use for k8s image - tag: "1.3.1" + tag: "1.4.2" # -- image pull policy to use for k8s image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent diff --git a/test/acceptance/injector-test/job.yaml b/test/acceptance/injector-test/job.yaml index b40b57b..30e6ee2 100644 --- a/test/acceptance/injector-test/job.yaml +++ b/test/acceptance/injector-test/job.yaml @@ -32,11 +32,11 @@ spec: spec: serviceAccountName: pgdump containers: - - name: pgdump - image: postgres:11.5 - command: - - "/bin/sh" - - "-ec" - args: - - "/usr/bin/pg_dump $(cat /openbao/secrets/db-creds) --no-owner > /dev/stdout" + - name: pgdump + image: postgres:11.5 + command: + - "/bin/sh" + - "-ec" + args: + - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout" restartPolicy: Never diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index e093157..2156597 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats 
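Review bot: The switch to `/vault/secrets/db-creds` is the only functional change in the job.yaml hunk, and nothing in the file explains why an OpenBao test reads from a `/vault/...` directory; the surrounding re-indentation makes it easy to miss. Add a comment above `args:` such as `# the hashicorp/vault-k8s injector (injector.image in values.yaml) renders secrets under /vault/secrets, not /openbao/secrets`, so nobody "fixes" it back. The injector image is the `hashicorp/vault-k8s` repository bumped in this commit's values.yaml hunk, so the path appears to follow from that image rather than from the chart; worth confirming against the injector's mount path.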
@@ -2,46 +2,46 @@ load _helpers -# @test "injector: testing deployment" { -# cd `chart_dir` +@test "injector: testing deployment" { + cd `chart_dir` -# kubectl delete namespace acceptance --ignore-not-found=true -# kubectl create namespace acceptance -# kubectl config set-context --current --namespace=acceptance + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + kubectl config set-context --current --namespace=acceptance -# kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml -# sleep 5 -# wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}") + kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml + sleep 5 + wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}") -# kubectl create secret generic test \ -# --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \ -# --from-file ../../test/acceptance/injector-test/bootstrap.sh + kubectl create secret generic test \ + --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \ + --from-file ../../test/acceptance/injector-test/bootstrap.sh -# kubectl label secret test app=openbao-agent-demo + kubectl label secret test app=openbao-agent-demo -# helm install "$(name_prefix)" \ -# --set="server.extraVolumes[0].type=secret" \ -# --set="server.extraVolumes[0].name=test" . -# wait_for_running $(name_prefix)-0 + helm install "$(name_prefix)" \ + --set="server.extraVolumes[0].type=secret" \ + --set="server.extraVolumes[0].name=test" . 
+ wait_for_running $(name_prefix)-0 -# wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") + wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") -# kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" -# sleep 5 + kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" + sleep 5 -# # Sealed, not initialized -# local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | -# jq -r '.sealed' ) -# [ "${sealed_status}" == "false" ] + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "false" ] -# local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | -# jq -r '.initialized') -# [ "${init_status}" == "true" ] + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | + jq -r '.initialized') + [ "${init_status}" == "true" ] -# kubectl create -f ../../test/acceptance/injector-test/job.yaml -# wait_for_complete_job "pgdump" -# } + kubectl create -f ../../test/acceptance/injector-test/job.yaml + wait_for_complete_job "pgdump" +} # Clean up teardown() { From 4549ad2b101b873320103dca8b463bd20f8595f6 Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Sun, 6 Oct 2024 22:49:13 +0200 Subject: [PATCH 110/113] fix CSI driver integration Signed-off-by: Jan Martens --- charts/openbao/values.yaml | 2 +- .../openbao-kv-secretproviderclass.yaml | 4 +- test/acceptance/csi.bats | 118 +++++++++--------- test/unit/csi-daemonset.bats | 6 +- 4 files changed, 65 insertions(+), 65 deletions(-) diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index cde4c49..50c6859 100644 --- a/charts/openbao/values.yaml 
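Review bot: The re-enabled body restores the comment `# Sealed, not initialized` directly above assertions that expect `.sealed` to be `"false"` and `.initialized` to be `"true"`, which is the opposite of what the comment says; change it to `# Expect unsealed and initialized (set up by the bootstrap step above)`. The same inverted comment is present in the disabled copy in the earlier injector.bats hunk. The fixed `sleep 5` before the status checks is a timing guess; if the bootstrap occasionally takes longer, polling `bao status` until it reports initialized would be more reliable than widening the sleep.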
+++ b/charts/openbao/values.yaml @@ -1100,7 +1100,7 @@ csi: # -- image repo to use for csi image repository: "hashicorp/vault-csi-provider" # -- image tag to use for csi image - tag: "1.4.1" + tag: "1.4.0" # -- image pull policy to use for csi image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent diff --git a/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml index 300676d..2c8339a 100644 --- a/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml @@ -5,9 +5,9 @@ apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: - name: openbao-kv + name: vault-kv spec: - provider: openbao + provider: vault parameters: roleName: "kv-role" objects: | diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index c4b5327..d95af15 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats 
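Review bot: Renaming the SecretProviderClass from `openbao-kv` to `vault-kv` changes the name the consuming pod must reference, but this commit's diffstat shows no change to `test/acceptance/csi-test/nginx.yaml`; if its CSI volume still sets `secretProviderClass: openbao-kv`, the nginx pod will never become Ready and the re-enabled csi test will time out waiting for it. Please confirm that file, and add a comment above `provider: vault` such as `# must match the provider name registered by the CSI provider image (hashicorp/vault-csi-provider registers as "vault")`, since the Vault-flavoured names in an OpenBao repository are otherwise surprising.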
@@ -2,73 +2,73 @@ load _helpers -# @test "csi: testing deployment" { -# cd `chart_dir` +@test "csi: testing deployment" { + cd `chart_dir` -# kubectl delete namespace acceptance --ignore-not-found=true -# kubectl create namespace acceptance + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance -# # Install Secrets Store CSI driver -# # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly -# # so we can see Agent's cache working. -# CSI_DRIVER_VERSION=1.3.2 -# helm install secrets-store-csi-driver secrets-store-csi-driver \ -# --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ -# --version=$CSI_DRIVER_VERSION \ -# --wait --timeout=5m \ -# --namespace=acceptance \ -# --set linux.image.pullPolicy="IfNotPresent" \ -# --set tokenRequests[0].audience="openbao" \ -# --set enableSecretRotation=true \ -# --set rotationPollInterval=5s -# # Install OpenBao and OpenBao provider -# helm install openbao \ -# --wait --timeout=5m \ -# --namespace=acceptance \ -# --set="server.dev.enabled=true" \ -# --set="csi.enabled=true" \ -# --set="csi.debug=true" \ -# --set="csi.agent.logLevel=debug" \ -# --set="injector.enabled=false" \ -# . -# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao -# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider + # Install Secrets Store CSI driver + # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly + # so we can see Agent's cache working. 
+ CSI_DRIVER_VERSION=1.3.2 + helm install secrets-store-csi-driver secrets-store-csi-driver \ + --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ + --version=$CSI_DRIVER_VERSION \ + --wait --timeout=5m \ + --namespace=acceptance \ + --set linux.image.pullPolicy="IfNotPresent" \ + --set tokenRequests[0].audience="openbao" \ + --set enableSecretRotation=true \ + --set rotationPollInterval=5s + # Install OpenBao and OpenBao provider + helm install openbao \ + --wait --timeout=5m \ + --namespace=acceptance \ + --set="server.dev.enabled=true" \ + --set="csi.enabled=true" \ + --set="csi.debug=true" \ + --set="csi.agent.logLevel=debug" \ + --set="injector.enabled=false" \ + . + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider -# # Set up k8s auth and a kv secret. -# cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - -# kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes -# kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ -# kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' -# kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ -# bound_service_account_names=nginx \ -# bound_service_account_namespaces=acceptance \ -# policies=kv-policy \ -# ttl=20m -# kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 + # Set up k8s auth and a kv secret. 
+ cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - + kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes + kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ + kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' + kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ + bound_service_account_names=nginx \ + bound_service_account_namespaces=acceptance \ + policies=kv-policy \ + ttl=20m + kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 -# kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml -# kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml -# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx + kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml + kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx -# result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) -# [[ "$result" == "hello1" ]] + result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) + [[ "$result" == "hello1" ]] -# for i in $(seq 10); do -# sleep 2 -# if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then -# echo "Agent returned a cached login response" -# return -# fi + for i in $(seq 10); do + sleep 2 + if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then + echo "Agent returned a cached 
login response" + return + fi -# echo "Waiting to confirm the Agent is renewing CSI's auth token..." -# done + echo "Waiting to confirm the Agent is renewing CSI's auth token..." + done -# # Print the logs and fail the test -# echo "Failed to find a log for the Agent renewing CSI's auth token" -# kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent -# kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider -# exit 1 -# } + # Print the logs and fail the test + echo "Failed to find a log for the Agent renewing CSI's auth token" + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider + exit 1 +} # Clean up teardown() { diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 78daa80..4f4e759 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -107,7 +107,7 @@ load _helpers [ "${actual}" = "PullPolicy1" ] local actual=$(echo $object | yq -r '.[1].image' | tee /dev/stderr) - [ "${actual}" = "Image2:0.0.2" ] + [ "${actual}" = "quay.io/Image2:0.0.2" ] local actual=$(echo $object | yq -r '.[1].imagePullPolicy' | tee /dev/stderr) [ "${actual}" = "PullPolicy2" ] @@ -796,7 +796,7 @@ load _helpers yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) [ "${value}" = "error" ] } 
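Review bot: The kubernetes auth role created in this hunk (`bao write auth/kubernetes/role/kv-role bound_service_account_names=nginx bound_service_account_namespaces=acceptance policies=kv-policy ttl=20m`) binds the service account and namespace but not the token audience, even though the Secrets Store CSI driver is installed a few lines earlier with `--set tokenRequests[0].audience="openbao"`. Presumably a role without an `audience` setting accepts a projected token minted for any audience, which weakens the point of requesting a scoped token in the first place; adding `audience="openbao"` to the role would make the test exercise the audience check end to end. The same applies to the secret-rotation assertion later in the test, which only greps for a cached login line and would not notice a token with the wrong audience being accepted. This is test-only setup, but it is the example operators are most likely to copy.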
@@ -810,7 +810,7 @@ load _helpers yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) [ "${value}" = "json" ] } From 2e7c23ce626a1ab64ad7df143d1446826e330a40 Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Sun, 6 Oct 2024 22:51:18 +0200 Subject: [PATCH 111/113] update chart version Signed-off-by: Jan Martens --- charts/openbao/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml index a1f2d43..f57d37f 100644 --- a/charts/openbao/Chart.yaml +++ b/charts/openbao/Chart.yaml @@ -3,8 +3,8 @@ apiVersion: v2 name: openbao -version: 0.5.1 -appVersion: v2.0.1 +version: 0.6.0 +appVersion: v2.0.2 kubeVersion: ">= 1.27.0-0" description: Official OpenBao Chart home: https://github.com/openbao/openbao-helm From 5f31acad6b328e1160362a116fc00fa78f5f2472 Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Mon, 7 Oct 2024 11:03:52 +0200 Subject: [PATCH 112/113] update chart README To display the up to date values Signed-off-by: Jan Martens --- charts/openbao/README.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/charts/openbao/README.md b/charts/openbao/README.md index 7aac176..70bc13c 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md 
@@ -29,7 +29,7 @@ Kubernetes: `>= 1.27.0-0` | csi.agent.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" | | csi.agent.image.registry | string | `"quay.io"` | image registry to use for agent image | | csi.agent.image.repository | string | `"openbao/openbao"` | image repo to use for agent image | -| csi.agent.image.tag | string | `"2.0.0-alpha20240329"` | image tag to use for agent image | +| csi.agent.image.tag | string | `"2.0.2"` | image tag to use for agent image | | csi.agent.logFormat | string | `"standard"` | | | csi.agent.logLevel | string | `"info"` | | | csi.agent.resources | object | `{}` | | @@ -48,7 +48,7 @@ Kubernetes: `>= 1.27.0-0` | csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" | | csi.image.registry | string | `"docker.io"` | image registry to use for csi image | | csi.image.repository | string | `"hashicorp/vault-csi-provider"` | image repo to use for csi image | -| csi.image.tag | string | `"1.4.1"` | image tag to use for csi image | +| csi.image.tag | string | `"1.4.0"` | image tag to use for csi image | | csi.livenessProbe.failureThreshold | int | `2` | | | csi.livenessProbe.initialDelaySeconds | int | `5` | | | csi.livenessProbe.periodSeconds | int | `5` | | 
@@ -87,11 +87,11 @@ Kubernetes: `>= 1.27.0-0` | injector.agentDefaults.template | string | `"map"` | | | injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | | | injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | | -| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.0-alpha20240329"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. | +| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.2"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. | | injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" | | injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image | | injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image | -| injector.agentImage.tag | string | `"2.0.0-alpha20240329"` | image tag to use for agent image | +| injector.agentImage.tag | string | `"2.0.2"` | image tag to use for agent image | | injector.annotations | object | `{}` | | | injector.authPath | string | `"auth/kubernetes"` | | | injector.certs.caBundle | string | `""` | | 
@@ -107,7 +107,7 @@ Kubernetes: `>= 1.27.0-0` | injector.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for k8s image. if tag is "latest", set to "Always" | | injector.image.registry | string | `"docker.io"` | image registry to use for k8s image | | injector.image.repository | string | `"hashicorp/vault-k8s"` | image repo to use for k8s image | -| injector.image.tag | string | `"1.3.1"` | image tag to use for k8s image | +| injector.image.tag | string | `"1.4.2"` | image tag to use for k8s image | | injector.leaderElector | object | `{"enabled":true}` | If multiple replicas are specified, by default a leader will be determined so that only one injector attempts to create TLS certificates. | | injector.livenessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up | | injector.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates | @@ -194,7 +194,7 @@ Kubernetes: `>= 1.27.0-0` | server.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for server image. if tag is "latest", set to "Always" | | server.image.registry | string | `"quay.io"` | image registry to use for server image | | server.image.repository | string | `"openbao/openbao"` | image repo to use for server image | -| server.image.tag | string | `"2.0.0-alpha20240329"` | image tag to use for server image | +| server.image.tag | string | `"2.0.2"` | image tag to use for server image | | server.ingress.activeService | bool | `true` | | | server.ingress.annotations | object | `{}` | | | server.ingress.enabled | bool | `false` | | @@ -292,5 +292,3 @@ Kubernetes: `>= 1.27.0-0` | ui.serviceType | string | `"ClusterIP"` | | | ui.targetPort | int | `8200` | | ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) 
From 766a6a341f6283a79f3c0f46e0100ca4df077f4f Mon Sep 17 00:00:00 2001 From: Ilya Savitsky Date: Wed, 23 Oct 2024 10:41:11 +0100 Subject: [PATCH 113/113] Add the `.injector.agentImage.registry` to the image path Signed-off-by: Ilya Savitsky --- charts/openbao/templates/injector-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/openbao/templates/injector-deployment.yaml b/charts/openbao/templates/injector-deployment.yaml index 7d1cd5b..64e0de2 100644 --- a/charts/openbao/templates/injector-deployment.yaml +++ b/charts/openbao/templates/injector-deployment.yaml @@ -69,7 +69,7 @@ spec: - name: AGENT_INJECT_VAULT_AUTH_PATH value: {{ .Values.injector.authPath }} - name: AGENT_INJECT_VAULT_IMAGE - value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" + value: "{{ .Values.injector.image.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" {{- if .Values.injector.certs.secretName }} - name: AGENT_INJECT_TLS_CERT_FILE value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
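Review bot: The added line reads `.Values.injector.image.registry`, which is the registry of the injector (vault-k8s) image, not of the agent image that this env var names; the commit title and the existing `agentImage.repository`/`agentImage.tag` on the same line point at `.Values.injector.agentImage.registry`. Per the chart README elsewhere in this series, `injector.image.registry` defaults to `docker.io` while `injector.agentImage.registry` defaults to `quay.io`, so with defaults the rendered value becomes `docker.io/openbao/openbao:2.0.2`, and a user who pins `injector.agentImage.registry` to a private mirror for supply-chain control would be silently ignored. Suggested line: `value: "{{ .Values.injector.agentImage.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"`. A unit test in the injector-deployment bats suite asserting the rendered `AGENT_INJECT_VAULT_IMAGE` with a custom `injector.agentImage.registry` would have caught this.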