diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index ca48a33..0000000 --- a/.circleci/config.yml +++ /dev/null @@ -1,61 +0,0 @@ -version: 2.1 -orbs: - slack: circleci/slack@3.4.2 - -jobs: - update-helm-charts-index: - docker: - - image: docker.mirror.hashicorp.services/cimg/go:1.19.2 - steps: - - checkout - - run: - name: verify Chart version matches tag version - environment: - RELEASE_TAG: << pipeline.parameters.release-tag >> - command: | - go install github.com/mikefarah/yq/v2@latest - export TAG=${RELEASE_TAG:-$CIRCLE_TAG} - git_tag=$(echo "${TAG#v}") - chart_tag=$(yq r Chart.yaml version) - if [ "${git_tag}" != "${chart_tag}" ]; then - echo "chart version (${chart_tag}) did not match git version (${git_tag})" - exit 1 - fi - - run: - name: update helm-charts index - environment: - RELEASE_TAG: << pipeline.parameters.release-tag >> - command: | - curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \ - -X POST \ - -H 'Content-Type: application/json' \ - -H 'Accept: application/json' \ - -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${RELEASE_TAG:-$CIRCLE_TAG}\"}}" \ - "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - - slack/status: - fail_only: true - failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}" - -parameters: - release-tag: - type: string - default: "" - description: "The tag to release, including v, e.g. v0.22.1" - -workflows: - version: 2 - # Note: unit and acceptance tests are now being run in GitHub Actions - update-helm-charts-index: - jobs: - - update-helm-charts-index: - context: helm-charts-trigger-vault - filters: - tags: - only: /^v.*/ - branches: - ignore: /.*/ - manual-trigger-update-helm-charts-index: - when: << pipeline.parameters.release-tag >> - jobs: - - update-helm-charts-index: - context: helm-charts-trigger-vault 
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index cb69c51..d20f094 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -9,9 +9,9 @@ assignees: '' @@ -21,19 +21,19 @@ A clear and concise description of what the bug is. **To Reproduce** Steps to reproduce the behavior: 1. Install chart -2. Run vault command -3. See error (vault logs, etc.) +2. Run bao command +3. See error (openbao logs, etc.) -Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output +Other useful info to include: openbao pod logs, `kubectl describe statefulset openbao` and `kubectl get statefulset openbao -o yaml` output **Expected behavior** A clear and concise description of what you expected to happen. **Environment** -* Kubernetes version: +* Kubernetes version: * Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): * Other configuration options or runtime services (istio, etc.): -* vault-helm version: +* openbao-helm version: Chart values: diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index b24b36b..46a1922 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,4 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + contact_links: - name: Ask a question - url: https://discuss.hashicorp.com/c/vault - about: For increased visibility, please post questions on the discussion forum, and tag with `k8s` + url: https://chat.lfx.linuxfoundation.org/#/room/#openbao-questions:chat.lfx.linuxfoundation.org diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/actions/setup-test-tools/action.yaml similarity index 59% rename from .github/workflows/setup-test-tools/action.yaml rename to .github/actions/setup-test-tools/action.yaml index 8c69e3d..d294106 100644 --- a/.github/workflows/setup-test-tools/action.yaml 
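Review bot: The rewritten contact link in `.github/ISSUE_TEMPLATE/config.yml` removes the `about:` line without replacing it, and GitHub's issue-template config requires `name`, `url` and `about` for every entry under `contact_links`, so the chooser is likely to reject or hide this link. Add a line under the new `url:` such as `about: For increased visibility, please post questions in the OpenBao questions chat room.`. The new `url:` also contains `#` characters; they are not preceded by whitespace so YAML keeps them in the scalar, but quoting the value would make that intent explicit.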
+++ b/.github/actions/setup-test-tools/action.yaml @@ -1,10 +1,12 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + name: Setup common testing tools description: Install bats and python-yq - runs: using: "composite" steps: - - uses: actions/setup-node@v2 + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: '16' - run: npm install -g bats@${BATS_VERSION} @@ -13,8 +15,10 @@ runs: BATS_VERSION: '1.8.2' - run: bats -v shell: bash - - uses: actions/setup-python@v4 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.10' - run: pip install yq shell: bash +permissions: + contents: read diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..8a90cca --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,7 @@ +version: 2 + +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" \ No newline at end of file diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 648616b..9dec300 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml 
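Review bot: The `permissions:` block appended at the end of `.github/actions/setup-test-tools/action.yaml` is not part of the action metadata syntax — `permissions` is a workflow/job-level key, and a composite action runs with whatever token scope the calling job grants — so at best it is ignored and, depending on GitHub's validation of the metadata file, may be reported as an unexpected key. The `contents: read` belongs in the workflows that `uses:` this action, which `tests.yaml` and `acceptance.yaml` in this same commit already add, so these two lines can simply be dropped here. Separately, `pip install yq` is unpinned while `bats@${BATS_VERSION}` and the action references are pinned by version and SHA; consider `pip install yq==<pinned version>` so the test toolchain is reproducible.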
@@ -1,26 +1,22 @@ name: Acceptance Tests - on: [push, workflow_dispatch] - jobs: kind: strategy: fail-fast: false matrix: - kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] + kind-k8s-version: [1.27.11, 1.28.7, 1.29.2] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup test tools - uses: ./.github/workflows/setup-test-tools - + uses: ./.github/actions/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@v1.4.0 + uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.16.0 - + version: v0.22.0 - run: bats --tap --timing ./test/acceptance - env: - VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} +permissions: + contents: read diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml deleted file mode 100644 index fc03b21..0000000 --- a/.github/workflows/jira.yaml +++ /dev/null 
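Review bot: The new `kind-k8s-version` matrix lists `1.27.11` as the oldest version exercised, but the README hunk in this same commit states "Kubernetes 1.28+ - This is the earliest version of Kubernetes tested", and `charts/openbao/Chart.yaml` sets `kubeVersion: ">= 1.27.0-0"`; the three should agree on the supported floor. Either drop `1.27.11` from the matrix or correct the README to `1.27+` so users are not told a version is untested that CI actually covers. The `version: v0.22.0` kind release and the `kindest/node` tags should also be checked together, since a node image newer than the kind binary supports is a common source of flaky cluster creation.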
@@ -1,72 +0,0 @@ -on: - issues: - types: [opened, closed, deleted, reopened] - pull_request_target: - types: [opened, closed, reopened] - issue_comment: # Also triggers when commenting on a PR from the conversation view - types: [created] - -name: Jira Sync - -jobs: - sync: - runs-on: ubuntu-latest - name: Jira sync - steps: - - name: Login - uses: atlassian/gajira-login@v2.0.0 - env: - JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} - JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} - JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} - - - name: Preprocess - if: github.event.action == 'opened' || github.event.action == 'created' - id: preprocess - run: | - if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then - echo "::set-output name=type::PR" - else - echo "::set-output name=type::ISS" - fi - - - name: Create ticket - if: github.event.action == 'opened' - uses: tomhjp/gh-action-jira-create@v0.2.0 - with: - project: VAULT - issuetype: "GH Issue" - summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}" - description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_" - # customfield_10089 is Issue Link custom field - # customfield_10091 is team custom field - extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "foundations"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}' - - - name: Search - if: github.event.action != 'opened' - id: search - uses: tomhjp/gh-action-jira-search@v0.2.1 - with: - # cf[10089] is Issue Link custom field - jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' - - - 
name: Sync comment - if: github.event.action == 'created' && steps.search.outputs.issue - uses: tomhjp/gh-action-jira-comment@v0.2.0 - with: - issue: ${{ steps.search.outputs.issue }} - comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}" - - - name: Close ticket - if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue - uses: atlassian/gajira-transition@v2.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: Closed - - - name: Reopen ticket - if: github.event.action == 'reopened' && steps.search.outputs.issue - uses: atlassian/gajira-transition@v2.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: "Pending Triage" diff --git a/.github/workflows/lint-chart.yml b/.github/workflows/lint-chart.yml new file mode 100644 index 0000000..dc826b1 --- /dev/null +++ b/.github/workflows/lint-chart.yml 
@@ -0,0 +1,47 @@
+name: Lint and Test Chart
+
+on:
+ pull_request:
+ paths:
+ - 'charts/**'
+
+permissions:
+ contents: read
+
+jobs:
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: "0"
+
+ - name: Install Helm
+ uses: azure/setup-helm@v4
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.6.1
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+ if [[ -n "$changed" ]]; then
+ echo "changed=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Run chart-testing (lint)
+ id: lint
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1.10.0
+ if: steps.list-changed.outputs.changed == 'true'
+
+ - name: Run chart-testing (install)
+ id: install
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct install --target-branch ${{ github.event.repository.default_branch }}
diff --git a/.github/workflows/release-chart.yml b/.github/workflows/release-chart.yml
new file mode 100644
index 0000000..e4c3f84
--- /dev/null
+++ b/.github/workflows/release-chart.yml
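Review bot: The new `lint-chart.yml` references `actions/checkout@v4`, `azure/setup-helm@v4`, `helm/chart-testing-action@v2.6.1` and `helm/kind-action@v1.10.0` by mutable tag, while the rest of this commit (`tests.yaml`, `acceptance.yaml`, `setup-test-tools/action.yaml`) pins every third-party action to a commit SHA with a `# vX.Y.Z` comment; the same inconsistency is in `release-chart.yml`, where it matters more because that job holds `contents: write` and the `GITHUB_TOKEN` used to publish the chart. Pin these to SHAs in the same style, e.g. `uses: actions/checkout@<commit sha> # v4.x.y`, so Dependabot (added in this commit for `github-actions`) can keep them current. The two Helm setups also disagree on version (`azure/setup-helm@v4` here, `@v3.5` in the release workflow); aligning them avoids linting with a different Helm than the one that packages the release.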
@@ -0,0 +1,38 @@
+name: Release
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'charts/**'
+
+jobs:
+ release:
+ environment: helm-release
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ - name: Install Helm
+ uses: azure/setup-helm@v3.5
+ id: helm-install
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Run chart-releaser
+ id: helm-release
+ uses: helm/chart-releaser-action@v1.6.0
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ CR_GENERATE_RELEASE_NOTES: true
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index bcabd1d..43d37b2 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -1,25 +1,24 @@ name: Tests - on: [push, workflow_dispatch] - jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: ./.github/workflows/setup-test-tools + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: ./.github/actions/setup-test-tools - run: bats --tap --timing ./test/unit - chart-verifier: runs-on: ubuntu-latest env: - CHART_VERIFIER_VERSION: '1.2.1' + CHART_VERIFIER_VERSION: "1.13.7" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup test tools - uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@v3 + uses: ./.github/actions/setup-test-tools + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: '1.19.2' - - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} + go-version: "1.22.5" + - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" - run: bats --tap --timing ./test/chart +permissions: + contents: read diff --git a/.gitignore b/.gitignore index 2e23aca..95317a7 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ vaul-helm-dev-creds.json ./test/acceptance/values.yaml ./test/acceptance/values.yml .idea +scratch/ diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a647c2..97d2750 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,87 @@ ## Unreleased +Bugs: +* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005) + +## 0.27.0 (November 16, 2023) + +Changes: + +* Default `vault` version updated to 1.15.2 + +Features: + +* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965) +* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969) +* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877) + +Improvements: + +* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971) + +## 0.26.1 (October 30, 2023) + +Bugs: +* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=`. 
Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961) + +## 0.26.0 (October 27, 2023) + +Changes: +* Default `vault` version updated to 1.15.1 +* Default `vault-k8s` version updated to 1.3.1 +* Default `vault-csi-provider` version updated to 1.4.1 +* Tested with Kubernetes versions 1.24-1.28 +* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966) + +Features: +* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) +* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955) +* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896) +* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923) + +Bugs: +* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) + +Improvements: +* global: Add `global.namespace` to override the helm installation namespace. 
[GH-909](https://github.com/hashicorp/vault-helm/pull/909) +* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912) +* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943) + +## 0.25.0 (June 26, 2023) + +Changes: +* Latest Kubernetes version tested is now 1.27 +* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902) +* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) +* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Improvements: +* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862) +* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) +* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Bugs: +* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) + +## 0.24.1 (April 17, 2023) + +Bugs: +* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872) + +## 0.24.0 (April 6, 2023) + +Changes: +* Earliest Kubernetes version tested is now 1.22 +* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863) +* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868) +* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + +Features: +* server: New `extraPorts` option for 
adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) +* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831) +* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) +* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + ## 0.23.0 (November 28th, 2022) Changes: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ad31ac9..b6ab34c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,8 +1,8 @@ -# Contributing to Vault Helm +# Contributing to OpenBao Helm -**Please note:** We take Vault's security and our users' trust very seriously. -If you believe you have found a security issue in Vault, please responsibly -disclose by contacting us at security@hashicorp.com. +**Please note:** We take OpenBao's security and our users' trust very seriously. +If you believe you have found a security issue in OpenBao, please responsibly +disclose by contacting us at openbao-security@lists.lfedge.org. **First:** if you're unsure or afraid of _anything_, just ask or submit the issue or pull request anyways. You won't be yelled at for giving it your best 
@@ -12,14 +12,15 @@ rules to get in the way of that. That said, if you want to ensure that a pull request is likely to be merged, talk to us! You can find out our thoughts and ensure that your contribution -won't clash or be obviated by Vault's normal direction. A great way to do this -is via the [Vault Discussion Forum][1]. +won't clash or be obviated by OpenBao's normal direction. A great way to do this +is via the [Linux Foundation Element chat server][1], or [mailing list][2]. This document will cover what we're looking for in terms of reporting issues. By addressing all the points we're looking for, it raises the chances we can quickly merge or address your contributions. -[1]: https://discuss.hashicorp.com/c/vault +[1]: https://chat.lfx.linuxfoundation.org +[2]: https://lists.lfedge.org/g/openbao ## Issues @@ -33,14 +34,14 @@ quickly merge or address your contributions. * Provide steps to reproduce the issue, and if possible include the expected results as well as the actual results. Please provide text, not screen shots! -* Respond as promptly as possible to any questions made by the Vault +* Respond as promptly as possible to any questions made by the OpenBao team to your issue. Stale issues will be closed periodically. ### Issue Lifecycle 1. The issue is reported. -2. The issue is verified and categorized by a Vault Helm collaborator. +2. The issue is verified and categorized by a OpenBao Helm collaborator. Categorization is done via tags. For example, bugs are marked as "bugs". 3. Unless it is critical, the issue may be left for a period of time (sometimes 
@@ -70,25 +71,25 @@ The following are the instructions for running bats tests using a Docker contain #### Prerequisites * Docker installed -* `vault-helm` checked out locally +* `openbao-helm` checked out locally #### Test -**Note:** the following commands should be run from the `vault-helm` directory. +**Note:** the following commands should be run from the `openbao-helm` directory. First, build the Docker image for running the tests: ```shell -docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test +docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t openbao-helm-test ``` Next, execute the tests with the following commands: ```shell -docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit +docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit ``` -It's possible to only run specific bats tests using regular expressions. +It's possible to only run specific bats tests using regular expressions. For example, the following will run only tests with "injector" in the name: ```shell -docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector" +docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector" ``` ### Test Manually @@ -122,7 +123,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to start from a clean slate. **Note:** There is a Terraform configuration in the -[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory +[`test/terraform/`](https://github.com/openbao/openbao-helm/tree/main/test/terraform) directory that can be used to quickly bring up a GKE cluster and configure `kubectl` and `helm` locally. This can be used to quickly spin up a test cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes diff --git a/Chart.yaml b/Chart.yaml deleted file mode 100644 index f42a831..0000000 --- a/Chart.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: v2 -name: vault -version: 0.23.0 -appVersion: 1.12.1 -kubeVersion: ">= 1.16.0-0" -description: Official HashiCorp Vault Chart -home: https://www.vaultproject.io -icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png -keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"] -sources: - - https://github.com/hashicorp/vault - - https://github.com/hashicorp/vault-helm - - https://github.com/hashicorp/vault-k8s - - https://github.com/hashicorp/vault-csi-provider diff --git a/Makefile b/Makefile index e423f35..9873633 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ -TEST_IMAGE?=vault-helm-test -GOOGLE_CREDENTIALS?=vault-helm-test.json -CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 +TEST_IMAGE?=openbao-helm-test +GOOGLE_CREDENTIALS?=openbao-helm-test.json +CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats ACCEPTANCE_TESTS?=acceptance @@ -11,10 +11,10 @@ UNIT_TESTS_FILTER?='.*' LOCAL_ACCEPTANCE_TESTS?=false # kind cluster name -KIND_CLUSTER_NAME?=vault-helm +KIND_CLUSTER_NAME?=openbao-helm # kind k8s version -KIND_K8S_VERSION?=v1.25.0 +KIND_K8S_VERSION?=v1.29.2 # Generate json schema for chart values. See test/README.md for more details. values-schema: @@ -40,7 +40,6 @@ else -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ -e KUBECONFIG=/helm-test/.kube/config \ - -e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \ -w /helm-test \ $(TEST_IMAGE) \ make acceptance diff --git a/README.md b/README.md index c9971ff..69c3aa8 100644 --- a/README.md +++ b/README.md 
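Review bot: `CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514` in the Makefile hunk looks like a mechanical `vault`→`openbao` substitution applied to what was a concrete GCP project id; the numeric suffix suggests the old value named a real HashiCorp project, and the renamed id presumably does not exist, so `make acceptance` against GKE would fail at project selection rather than at anything this chart controls. Either set it to a project the OpenBao maintainers own, or leave the default empty with a comment, e.g. `CLOUDSDK_CORE_PROJECT?=  # set to your GCP project id`, so the failure is explicit. The same find-and-replace changed `GOOGLE_CREDENTIALS?=openbao-helm-test.json`; confirm that matches the credentials filename the acceptance docs and `.gitignore` expect.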
@@ -1,16 +1,12 @@ -# Vault Helm Chart +# OpenBao Helm Chart -> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If -you believe you have found a security issue in Vault Helm, _please responsibly disclose_ -by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). +> :warning: **Please note**: We take OpenBao's security and our users' trust very seriously. If +you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_ +by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org). -This repository contains the official HashiCorp Helm chart for installing -and configuring Vault on Kubernetes. This chart supports multiple use -cases of Vault on Kubernetes depending on the values provided. - -For full documentation on this Helm chart along with all the ways you can -use Vault with Kubernetes, please see the -[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/). +This repository contains the OpenBao Helm chart for installing +and configuring OpenBao on Kubernetes. This chart supports multiple use +cases of OpenBao on Kubernetes depending on the values provided. ## Prerequisites 
@@ -20,24 +16,19 @@ this README. Please refer to the Kubernetes and Helm documentation. The versions required are: - * **Helm 3.6+** - * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested. + * **Helm 3.12+** - Earliest verison tested + * **Kubernetes 1.28+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. ## Usage -To install the latest version of this chart, add the Hashicorp helm repository -and run `helm install`: +To install the latest version of this chart, add the OpenBao helm repository and run `helm install`: ```console -$ helm repo add hashicorp https://helm.releases.hashicorp.com -"hashicorp" has been added to your repositories +helm repo add openbao https://openbao.github.io/openbao-helm -$ helm install vault hashicorp/vault +helm install openbao openbao/openbao ``` -Please see the many options supported in the `values.yaml` file. These are also -fully documented directly on the [Vault -website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more -detailed installation instructions. +Please see the many options supported in the [`values.yaml`](./charts/openbao/values.yaml) file. These are also fully documented directly in the [openbao README](./charts/openbao/README.md) along with more detailed installation instructions. diff --git a/.helmignore b/charts/openbao/.helmignore similarity index 100% rename from .helmignore rename to charts/openbao/.helmignore diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml new file mode 100644 index 0000000..f57d37f --- /dev/null +++ b/charts/openbao/Chart.yaml 
@@ -0,0 +1,31 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: v2
+name: openbao
+version: 0.6.0
+appVersion: v2.0.2
+kubeVersion: ">= 1.27.0-0"
+description: Official OpenBao Chart
+home: https://github.com/openbao/openbao-helm
+icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg
+keywords:
+ [
+ "vault",
+ "openbao",
+ "security",
+ "encryption",
+ "secrets",
+ "management",
+ "automation",
+ "infrastructure",
+ ]
+sources:
+ - https://github.com/openbao/openbao-helm
+annotations:
+ charts.openshift.io/name: Openbao
+
+maintainers:
+ - name: OpenBao
+ email: openbao-security@lists.lfedge.org
+ url: https://openbao.org
diff --git a/charts/openbao/README.md b/charts/openbao/README.md
new file mode 100644
index 0000000..70bc13c
--- /dev/null
+++ b/charts/openbao/README.md
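Review bot: `icon:` in the new `charts/openbao/Chart.yaml` points at `https://github.com/openbao/artwork/blob/main/color/openbao-color.svg`, which is GitHub's HTML page for the file rather than the image itself; chart registries and Artifact Hub fetch the icon URL directly and expect an image response, which is why the deleted `Chart.yaml` used a `/raw/` URL pinned to a commit. Use the raw form, `icon: https://github.com/openbao/artwork/raw/main/color/openbao-color.svg`, and preferably replace `main` with a commit SHA so the artwork cannot change underneath a published chart version. As a style point, `keywords:` is written as a multi-line flow sequence; a block sequence (`- vault`, `- openbao`, …) diffs more cleanly and matches the `sources:` list below it.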
@@ -0,0 +1,294 @@ +# openbao + +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square) + +Official OpenBao Chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| OpenBao | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.27.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| csi.agent.enabled | bool | `true` | | +| csi.agent.extraArgs | list | `[]` | | +| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" | +| csi.agent.image.registry | string | `"quay.io"` | image registry to use for agent image | +| csi.agent.image.repository | string | `"openbao/openbao"` | image repo to use for agent image | +| csi.agent.image.tag | string | `"2.0.2"` | image tag to use for agent image | +| csi.agent.logFormat | string | `"standard"` | | +| csi.agent.logLevel | string | `"info"` | | +| csi.agent.resources | object | `{}` | | +| csi.daemonSet.annotations | object | `{}` | | +| csi.daemonSet.extraLabels | object | `{}` | | +| csi.daemonSet.kubeletRootDir | string | `"/var/lib/kubelet"` | | +| csi.daemonSet.providersDir | string | `"/etc/kubernetes/secrets-store-csi-providers"` | | +| csi.daemonSet.securityContext.container | object | `{}` | | +| csi.daemonSet.securityContext.pod | object | `{}` | | +| csi.daemonSet.updateStrategy.maxUnavailable | string | `""` | | +| csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` | | +| csi.debug | bool | `false` | | +| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. 
Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount OpenBao secrets into volumes similar to the OpenBao Agent injector, and you can also sync those secrets into Kubernetes secrets. | +| csi.extraArgs | list | `[]` | | +| csi.hmacSecretName | string | `""` | | +| csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" | +| csi.image.registry | string | `"docker.io"` | image registry to use for csi image | +| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | image repo to use for csi image | +| csi.image.tag | string | `"1.4.0"` | image tag to use for csi image | +| csi.livenessProbe.failureThreshold | int | `2` | | +| csi.livenessProbe.initialDelaySeconds | int | `5` | | +| csi.livenessProbe.periodSeconds | int | `5` | | +| csi.livenessProbe.successThreshold | int | `1` | | +| csi.livenessProbe.timeoutSeconds | int | `3` | | +| csi.pod.affinity | object | `{}` | | +| csi.pod.annotations | object | `{}` | | +| csi.pod.extraLabels | object | `{}` | | +| csi.pod.nodeSelector | object | `{}` | | +| csi.pod.tolerations | list | `[]` | | +| csi.priorityClassName | string | `""` | | +| csi.readinessProbe.failureThreshold | int | `2` | | +| csi.readinessProbe.initialDelaySeconds | int | `5` | | +| csi.readinessProbe.periodSeconds | int | `5` | | +| csi.readinessProbe.successThreshold | int | `1` | | +| csi.readinessProbe.timeoutSeconds | int | `3` | | +| csi.resources | object | `{}` | | +| csi.serviceAccount.annotations | object | `{}` | | +| csi.serviceAccount.extraLabels | object | `{}` | | +| csi.volumeMounts | list | `[]` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. 
The purpose is to make it easy to share volumes between containers. | +| csi.volumes | list | `[]` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | +| global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. | +| global.externalVaultAddr | string | `""` | External openbao server address for the injector and CSI provider to use. Setting this will disable deployment of a openbao server. | +| global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. | +| global.namespace | string | `""` | The namespace to deploy to. Defaults to the `helm` installation namespace. | +| global.openshift | bool | `false` | If deploying to OpenShift | +| global.psp | object | `{"annotations":"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n","enable":false}` | Create PodSecurityPolicy for pods | +| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. 
| +| global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. | +| global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport | +| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | | +| injector.agentDefaults.cpuLimit | string | `"500m"` | | +| injector.agentDefaults.cpuRequest | string | `"250m"` | | +| injector.agentDefaults.memLimit | string | `"128Mi"` | | +| injector.agentDefaults.memRequest | string | `"64Mi"` | | +| injector.agentDefaults.template | string | `"map"` | | +| injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | | +| injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | | +| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.2"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. | +| injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. 
if tag is "latest", set to "Always" | +| injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image | +| injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image | +| injector.agentImage.tag | string | `"2.0.2"` | image tag to use for agent image | +| injector.annotations | object | `{}` | | +| injector.authPath | string | `"auth/kubernetes"` | | +| injector.certs.caBundle | string | `""` | | +| injector.certs.certName | string | `"tls.crt"` | | +| injector.certs.keyName | string | `"tls.key"` | | +| injector.certs.secretName | string | `nil` | | +| injector.enabled | string | `"-"` | True if you want to enable openbao agent injection. @default: global.enabled | +| injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. | +| injector.extraEnvironmentVars | object | `{}` | | +| injector.extraLabels | object | `{}` | | +| injector.failurePolicy | string | `"Ignore"` | | +| injector.hostNetwork | bool | `false` | | +| injector.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for k8s image. if tag is "latest", set to "Always" | +| injector.image.registry | string | `"docker.io"` | image registry to use for k8s image | +| injector.image.repository | string | `"hashicorp/vault-k8s"` | image repo to use for k8s image | +| injector.image.tag | string | `"1.4.2"` | image tag to use for k8s image | +| injector.leaderElector | object | `{"enabled":true}` | If multiple replicas are specified, by default a leader will be determined so that only one injector attempts to create TLS certificates. 
| +| injector.livenessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up | +| injector.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates | +| injector.livenessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe | +| injector.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed | +| injector.livenessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. | +| injector.logFormat | string | `"standard"` | Configures the log format of the injector. Supported log formats: "standard", "json". | +| injector.logLevel | string | `"info"` | Configures the log verbosity of the injector. Supported log levels include: trace, debug, info, warn, error | +| injector.metrics | object | `{"enabled":false}` | If true, will enable a node exporter metrics endpoint at /metrics. 
| +| injector.namespaceSelector | object | `{}` | | +| injector.nodeSelector | object | `{}` | | +| injector.objectSelector | object | `{}` | | +| injector.podDisruptionBudget | object | `{}` | | +| injector.port | int | `8080` | Configures the port the injector should listen on | +| injector.priorityClassName | string | `""` | | +| injector.readinessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up | +| injector.readinessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates | +| injector.readinessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe | +| injector.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed | +| injector.readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. | +| injector.replicas | int | `1` | | +| injector.resources | object | `{}` | | +| injector.revokeOnShutdown | bool | `false` | | +| injector.securityContext.container | object | `{}` | | +| injector.securityContext.pod | object | `{}` | | +| injector.service.annotations | object | `{}` | | +| injector.serviceAccount.annotations | object | `{}` | | +| injector.startupProbe.failureThreshold | int | `12` | When a probe fails, Kubernetes will try failureThreshold times before giving up | +| injector.startupProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates | +| injector.startupProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe | +| injector.startupProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed | +| injector.startupProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. 
| +| injector.strategy | object | `{}` | | +| injector.tolerations | list | `[]` | | +| injector.topologySpreadConstraints | list | `[]` | | +| injector.webhook.annotations | object | `{}` | | +| injector.webhook.failurePolicy | string | `"Ignore"` | | +| injector.webhook.matchPolicy | string | `"Exact"` | | +| injector.webhook.namespaceSelector | object | `{}` | | +| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"openbao.name\" . }}-agent-injector\n"` | | +| injector.webhook.timeoutSeconds | int | `30` | | +| injector.webhookAnnotations | object | `{}` | | +| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | | +| server.annotations | object | `{}` | | +| server.auditStorage.accessMode | string | `"ReadWriteOnce"` | | +| server.auditStorage.annotations | object | `{}` | | +| server.auditStorage.enabled | bool | `false` | | +| server.auditStorage.labels | object | `{}` | | +| server.auditStorage.mountPath | string | `"/openbao/audit"` | | +| server.auditStorage.size | string | `"10Gi"` | | +| server.auditStorage.storageClass | string | `nil` | | +| server.authDelegator.enabled | bool | `true` | | +| server.configAnnotation | bool | `false` | | +| server.dataStorage.accessMode | string | `"ReadWriteOnce"` | | +| server.dataStorage.annotations | object | `{}` | | +| server.dataStorage.enabled | bool | `true` | | +| server.dataStorage.labels | object | `{}` | | +| server.dataStorage.mountPath | string | `"/openbao/data"` | | +| server.dataStorage.size | string | `"10Gi"` | | +| server.dataStorage.storageClass | string | `nil` | | +| server.dev.devRootToken | string | `"root"` | | +| server.dev.enabled | bool | `false` | | +| 
server.enabled | string | `"-"` | | +| server.extraArgs | string | `""` | extraArgs is a string containing additional OpenBao server arguments. | +| server.extraContainers | string | `nil` | | +| server.extraEnvironmentVars | object | `{}` | | +| server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. | +| server.extraLabels | object | `{}` | | +| server.extraPorts | list | `[]` | extraPorts is a list of extra ports. Specified as a YAML list. This is useful if you need to add additional ports to the statefulset in dynamic way. | +| server.extraSecretEnvironmentVars | list | `[]` | | +| server.extraVolumes | list | `[]` | | +| server.ha.apiAddr | string | `nil` | | +| server.ha.clusterAddr | string | `nil` | | +| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"openbao\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. 
The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | +| server.ha.disruptionBudget.enabled | bool | `true` | | +| server.ha.disruptionBudget.maxUnavailable | string | `nil` | | +| server.ha.enabled | bool | `false` | | +| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/openbao/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | | +| server.ha.raft.enabled | bool | `false` | | +| server.ha.raft.setNodeId | bool | `false` | | +| server.ha.replicas | int | `3` | | +| server.hostAliases | list | `[]` | | +| server.hostNetwork | bool | `false` | | +| server.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for server image. 
if tag is "latest", set to "Always" | +| server.image.registry | string | `"quay.io"` | image registry to use for server image | +| server.image.repository | string | `"openbao/openbao"` | image repo to use for server image | +| server.image.tag | string | `"2.0.2"` | image tag to use for server image | +| server.ingress.activeService | bool | `true` | | +| server.ingress.annotations | object | `{}` | | +| server.ingress.enabled | bool | `false` | | +| server.ingress.extraPaths | list | `[]` | | +| server.ingress.hosts[0].host | string | `"chart-example.local"` | | +| server.ingress.hosts[0].paths | list | `[]` | | +| server.ingress.ingressClassName | string | `""` | | +| server.ingress.labels | object | `{}` | | +| server.ingress.pathType | string | `"Prefix"` | | +| server.ingress.tls | list | `[]` | | +| server.livenessProbe.enabled | bool | `false` | | +| server.livenessProbe.execCommand | list | `[]` | | +| server.livenessProbe.failureThreshold | int | `2` | | +| server.livenessProbe.initialDelaySeconds | int | `60` | | +| server.livenessProbe.path | string | `"/v1/sys/health?standbyok=true"` | | +| server.livenessProbe.periodSeconds | int | `5` | | +| server.livenessProbe.port | int | `8200` | | +| server.livenessProbe.successThreshold | int | `1` | | +| server.livenessProbe.timeoutSeconds | int | `3` | | +| server.logFormat | string | `""` | | +| server.logLevel | string | `""` | | +| server.networkPolicy.egress | list | `[]` | | +| server.networkPolicy.enabled | bool | `false` | | +| server.networkPolicy.ingress[0].from[0].namespaceSelector | object | `{}` | | +| server.networkPolicy.ingress[0].ports[0].port | int | `8200` | | +| server.networkPolicy.ingress[0].ports[0].protocol | string | `"TCP"` | | +| server.networkPolicy.ingress[0].ports[1].port | int | `8201` | | +| server.networkPolicy.ingress[0].ports[1].protocol | string | `"TCP"` | | +| server.nodeSelector | object | `{}` | | +| server.persistentVolumeClaimRetentionPolicy | object | `{}` | | +| 
server.postStart | list | `[]` | | +| server.preStopSleepSeconds | int | `5` | | +| server.priorityClassName | string | `""` | | +| server.readinessProbe.enabled | bool | `true` | | +| server.readinessProbe.failureThreshold | int | `2` | | +| server.readinessProbe.initialDelaySeconds | int | `5` | | +| server.readinessProbe.periodSeconds | int | `5` | | +| server.readinessProbe.port | int | `8200` | | +| server.readinessProbe.successThreshold | int | `1` | | +| server.readinessProbe.timeoutSeconds | int | `3` | | +| server.resources | object | `{}` | | +| server.route.activeService | bool | `true` | | +| server.route.annotations | object | `{}` | | +| server.route.enabled | bool | `false` | | +| server.route.host | string | `"chart-example.local"` | | +| server.route.labels | object | `{}` | | +| server.route.tls.termination | string | `"passthrough"` | | +| server.service.active.annotations | object | `{}` | | +| server.service.active.enabled | bool | `true` | | +| server.service.annotations | object | `{}` | | +| server.service.enabled | bool | `true` | | +| server.service.externalTrafficPolicy | string | `"Cluster"` | | +| server.service.instanceSelector.enabled | bool | `true` | | +| server.service.ipFamilies | list | `[]` | | +| server.service.ipFamilyPolicy | string | `""` | | +| server.service.port | int | `8200` | | +| server.service.publishNotReadyAddresses | bool | `true` | | +| server.service.standby.annotations | object | `{}` | | +| server.service.standby.enabled | bool | `true` | | +| server.service.targetPort | int | `8200` | | +| server.serviceAccount.annotations | object | `{}` | | +| server.serviceAccount.create | bool | `true` | | +| server.serviceAccount.createSecret | bool | `false` | | +| server.serviceAccount.extraLabels | object | `{}` | | +| server.serviceAccount.name | string | `""` | | +| server.serviceAccount.serviceDiscovery.enabled | bool | `true` | | +| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables 
process namespace sharing between OpenBao and the extraContainers This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation | +| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/openbao/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | +| server.standalone.enabled | string | `"-"` | | +| server.statefulSet.annotations | object | `{}` | | +| server.statefulSet.securityContext.container | object | `{}` | | +| server.statefulSet.securityContext.pod | object | `{}` | | +| server.terminationGracePeriodSeconds | int | `10` | | +| server.tolerations | list | `[]` | | +| server.topologySpreadConstraints | list | `[]` | | +| server.updateStrategyType | string | `"OnDelete"` | | +| server.volumeMounts | string | `nil` | | +| server.volumes | string | `nil` | | +| serverTelemetry.prometheusRules.enabled | bool | `false` | | +| serverTelemetry.prometheusRules.rules | list | `[]` | | +| serverTelemetry.prometheusRules.selectors | object | `{}` | | +| serverTelemetry.serviceMonitor.enabled | bool | `false` | | +| serverTelemetry.serviceMonitor.interval | string | `"30s"` | | +| serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` | | +| serverTelemetry.serviceMonitor.selectors | object | 
`{}` | | +| ui.activeOpenbaoPodOnly | bool | `false` | | +| ui.annotations | object | `{}` | | +| ui.enabled | bool | `false` | | +| ui.externalPort | int | `8200` | | +| ui.externalTrafficPolicy | string | `"Cluster"` | | +| ui.publishNotReadyAddresses | bool | `true` | | +| ui.serviceIPFamilies | list | `[]` | | +| ui.serviceIPFamilyPolicy | string | `""` | | +| ui.serviceNodePort | string | `nil` | | +| ui.serviceType | string | `"ClusterIP"` | | +| ui.targetPort | int | `8200` | | + diff --git a/charts/openbao/templates/NOTES.txt b/charts/openbao/templates/NOTES.txt new file mode 100644 index 0000000..c89dbd2 --- /dev/null +++ b/charts/openbao/templates/NOTES.txt @@ -0,0 +1,14 @@ + +Thank you for installing OpenBao! + +Now that you have deployed OpenBao, you should look over the docs on using +OpenBao with Kubernetes available here: + +https://openbao.org/docs/ + + +Your release is named {{ .Release.Name }}. To learn more about the release, try: + + $ helm status {{ .Release.Name }} + $ helm get manifest {{ .Release.Name }} + diff --git a/templates/_helpers.tpl b/charts/openbao/templates/_helpers.tpl similarity index 78% rename from templates/_helpers.tpl rename to charts/openbao/templates/_helpers.tpl index ca79b69..2650db5 100644 --- a/templates/_helpers.tpl +++ b/charts/openbao/templates/_helpers.tpl @@ -1,10 +1,15 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "vault.fullname" -}} +{{- define "openbao.fullname" -}} {{- if .Values.fullnameOverride -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} 
@@ -20,21 +25,28 @@ be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "vault.chart" -}} +{{- define "openbao.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Expand the name of the chart. */}} -{{- define "vault.name" -}} +{{- define "openbao.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Allow the release namespace to be overridden +*/}} +{{- define "openbao.namespace" -}} +{{- default .Release.Namespace .Values.global.namespace -}} +{{- end -}} + {{/* Compute if the csi driver is enabled. */}} -{{- define "vault.csiEnabled" -}} +{{- define "openbao.csiEnabled" -}} {{- $_ := set . "csiEnabled" (or (eq (.Values.csi.enabled | toString) "true") (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} @@ -43,7 +55,7 @@ Compute if the csi driver is enabled. {{/* Compute if the injector is enabled. */}} -{{- define "vault.injectorEnabled" -}} +{{- define "openbao.injectorEnabled" -}} {{- $_ := set . "injectorEnabled" (or (eq (.Values.injector.enabled | toString) "true") (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} @@ -52,7 +64,7 @@ Compute if the injector is enabled. {{/* Compute if the server is enabled. */}} -{{- define "vault.serverEnabled" -}} +{{- define "openbao.serverEnabled" -}} {{- $_ := set . "serverEnabled" (or (eq (.Values.server.enabled | toString) "true") (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} 
@@ -61,7 +73,7 @@ Compute if the server is enabled. {{/* Compute if the server serviceaccount is enabled. */}} -{{- define "vault.serverServiceAccountEnabled" -}} +{{- define "openbao.serverServiceAccountEnabled" -}} {{- $_ := set . "serverServiceAccountEnabled" (and (eq (.Values.server.serviceAccount.create | toString) "true" ) @@ -70,10 +82,21 @@ Compute if the server serviceaccount is enabled. (eq (.Values.global.enabled | toString) "true"))) -}} {{- end -}} +{{/* +Compute if the server serviceaccount should have a token created and mounted to the serviceaccount. +*/}} +{{- define "openbao.serverServiceAccountSecretCreationEnabled" -}} +{{- $_ := set . "serverServiceAccountSecretCreationEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true") + (eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}} +{{- end -}} + + {{/* Compute if the server auth delegator serviceaccount is enabled. */}} -{{- define "vault.serverAuthDelegator" -}} +{{- define "openbao.serverAuthDelegator" -}} {{- $_ := set . "serverAuthDelegator" (and (eq (.Values.server.authDelegator.enabled | toString) "true" ) @@ -87,15 +110,15 @@ Compute if the server auth delegator serviceaccount is enabled. {{/* Compute if the server service is enabled. */}} -{{- define "vault.serverServiceEnabled" -}} -{{- template "vault.serverEnabled" . -}} +{{- define "openbao.serverServiceEnabled" -}} +{{- template "openbao.serverEnabled" . -}} {{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} {{- end -}} {{/* Compute if the ui is enabled. */}} -{{- define "vault.uiEnabled" -}} +{{- define "openbao.uiEnabled" -}} {{- $_ := set . "uiEnabled" (or (eq (.Values.ui.enabled | toString) "true") (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} 
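Review bot: The new `openbao.serverServiceAccountSecretCreationEnabled` helper never consults `global.enabled`, while the sibling `openbao.serverServiceAccountEnabled` visible just above it does; if a template gates the token Secret on this flag alone, `global.enabled: false` with `createSecret: true` would presumably still render a Secret for a service account that is not created. Deriving it from the sibling avoids the divergence: `{{- template "openbao.serverServiceAccountEnabled" . -}}` then `(and .serverServiceAccountEnabled (eq (.Values.server.serviceAccount.createSecret | toString) "true"))`. The doc comment should also say what the flag controls, since a manually created service-account token Secret is presumably the non-expiring `kubernetes.io/service-account-token` kind: `Compute if a long-lived token Secret is created for the server serviceaccount (server.serviceAccount.createSecret); only meaningful when the serviceaccount itself is created.` The two blank lines after the define are a style nit.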
@@ -106,7 +129,7 @@ Compute the maximum number of unavailable replicas for the PodDisruptionBudget. This defaults to (n/2)-1 where n is the number of members of the server cluster. Add a special case for replicas=1, where it should default to 0 as well. */}} -{{- define "vault.pdb.maxUnavailable" -}} +{{- define "openbao.pdb.maxUnavailable" -}} {{- if eq (int .Values.server.ha.replicas) 1 -}} {{ 0 }} {{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}} @@ -120,8 +143,8 @@ Add a special case for replicas=1, where it should default to 0 as well. Set the variable 'mode' to the server mode requested by the user to simplify template logic. */}} -{{- define "vault.mode" -}} - {{- template "vault.serverEnabled" . -}} +{{- define "openbao.mode" -}} + {{- template "openbao.serverEnabled" . -}} {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} {{- $_ := set . "mode" "external" -}} {{- else if not .serverEnabled -}} @@ -140,11 +163,15 @@ template logic. {{/* Set's the replica count based on the different modes configured by user */}} -{{- define "vault.replicas" -}} +{{- define "openbao.replicas" -}} {{ if eq .mode "standalone" }} {{- default 1 -}} {{ else if eq .mode "ha" }} - {{- .Values.server.ha.replicas | default 3 -}} + {{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}} + {{- .Values.server.ha.replicas -}} + {{ else }} + {{- 3 -}} + {{- end -}} {{ else }} {{- default 1 -}} {{ end }} 
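Review bot: In `openbao.replicas`, any `server.ha.replicas` that is not int64/float64 — including a numeric string such as `"5"` from a quoted values entry or `--set-string` — now silently falls back to 3, so a user asking for 5 replicas gets 3 with no error. Only an unset value should take the default; anything else should fail loudly, e.g. replace the `{{ else }}` branch with `{{- else if kindIs "invalid" .Values.server.ha.replicas -}}{{- 3 -}}{{ else }}{{- fail (printf "server.ha.replicas must be an integer, got %v" .Values.server.ha.replicas) -}}`. A float64 such as 2.5 also passes the kind check and is rendered verbatim into the StatefulSet; piping the value through `int` in the accepted branch would normalise it. A value of 0 is now honoured rather than coerced to 3 as the old `default 3` did — worth stating in the comment above the define if that is intended.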
@@ -155,11 +182,11 @@ Set's up configmap mounts if this isn't a dev deployment and the user defined a custom configuration. Additionally iterates over any extra volumes the user may have specified (such as a secret with TLS). */}} -{{- define "vault.volumes" -}} +{{- define "openbao.volumes" -}} {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} - name: config configMap: - name: {{ template "vault.fullname" . }}-config + name: {{ template "openbao.fullname" . }}-config {{ end }} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} 
@@ -174,40 +201,34 @@ extra volumes the user may have specified (such as a secret with TLS). {{- if .Values.server.volumes }} {{- toYaml .Values.server.volumes | nindent 8}} {{- end }} - {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} - - name: vault-license - secret: - secretName: {{ .Values.server.enterpriseLicense.secretName }} - defaultMode: 0440 - {{- end }} {{- end -}} {{/* -Set's the args for custom command to render the Vault configuration +Set's the args for custom command to render the OpenBao configuration file with IP addresses to make the out of box experience easier for users looking to use this chart with Consul Helm. */}} -{{- define "vault.args" -}} +{{- define "openbao.args" -}} {{ if or (eq .mode "standalone") (eq .mode "ha") }} - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; + cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} + /usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} {{ else if eq .mode "dev" }} - | - /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }} + /usr/local/bin/docker-entrypoint.sh bao server -dev {{ .Values.server.extraArgs }} {{ end }} {{- end -}} {{/* Set's additional environment variables based on the mode. 
*/}} -{{- define "vault.envs" -}} +{{- define "openbao.envs" -}} {{ if eq .mode "dev" }} - name: VAULT_DEV_ROOT_TOKEN_ID value: {{ .Values.server.dev.devRootToken }} @@ -220,7 +241,7 @@ Set's additional environment variables based on the mode. Set's which additional volumes should be mounted to the container based on the mode configured. */}} -{{- define "vault.mounts" -}} +{{- define "openbao.mounts" -}} {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }} - name: audit mountPath: {{ .Values.server.auditStorage.mountPath }} @@ -233,21 +254,16 @@ based on the mode configured. {{ end }} {{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} - name: config - mountPath: /vault/config + mountPath: /openbao/config {{ end }} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} readOnly: true - mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} + mountPath: {{ .path | default "/openbao/userconfig" }}/{{ .name }} {{- end }} {{- if .Values.server.volumeMounts }} {{- toYaml .Values.server.volumeMounts | nindent 12}} {{- end }} - {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} - - name: vault-license - mountPath: /vault/license - readOnly: true - {{- end }} {{- end -}} {{/* 
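Review bot: The dev-mode block under the renamed `openbao.envs` still exports `VAULT_DEV_ROOT_TOKEN_ID`, while the new agent sidecar in csi-daemonset.yaml uses `BAO_LOG_LEVEL` and `BAO_LOG_FORMAT`, so the chart now mixes the two variable families; if the `bao` binary honours both this is only cosmetic, but a comment such as `{{/* VAULT_* names kept deliberately; confirm the bao image still reads them */}}` would record that it was checked rather than overlooked. The `/openbao/config` mount path in the mounts hunk does match the `cp /openbao/config/extraconfig-from-values.hcl` in `openbao.args`, so the config copy keeps working. The `openbao.envs` definition continues past the end of its hunk.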
@@ -255,13 +271,14 @@ Set's up the volumeClaimTemplates when data or audit storage is required. HA might not use data storage since Consul is likely it's backend, however, audit storage might be desired by the user. */}} -{{- define "vault.volumeclaims" -}} +{{- define "openbao.volumeclaims" -}} {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} volumeClaimTemplates: {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} - metadata: name: data - {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} + {{- include "openbao.dataVolumeClaim.annotations" . | nindent 6 }} + {{- include "openbao.dataVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} @@ -275,7 +292,8 @@ storage might be desired by the user. {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} - metadata: name: audit - {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} + {{- include "openbao.auditVolumeClaim.annotations" . | nindent 6 }} + {{- include "openbao.auditVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} @@ -292,7 +310,7 @@ storage might be desired by the user. {{/* Set's the affinity for pod placement when running in standalone and HA modes. */}} -{{- define "vault.affinity" -}} +{{- define "openbao.affinity" -}} {{- if and (ne .mode "dev") .Values.server.affinity }} affinity: {{ $tp := typeOf .Values.server.affinity }} 
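Review bot: The new `openbao.dataVolumeClaim.labels` and `openbao.auditVolumeClaim.labels` includes render inside `volumeClaimTemplates`, which Kubernetes treats as immutable on an existing StatefulSet, so setting `server.dataStorage.labels` or `server.auditStorage.labels` on an already-deployed release will make `helm upgrade` fail with a forbidden-update error instead of relabelling the PVCs. That is a StatefulSet property rather than a bug in this hunk, but it deserves a note beside the new lines, e.g. `{{/* part of the immutable volumeClaimTemplates: applies on first install or after recreating the StatefulSet */}}`, and the same caveat in the documentation for the two new values. The `openbao.volumeclaims` definition continues past the end of the hunk.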
@@ -322,7 +340,7 @@ Sets the injector affinity for pod placement {{/* Sets the topologySpreadConstraints when running in standalone and HA modes. */}} -{{- define "vault.topologySpreadConstraints" -}} +{{- define "openbao.topologySpreadConstraints" -}} {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} topologySpreadConstraints: {{ $tp := typeOf .Values.server.topologySpreadConstraints }} @@ -353,7 +371,7 @@ Sets the injector topologySpreadConstraints for pod placement {{/* Sets the toleration for pod placement when running in standalone and HA modes. */}} -{{- define "vault.tolerations" -}} +{{- define "openbao.tolerations" -}} {{- if and (ne .mode "dev") .Values.server.tolerations }} tolerations: {{- $tp := typeOf .Values.server.tolerations }} @@ -383,7 +401,7 @@ Sets the injector toleration for pod placement {{/* Set's the node selector for pod placement when running in standalone and HA modes. */}} -{{- define "vault.nodeselector" -}} +{{- define "openbao.nodeselector" -}} {{- if and (ne .mode "dev") .Values.server.nodeSelector }} nodeSelector: {{- $tp := typeOf .Values.server.nodeSelector }} @@ -428,9 +446,12 @@ Sets the injector deployment update strategy {{/* Sets extra pod annotations */}} -{{- define "vault.annotations" -}} - {{- if .Values.server.annotations }} +{{- define "openbao.annotations" }} annotations: + {{- if .Values.server.includeConfigAnnotation }} + openbao.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }} + {{- end }} + {{- if .Values.server.annotations }} {{- $tp := typeOf .Values.server.annotations }} {{- if eq $tp "string" }} {{- tpl .Values.server.annotations . | nindent 8 }} 
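Review bot: `openbao.annotations` now emits the `annotations:` key unconditionally, since the `{{- if .Values.server.annotations }}` guard moved below it, so a release with neither `server.includeConfigAnnotation` nor `server.annotations` renders a bare `annotations:` with a null value; the define header also lost its trailing `-}}`, which changes the leading whitespace compared with every sibling helper. Both are presumably accepted by the API server, but `helm template` output and any snapshot tests change; wrapping the key in `{{- if or .Values.server.includeConfigAnnotation .Values.server.annotations }}` restores the previous shape. Separately, the new key `openbao.hashicorp.com/config-checksum` keeps the hashicorp.com domain after the rename; if the intent is to match the rest of the chart, use the project's own domain, and a comment that the annotation hashes the rendered `openbao.config` so pods roll when configuration changes would make its purpose clear. The definition continues past the end of the hunk.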
@@ -534,7 +555,7 @@ securityContext for the statefulset pod template. {{- end -}} {{/* -securityContext for the statefulset vault container +securityContext for the statefulset openbao container */}} {{- define "server.statefulSet.securityContext.container" -}} {{- if .Values.server.statefulSet.securityContext.container }} @@ -601,7 +622,7 @@ Set's the injector webhook objectSelector {{/* Sets extra ui service annotations */}} -{{- define "vault.ui.annotations" -}} +{{- define "openbao.ui.annotations" -}} {{- if .Values.ui.annotations }} annotations: {{- $tp := typeOf .Values.ui.annotations }} @@ -616,9 +637,9 @@ Sets extra ui service annotations {{/* Create the name of the service account to use */}} -{{- define "vault.serviceAccount.name" -}} +{{- define "openbao.serviceAccount.name" -}} {{- if .Values.server.serviceAccount.create -}} - {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }} + {{ default (include "openbao.fullname" .) .Values.server.serviceAccount.name }} {{- else -}} {{ default "default" .Values.server.serviceAccount.name }} {{- end -}} @@ -627,7 +648,7 @@ Create the name of the service account to use {{/* Sets extra service account annotations */}} -{{- define "vault.serviceAccount.annotations" -}} +{{- define "openbao.serviceAccount.annotations" -}} {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} annotations: {{- $tp := typeOf .Values.server.serviceAccount.annotations }} @@ -642,7 +663,7 @@ Sets extra service account annotations {{/* Sets extra ingress annotations */}} -{{- define "vault.ingress.annotations" -}} +{{- define "openbao.ingress.annotations" -}} {{- if .Values.server.ingress.annotations }} annotations: {{- $tp := typeOf .Values.server.ingress.annotations }} 
@@ -657,7 +678,7 @@ Sets extra ingress annotations {{/* Sets extra route annotations */}} -{{- define "vault.route.annotations" -}} +{{- define "openbao.route.annotations" -}} {{- if .Values.server.route.annotations }} annotations: {{- $tp := typeOf .Values.server.route.annotations }} @@ -670,9 +691,9 @@ Sets extra route annotations {{- end -}} {{/* -Sets extra vault server Service annotations +Sets extra openbao server Service annotations */}} -{{- define "vault.service.annotations" -}} +{{- define "openbao.service.annotations" -}} {{- if .Values.server.service.annotations }} {{- $tp := typeOf .Values.server.service.annotations }} {{- if eq $tp "string" }} @@ -683,10 +704,37 @@ Sets extra vault server Service annotations {{- end }} {{- end -}} +{{/* +Sets extra openbao server Service (active) annotations +*/}} +{{- define "openbao.service.active.annotations" -}} + {{- if .Values.server.service.active.annotations }} + {{- $tp := typeOf .Values.server.service.active.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.active.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.active.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets extra openbao server Service annotations +*/}} +{{- define "openbao.service.standby.annotations" -}} + {{- if .Values.server.service.standby.annotations }} + {{- $tp := typeOf .Values.server.service.standby.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.standby.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.standby.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets PodSecurityPolicy annotations */}} -{{- define "vault.psp.annotations" -}} +{{- define "openbao.psp.annotations" -}} {{- if .Values.global.psp.annotations }} annotations: {{- $tp := typeOf .Values.global.psp.annotations }} 
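Review bot: The comment above the new `openbao.service.standby.annotations` still reads "Sets extra openbao server Service annotations", a copy of the generic helper's text; it should say `Sets extra openbao server Service (standby) annotations` to match its `active` twin. Both new helpers dereference `.Values.server.service.active.annotations` and `.Values.server.service.standby.annotations` without guarding the parent map, so unless values.yaml declares `server.service.active` and `server.service.standby` (at least as `{}`), a user values file that replaces `server.service` wholesale will fail rendering with a nil-pointer error instead of producing no annotations. Guarding with `{{- with .Values.server.service.active }}{{- if .annotations }}` (and the same for standby) makes the helpers safe regardless of what values.yaml provides.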
@@ -701,7 +749,7 @@ Sets PodSecurityPolicy annotations {{/* Sets extra statefulset annotations */}} -{{- define "vault.statefulSet.annotations" -}} +{{- define "openbao.statefulSet.annotations" -}} {{- if .Values.server.statefulSet.annotations }} annotations: {{- $tp := typeOf .Values.server.statefulSet.annotations }} @@ -716,7 +764,7 @@ Sets extra statefulset annotations {{/* Sets VolumeClaim annotations for data volume */}} -{{- define "vault.dataVolumeClaim.annotations" -}} +{{- define "openbao.dataVolumeClaim.annotations" -}} {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }} annotations: {{- $tp := typeOf .Values.server.dataStorage.annotations }} @@ -728,10 +776,25 @@ Sets VolumeClaim annotations for data volume {{- end }} {{- end -}} +{{/* +Sets VolumeClaim labels for data volume +*/}} +{{- define "openbao.dataVolumeClaim.labels" -}} + {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }} + labels: + {{- $tp := typeOf .Values.server.dataStorage.labels }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.dataStorage.labels . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.dataStorage.labels | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets VolumeClaim annotations for audit volume */}} -{{- define "vault.auditVolumeClaim.annotations" -}} +{{- define "openbao.auditVolumeClaim.annotations" -}} {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }} annotations: {{- $tp := typeOf .Values.server.auditStorage.annotations }} 
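Review bot: `openbao.dataVolumeClaim.labels` here and `openbao.auditVolumeClaim.labels` in the following hunk are identical apart from `dataStorage` versus `auditStorage`, repeating the pattern of the two annotation helpers; a single helper that takes the storage map as its argument would keep the label and annotation handling for both volumes in step. The `csi.agent.resources` helper added in the same later hunk hard-codes `indent 12` like `openbao.resources`, which ties it to one call-site depth — a comment such as `{{/* indent 12 assumes the call site is a container entry under spec.template.spec.containers */}}` would make that dependency visible to anyone reusing it.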
@@ -743,10 +806,25 @@ Sets VolumeClaim annotations for audit volume {{- end }} {{- end -}} +{{/* +Sets VolumeClaim labels for audit volume +*/}} +{{- define "openbao.auditVolumeClaim.labels" -}} + {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }} + labels: + {{- $tp := typeOf .Values.server.auditStorage.labels }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.auditStorage.labels . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.auditStorage.labels | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Set's the container resources if the user has set any. */}} -{{- define "vault.resources" -}} +{{- define "openbao.resources" -}} {{- if .Values.server.resources -}} resources: {{ toYaml .Values.server.resources | indent 12}} @@ -773,6 +851,16 @@ Sets the container resources if the user has set any. {{ end }} {{- end -}} +{{/* +Sets the container resources for CSI's Agent sidecar if the user has set any. +*/}} +{{- define "csi.agent.resources" -}} + {{- if .Values.csi.agent.resources -}} + resources: +{{ toYaml .Values.csi.agent.resources | indent 12}} + {{ end }} +{{- end -}} + {{/* Sets extra CSI daemonset annotations */}} 
@@ -834,6 +922,34 @@ Sets the injector toleration for pod placement {{- end }} {{- end -}} +{{/* +Sets the CSI provider nodeSelector for pod placement +*/}} +{{- define "csi.pod.nodeselector" -}} + {{- if .Values.csi.pod.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.csi.pod.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets the CSI provider affinity for pod placement. +*/}} +{{- define "csi.pod.affinity" -}} + {{- if .Values.csi.pod.affinity }} + affinity: + {{ $tp := typeOf .Values.csi.pod.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} {{/* Sets extra CSI provider pod annotations */}} @@ -867,7 +983,7 @@ Sets extra CSI service account annotations {{/* Inject extra environment vars in the format key:value, if populated */}} -{{- define "vault.extraEnvironmentVars" -}} +{{- define "openbao.extraEnvironmentVars" -}} {{- if .extraEnvironmentVars -}} {{- range $key, $value := .extraEnvironmentVars }} - name: {{ printf "%s" $key | replace "." "_" | upper | quote }} @@ -879,7 +995,7 @@ Inject extra environment vars in the format key:value, if populated {{/* Inject extra environment populated by secrets, if populated */}} -{{- define "vault.extraSecretEnvironmentVars" -}} +{{- define "openbao.extraSecretEnvironmentVars" -}} {{- if .extraSecretEnvironmentVars -}} {{- range .extraSecretEnvironmentVars }} - name: {{ .envName }} @@ -892,7 +1008,7 @@ Inject extra environment populated by secrets, if populated {{- end -}} {{/* Scheme for health check and local endpoint */}} -{{- define "vault.scheme" -}} +{{- define "openbao.scheme" -}} {{- if .Values.global.tlsDisable -}} {{ "http" }} {{- else -}} 
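Review bot: The two new CSI helpers are formatted differently: `csi.pod.nodeselector` trims with `{{- $tp := … }}` and `{{- end }}`, while `csi.pod.affinity` uses untrimmed `{{ $tp := … }}` and `{{ end }}`, so its rendered output carries stray blank lines around the `affinity:` block. This mirrors the server-side `openbao.affinity` helper, which has the same untrimmed lines, so the YAML is still valid, but since both helpers are new they could use the trimmed form consistently; changing `{{ $tp := typeOf .Values.csi.pod.affinity }}` to `{{- $tp := typeOf .Values.csi.pod.affinity }}` and `{{ end }}` to `{{- end }}` is enough.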
@@ -951,3 +1067,28 @@ Supported inputs are Values.ui {{- end -}} {{- end }} {{- end -}} + +{{/* +config file from values +*/}} +{{- define "openbao.config" -}} + {{- if or (eq .mode "ha") (eq .mode "standalone") }} + {{- $type := typeOf (index .Values.server .mode).config }} + {{- if eq $type "string" }} + disable_mlock = true + {{- if eq .mode "standalone" }} + {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }} + {{ tpl .Values.server.ha.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} + {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} + {{ end }} + {{- else }} + {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }} + {{- else }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }} + {{- end }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/openbao/templates/csi-agent-configmap.yaml b/charts/openbao/templates/csi-agent-configmap.yaml new file mode 100644 index 0000000..5455b09 --- /dev/null +++ b/charts/openbao/templates/csi-agent-configmap.yaml 
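Review bot: In `openbao.config` the rendering branch is chosen by `typeOf (index .Values.server .mode).config`, i.e. `server.ha.config`, but the HA-with-raft path renders `server.ha.raft.config`; if those two values are of different kinds (a string `ha.config` alongside a map `ha.raft.config`, or the reverse) the wrong branch runs and the raft config is either emitted verbatim as a string or handed to `merge` as a non-map. Selecting the value first and deriving `$type` from it, as below, closes that gap; the rest of the helper then reads `$cfg` instead of re-indexing. `disable_mlock = true` is also injected unconditionally in both forms, and because sprig's `merge` gives precedence to its first argument, a user-supplied `disable_mlock: false` in a map config is silently overridden — the header comment (`config file from values`) should state that memory locking is always disabled by this chart and must be provided by the container or host instead, especially since the new config-checksum annotation hashes exactly this output.
```yaml
{{- define "openbao.config" -}}
  {{- if or (eq .mode "ha") (eq .mode "standalone") }}
  {{- $cfg := (index .Values.server .mode).config }}
  {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
  {{- $cfg = .Values.server.ha.raft.config }}
  {{- end }}
  {{- $type := typeOf $cfg }}
  # … unchanged: string branch (tpl $cfg) and map branch (merge (dict "disable_mlock" true) $cfg | toPrettyJson) …
```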
@@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.csiEnabled" . -}} +{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "openbao.fullname" . }}-csi-provider-agent-config + namespace: {{ include "openbao.namespace" . }} + labels: + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + config.hcl: | + vault { + {{- if .Values.global.externalVaultAddr }} + "address" = "{{ .Values.global.externalVaultAddr }}" + {{- else }} + "address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}" + {{- end }} + } + + cache {} + + listener "unix" { + address = "/var/run/vault/agent.sock" + tls_disable = true + } +{{- end }} diff --git a/templates/csi-clusterrole.yaml b/charts/openbao/templates/csi-clusterrole.yaml similarity index 54% rename from templates/csi-clusterrole.yaml rename to charts/openbao/templates/csi-clusterrole.yaml index ec6a3d2..a3fbb61 100644 --- a/templates/csi-clusterrole.yaml +++ b/charts/openbao/templates/csi-clusterrole.yaml 
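Review bot: The agent listener in `config.hcl` is a unix socket with `tls_disable = true`, and nothing in the config restricts the socket's file mode; what bounds access to it is the in-memory `emptyDir` that csi-daemonset.yaml mounts at `/var/run/vault` in both containers. If the agent's unix listener supports `socket_mode`/`socket_user` options as the upstream one does, setting them here and adding `# unauthenticated socket: reachable only by containers sharing the agent-unix-socket volume` documents the trust boundary explicitly. The `vault {` stanza and the `/var/run/vault` path also keep the old name while every other identifier in this commit was renamed; confirm which stanza name the `bao agent` config schema expects before either renaming or leaving it as is.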
@@ -1,11 +1,16 @@ -{{- template "vault.csiEnabled" . -}} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "vault.fullname" . }}-csi-provider-clusterrole + name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: diff --git a/charts/openbao/templates/csi-clusterrolebinding.yaml b/charts/openbao/templates/csi-clusterrolebinding.yaml new file mode 100644 index 0000000..3c7847a --- /dev/null +++ b/charts/openbao/templates/csi-clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding + labels: + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole +subjects: +- kind: ServiceAccount + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} +{{- end }} diff --git a/charts/openbao/templates/csi-daemonset.yaml b/charts/openbao/templates/csi-daemonset.yaml new file mode 100644 index 0000000..1ace436 --- /dev/null +++ b/charts/openbao/templates/csi-daemonset.yaml 
@@ -0,0 +1,157 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.daemonSet.extraLabels -}} + {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} + {{- end -}} + {{ template "csi.daemonSet.annotations" . }} +spec: + updateStrategy: + type: {{ .Values.csi.daemonSet.updateStrategy.type }} + {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }} + rollingUpdate: + maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.csi.pod.extraLabels -}} + {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} + {{- end -}} + {{ template "csi.pod.annotations" . }} + spec: + {{ template "csi.daemonSet.securityContext.pod" . }} + {{- if .Values.csi.priorityClassName }} + priorityClassName: {{ .Values.csi.priorityClassName }} + {{- end }} + serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider + {{- template "csi.pod.tolerations" . }} + {{- template "csi.pod.nodeselector" . }} + {{- template "csi.pod.affinity" . }} + containers: + - name: {{ include "openbao.name" . }}-csi-provider + {{ template "csi.resources" . }} + {{ template "csi.daemonSet.securityContext.container" . 
}} + image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" + imagePullPolicy: {{ .Values.csi.image.pullPolicy }} + args: + - --endpoint=/provider/vault.sock + - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.hmacSecretName }} + - --hmac-secret-name={{ .Values.csi.hmacSecretName }} + {{- else }} + - --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key + {{- end }} + {{- if .Values.csi.extraArgs }} + {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- end }} + env: + - name: VAULT_ADDR + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + value: "unix:///var/run/vault/agent.sock" + {{- else if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else }} + value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} + {{- end }} + volumeMounts: + - name: providervol + mountPath: "/provider" + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-unix-socket + mountPath: /var/run/vault + {{- end }} + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12}} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} + successThreshold: {{ 
.Values.csi.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: {{ include "openbao.name" . }}-agent + image: "{{ .Values.csi.agent.image.registry | default "docker.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" + imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} + {{ template "csi.agent.resources" . }} + command: + - bao + args: + - agent + - -config=/etc/vault/config.hcl + {{- if .Values.csi.agent.extraArgs }} + {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }} + {{- end }} + ports: + - containerPort: 8200 + env: + - name: BAO_LOG_LEVEL + value: "{{ .Values.csi.agent.logLevel }}" + - name: BAO_LOG_FORMAT + value: "{{ .Values.csi.agent.logFormat }}" + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 100 + runAsGroup: 1000 + volumeMounts: + - name: agent-config + mountPath: /etc/vault/config.hcl + subPath: config.hcl + readOnly: true + - name: agent-unix-socket + mountPath: /var/run/vault + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12 }} + {{- end }} + {{- end }} + volumes: + - name: providervol + hostPath: + path: {{ .Values.csi.daemonSet.providersDir }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-config + configMap: + name: {{ template "openbao.fullname" . }}-csi-provider-agent-config + - name: agent-unix-socket + emptyDir: + medium: Memory + {{- end }} + {{- if .Values.csi.volumes }} + {{- toYaml .Values.csi.volumes | nindent 8}} + {{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} +{{- end }} diff --git a/charts/openbao/templates/csi-role.yaml b/charts/openbao/templates/csi-role.yaml new file mode 100644 index 0000000..a7554a6 --- /dev/null +++ b/charts/openbao/templates/csi-role.yaml 
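Review bot: The agent sidecar declares `ports: - containerPort: 8200`, but the ConfigMap it loads (`csi-agent-configmap.yaml`) configures only a unix listener, so that port is never opened; the declaration is harmless but misleading for anyone writing NetworkPolicies and should be dropped or commented. The sidecar's `securityContext` hard-codes `runAsUser: 100` and `runAsGroup: 1000` while the provider container takes its context from `csi.daemonSet.securityContext.container`, so the agent's UID/GID cannot be aligned with a custom image or a restricted namespace without editing the template — exposing it as a `csi.agent.securityContext` value with these as defaults would keep the two containers configurable the same way. `.Values.csi.volumeMounts` is also applied to both containers, which is presumably intended but worth a comment, since a mount meant for the provider is then also visible to the agent.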
@@ -0,0 +1,32 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "openbao.fullname" . }}-csi-provider-role + namespace: {{ include "openbao.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + resourceNames: + {{- if .Values.csi.hmacSecretName }} + - {{ .Values.csi.hmacSecretName }} + {{- else }} + - {{ include "openbao.name" . }}-csi-provider-hmac-key + {{- end }} +# 'create' permissions cannot be restricted by resource name: +# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +{{- end }} diff --git a/charts/openbao/templates/csi-rolebinding.yaml b/charts/openbao/templates/csi-rolebinding.yaml new file mode 100644 index 0000000..c46096e --- /dev/null +++ b/charts/openbao/templates/csi-rolebinding.yaml 
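Review bot: The Role grants `create` on every Secret in the release namespace even when `csi.hmacSecretName` points at a pre-provisioned Secret, in which case the provider only needs the name-scoped `get` (assuming it creates the key only when it is absent). Wrapping the second rule in `{{- if not .Values.csi.hmacSecretName }}` … `{{- end }}` removes the namespace-wide create right for operators who supply the key themselves, and the existing comment about `create` not being name-restrictable can then explain why the rule is conditional. For the default case, Secret creations by the `-csi-provider` ServiceAccount are a reasonable thing to alert on, since the provider is expected to create exactly one.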
@@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding + namespace: {{ include "openbao.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "openbao.fullname" . }}-csi-provider-role +subjects: +- kind: ServiceAccount + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} +{{- end }} diff --git a/templates/csi-serviceaccount.yaml b/charts/openbao/templates/csi-serviceaccount.yaml similarity index 57% rename from templates/csi-serviceaccount.yaml rename to charts/openbao/templates/csi-serviceaccount.yaml index 8d6fa53..2f5d346 100644 --- a/templates/csi-serviceaccount.yaml +++ b/charts/openbao/templates/csi-serviceaccount.yaml @@ -1,12 +1,17 @@ -{{- template "vault.csiEnabled" . -}} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- if .Values.csi.serviceAccount.extraLabels -}} 
diff --git a/templates/injector-certs-secret.yaml b/charts/openbao/templates/injector-certs-secret.yaml similarity index 52% rename from templates/injector-certs-secret.yaml rename to charts/openbao/templates/injector-certs-secret.yaml index e88685b..b5de48b 100644 --- a/templates/injector-certs-secret.yaml +++ b/charts/openbao/templates/injector-certs-secret.yaml @@ -1,14 +1,19 @@ -{{- template "vault.injectorEnabled" . -}} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: v1 kind: Secret metadata: - name: vault-injector-certs - namespace: {{ .Release.Namespace }} + name: openbao-injector-certs + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/openbao/templates/injector-clusterrole.yaml b/charts/openbao/templates/injector-clusterrole.yaml new file mode 100644 index 0000000..10ea35c --- /dev/null +++ b/charts/openbao/templates/injector-clusterrole.yaml 
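Review bot: The leader-elector certificate Secret keeps a fixed `name: openbao-injector-certs` rather than the `{{ template "openbao.fullname" . }}-…` pattern every other object in this commit uses, so two injector releases in one namespace would contend for the same Secret and the second install would fail on Helm ownership. The old file had the same fixed name, so the injector binary may well look the Secret up by that literal; if so, a comment such as `# fixed name: the injector's leader elector reads this Secret by name` would stop the next reviewer from "fixing" it.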
@@ -0,0 +1,30 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole + labels: + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: + - "get" + - "list" + - "watch" + - "patch" +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +- apiGroups: [""] + resources: ["nodes"] + verbs: + - "get" +{{ end }} +{{ end }} diff --git a/charts/openbao/templates/injector-clusterrolebinding.yaml b/charts/openbao/templates/injector-clusterrolebinding.yaml new file mode 100644 index 0000000..353ee8a --- /dev/null +++ b/charts/openbao/templates/injector-clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "openbao.fullname" . }}-agent-injector-binding + labels: + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole +subjects: +- kind: ServiceAccount + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} +{{ end }} 
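Review bot: The new ClusterRole grants `get`, `list`, `watch` and `patch` on every `mutatingwebhookconfigurations` object in the cluster, although the only configuration this chart creates is `{{ template "openbao.fullname" . }}-agent-injector-cfg` (the name used in the mutating-webhook template and in `AGENT_INJECT_TLS_AUTO`). If the injector only needs to write its own configuration, the write verbs can be scoped with `resourceNames` while `list`/`watch` stay unrestricted, since those cannot be name-scoped; whether the injector also touches other configurations is not visible here, so confirm against the injector before narrowing. The `{{ end }}` closers here also differ from the `{{- end }}` form used in the other new templates and will emit stray blank lines.
```yaml
rules:
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs:
    - "list"
    - "watch"
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  resourceNames:
    - {{ template "openbao.fullname" . }}-agent-injector-cfg
  verbs:
    - "get"
    - "patch"
# … unchanged: conditional nodes rule for leader election …
```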
diff --git a/templates/injector-deployment.yaml b/charts/openbao/templates/injector-deployment.yaml similarity index 62% rename from templates/injector-deployment.yaml rename to charts/openbao/templates/injector-deployment.yaml index f060559..64e0de2 100644 --- a/templates/injector-deployment.yaml +++ b/charts/openbao/templates/injector-deployment.yaml @@ -1,13 +1,18 @@ -{{- template "vault.injectorEnabled" . -}} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} # Deployment for the injector apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} component: webhook @@ -15,14 +20,14 @@ spec: replicas: {{ .Values.injector.replicas }} selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{ template "injector.strategy" . }} template: metadata: labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{- if .Values.injector.extraLabels -}} 
@@ -37,7 +42,7 @@ spec: {{- if .Values.injector.priorityClassName }} priorityClassName: {{ .Values.injector.priorityClassName }} {{- end }} - serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + serviceAccountName: "{{ template "openbao.fullname" . }}-agent-injector" {{ template "injector.securityContext.pod" . -}} {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.injector.hostNetwork }} @@ -45,7 +50,7 @@ spec: containers: - name: sidecar-injector {{ template "injector.resources" . }} - image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" + image: "{{ .Values.injector.image.registry | default "docker.io" }}/{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" {{- template "injector.securityContext.container" . }} env: @@ -59,12 +64,12 @@ spec: {{- else if .Values.injector.externalVaultAddr }} value: "{{ .Values.injector.externalVaultAddr }}" {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} {{- end }} - name: AGENT_INJECT_VAULT_AUTH_PATH value: {{ .Values.injector.authPath }} - name: AGENT_INJECT_VAULT_IMAGE - value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" + value: "{{ .Values.injector.image.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" {{- if .Values.injector.certs.secretName }} - name: AGENT_INJECT_TLS_CERT_FILE value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}" 
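Review bot: The `AGENT_INJECT_VAULT_IMAGE` value in the `@@ -59,12` hunk is built from `.Values.injector.image.registry`, the injector's own registry key, while its default (`quay.io`) differs from the injector image's default (`docker.io`); if the two images are meant to be relocated independently, that line should read `.Values.injector.agentImage.registry | default "quay.io"`. As written, pointing `injector.image.registry` at an internal mirror silently redirects the agent image pull as well, and there is no separate knob for the agent registry. values.yaml is not in this chunk, so confirm which key it declares before changing the template.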
@@ -72,9 +77,9 @@ spec: value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" {{- else }} - name: AGENT_INJECT_TLS_AUTO - value: {{ template "vault.fullname" . }}-agent-injector-cfg + value: {{ template "openbao.fullname" . }}-agent-injector-cfg - name: AGENT_INJECT_TLS_AUTO_HOSTS - value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc + value: {{ template "openbao.fullname" . }}-agent-injector-svc,{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }},{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }}.svc {{- end }} - name: AGENT_INJECT_LOG_FORMAT value: {{ .Values.injector.logFormat | default "standard" }} @@ -104,6 +109,14 @@ spec: value: "{{ .Values.injector.agentDefaults.memRequest }}" - name: AGENT_INJECT_MEM_LIMIT value: "{{ .Values.injector.agentDefaults.memLimit }}" + {{- if .Values.injector.agentDefaults.ephemeralRequest }} + - name: AGENT_INJECT_EPHEMERAL_REQUEST + value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}" + {{- end }} + {{- if .Values.injector.agentDefaults.ephemeralLimit }} + - name: AGENT_INJECT_EPHEMERAL_LIMIT + value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}" + {{- end }} - name: AGENT_INJECT_DEFAULT_TEMPLATE value: "{{ .Values.injector.agentDefaults.template }}" - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE @@ -112,7 +125,7 @@ spec: - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" {{- end }} - {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} + {{- include "openbao.extraEnvironmentVars" .Values.injector | nindent 12 }} - name: POD_NAME valueFrom: fieldRef: 
@@ -125,21 +138,31 @@ spec: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 + failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }} readinessProbe: httpGet: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 + failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }} + startupProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }} + successThreshold: {{ .Values.injector.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} {{- if .Values.injector.certs.secretName }} volumeMounts: - name: webhook-certs diff --git a/templates/injector-disruptionbudget.yaml b/charts/openbao/templates/injector-disruptionbudget.yaml similarity index 50% rename from templates/injector-disruptionbudget.yaml rename to charts/openbao/templates/injector-disruptionbudget.yaml index b44fd73..08749bd 100644 
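Review bot: The liveness, readiness and new startup probes now read every timing field from `.Values.injector.livenessProbe`, `.readinessProbe` and `.startupProbe` with no `default`, so the chart renders empty fields such as `failureThreshold:` if a values file omits any of those maps. values.yaml is outside this chunk, so confirm it declares all fifteen keys, or guard each with `| default N` using the literals this hunk removes (2/5/2/1/5) so existing installs keep their previous behaviour.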
--- a/templates/injector-disruptionbudget.yaml +++ b/charts/openbao/templates/injector-disruptionbudget.yaml @@ -1,19 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if .Values.injector.podDisruptionBudget }} -apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} component: webhook spec: selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} diff --git a/templates/injector-mutating-webhook.yaml b/charts/openbao/templates/injector-mutating-webhook.yaml similarity index 78% rename from templates/injector-mutating-webhook.yaml rename to charts/openbao/templates/injector-mutating-webhook.yaml index 3d3fd36..8ffd267 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/charts/openbao/templates/injector-mutating-webhook.yaml 
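Review bot: Replacing the `KubeVersion.Minor` ternary with a fixed `apiVersion: policy/v1` raises the chart's minimum Kubernetes to 1.21 for anyone enabling `injector.podDisruptionBudget`; the server-disruptionbudget hunk makes the same change. That floor belongs in `Chart.yaml` (`kubeVersion`) so `helm install` rejects an old cluster up front instead of failing at apply time; Chart.yaml is not in this chunk, so confirm it is set. The server-ha-active-service hunk still gates `ipFamilyPolicy` on `semverCompare ">= 1.23-0"`, so the chart now mixes the two approaches to version compatibility.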
@@ -1,4 +1,9 @@ -{{- template "vault.injectorEnabled" . -}} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} apiVersion: admissionregistration.k8s.io/v1 @@ -7,9 +12,9 @@ apiVersion: admissionregistration.k8s.io/v1beta1 {{- end }} kind: MutatingWebhookConfiguration metadata: - name: {{ template "vault.fullname" . }}-agent-injector-cfg + name: {{ template "openbao.fullname" . }}-agent-injector-cfg labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- template "injector.webhookAnnotations" . }} @@ -22,8 +27,8 @@ webhooks: admissionReviewVersions: ["v1", "v1beta1"] clientConfig: service: - name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-agent-injector-svc + namespace: {{ include "openbao.namespace" . }} path: "/mutate" caBundle: {{ .Values.injector.certs.caBundle | quote }} rules: diff --git a/templates/injector-network-policy.yaml b/charts/openbao/templates/injector-network-policy.yaml similarity index 59% rename from templates/injector-network-policy.yaml rename to charts/openbao/templates/injector-network-policy.yaml index 68892d2..95df49e 100644 --- a/templates/injector-network-policy.yaml +++ b/charts/openbao/templates/injector-network-policy.yaml 
@@ -1,17 +1,22 @@ -{{- template "vault.injectorEnabled" . -}} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.openshift | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ template "vault.fullname" . }}-agent-injector + name: {{ template "openbao.fullname" . }}-agent-injector labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} spec: podSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook ingress: diff --git a/templates/injector-psp-role.yaml b/charts/openbao/templates/injector-psp-role.yaml similarity index 53% rename from templates/injector-psp-role.yaml rename to charts/openbao/templates/injector-psp-role.yaml index 5d23c75..3f42450 100644 --- a/templates/injector-psp-role.yaml +++ b/charts/openbao/templates/injector-psp-role.yaml 
@@ -1,13 +1,18 @@ -{{- template "vault.injectorEnabled" . -}} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-agent-injector-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: @@ -15,6 +20,6 @@ rules: resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - - {{ template "vault.fullname" . }}-agent-injector + - {{ template "openbao.fullname" . }}-agent-injector {{- end }} {{- end }} diff --git a/charts/openbao/templates/injector-psp-rolebinding.yaml b/charts/openbao/templates/injector-psp-rolebinding.yaml new file mode 100644 index 0000000..62a609c --- /dev/null +++ b/charts/openbao/templates/injector-psp-rolebinding.yaml 
@@ -0,0 +1,26 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "openbao.fullname" . }}-agent-injector-psp + namespace: {{ include "openbao.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "openbao.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + kind: Role + name: {{ template "openbao.fullname" . }}-agent-injector-psp + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ template "openbao.fullname" . }}-agent-injector +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-psp.yaml b/charts/openbao/templates/injector-psp.yaml similarity index 78% rename from templates/injector-psp.yaml rename to charts/openbao/templates/injector-psp.yaml index 1eee2fc..5c1c58f 100644 --- a/templates/injector-psp.yaml +++ b/charts/openbao/templates/injector-psp.yaml @@ -1,15 +1,20 @@ -{{- template "vault.injectorEnabled" . -}} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "vault.fullname" . }}-agent-injector + name: {{ template "openbao.fullname" . }}-agent-injector labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- template "vault.psp.annotations" . }} +{{- template "openbao.psp.annotations" . }} spec: privileged: false # Required to prevent escalations to root. 
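Review bot: The ServiceAccount subject in the new injector-psp RoleBinding has no `namespace:`, unlike every other binding in this change (csi-provider, leader-elector, discovery); RBAC resolves an empty subject namespace to the binding's own namespace, so the grant works today, but adding `namespace: {{ include "openbao.namespace" . }}` under the subject keeps the files consistent and makes the grant explicit. The new file is also missing its trailing newline.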
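Review bot: `policy/v1beta1` PodSecurityPolicy was removed in Kubernetes 1.25, so with `global.psp.enable: true` this template and the psp Role/RoleBinding in the neighbouring hunks will fail to apply on current clusters, while the disruption-budget hunks in this same change drop pre-1.21 support; the window in which the PSP objects are usable is now narrow. A comment at the top of this file stating that the PSP objects require Kubernetes older than 1.25, or a `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` guard alongside the existing `global.psp.enable` check, would make that explicit to operators.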
diff --git a/templates/injector-role.yaml b/charts/openbao/templates/injector-role.yaml similarity index 65% rename from templates/injector-role.yaml rename to charts/openbao/templates/injector-role.yaml index 08c8264..2e29aa7 100644 --- a/templates/injector-role.yaml +++ b/charts/openbao/templates/injector-role.yaml @@ -1,13 +1,18 @@ -{{- template "vault.injectorEnabled" . -}} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: diff --git a/charts/openbao/templates/injector-rolebinding.yaml b/charts/openbao/templates/injector-rolebinding.yaml new file mode 100644 index 0000000..8e460c4 --- /dev/null +++ b/charts/openbao/templates/injector-rolebinding.yaml 
@@ -0,0 +1,27 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ include "openbao.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role +subjects: + - kind: ServiceAccount + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-service.yaml b/charts/openbao/templates/injector-service.yaml similarity index 52% rename from templates/injector-service.yaml rename to charts/openbao/templates/injector-service.yaml index 5e747d6..1a7467c 100644 --- a/templates/injector-service.yaml +++ b/charts/openbao/templates/injector-service.yaml 
@@ -1,12 +1,17 @@ -{{- template "vault.injectorEnabled" . -}} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-agent-injector-svc + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{ template "injector.service.annotations" . }} @@ -16,7 +21,7 @@ spec: port: 443 targetPort: {{ .Values.injector.port }} selector: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{- end }} diff --git a/charts/openbao/templates/injector-serviceaccount.yaml b/charts/openbao/templates/injector-serviceaccount.yaml new file mode 100644 index 0000000..a411788 --- /dev/null +++ b/charts/openbao/templates/injector-serviceaccount.yaml @@ -0,0 +1,18 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "openbao.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "injector.serviceAccount.annotations" . }} +{{ end }} 
diff --git a/templates/prometheus-prometheusrules.yaml b/charts/openbao/templates/prometheus-prometheusrules.yaml similarity index 73% rename from templates/prometheus-prometheusrules.yaml rename to charts/openbao/templates/prometheus-prometheusrules.yaml index 572f1a0..f3d30b1 100644 --- a/templates/prometheus-prometheusrules.yaml +++ b/charts/openbao/templates/prometheus-prometheusrules.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ if and (.Values.serverTelemetry.prometheusRules.rules) (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) ) }} @@ -5,10 +10,10 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} @@ -20,7 +25,7 @@ metadata: {{- end }} spec: groups: - - name: {{ include "vault.fullname" . }} + - name: {{ include "openbao.fullname" . }} rules: {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }} {{- end }} diff --git a/templates/prometheus-servicemonitor.yaml b/charts/openbao/templates/prometheus-servicemonitor.yaml similarity index 67% rename from templates/prometheus-servicemonitor.yaml rename to charts/openbao/templates/prometheus-servicemonitor.yaml index 323e51f..c5a8ff5 100644 --- a/templates/prometheus-servicemonitor.yaml +++ b/charts/openbao/templates/prometheus-servicemonitor.yaml 
@@ -1,13 +1,18 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} @@ -20,18 +25,18 @@ metadata: spec: selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- if eq .mode "ha" }} - vault-active: "true" + openbao-active: "true" {{- else }} - vault-internal: "true" + openbao-internal: "true" {{- end }} endpoints: - - port: {{ include "vault.scheme" . }} + - port: {{ include "openbao.scheme" . }} interval: {{ .Values.serverTelemetry.serviceMonitor.interval }} scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }} - scheme: {{ include "vault.scheme" . | lower }} + scheme: {{ include "openbao.scheme" . | lower }} path: /v1/sys/metrics params: format: @@ -40,5 +45,5 @@ spec: insecureSkipVerify: true namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "openbao.namespace" . }} {{ end }} 
diff --git a/templates/server-clusterrolebinding.yaml b/charts/openbao/templates/server-clusterrolebinding.yaml similarity index 55% rename from templates/server-clusterrolebinding.yaml rename to charts/openbao/templates/server-clusterrolebinding.yaml index 8cdd611..0f851ec 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/charts/openbao/templates/server-clusterrolebinding.yaml @@ -1,4 +1,9 @@ -{{ template "vault.serverAuthDelegator" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.serverAuthDelegator" . }} {{- if .serverAuthDelegator -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 @@ -7,10 +12,10 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 {{- end }} kind: ClusterRoleBinding metadata: - name: {{ template "vault.fullname" . }}-server-binding + name: {{ template "openbao.fullname" . }}-server-binding labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: @@ -19,6 +24,6 @@ roleRef: name: system:auth-delegator subjects: - kind: ServiceAccount - name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} -{{ end }} \ No newline at end of file + name: {{ template "openbao.serviceAccount.name" . }} + namespace: {{ include "openbao.namespace" . }} +{{ end }} diff --git a/charts/openbao/templates/server-config-configmap.yaml b/charts/openbao/templates/server-config-configmap.yaml new file mode 100644 index 0000000..585ae7a --- /dev/null +++ b/charts/openbao/templates/server-config-configmap.yaml 
@@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} +{{- if ne .mode "external" }} +{{- if .serverEnabled -}} +{{- if ne .mode "dev" -}} +{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "openbao.fullname" . }}-config + namespace: {{ include "openbao.namespace" . }} + labels: + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.server.includeConfigAnnotation }} + annotations: + vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }} +{{- end }} +data: + extraconfig-from-values.hcl: |- + {{ template "openbao.config" . }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/templates/server-discovery-role.yaml b/charts/openbao/templates/server-discovery-role.yaml similarity index 58% rename from templates/server-discovery-role.yaml rename to charts/openbao/templates/server-discovery-role.yaml index 4dba09d..082ff99 100644 --- a/templates/server-discovery-role.yaml +++ b/charts/openbao/templates/server-discovery-role.yaml 
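Review bot: The checksum annotation in the new ConfigMap keeps the `vault.hashicorp.com/config-checksum` key while every other identifier in this change is renamed to `openbao`; if nothing outside the chart reads that key it should be moved to a project-owned prefix in the same pass, and if something does read it, a comment saying so would stop the next rename from breaking it. Separately, `extraconfig-from-values.hcl: |-` is followed by `{{ template "openbao.config" . }}` at a fixed four-space indent; if that helper emits multi-line output without indenting it itself, only the first line lands inside the block scalar, so confirm the helper handles indentation (the helper is not in this chunk).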
@@ -1,15 +1,20 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - namespace: {{ .Release.Namespace }} - name: {{ template "vault.fullname" . }}-discovery-role + namespace: {{ include "openbao.namespace" . }} + name: {{ template "openbao.fullname" . }}-discovery-role labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: diff --git a/templates/server-discovery-rolebinding.yaml b/charts/openbao/templates/server-discovery-rolebinding.yaml similarity index 54% rename from templates/server-discovery-rolebinding.yaml rename to charts/openbao/templates/server-discovery-rolebinding.yaml index 280ec6c..5d3f95e 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/charts/openbao/templates/server-discovery-rolebinding.yaml @@ -1,4 +1,9 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} 
@@ -9,21 +14,21 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 {{- end }} kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-discovery-rolebinding - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-discovery-rolebinding + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "vault.fullname" . }}-discovery-role + name: {{ template "openbao.fullname" . }}-discovery-role subjects: - kind: ServiceAccount - name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.serviceAccount.name" . }} + namespace: {{ include "openbao.namespace" . }} {{ end }} {{ end }} {{ end }} diff --git a/templates/server-disruptionbudget.yaml b/charts/openbao/templates/server-disruptionbudget.yaml similarity index 55% rename from templates/server-disruptionbudget.yaml rename to charts/openbao/templates/server-disruptionbudget.yaml index d940fa4..7e6660a 100644 --- a/templates/server-disruptionbudget.yaml +++ b/charts/openbao/templates/server-disruptionbudget.yaml 
@@ -1,24 +1,29 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if ne .mode "external" -}} {{- if .serverEnabled -}} {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. -apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} spec: - maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }} + maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }} selector: matchLabels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} component: server {{- end -}} diff --git a/templates/server-ha-active-service.yaml b/charts/openbao/templates/server-ha-active-service.yaml similarity index 56% rename from templates/server-ha-active-service.yaml rename to charts/openbao/templates/server-ha-active-service.yaml index 7def2a0..334ac30 100644 --- a/templates/server-ha-active-service.yaml +++ b/charts/openbao/templates/server-ha-active-service.yaml 
@@ -1,34 +1,48 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.service.active.enabled | toString) "true" }} -# Service for active Vault pod +# Service for active OpenBao pod apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-active - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-active + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - vault-active: "true" + openbao-active: "true" annotations: -{{ template "vault.service.annotations" .}} +{{- template "openbao.service.active.annotations" . }} +{{- template "openbao.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . 
}} + - name: {{ include "openbao.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} @@ -38,12 +52,12 @@ spec: port: 8201 targetPort: 8201 selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} component: server - vault-active: "true" + openbao-active: "true" {{- end }} {{- end }} {{- end }} diff --git a/templates/server-ha-standby-service.yaml b/charts/openbao/templates/server-ha-standby-service.yaml similarity index 56% rename from templates/server-ha-standby-service.yaml rename to charts/openbao/templates/server-ha-standby-service.yaml index 50fca4b..9b1ad4d 100644 --- a/templates/server-ha-standby-service.yaml +++ b/charts/openbao/templates/server-ha-standby-service.yaml 
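Review bot: The eight-line `ipFamilyPolicy`/`ipFamilies` block added under `spec:` in this hunk is pasted verbatim into server-ha-standby-service.yaml, server-headless-service.yaml and server-service.yaml, and again with `ui`-prefixed keys in ui-service.yaml; a named helper that takes the service values map would keep the `semverCompare ">= 1.23-0"` gate and the `nindent 2` in one place. Separately, the annotation lines here switch to left-trimmed `{{- template "openbao.service.active.annotations" . }}` / `{{- template "openbao.service.annotations" . }}`, while server-service.yaml and the new headless service keep the untrimmed `{{ template "openbao.service.annotations" .}}`; the rendered output presumably depends on whether each helper emits its own leading newline, so confirm the three services render identically when no annotations are configured. The standby service hunk has both of the same points.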
@@ -1,33 +1,47 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.service.standby.enabled | toString) "true" }} -# Service for standby Vault pod +# Service for standby OpenBao pod apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-standby - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-standby + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{ template "vault.service.annotations" .}} +{{- template "openbao.service.standby.annotations" . }} +{{- template "openbao.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . }} + - name: {{ include "openbao.scheme" . 
}} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} @@ -37,12 +51,12 @@ spec: port: 8201 targetPort: 8201 selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} component: server - vault-active: "false" + openbao-active: "false" {{- end }} {{- end }} {{- end }} diff --git a/charts/openbao/templates/server-headless-service.yaml b/charts/openbao/templates/server-headless-service.yaml new file mode 100644 index 0000000..0498eb1 --- /dev/null +++ b/charts/openbao/templates/server-headless-service.yaml 
@@ -0,0 +1,47 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+# Service for OpenBao cluster
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "openbao.fullname" . }}-internal
+ namespace: {{ include "openbao.namespace" . }}
+ labels:
+ helm.sh/chart: {{ include "openbao.chart" . }}
+ app.kubernetes.io/name: {{ include "openbao.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ openbao-internal: "true"
+ annotations:
+{{ template "openbao.service.annotations" .}}
+spec:
+ {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+ {{- if .Values.server.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.server.service.ipFamilies }}
+ ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ {{- end }}
+ clusterIP: None
+ publishNotReadyAddresses: true
+ ports:
+ - name: "{{ include "openbao.scheme" . }}"
+ port: {{ .Values.server.service.port }}
+ targetPort: {{ .Values.server.service.targetPort }}
+ - name: https-internal
+ port: 8201
+ targetPort: 8201
+ selector:
+ app.kubernetes.io/name: {{ include "openbao.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ component: server
+{{- end }}
+{{- end }}
diff --git a/templates/server-ingress.yaml b/charts/openbao/templates/server-ingress.yaml
similarity index 65%
rename from templates/server-ingress.yaml
rename to charts/openbao/templates/server-ingress.yaml
index c81e5f5..99d4063 100644
--- a/templates/server-ingress.yaml
+++ b/charts/openbao/templates/server-ingress.yaml
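Review bot: The first port is written `- name: "{{ include "openbao.scheme" . }}"` while every other service in this change and the container port in server-statefulset.yaml use the unquoted `{{ include "openbao.scheme" . }}`; the value is `http`/`https` either way, so the quoting is harmless but inconsistent. `clusterIP: None` and `publishNotReadyAddresses: true` are hard-coded here rather than value-driven as in server-service.yaml, which is presumably deliberate given that server-statefulset.yaml names this Service as its `serviceName` and derives `BAO_CLUSTER_ADDR` from it; a comment such as `# headless governing Service for the StatefulSet; not-ready peers stay resolvable because this DNS is used for join operations` would record that so nobody makes it configurable later.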
@@ -1,10 +1,15 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if not .Values.global.openshift }} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} -{{- $serviceName := include "vault.fullname" . -}} -{{- template "vault.serverServiceEnabled" . -}} +{{- $serviceName := include "openbao.fullname" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} @@ -12,26 +17,20 @@ {{- $servicePort := .Values.server.service.port -}} {{- $pathType := .Values.server.ingress.pathType -}} {{- $kubeVersion := .Capabilities.KubeVersion.Version }} -{{ if semverCompare ">= 1.19.0-0" $kubeVersion }} apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end }} kind: Ingress metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- with .Values.server.ingress.labels }} {{- toYaml . | nindent 4 }} {{- end }} - {{- template "vault.ingress.annotations" . }} + {{- template "openbao.ingress.annotations" . }} spec: {{- if .Values.server.ingress.tls }} tls: 
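Review bot: `{{- $kubeVersion := .Capabilities.KubeVersion.Version }}` is kept as context in the second hunk, but its only readers, the `semverCompare ">= 1.19.0-0" $kubeVersion` guards, are removed here and in the `@@ -56,22 +55,15 @@` hunk that follows; Go templates do not flag unused variables, so the assignment now silently does nothing and should be dropped with the guards. With `apiVersion: networking.k8s.io/v1` unconditional the chart's minimum Kubernetes version is at least 1.19, which the chart's `kubeVersion` constraint (not in this diff) should state if it does not already.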
@@ -56,22 +55,15 @@ spec: {{- end }} {{- range (.paths | default (list "/")) }} - path: {{ . }} - {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} pathType: {{ $pathType }} - {{ end }} backend: - {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} service: name: {{ $serviceName }} port: number: {{ $servicePort }} - {{ else }} - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{ end }} {{- end }} {{- end }} {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-network-policy.yaml b/charts/openbao/templates/server-network-policy.yaml similarity index 57% rename from templates/server-network-policy.yaml rename to charts/openbao/templates/server-network-policy.yaml index 5f4c21a..0891a50 100644 --- a/templates/server-network-policy.yaml +++ b/charts/openbao/templates/server-network-policy.yaml @@ -1,24 +1,22 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} spec: podSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - ingress: - - from: - - namespaceSelector: {} - ports: - - port: 8200 - protocol: TCP - - port: 8201 - protocol: TCP + ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }} {{- if .Values.server.networkPolicy.egress }} egress: {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }} 
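Review bot: In the server-network-policy.yaml hunk, `ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}` renders unconditionally, so when the value is unset it emits `ingress:` followed by `null`; a NetworkPolicy that selects the server pods with an empty ingress list denies all inbound traffic to them, including the 8201 peer port that the replaced hard-coded rules allowed, and the symptom is pods unable to reach each other rather than a render error. Making the rules configurable is a least-privilege improvement over the old `namespaceSelector: {}` allow-from-any-namespace rule, but the values.yaml default (not in this hunk) needs to reproduce the old 8200/8201 rules, and a comment such as `# an empty ingress list denies all inbound traffic to the server pods, including peer traffic on 8201` would make the failure mode visible to anyone editing values. Note also that `ingress` is emitted unconditionally while `egress` is wrapped in `{{- if .Values.server.networkPolicy.egress }}`; the asymmetry is worth a comment if intentional.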
diff --git a/templates/server-psp-role.yaml b/charts/openbao/templates/server-psp-role.yaml similarity index 57% rename from templates/server-psp-role.yaml rename to charts/openbao/templates/server-psp-role.yaml index b8eb897..bfb7161 100644 --- a/templates/server-psp-role.yaml +++ b/charts/openbao/templates/server-psp-role.yaml @@ -1,13 +1,18 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-psp - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: @@ -15,6 +20,6 @@ rules: resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - - {{ template "vault.fullname" . }} + - {{ template "openbao.fullname" . }} {{- end }} {{- end }} diff --git a/templates/server-psp-rolebinding.yaml b/charts/openbao/templates/server-psp-rolebinding.yaml similarity index 53% rename from templates/server-psp-rolebinding.yaml rename to charts/openbao/templates/server-psp-rolebinding.yaml index fded9fb..7f8bb97 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/charts/openbao/templates/server-psp-rolebinding.yaml 
@@ -1,21 +1,26 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-psp - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: kind: Role - name: {{ template "vault.fullname" . }}-psp + name: {{ template "openbao.fullname" . }}-psp apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} {{- end }} {{- end }} diff --git a/templates/server-psp.yaml b/charts/openbao/templates/server-psp.yaml similarity index 81% rename from templates/server-psp.yaml rename to charts/openbao/templates/server-psp.yaml index d210af3..d7c396a 100644 --- a/templates/server-psp.yaml +++ b/charts/openbao/templates/server-psp.yaml 
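Review bot: The RoleBinding subject is `name: {{ template "openbao.fullname" . }}`, whereas the pod runs as `serviceAccountName: {{ template "openbao.serviceAccount.name" . }}` in server-statefulset.yaml and the discovery RoleBinding in this same change binds `openbao.serviceAccount.name`; if `server.serviceAccount.name` is overridden the PSP `use` grant lands on a ServiceAccount that does not exist and pods would be refused by PSP admission. The commit only renames the helper; `name: {{ template "openbao.serviceAccount.name" . }}` would align it with the other bindings. The subject also omits `namespace:`, which works for a Role-scoped binding in the same namespace but differs from the discovery binding that sets `namespace: {{ include "openbao.namespace" . }}`.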
@@ -1,15 +1,20 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- template "vault.psp.annotations" . }} +{{- template "openbao.psp.annotations" . }} spec: privileged: false # Required to prevent escalations to root. diff --git a/templates/server-route.yaml b/charts/openbao/templates/server-route.yaml similarity index 67% rename from templates/server-route.yaml rename to charts/openbao/templates/server-route.yaml index e122d93..4c350d7 100644 --- a/templates/server-route.yaml +++ b/charts/openbao/templates/server-route.yaml 
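Review bot: `apiVersion: policy/v1beta1` with `kind: PodSecurityPolicy` is kept while the rest of this change removes every other pre-1.22 API fallback (`policy/v1` for the PDB, `networking.k8s.io/v1` for the Ingress, `>= 1.23-0` gating for dual-stack fields); PodSecurityPolicy was removed from Kubernetes in 1.25, so with `global.psp.enable` set the chart cannot install on clusters the other templates now assume. Either gate the three PSP templates on `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` or mark `global.psp` deprecated in values.yaml and point users at Pod Security Admission; at minimum a comment on the `apiVersion` line noting the 1.25 removal would help. The `spec:` body continues outside the hunk.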
@@ -1,24 +1,29 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if .Values.global.openshift }} {{- if ne .mode "external" }} {{- if .Values.server.route.enabled -}} -{{- $serviceName := include "vault.fullname" . -}} +{{- $serviceName := include "openbao.fullname" . -}} {{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} kind: Route apiVersion: route.openshift.io/v1 metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- with .Values.server.route.labels }} {{- toYaml . | nindent 4 }} {{- end }} - {{- template "vault.route.annotations" . }} + {{- template "openbao.route.annotations" . }} spec: host: {{ .Values.server.route.host }} to: diff --git a/templates/server-service.yaml b/charts/openbao/templates/server-service.yaml similarity index 59% rename from templates/server-service.yaml rename to charts/openbao/templates/server-service.yaml index 913b569..73e5b06 100644 --- a/templates/server-service.yaml +++ b/charts/openbao/templates/server-service.yaml 
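Review bot: `{{- if ne .mode "external" }}` reads `.mode`, but this template, unlike every other one in the change, does not call `{{ template "openbao.mode" . }}` first; it presumably works only because `ne` treats an unset value as unequal, or because another template happened to set `.mode` on the shared root context earlier, so a Route could be rendered even when the mode is `external`. Adding `{{ template "openbao.mode" . }}` after the license header and before `{{- if .Values.global.openshift }}` matches the other templates. The Route spec continues outside the hunk.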
@@ -1,24 +1,37 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} -# Service for Vault cluster +# Service for OpenBao cluster apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{ template "vault.service.annotations" .}} +{{ template "openbao.service.annotations" .}} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} 
@@ -27,7 +40,7 @@ spec: # since this DNS is also used for join operations. publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . }} + - name: {{ include "openbao.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} @@ -37,7 +50,7 @@ spec: port: 8201 targetPort: 8201 selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} diff --git a/charts/openbao/templates/server-serviceaccount-secret.yaml b/charts/openbao/templates/server-serviceaccount-secret.yaml new file mode 100644 index 0000000..e9ab357 --- /dev/null +++ b/charts/openbao/templates/server-serviceaccount-secret.yaml @@ -0,0 +1,21 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.serverServiceAccountSecretCreationEnabled" . }} +{{- if .serverServiceAccountSecretCreationEnabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "openbao.serviceAccount.name" . }}-token + namespace: {{ include "openbao.namespace" . }} + annotations: + kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }} + labels: + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: kubernetes.io/service-account-token +{{ end }} diff --git a/charts/openbao/templates/server-serviceaccount.yaml b/charts/openbao/templates/server-serviceaccount.yaml new file mode 100644 index 0000000..aa61520 --- /dev/null +++ b/charts/openbao/templates/server-serviceaccount.yaml 
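Review bot: In the new server-serviceaccount-secret.yaml, the Secret of `type: kubernetes.io/service-account-token` asks the controller manager to mint a legacy, non-expiring, non-audience-bound token for the server ServiceAccount, readable by anyone who can `get` secrets in the namespace; since Kubernetes 1.24 the kubelet mounts short-lived projected tokens instead, so this Secret only serves consumers that fetch the token out of band. The gate `openbao.serverServiceAccountSecretCreationEnabled` is defined outside this hunk, so its default is not visible; a header comment such as `# Long-lived token Secret for out-of-band consumers of the server ServiceAccount; leave disabled unless something reads the token from this Secret` would record the intent and the trade-off. The file ends with `{{ end }}` rather than the `{{- end }}` used by the sibling templates, which will leave a trailing blank line in the rendered output.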
@@ -0,0 +1,22 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.serverServiceAccountEnabled" . }}
+{{- if .serverServiceAccountEnabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "openbao.serviceAccount.name" . }}
+ namespace: {{ include "openbao.namespace" . }}
+ labels:
+ helm.sh/chart: {{ include "openbao.chart" . }}
+ app.kubernetes.io/name: {{ include "openbao.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- if .Values.server.serviceAccount.extraLabels -}}
+ {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
+ {{- end -}}
+ {{ template "openbao.serviceAccount.annotations" . }}
+{{ end }}
diff --git a/templates/server-statefulset.yaml b/charts/openbao/templates/server-statefulset.yaml
similarity index 62%
rename from templates/server-statefulset.yaml
rename to charts/openbao/templates/server-statefulset.yaml
index a4ec05a..c4f0840 100644
--- a/templates/server-statefulset.yaml
+++ b/charts/openbao/templates/server-statefulset.yaml
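Review bot: The `extraLabels` block right-trims every action (`-}}` on the `if`, on `toYaml … | nindent 4`, and on `end`), so the newline and indent that precede `{{ template "openbao.serviceAccount.annotations" . }}` are chomped and the helper's output is appended straight after the `app.kubernetes.io/managed-by` line; this presumably relies on the helper emitting its own leading newline, the same way the `extraLabels`/`openbao.annotations` pair in server-statefulset.yaml does. If that is the contract, a one-line comment where the helper is defined would keep it from being broken by a later edit. `automountServiceAccountToken` is not set, so the API default of mounting the token into every pod using this account applies; that is the behaviour the statefulset needs, but stating it with an explicit `automountServiceAccountToken: true` (or a value) documents it.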
@@ -1,50 +1,58 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if ne .mode "" }} {{- if .serverEnabled -}} -# StatefulSet to run the actual vault server cluster. +# StatefulSet to run the actual openbao server cluster. apiVersion: apps/v1 kind: StatefulSet metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- template "vault.statefulSet.annotations" . }} + {{- template "openbao.statefulSet.annotations" . }} spec: - serviceName: {{ template "vault.fullname" . }}-internal + serviceName: {{ template "openbao.fullname" . }}-internal podManagementPolicy: Parallel - replicas: {{ template "vault.replicas" . }} + replicas: {{ template "openbao.replicas" . }} updateStrategy: type: {{ .Values.server.updateStrategyType }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} component: server template: metadata: labels: - helm.sh/chart: {{ template "vault.chart" . }} - app.kubernetes.io/name: {{ template "vault.name" . }} + helm.sh/chart: {{ template "openbao.chart" . }} + app.kubernetes.io/name: {{ template "openbao.name" . 
}} app.kubernetes.io/instance: {{ .Release.Name }} component: server {{- if .Values.server.extraLabels -}} {{- toYaml .Values.server.extraLabels | nindent 8 -}} {{- end -}} - {{ template "vault.annotations" . }} + {{ template "openbao.annotations" . }} spec: - {{ template "vault.affinity" . }} - {{ template "vault.topologySpreadConstraints" . }} - {{ template "vault.tolerations" . }} - {{ template "vault.nodeselector" . }} + {{ template "openbao.affinity" . }} + {{ template "openbao.topologySpreadConstraints" . }} + {{ template "openbao.tolerations" . }} + {{ template "openbao.nodeselector" . }} {{- if .Values.server.priorityClassName }} priorityClassName: {{ .Values.server.priorityClassName }} {{- end }} terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} - serviceAccountName: {{ template "vault.serviceAccount.name" . }} + serviceAccountName: {{ template "openbao.serviceAccount.name" . }} {{ if .Values.server.shareProcessNamespace }} shareProcessNamespace: true {{ end }} 
@@ -53,22 +61,26 @@ spec: hostNetwork: {{ .Values.server.hostNetwork }} {{- end }} volumes: - {{ template "vault.volumes" . }} + {{ template "openbao.volumes" . }} - name: home emptyDir: {} + {{- if .Values.server.hostAliases }} + hostAliases: + {{ toYaml .Values.server.hostAliases | nindent 8}} + {{- end }} {{- if .Values.server.extraInitContainers }} initContainers: {{ toYaml .Values.server.extraInitContainers | nindent 8}} {{- end }} containers: - - name: vault - {{ template "vault.resources" . }} - image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + - name: openbao + {{ template "openbao.resources" . }} + image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} imagePullPolicy: {{ .Values.server.image.pullPolicy }} command: - "/bin/sh" - "-ec" - args: {{ template "vault.args" . }} + args: {{ template "openbao.args" . }} {{- template "server.statefulSet.securityContext.container" . }} env: - name: HOST_IP @@ -79,21 +91,21 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME + - name: BAO_K8S_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE + - name: BAO_K8S_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "{{ include "vault.scheme" . }}://127.0.0.1:8200" - - name: VAULT_API_ADDR + - name: BAO_ADDR + value: "{{ include "openbao.scheme" . }}://127.0.0.1:8200" + - name: BAO_API_ADDR {{- if .Values.server.ha.apiAddr }} value: {{ .Values.server.ha.apiAddr }} {{- else }} - value: "{{ include "vault.scheme" . }}://$(POD_IP):8200" + value: "{{ include "openbao.scheme" . }}://$(POD_IP):8200" {{- end }} - name: SKIP_CHOWN value: "true" 
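Review bot: `BAO_API_ADDR` renders `value: {{ .Values.server.ha.apiAddr }}` unquoted, while its sibling `BAO_CLUSTER_ADDR` in the next hunk uses `{{ .Values.server.ha.clusterAddr | quote }}`; a value containing `: ` or starting with a YAML indicator would break only the first, so `value: {{ .Values.server.ha.apiAddr | quote }}` keeps the two consistent. In the preceding hunk the new `image:` line adds `registry | default "docker.io"`, which is a useful explicit default, but `tag | default "latest"` still lets the server image float; a value for a digest (for example a `server.image.digest` key rendered as `@sha256:…` when set) would let deployments pin it, and the same pattern applies to the test pod image in tests/server-test.yaml.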
@@ -103,61 +115,60 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR + - name: BAO_CLUSTER_ADDR {{- if .Values.server.ha.clusterAddr }} value: {{ .Values.server.ha.clusterAddr | quote }} {{- else }} - value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + value: "https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201" {{- end }} {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} - - name: VAULT_RAFT_NODE_ID + - name: BAO_RAFT_NODE_ID valueFrom: fieldRef: fieldPath: metadata.name {{- end }} - name: HOME - value: "/home/vault" + value: "/home/openbao" {{- if .Values.server.logLevel }} - - name: VAULT_LOG_LEVEL + - name: BAO_LOG_LEVEL value: "{{ .Values.server.logLevel }}" {{- end }} {{- if .Values.server.logFormat }} - - name: VAULT_LOG_FORMAT + - name: BAO_LOG_FORMAT value: "{{ .Values.server.logFormat }}" {{- end }} - {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} - - name: VAULT_LICENSE_PATH - value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }} - {{- end }} - {{ template "vault.envs" . }} - {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} - {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} + {{ template "openbao.envs" . }} + {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }} + {{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }} volumeMounts: - {{ template "vault.mounts" . }} + {{ template "openbao.mounts" . }} - name: home - mountPath: /home/vault + mountPath: /home/openbao ports: - containerPort: 8200 - name: {{ include "vault.scheme" . }} + name: {{ include "openbao.scheme" . }} - containerPort: 8201 name: https-internal - containerPort: 8202 - name: {{ include "vault.scheme" . }}-rep + name: {{ include "openbao.scheme" . 
}}-rep + {{- if .Values.server.extraPorts -}} + {{ toYaml .Values.server.extraPorts | nindent 12}} + {{- end }} {{- if .Values.server.readinessProbe.enabled }} readinessProbe: {{- if .Values.server.readinessProbe.path }} httpGet: path: {{ .Values.server.readinessProbe.path | quote }} - port: 8200 - scheme: {{ include "vault.scheme" . | upper }} + port: {{ .Values.server.readinessProbe.port }} + scheme: {{ include "openbao.scheme" . | upper }} {{- else }} - # Check status; unsealed vault servers return 0 + # Check status; unsealed openbao servers return 0 # The exit code reflects the seal status: # 0 - unsealed # 1 - error # 2 - sealed exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] + command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"] {{- end }} failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }} @@ -167,10 +178,18 @@ spec: {{- end }} {{- if .Values.server.livenessProbe.enabled }} livenessProbe: + {{- if .Values.server.livenessProbe.execCommand }} + exec: + command: + {{- range (.Values.server.livenessProbe.execCommand) }} + - {{ . | quote }} + {{- end }} + {{- else }} httpGet: path: {{ .Values.server.livenessProbe.path | quote }} - port: 8200 - scheme: {{ include "vault.scheme" . | upper }} + port: {{ .Values.server.livenessProbe.port }} + scheme: {{ include "openbao.scheme" . | upper }} + {{- end }} failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }} 
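Review bot: `port: {{ .Values.server.readinessProbe.port }}` and, in the following hunk, `port: {{ .Values.server.livenessProbe.port }}` replace the hard-coded 8200 with a values lookup that has no fallback, unlike `image.registry | default "docker.io"` earlier in this file; a values file carried over from before this change presumably lacks the new keys, so it renders `port:` with an empty value and the probe is rejected. `port: {{ .Values.server.readinessProbe.port | default 8200 }}` (and the same for the liveness probe) preserves the old behaviour for such files. The readiness `exec` fallback still runs `bao status -tls-skip-verify`; that is a loopback check against `BAO_ADDR` on 127.0.0.1, and a comment saying so would stop the flag being copied into places where verification matters.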
@@ -178,7 +197,7 @@ spec: timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }} {{- end }} lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes + # openbao container doesn't receive SIGTERM from Kubernetes # and after the grace period ends, Kube sends SIGKILL. This # causes issues with graceful shutdowns such as deregistering itself # from Consul (zombie services). @@ -189,7 +208,7 @@ spec: # Adding a sleep here to give the pod eviction a # chance to propagate, so requests will not be made # to this pod while it's terminating - "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)", + "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof bao)", ] {{- if .Values.server.postStart }} postStart: @@ -203,7 +222,7 @@ spec: {{ toYaml .Values.server.extraContainers | nindent 8}} {{- end }} {{- include "imagePullSecrets" . | nindent 6 }} - {{ template "vault.volumeclaims" . }} + {{ template "openbao.volumeclaims" . }} {{ end }} {{ end }} {{ end }} diff --git a/templates/tests/server-test.yaml b/charts/openbao/templates/tests/server-test.yaml similarity index 54% rename from templates/tests/server-test.yaml rename to charts/openbao/templates/tests/server-test.yaml index 56dbee7..02390de 100644 --- a/templates/tests/server-test.yaml +++ b/charts/openbao/templates/tests/server-test.yaml 
@@ -1,39 +1,44 @@ -{{ template "vault.mode" . }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} apiVersion: v1 kind: Pod metadata: - name: "{{ .Release.Name }}-server-test" - namespace: {{ .Release.Namespace }} + name: {{ template "openbao.fullname" . }}-server-test + namespace: {{ include "openbao.namespace" . }} annotations: "helm.sh/hook": test spec: {{- include "imagePullSecrets" . | nindent 2 }} containers: - name: {{ .Release.Name }}-server-test - image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} imagePullPolicy: {{ .Values.server.image.pullPolicy }} env: - name: VAULT_ADDR - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} - {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} + value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} + {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }} command: - /bin/sh - -c - | - echo "Checking for sealed info in 'vault status' output" + echo "Checking for sealed info in 'bao status' output" ATTEMPTS=10 n=0 until [ "$n" -ge $ATTEMPTS ] do echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break + bao status -format yaml | grep -E '^sealed: (true|false)' && break n=$((n+1)) sleep 5 done if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" + echo "timed out looking for sealed info in 'bao status' output" exit 1 fi 
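Review bot: The test pod's `image:` line falls back to `docker.io` when `server.image.registry` is empty, while the chart's `values.yaml` defaults that same registry to `quay.io`, so a values override with `registry: ""` would pull `docker.io/openbao/openbao:<tag>` for the test pod — a different supply-chain source than the one operators configured for the server. Prefer composing the reference with whatever helper the server StatefulSet uses (not visible from here), or at minimum use the same default: `image: {{ .Values.server.image.registry | default "quay.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}`. The `default "latest"` tag fallback is a floating reference as well; a short comment that this is a test-only convenience and that deployments are expected to pin a tag would make the intent explicit.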
diff --git a/charts/openbao/templates/ui-service.yaml b/charts/openbao/templates/ui-service.yaml
new file mode 100644
index 0000000..fb18a9a
--- /dev/null
+++ b/charts/openbao/templates/ui-service.yaml
@@ -0,0 +1,50 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.uiEnabled" . -}}
+{{- if .uiEnabled -}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "openbao.fullname" . }}-ui
+ namespace: {{ include "openbao.namespace" . }}
+ labels:
+ helm.sh/chart: {{ include "openbao.chart" . }}
+ app.kubernetes.io/name: {{ include "openbao.name" . }}-ui
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- template "openbao.ui.annotations" . }}
+spec:
+ {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+ {{- if .Values.ui.serviceIPFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.ui.serviceIPFamilies }}
+ ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ {{- end }}
+ selector:
+ app.kubernetes.io/name: {{ include "openbao.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ component: server
+ {{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }}
+ openbao-active: "true"
+ {{- end }}
+ publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
+ ports:
+ - name: {{ include "openbao.scheme" . }}
+ port: {{ .Values.ui.externalPort }}
+ targetPort: {{ .Values.ui.targetPort }}
+ {{- if .Values.ui.serviceNodePort }}
+ nodePort: {{ .Values.ui.serviceNodePort }}
+ {{- end }}
+ type: {{ .Values.ui.serviceType }}
+ {{- include "service.externalTrafficPolicy" .Values.ui }}
+ {{- include "service.loadBalancer" .Values.ui }}
+{{- end -}}
+{{- end }}
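Review bot: `targetPort: {{ .Values.ui.targetPort }}` points this Service at the server pods' listener, which is the same listener that serves the full API (the server `config` in values turns the UI on with `ui = true`), so `ui.serviceType: NodePort` or `LoadBalancer` exposes every API endpoint outside the cluster, not only the web UI. Add a comment above `spec:` (or next to `ui.serviceType` in `values.yaml`) making that explicit, e.g. `# NOTE: the UI is served by the API listener; an externally reachable service type exposes the whole API, not just the UI.` Because `publishNotReadyAddresses` is taken straight from values, an external service may also route to sealed or not-yet-ready pods; I cannot see the `ui.publishNotReadyAddresses` default here, but the same comment should tell operators to keep it `false` for external service types unless they rely on reaching unsealed-but-not-ready nodes.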
diff --git a/charts/openbao/values.openshift.yaml b/charts/openbao/values.openshift.yaml
new file mode 100644
index 0000000..04bed03
--- /dev/null
+++ b/charts/openbao/values.openshift.yaml
@@ -0,0 +1,26 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# These overrides are appropriate defaults for deploying this chart on OpenShift
+
+global:
+ openshift: true
+
+injector:
+ image:
+ repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
+ tag: "1.3.1-ubi"
+
+ agentImage:
+ registry: "quay.io"
+ repository: "openbao/openbao"
+ tag: "v2.0.2-ubi"
+
+server:
+ image:
+ registry: "quay.io"
+ repository: "openbao/openbao"
+ tag: "v2.0.2-ubi"
+
+ readinessProbe:
+ path: "/v1/sys/health?uninitcode=204"
diff --git a/values.schema.json b/charts/openbao/values.schema.json
similarity index 87%
rename from values.schema.json
rename to charts/openbao/values.schema.json
index c183957..e19fd94 100644
--- a/values.schema.json
+++ b/charts/openbao/values.schema.json
@@ -5,6 +5,40 @@
 "csi": { "type": "object", "properties": {
+ "agent": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "extraArgs": {
+ "type": "array"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "logFormat": {
+ "type": "string"
+ },
+ "logLevel": {
+ "type": "string"
+ },
+ "resources": {
+ "type": "object"
+ }
+ }
+ },
 "daemonSet": { "type": "object", "properties": {
@@ -102,6 +136,13 @@
 "pod": { "type": "object", "properties": {
+ "affinity": {
+ "type": [
+ "null",
+ "object",
+ "string"
+ ]
+ },
 "annotations": { "type": [ "object",
@@ -111,6 +152,13 @@
 "extraLabels": { "type": "object" },
+ "nodeSelector": {
+ "type": [
+ "null",
+ "object",
+ "string"
+ ]
+ },
 "tolerations": { "type": [ "null",
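Review bot: `injector.image.repository` carries a full registry hostname (`registry.connect.redhat.com/hashicorp/vault-k8s`) but sets no `registry:` key, while the chart's `values.yaml` now defaults `injector.image.registry` to `docker.io`; if the injector template composes `registry/repository` the way `server-test.yaml` does for the server image, this override renders `docker.io/registry.connect.redhat.com/hashicorp/vault-k8s`, which cannot be pulled. Split it as `registry: "registry.connect.redhat.com"` and `repository: "hashicorp/vault-k8s"`. Note the version drift as well: the injector is pinned to `1.3.1-ubi` here versus `1.4.2` in `values.yaml`, and the OpenBao images use `v2.0.2-ubi` versus `2.0.2`, so the differing `v` prefix should be checked against what the registry actually publishes. Finally, `uninitcode=204` makes uninitialized pods report ready, so Services will route to them before `bao operator init` has run; a one-line comment saying why OpenShift needs this would let operators decide whether to keep it.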
@@ -180,6 +228,9 @@ "enabled": { "type": "boolean" }, + "namespace": { + "type": "string" + }, "externalVaultAddr": { "type": "string" }, @@ -232,6 +283,12 @@ "memRequest": { "type": "string" }, + "ephemeralLimit": { + "type": "string" + }, + "ephemeralRequest": { + "type": "string" + }, "template": { "type": "string" }, @@ -502,6 +559,12 @@ "string" ] }, + "labels": { + "type": [ + "object", + "string" + ] + }, "enabled": { "type": [ "boolean", @@ -542,6 +605,12 @@ "string" ] }, + "labels": { + "type": [ + "object", + "string" + ] + }, "enabled": { "type": [ "boolean", @@ -562,6 +631,17 @@ } } }, + "persistentVolumeClaimRetentionPolicy": { + "type": "object", + "properties": { + "whenDeleted": { + "type": "string" + }, + "whenScaled": { + "type": "string" + } + } + }, "dev": { "type": "object", "properties": { @@ -579,20 +659,15 @@ "string" ] }, - "enterpriseLicense": { - "type": "object", - "properties": { - "secretKey": { - "type": "string" - }, - "secretName": { - "type": "string" - } - } - }, "extraArgs": { "type": "string" }, + "extraPorts": { + "type": [ + "null", + "array" + ] + }, "extraContainers": { "type": [ "null", @@ -677,6 +752,9 @@ } } }, + "hostAliases": { + "type": "array" + }, "image": { "type": "object", "properties": { @@ -752,6 +830,12 @@ "path": { "type": "string" }, + "port": { + "type": "integer" + }, + "execCommand": { + "type": "array" + }, "periodSeconds": { "type": "integer" }, @@ -777,6 +861,9 @@ }, "enabled": { "type": "boolean" + }, + "ingress": { + "type": "array" } } }, @@ -856,6 +943,12 @@ "properties": { "enabled": { "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] } } }, @@ -890,6 +983,12 @@ "properties": { "enabled": { "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] } } }, @@ -904,6 +1003,14 @@ }, "standbyNodePort": { "type": "integer" + }, + "ipFamilyPolicy": { + "type": "string" + }, + "ipFamilies": { + "type": [ + "array" + ] } } }, 
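Review bot: `persistentVolumeClaimRetentionPolicy.whenDeleted` and `whenScaled` are typed as free-form strings, yet Kubernetes accepts only `Retain` or `Delete`, and `Delete` removes the PVC that holds the Raft data and audit logs. Constrain both with `"enum": ["Retain", "Delete"]` so a typo fails `helm install` at schema validation instead of at the API server. The `port` added under the probe objects could likewise carry `"minimum": 1, "maximum": 65535`, since an out-of-range value otherwise surfaces only as a rejected StatefulSet.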
@@ -922,6 +1029,9 @@ "extraLabels": { "type": "object" }, + "createSecret": { + "type": "boolean" + }, "name": { "type": "string" }, @@ -1020,10 +1130,29 @@ } } }, + "serverTelemetry": { + "type": "object", + "properties": { + "prometheusRules": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "rules": { + "type": "array" + }, + "selectors": { + "type": "object" + } + } + } + } + }, "ui": { "type": "object", "properties": { - "activeVaultPodOnly": { + "activeOpenbaoPodOnly": { "type": "boolean" }, "annotations": { @@ -1058,6 +1187,16 @@ }, "targetPort": { "type": "integer" + }, + "serviceIPFamilyPolicy": { + "type": [ + "string" + ] + }, + "serviceIPFamilies": { + "type": [ + "array" + ] } } } diff --git a/values.yaml b/charts/openbao/values.yaml similarity index 65% rename from values.yaml rename to charts/openbao/values.yaml index 2c3d9e2..50c6859 100644 --- a/values.yaml +++ b/charts/openbao/values.yaml 
@@ -1,30 +1,36 @@ -# Available parameters and their default values for the Vault chart. +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the OpenBao chart. global: - # enabled is the master enabled switch. Setting this to true or false + # -- enabled is the master enabled switch. Setting this to true or false # will enable or disable all the components within this chart by default. enabled: true - # Image pull secret to use for registry authentication. + # -- The namespace to deploy to. Defaults to the `helm` installation namespace. + namespace: "" + + # -- Image pull secret to use for registry authentication. # Alternatively, the value may be specified as an array of strings. imagePullSecrets: [] # imagePullSecrets: # - name: image-pull-secret - # TLS for end-to-end encrypted transport + # -- TLS for end-to-end encrypted transport tlsDisable: true - # External vault server address for the injector and CSI provider to use. - # Setting this will disable deployment of a vault server. + # -- External openbao server address for the injector and CSI provider to use. + # Setting this will disable deployment of a openbao server. externalVaultAddr: "" - # If deploying to OpenShift + # -- If deploying to OpenShift openshift: false - # Create PodSecurityPolicy for pods + # -- Create PodSecurityPolicy for pods psp: enable: false - # Annotation for PodSecurityPolicy. + # -- Annotation for PodSecurityPolicy. # This is a multi-line templated string map, and can also be set as YAML. annotations: | seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default 
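Review bot: The comment `# -- TLS for end-to-end encrypted transport` above `tlsDisable: true` reads as if the default turns TLS on, when the key does the opposite: with the default value the API listener is served in plaintext. Reword it to state the default and the consequence, e.g. `# -- Disable TLS on the OpenBao listener. The default (true) serves the API over plain HTTP; set to false and supply certificates for anything beyond local testing.` Separately, `psp.enable` still offers PodSecurityPolicy, which Kubernetes removed in 1.25; a comment pointing users to Pod Security Admission, or a deprecation note, would avoid a confusing install failure on current clusters.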
@@ -33,46 +39,56 @@ global: apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default serverTelemetry: - # Enable integration with the Prometheus Operator + # -- Enable integration with the Prometheus Operator # See the top level serverTelemetry section below before enabling this feature. prometheusOperator: false injector: - # True if you want to enable vault agent injection. - # @default: global.enabled + # -- True if you want to enable openbao agent injection. @default: global.enabled enabled: "-" replicas: 1 - # Configures the port the injector should listen on + # -- Configures the port the injector should listen on port: 8080 - # If multiple replicas are specified, by default a leader will be determined + # -- If multiple replicas are specified, by default a leader will be determined # so that only one injector attempts to create TLS certificates. leaderElector: enabled: true - # If true, will enable a node exporter metrics endpoint at /metrics. + # -- If true, will enable a node exporter metrics endpoint at /metrics. metrics: enabled: false - # Deprecated: Please use global.externalVaultAddr instead. + # -- Deprecated: Please use global.externalVaultAddr instead. externalVaultAddr: "" # image sets the repo and tag of the vault-k8s image to use for the injector. image: + # -- image registry to use for k8s image + registry: "docker.io" + # -- image repo to use for k8s image repository: "hashicorp/vault-k8s" - tag: "1.1.0" + # -- image tag to use for k8s image + tag: "1.4.2" + # -- image pull policy to use for k8s image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent - # agentImage sets the repo and tag of the Vault image to use for the Vault Agent - # containers. This should be set to the official Vault image. Vault 1.3.1+ is + # -- agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent + # containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is # required. 
agentImage: - repository: "hashicorp/vault" - tag: "1.12.1" + # -- image registry to use for agent image + registry: "quay.io" + # -- image repo to use for agent image + repository: "openbao/openbao" + # -- image tag to use for agent image + tag: "2.0.2" + # -- image pull policy to use for agent image. if tag is "latest", set to "Always" + pullPolicy: IfNotPresent - # The default values for the injected Vault Agent containers. + # The default values for the injected OpenBao Agent containers. agentDefaults: # For more information on configuring resources, see the K8s documentation: # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @@ -80,6 +96,8 @@ injector: cpuRequest: "250m" memLimit: "128Mi" memRequest: "64Mi" + # ephemeralLimit: "128Mi" + # ephemeralRequest: "64Mi" # Default template type for secrets when no custom template is specified. # Possible values include: "json" and "map". 
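Review bot: The `agentImage` comment still says `OpenBao 1.3.1+ is required`, a leftover from the Vault chart — the default tag immediately below is `2.0.2`, and there is no OpenBao 1.3.1 release. Replace that sentence with the real minimum the injector needs (the default `2.0.2` is the only version this chart visibly tests against) rather than a Vault version number. It would also be worth one sentence in the `image` comment noting that the injector remains the HashiCorp `vault-k8s` build pulled from `docker.io`, since operators auditing image provenance for an OpenBao deployment may not expect a non-OpenBao component in the default install.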
@@ -90,17 +108,54 @@ injector: exitOnRetryFailure: true staticSecretRenderInterval: "" - # Mount Path of the Vault Kubernetes Auth Method. + # Used to define custom livenessProbe settings + livenessProbe: + # -- When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # -- Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the probe + periodSeconds: 2 + # -- Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom readinessProbe settings + readinessProbe: + # -- When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # -- Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the probe + periodSeconds: 2 + # -- Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom startupProbe settings + startupProbe: + # -- When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 12 + # -- Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the probe + periodSeconds: 5 + # -- Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the probe times out. + timeoutSeconds: 5 + + # Mount Path of the OpenBao Kubernetes Auth Method. authPath: "auth/kubernetes" - # Configures the log verbosity of the injector. + # -- Configures the log verbosity of the injector. 
# Supported log levels include: trace, debug, info, warn, error logLevel: "info" - # Configures the log format of the injector. Supported log formats: "standard", "json". + # -- Configures the log format of the injector. Supported log formats: "standard", "json". logFormat: "standard" - # Configures all Vault Agent sidecars to revoke their token when shutting down + # Configures all OpenBao Agent sidecars to revoke their token when shutting down revokeOnShutdown: false webhook: @@ -149,7 +204,7 @@ injector: - key: app.kubernetes.io/name operator: NotIn values: - - {{ template "vault.name" . }}-agent-injector + - {{ template "openbao.name" . }}-agent-injector # Extra annotations to attach to the webhook annotations: {} @@ -233,7 +288,8 @@ injector: # extraEnvironmentVars is a list of extra environment variables to set in the # injector deployment. - extraEnvironmentVars: {} + extraEnvironmentVars: + {} # KUBERNETES_SERVICE_HOST: kubernetes.default.svc # Affinity Settings for injector pods @@ -245,7 +301,7 @@ injector: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: "{{ .Release.Name }}" component: webhook topologyKey: kubernetes.io/hostname 
@@ -310,41 +366,33 @@ injector: # type: RollingUpdate server: - # If true, or "-" with global.enabled true, Vault server will be installed. - # See vault.mode in _helpers.tpl for implementation details. + # If true, or "-" with global.enabled true, OpenBao server will be installed. + # See openbao.mode in _helpers.tpl for implementation details. enabled: "-" - # [Enterprise Only] This value refers to a Kubernetes secret that you have - # created that contains your enterprise license. If you are not using an - # enterprise image or if you plan to introduce the license key via another - # route, then leave secretName blank ("") or set it to null. - # Requires Vault Enterprise 1.8 or later. - enterpriseLicense: - # The name of the Kubernetes secret that holds the enterprise license. The - # secret must be in the same namespace that Vault is installed into. - secretName: "" - # The key within the Kubernetes secret that holds the enterprise license. - secretKey: "license" - # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. # By default no direct resource request is made. image: - repository: "hashicorp/vault" - tag: "1.12.1" - # Overrides the default Image Pull Policy + # -- image registry to use for server image + registry: "quay.io" + # -- image repo to use for server image + repository: "openbao/openbao" + # -- image tag to use for server image + tag: "2.0.2" + # -- image pull policy to use for server image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent # Configure the Update Strategy Type for the StatefulSet # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies updateStrategyType: "OnDelete" - # Configure the logging verbosity for the Vault server. + # Configure the logging verbosity for the OpenBao server. 
# Supported log levels include: trace, debug, info, warn, error logLevel: "" - # Configure the logging format for the Vault server. + # Configure the logging format for the OpenBao server. # Supported log formats include: standard, json logFormat: "" @@ -358,14 +406,16 @@ server: # cpu: 250m # Ingress allows ingress services to be created to allow external access - # from Kubernetes to access Vault pods. + # from Kubernetes to access OpenBao pods. # If deployment is on OpenShift, the following block is ignored. # In order to expose the service, use the route section below ingress: enabled: false - labels: {} + labels: + {} # traffic: external - annotations: {} + annotations: + {} # | # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" @@ -382,7 +432,7 @@ server: pathType: Prefix # When HA mode is enabled and K8s service registration is being used, - # configure the ingress to point to the Vault active service. + # configure the ingress to point to the OpenBao active service. activeService: true hosts: - host: chart-example.local @@ -400,13 +450,19 @@ server: # hosts: # - chart-example.local + # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list. + hostAliases: [] + # - ip: 127.0.0.1 + # hostnames: + # - chart-example.local + # OpenShift only - create a route to expose the service # By default the created route will be of type passthrough route: enabled: false # When HA mode is enabled and K8s service registration is being used, - # configure the route to point to the Vault active service. + # configure the route to point to the OpenBao active service. activeService: true labels: {} 
@@ -420,14 +476,15 @@ server: # authDelegator enables a cluster role binding to be attached to the service # account. This cluster role binding can be used to setup Kubernetes auth - # method. https://www.vaultproject.io/docs/auth/kubernetes.html + # method. See https://openbao.org/docs/auth/kubernetes authDelegator: enabled: true - # extraInitContainers is a list of init containers. Specified as a YAML list. + # -- extraInitContainers is a list of init containers. Specified as a YAML list. # This is useful if you need to run a script to provision TLS certificates or # write out configuration files in a dynamic way. - extraInitContainers: null + extraInitContainers: + [] # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder, # # which is defined in the volumes value. # - name: oauthapp 
@@ -446,19 +503,28 @@ server: # extraContainers is a list of sidecar containers. Specified as a YAML list. extraContainers: null - # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers - # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation + # -- shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers + # This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation shareProcessNamespace: false - # extraArgs is a string containing additional Vault server arguments. + # -- extraArgs is a string containing additional OpenBao server arguments. extraArgs: "" + # -- extraPorts is a list of extra ports. Specified as a YAML list. + # This is useful if you need to add additional ports to the statefulset in dynamic way. + extraPorts: + [] + # - containerPort: 8300 + # name: http-monitoring + # Used to define custom readinessProbe settings readinessProbe: enabled: true # If you need to use a http path instead of the default exec # path: /v1/sys/health?standbyok=true + # Port number on which readinessProbe will be checked. + port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 # Number of seconds after the container has started before probe initiates 
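Review bot: The new `readinessProbe.port: 8200` applies only when `path` is set (the httpGet branch); with `path` unset the template falls back to an exec probe running `bao status -tls-skip-verify`, and neither the port's scope nor that flag is mentioned in the comments. Extend the comment to `# Port for the httpGet probe (used only when path is set); must match the listener address in the server config and server.service.targetPort. With path unset, an exec probe runs 'bao status -tls-skip-verify' against the local listener instead.` The skip-verify is reasonable for a loopback probe, but stating it lets operators who mandate certificate verification everywhere switch to the httpGet form deliberately.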
@@ -472,7 +538,15 @@ server: # Used to enable a livenessProbe for the pods livenessProbe: enabled: false + # Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler. + execCommand: [] + # - /bin/sh + # - -c + # - /openbao/userconfig/mylivenessscript/run.sh + # Path for the livenessProbe to use httpGet as the livenessProbe handler path: "/v1/sys/health?standbyok=true" + # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler + port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 # Number of seconds after the container has started before probe initiates 
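Review bot: The default `livenessProbe.path` of `/v1/sys/health?standbyok=true` answers HTTP 503 while the node is sealed (and 501 while uninitialized), so anyone who flips `enabled: true` without changing the path has sealed pods restarted by the kubelet in a loop, which is especially harmful with manual unseal. Add that caveat to the comment and point at the query parameters that change it, e.g. `# Note: /v1/sys/health returns 503 while sealed and 501 while uninitialized, which makes the kubelet restart the pod; append sealedcode=204&uninitcode=204 if you unseal manually.` The `execCommand` comment could also say that the command runs with the server container's privileges and, when set, takes precedence over `path`/`port` — the precedence is stated, the privilege point is not.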
@@ -497,30 +571,33 @@ server: postStart: [] # - /bin/sh # - -c - # - /vault/userconfig/myscript/run.sh + # - /openbao/userconfig/myscript/run.sh # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # used to include variables required for auto-unseal. - extraEnvironmentVars: {} + extraEnvironmentVars: + {} # GOOGLE_REGION: global # GOOGLE_PROJECT: myproject - # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json + # GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. # These variables take value from existing Secret objects. - extraSecretEnvironmentVars: [] + extraSecretEnvironmentVars: + [] # - envName: AWS_SECRET_ACCESS_KEY - # secretName: vault + # secretName: openbao # secretKey: AWS_SECRET_ACCESS_KEY # Deprecated: please use 'volumes' instead. # extraVolumes is a list of extra volumes to mount. These will be exposed - # to Vault in the path `/vault/userconfig//`. The value below is + # to OpenBao in the path `/openbao/userconfig//`. The value below is # an array of objects, examples are shown below. - extraVolumes: [] + extraVolumes: + [] # - type: secret (or "configMap") # name: my-secret - # path: null # default is `/vault/userconfig` + # path: null # default is `/openbao/userconfig` # volumes is a list of volumes made available to all containers. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. @@ -546,7 +623,7 @@ server: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: "{{ .Release.Name }}" component: server topologyKey: kubernetes.io/hostname 
@@ -580,6 +657,14 @@ server: # ports: # - protocol: TCP # port: 443 + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP # Priority class for server pods priorityClassName: "" 
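Review bot: The new default `networkPolicy.ingress` rule admits traffic from any namespace (`namespaceSelector: {}`) to both 8200 and 8201, which for those two ports is no restriction at all. Port 8201 is the cluster port — `ha.clusterAddr` defaults to `https://$(HOSTNAME).<release>-internal:8201` further down this file — and only needs to be reachable from the other OpenBao server pods, so it should be limited to a `podSelector` for the server pods while 8200 keeps the cluster-wide rule. A comment stating that the 8200 rule is a deliberately permissive baseline to be narrowed per environment would also help. Whether this list is passed through `tpl` is not visible here; the labels below use the literal chart name and would need the templated `{{ template "openbao.name" . }}` form if it is.
```yaml
    ingress:
      - from:
          - namespaceSelector: {}
        ports:
          - port: 8200
            protocol: TCP
      - from:
          - podSelector:
              matchLabels:
                app.kubernetes.io/name: openbao
                component: server
        ports:
          - port: 8201
            protocol: TCP
```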
@@ -593,35 +678,67 @@ server: # of the annotations to apply to the server pods annotations: {} - # Enables a headless service to be used by the Vault Statefulset + # Add an annotation to the server configmap and the statefulset pods, + # vaultproject.io/config-checksum, that is a hash of the OpenBao configuration. + # This can be used together with an OnDelete deployment strategy to help + # identify which pods still need to be deleted during a deployment to pick up + # any configuration changes. + configAnnotation: false + + # Enables a headless service to be used by the OpenBao Statefulset service: enabled: true - # Enable or disable the vault-active service, which selects Vault pods that - # have labelled themselves as the cluster leader with `vault-active: "true"` + # Enable or disable the openbao-active service, which selects OpenBao pods that + # have labeled themselves as the cluster leader with `openbao-active: "true"`. active: enabled: true - # Enable or disable the vault-standby service, which selects Vault pods that - # have labelled themselves as a cluster follower with `vault-active: "false"` + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the active service. + annotations: {} + # Enable or disable the openbao-standby service, which selects OpenBao pods that + # have labeled themselves as a cluster follower with `openbao-active: "false"`. standby: enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the standby service. + annotations: {} # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` - # When disabled, services may select Vault pods not deployed from the chart. 
- # Does not affect the headless vault-internal service with `ClusterIP: None` + # When disabled, services may select OpenBao pods not deployed from the chart. + # Does not affect the headless openbao-internal service with `ClusterIP: None` instanceSelector: enabled: true # clusterIP controls whether a Cluster IP address is attached to the - # Vault service within Kubernetes. By default, the Vault service will + # OpenBao service within Kubernetes. By default, the OpenBao service will # be given a Cluster IP address, set to None to disable. When disabled # Kubernetes will create a "headless" service. Headless services can be # used to communicate with pods directly through DNS instead of a round-robin # load balancer. # clusterIP: None - # Configures the service type for the main Vault service. Can be ClusterIP + # Configures the service type for the main OpenBao service. Can be ClusterIP # or NodePort. - #type: ClusterIP + # type: ClusterIP - # Do not wait for pods to be ready + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family policy, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + ipFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. + # Can be IPv4 and/or IPv6. + ipFamilies: [] + + # Do not wait for pods to be ready before including them in the services' + # targets. 
Does not apply to the headless service, which is used for + # cluster-internal communication. publishNotReadyAddresses: true # The externalTrafficPolicy can be set to either Cluster or Local @@ -632,19 +749,19 @@ server: # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. - #nodePort: 30000 + # nodePort: 30000 # When HA mode is enabled # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. - #activeNodePort: 30001 + # activeNodePort: 30001 # When HA mode is enabled # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. - #standbyNodePort: 30002 + # standbyNodePort: 30002 - # Port on which Vault server is listening + # Port on which OpenBao server is listening port: 8200 # Target port to which the service should be mapped to targetPort: 8200 @@ -653,15 +770,15 @@ server: # to the service. annotations: {} - # This configures the Vault Statefulset to create a PVC for data + # This configures the OpenBao Statefulset to create a PVC for data # storage when using the file or raft backend storage engines. - # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more + # See https://openbao.org/docs/configuration/storage to know more dataStorage: enabled: true # Size of the PVC created size: 10Gi # Location where the PVC will be mounted. - mountPath: "/vault/data" + mountPath: "/openbao/data" # Name of the storage class to use. If null it will use the # configured default Storage Class. storageClass: null 
@@ -669,18 +786,28 @@ server: accessMode: ReadWriteOnce # Annotations to apply to the PVC annotations: {} + # Labels to apply to the PVC + labels: {} - # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized, and unsealed, Vault must + # Persistent Volume Claim (PVC) retention policy + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + # Example: + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + persistentVolumeClaimRetentionPolicy: {} + + # This configures the OpenBao Statefulset to create a PVC for audit + # logs. Once OpenBao is deployed, initialized, and unsealed, OpenBao must # be configured to use this for audit logs. This will be mounted to - # /vault/audit - # See https://www.vaultproject.io/docs/audit/index.html to know more + # /openbao/audit + # See https://openbao.org/docs/audit to know more auditStorage: enabled: false # Size of the PVC created size: 10Gi # Location where the PVC will be mounted. - mountPath: "/vault/audit" + mountPath: "/openbao/audit" # Name of the storage class to use. If null it will use the # configured default Storage Class. storageClass: null 
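Review bot: `persistentVolumeClaimRetentionPolicy: {}` gets a one-line example but no statement of what the values do: with `whenDeleted: Delete` the `data` PVC — the Raft storage for every secret plus the seal state — is removed on `helm uninstall`, and `whenScaled: Delete` drops the volume of any replica that is scaled away. Spell that out next to the example, e.g. `# Both keys accept Retain (the Kubernetes default when omitted) or Delete. Delete removes the data/audit PVCs, so use it only where the volumes hold nothing you need to keep.` It is also worth noting that the field depends on the StatefulSetAutoDeletePVC feature (enabled by default from Kubernetes 1.27, to my recollection); on older clusters the API server drops it silently, so the configured policy is not applied.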
@@ -688,19 +815,21 @@ server: accessMode: ReadWriteOnce # Annotations to apply to the PVC annotations: {} + # Labels to apply to the PVC + labels: {} - # Run Vault in "dev" mode. This requires no further setup, no state management, - # and no initialization. This is useful for experimenting with Vault without + # Run OpenBao in "dev" mode. This requires no further setup, no state management, + # and no initialization. This is useful for experimenting with OpenBao without # needing to unseal, store keys, et. al. All data is lost on restart - do not # use dev mode for anything other than experimenting. - # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more + # See https://openbao.org/docs/concepts/dev-server to know more dev: enabled: false # Set VAULT_DEV_ROOT_TOKEN_ID value devRootToken: "root" - # Run Vault in "standalone" mode. This is the default mode that will deploy if + # Run OpenBao in "standalone" mode. This is the default mode that will deploy if # no arguments are given to helm. This requires a PVC for data storage to use # the "file" backend. This mode is not highly available and should not be scaled # past a single replica. @@ -708,14 +837,14 @@ server: enabled: "-" # config is a raw string of default configuration when using a Stateful - # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data + # deployment. Default is to use a PersistentVolumeClaim mounted at /openbao/data # and store data there. This is only used when using a Replica count of 1, and # using a stateful set. This should be HCL. # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true 
@@ -729,50 +858,49 @@ server:
#}
}
storage "file" {
- path = "/vault/data"
+ path = "/openbao/data"
}
# Example configuration for using auto-unseal, using Google Cloud KMS. The
# GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS.
#seal "gcpckms" {
- # project = "vault-helm-dev"
+ # project = "openbao-helm-dev"
# region = "global"
- # key_ring = "vault-helm-unseal-kr"
- # crypto_key = "vault-helm-unseal-key"
+ # key_ring = "openbao-helm-unseal-kr"
+ # crypto_key = "openbao-helm-unseal-key"
#}
# Example configuration for enabling Prometheus metrics in your config.
#telemetry {
- # prometheus_retention_time = "30s",
+ # prometheus_retention_time = "30s"
# disable_hostname = true
#}
- # Run Vault in "HA" mode. There are no storage requirements unless the audit log
- # persistence is required. In HA mode Vault will configure itself to use Consul
+ # Run OpenBao in "HA" mode. There are no storage requirements unless the audit log
+ # persistence is required. In HA mode OpenBao will configure itself to use Consul
# for its storage backend. The default configuration provided will work the Consul
- # Helm project by default. It is possible to manually configure Vault to use a
+ # Helm project by default. It is possible to manually configure OpenBao to use a
# different HA backend.
ha:
enabled: false
replicas: 3
- # Set the api_addr configuration for Vault HA
- # See https://www.vaultproject.io/docs/configuration#api_addr
+ # Set the api_addr configuration for OpenBao HA
+ # See https://openbao.org/docs/configuration#api_addr
# If set to null, this will be set to the Pod IP Address
apiAddr: null
- # Set the cluster_addr confuguration for Vault HA
- # See https://www.vaultproject.io/docs/configuration#cluster_addr
- # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . 
}}-internal:8201
+ # Set the cluster_addr confuguration for OpenBao HA
+ # See https://openbao.org/docs/configuration#cluster_addr
+ # If set to null, this will be set to https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201
clusterAddr: null
- # Enables Vault's integrated Raft storage. Unlike the typical HA modes where
- # Vault's persistence is external (such as Consul), enabling Raft mode will create
- # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
- # The Vault cluster will coordinate leader elections and failovers internally.
+ # Enables OpenBao's integrated Raft storage. Unlike the typical HA modes where
+ # OpenBao's persistence is external (such as Consul), enabling Raft mode will create
+ # persistent volumes for OpenBao to store data according to the configuration under server.dataStorage.
+ # The OpenBao cluster will coordinate leader elections and failovers internally.
raft:
- # Enables Raft integrated storage
enabled: false
# Set the Node Raft ID to the name of the pod
@@ -781,7 +909,7 @@ server:
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
- # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
+ # https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
@@ -796,7 +924,7 @@ server:
}
storage "raft" {
- path = "/vault/data"
+ path = "/openbao/data"
}
service_registration "kubernetes" {}
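Review bot: The rewritten line `# Set the cluster_addr confuguration for OpenBao HA` carries the typo over from the old text; since the line is being replaced anyway, make it `# Set the cluster_addr configuration for OpenBao HA`. The same hunk drops `# Enables Raft integrated storage` above `raft.enabled`, leaving that key as the only one in the block without its own comment; the paragraph above still describes Raft, so this is minor, but keeping the one-liner costs nothing. This hunk begins on the preceding line.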
@@ -808,7 +936,7 @@ server:
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
- # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
+ # https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
@@ -818,7 +946,7 @@ server:
cluster_address = "[::]:8201"
}
storage "consul" {
- path = "vault"
+ path = "openbao"
address = "HOST_IP:8500"
}
@@ -828,17 +956,17 @@ server:
# GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS.
#seal "gcpckms" {
- # project = "vault-helm-dev-246514"
+ # project = "openbao-helm-dev-246514"
# region = "global"
- # key_ring = "vault-helm-unseal-kr"
- # crypto_key = "vault-helm-unseal-key"
+ # key_ring = "openbao-helm-unseal-kr"
+ # crypto_key = "openbao-helm-unseal-key"
#}
# Example configuration for enabling Prometheus metrics.
# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.
# You may wish to enable unauthenticated metrics in the listener block above.
#telemetry {
- # prometheus_retention_time = "30s",
+ # prometheus_retention_time = "30s"
# disable_hostname = true
#}
@@ -847,12 +975,12 @@ server:
disruptionBudget:
enabled: true
- # maxUnavailable will default to (n/2)-1 where n is the number of
- # replicas. If you'd like a custom value, you can specify an override here.
+ # maxUnavailable will default to (n/2)-1 where n is the number of
+ # replicas. If you'd like a custom value, you can specify an override here.
maxUnavailable: null
# Definition of the serviceAccount used to run Vault.
- # These options are also used when using an external Vault server to validate
+ # These options are also used when using an external OpenBao server to validate
# Kubernetes tokens.
serviceAccount:
# Specifies whether a service account should be created
@@ -860,6 +988,12 @@ server:
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
+ # Create a Secret API object to store a non-expiring token for the service account.
+ # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default.
+ # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible.
+ # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
+ # serviceAccount.create must be equal to 'true' in order to use this feature.
+ createSecret: false
# Extra annotations for the serviceAccount definition. This can either be
# YAML or a YAML-formatted multi-line templated string map of the
# annotations to apply to the serviceAccount.
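Review bot: `createSecret: false` introduces a non-expiring service-account token Secret, but the comment does not say what happens when it is set while `create` is false — whether rendering fails or the key is silently ignored — and that is exactly the combination an operator will hit. Once confirmed against the template, state it, e.g. `# Has no effect (or fails render) unless serviceAccount.create is true`. Because the token never expires, the comment should also note that anyone who can read Secrets in the release namespace can use it and that revoking it means deleting the Secret and rotating, which is the practical reason Kubernetes recommends TokenRequest tokens. The context line `# Definition of the serviceAccount used to run Vault.` in the first hunk was missed by the rename.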
@@ -868,12 +1002,12 @@ server:
# This should be a YAML map of the labels to apply to the serviceAccount
extraLabels: {}
# Enable or disable a service account role binding with the permissions required for
- # Vault's Kubernetes service_registration config option.
- # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
+ # OpenBao's Kubernetes service_registration config option.
+ # See https://openbao.org/docs/configuration/service-registration/kubernetes
serviceDiscovery:
enabled: true
- # Settings for the statefulSet used to run Vault.
+ # Settings for the statefulSet used to run OpenBao.
statefulSet:
# Extra annotations for the statefulSet. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply
@@ -900,29 +1034,44 @@ server:
# Should the server pods run on the host network
hostNetwork: false
-# Vault UI
+# OpenBao UI
ui:
- # True if you want to create a Service entry for the Vault UI.
+ # True if you want to create a Service entry for the OpenBao UI.
#
# serviceType can be used to control the type of service created. For
# example, setting this to "LoadBalancer" will create an external load
# balancer (for supported K8S installations) to access the UI.
enabled: false
publishNotReadyAddresses: true
- # The service should only contain selectors for active Vault pod
- activeVaultPodOnly: false
+ # The service should only contain selectors for active OpenBao pod
+ activeOpenbaoPodOnly: false
serviceType: "ClusterIP"
serviceNodePort: null
externalPort: 8200
targetPort: 8200
+ # The IP family and IP families options are to set the behaviour in a dual-stack environment.
+ # Omitting these values will let the service fall back to whatever the CNI dictates the defaults
+ # should be.
+ # These are only supported for kubernetes versions >=1.23.0
+ #
+ # Configures the service's supported IP family, can be either:
+ # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
+ # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
+ # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
+ serviceIPFamilyPolicy: ""
+
+ # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well
+ # Can be IPv4 and/or IPv6.
+ serviceIPFamilies: []
+
# The externalTrafficPolicy can be set to either Cluster or Local
# and is only valid for LoadBalancer and NodePort service types.
# The default value is Cluster.
# ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
externalTrafficPolicy: Cluster
- #loadBalancerSourceRanges:
+ # loadBalancerSourceRanges:
# - 10.0.0.0/16
# - 1.78.23.3/32
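Review bot: Renaming `activeVaultPodOnly` to `activeOpenbaoPodOnly` silently breaks existing values files: Helm does not warn on unknown keys, so a user who upgrades with `ui.activeVaultPodOnly: true` still set gets a UI Service whose selector matches every server pod, standby ones included (the deleted ui-service.yaml further down only added the active-pod selector when that key was true, and presumably the recreated template reads the new key). Keep the old key as a deprecated alias, or reject it with a `values.schema.json` or a `fail` in the template, and at minimum call the rename out in the upgrade notes. The new `serviceIPFamilyPolicy: ""` is documented as one of three enum values, so the empty default should be described as "unset — the field is omitted from the Service" rather than read as a fourth accepted value. This hunk begins on the preceding line.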
@@ -935,35 +1084,40 @@ ui:
# secrets-store-csi-driver-provider-vault
csi:
- # True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
+ # -- True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
#
# Requires installing the secrets-store-csi-driver separately, see:
# https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
#
- # With the driver and provider installed, you can mount Vault secrets into volumes
- # similar to the Vault Agent injector, and you can also sync those secrets into
+ # With the driver and provider installed, you can mount OpenBao secrets into volumes
+ # similar to the OpenBao Agent injector, and you can also sync those secrets into
# Kubernetes secrets.
enabled: false
image:
+ # -- image registry to use for csi image
+ registry: "docker.io"
+ # -- image repo to use for csi image
repository: "hashicorp/vault-csi-provider"
- tag: "1.2.1"
+ # -- image tag to use for csi image
+ tag: "1.4.0"
+ # -- image pull policy to use for csi image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
- # volumes is a list of volumes made available to all containers. These are rendered
+ # -- volumes is a list of volumes made available to all containers. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value.
# The purpose is to make it easy to share volumes between containers.
- volumes: null
+ volumes: []
# - name: tls
# secret:
- # secretName: vault-tls
+ # secretName: openbao-tls
- # volumeMounts is a list of volumeMounts for the main server container. These are rendered
+ # -- volumeMounts is a list of volumeMounts for the main server container. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value.
# The purpose is to make it easy to share volumes between containers.
- volumeMounts: null
+ volumeMounts: []
# - name: tls
- # mountPath: "/vault/tls"
+ # mountPath: "/openbao/tls"
# readOnly: true
resources: {}
@@ -975,6 +1129,10 @@ csi:
# cpu: 50m
# memory: 128Mi
+ # Override the default secret name for the CSI Provider's HMAC key used for
+ # generating secret versions.
+ hmacSecretName: ""
+
# Settings for the daemonSet used to run the provider.
daemonSet:
updateStrategy:
@@ -1007,11 +1165,46 @@ csi:
# in a PodSpec.
tolerations: []
+ # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map.
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ # Example:
+ # nodeSelector:
+ # beta.kubernetes.io/arch: amd64
+ nodeSelector: {}
+
+ # Affinity Settings
+ # This should be either a multi-line string or YAML matching the PodSpec's affinity field.
+ affinity: {}
+
# Extra labels to attach to the vault-csi-provider pod
# This should be a YAML map of the labels to apply to the csi provider pod
extraLabels: {}
+ agent:
+ enabled: true
+ extraArgs: []
+ image:
+ # -- image registry to use for agent image
+ registry: "quay.io"
+ # -- image repo to use for agent image
+ repository: "openbao/openbao"
+ # -- image tag to use for agent image
+ tag: "2.0.2"
+ # -- image pull policy to use for agent image. if tag is "latest", set to "Always"
+ pullPolicy: IfNotPresent
+
+ logFormat: standard
+ logLevel: info
+
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 250m
+ # limits:
+ # memory: 256Mi
+ # cpu: 250m
# Priority class for csi pods
priorityClassName: ""
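Review bot: The new `csi.agent` block in the third hunk has no comment saying what it deploys or why `enabled: true` is the default, and `extraArgs: []` is undocumented even though the sibling `csi.extraArgs` carries a docs link; every other key added in this file gets a `# --` description. From the image, resources and log keys it looks like an extra container in the provider daemonset, so a header along the lines of `# agent runs an OpenBao Agent container alongside the CSI provider; set enabled: false to omit it` (stating its purpose once confirmed against the daemonset template), plus `# -- extra command-line arguments passed to the agent container` and the accepted values for `logLevel` and `logFormat`, would bring it level with the rest. On the first hunk, which begins on the preceding line, the provider image stays `docker.io/hashicorp/vault-csi-provider` while the agent comes from `quay.io/openbao/openbao`; if that mix is deliberate a comment saying so would pre-empt the obvious question, and pinning both by digest rather than tag alone would make the pulls reproducible.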
@@ -1055,20 +1248,20 @@ csi:
debug: false
# Pass arbitrary additional arguments to vault-csi-provider.
- # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments
+ # See https://openbao.org/docs/platform/k8s/csi/configurations#command-line-arguments
# for the available command line flags.
extraArgs: []
-# Vault is able to collect and publish various runtime metrics.
+# OpenBao is able to collect and publish various runtime metrics.
# Enabling this feature requires setting adding `telemetry{}` stanza to
-# the Vault configuration. There are a few examples included in the `config` sections above.
+# the OpenBao configuration. There are a few examples included in the `config` sections above.
#
# For more information see:
-# https://www.vaultproject.io/docs/configuration/telemetry
-# https://www.vaultproject.io/docs/internals/telemetry
+# https://openbao.org/docs/configuration/telemetry
+# https://openbao.org/docs/internals/telemetry
serverTelemetry:
# Enable support for the Prometheus Operator. Currently, this chart does not support
- # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included
+ # authenticating to OpenBao's metrics endpoint, so the following `telemetry{}` must be included
# in the `listener "tcp"{}` stanza
# telemetry {
# unauthenticated_metrics_access = "true"
@@ -1076,15 +1269,15 @@ serverTelemetry:
#
# See the `standalone.config` for a more complete example of this.
#
- # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration:
+ # In addition, a top level `telemetry{}` stanza must also be included in the OpenBao configuration:
#
# example:
# telemetry {
- # prometheus_retention_time = "30s",
+ # prometheus_retention_time = "30s"
# disable_hostname = true
# }
#
- # Configuration for monitoring the Vault server.
+ # Configuration for monitoring the OpenBao server.
serviceMonitor:
# The Prometheus operator *must* be installed before enabling this feature,
# if not the chart will fail to install due to missing CustomResourceDefinitions
@@ -1096,7 +1289,7 @@ serverTelemetry:
# https://github.com/prometheus-operator/prometheus-operator
# https://github.com/prometheus-operator/kube-prometheus
- # Enable deployment of the Vault Server ServiceMonitor CustomResource.
+ # Enable deployment of the OpenBao Server ServiceMonitor CustomResource.
enabled: false
# Selector labels to add to the ServiceMonitor.
@@ -1111,32 +1304,32 @@ serverTelemetry:
scrapeTimeout: 10s
prometheusRules:
- # The Prometheus operator *must* be installed before enabling this feature,
- # if not the chart will fail to install due to missing CustomResourceDefinitions
- # provided by the operator.
+ # The Prometheus operator *must* be installed before enabling this feature,
+ # if not the chart will fail to install due to missing CustomResourceDefinitions
+ # provided by the operator.
- # Deploy the PrometheusRule custom resource for AlertManager based alerts.
- # Requires that AlertManager is properly deployed.
- enabled: false
+ # Deploy the PrometheusRule custom resource for AlertManager based alerts.
+ # Requires that AlertManager is properly deployed.
+ enabled: false
- # Selector labels to add to the PrometheusRules.
- # When empty, defaults to:
- # release: prometheus
- selectors: {}
+ # Selector labels to add to the PrometheusRules.
+ # When empty, defaults to:
+ # release: prometheus
+ selectors: {}
- # Some example rules.
- rules: {}
- # - alert: vault-HighResponseTime
- # annotations:
- # message: The response time of Vault is over 500ms on average over the last 5 minutes.
- # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
- # for: 5m
- # labels:
- # severity: warning
- # - alert: vault-HighResponseTime
- # annotations:
- # message: The response time of Vault is over 1s on average over the last 5 minutes.
- # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
- # for: 5m
- # labels:
- # severity: critical
+ # Some example rules.
+ rules: []
+ # - alert: vault-HighResponseTime
+ # annotations:
+ # message: The response time of OpenBao is over 500ms on average over the last 5 minutes.
+ # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
+ # for: 5m
+ # labels:
+ # severity: warning
+ # - alert: vault-HighResponseTime
+ # annotations:
+ # message: The response time of OpenBao is over 1s on average over the last 10 minutes.
+ # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
+ # for: 10m
+ # labels:
+ # severity: critical
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
deleted file mode 100644
index 8e26712..0000000
--- a/templates/NOTES.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-
-Thank you for installing HashiCorp Vault!
-
-Now that you have deployed Vault, you should look over the docs on using
-Vault with Kubernetes available here:
-
-https://www.vaultproject.io/docs/
-
-
-Your release is named {{ .Release.Name }}. To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get manifest {{ .Release.Name }}
-
diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml
deleted file mode 100644
index d5b62a5..0000000
--- a/templates/csi-clusterrolebinding.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- template "vault.csiEnabled" . -}}
-{{- if .csiEnabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
- labels:
- app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
-subjects:
-- kind: ServiceAccount
- name: {{ template "vault.fullname" . }}-csi-provider
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
deleted file mode 100644
index d131aac..0000000
--- a/templates/csi-daemonset.yaml
+++ /dev/null
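Review bot: The re-indented example rules still alert on `vault_core_handle_request` and are still named `vault-HighResponseTime` while their messages now say OpenBao; if the OpenBao binary keeps emitting vault_-prefixed metric names the examples are correct and that fact deserves a comment, otherwise they are dead on arrival for anyone who uncomments them. Suggest adding `# Metric names keep the vault_ prefix — check the metrics endpoint of the deployed version before relying on these` above the first example, after confirming which it is. The second example also changed from 5m to 10m in both the message and `for:`, which is consistent but unrelated to the rename and worth a word in the commit message. This hunk begins on the preceding line; the file deletions that follow are pure removals and need nothing.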
@@ -1,100 +0,0 @@ -{{- template "vault.csiEnabled" . -}} -{{- if .csiEnabled -}} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- if .Values.csi.daemonSet.extraLabels -}} - {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} - {{- end -}} - {{ template "csi.daemonSet.annotations" . }} -spec: - updateStrategy: - type: {{ .Values.csi.daemonSet.updateStrategy.type }} - {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }} - rollingUpdate: - maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }} - {{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - {{- if .Values.csi.pod.extraLabels -}} - {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} - {{- end -}} - {{ template "csi.pod.annotations" . }} - spec: - {{ template "csi.daemonSet.securityContext.pod" . }} - {{- if .Values.csi.priorityClassName }} - priorityClassName: {{ .Values.csi.priorityClassName }} - {{- end }} - serviceAccountName: {{ template "vault.fullname" . }}-csi-provider - {{- template "csi.pod.tolerations" . }} - containers: - - name: {{ include "vault.name" . }}-csi-provider - {{ template "csi.resources" . }} - {{ template "csi.daemonSet.securityContext.container" . 
}} - image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" - imagePullPolicy: {{ .Values.csi.image.pullPolicy }} - args: - - --endpoint=/provider/vault.sock - - --debug={{ .Values.csi.debug }} - {{- if .Values.csi.extraArgs }} - {{- toYaml .Values.csi.extraArgs | nindent 12 }} - {{- end }} - env: - - name: VAULT_ADDR - {{- if .Values.global.externalVaultAddr }} - value: "{{ .Values.global.externalVaultAddr }}" - {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} - {{- end }} - volumeMounts: - - name: providervol - mountPath: "/provider" - - name: mountpoint-dir - mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods - mountPropagation: HostToContainer - {{- if .Values.csi.volumeMounts }} - {{- toYaml .Values.csi.volumeMounts | nindent 12}} - {{- end }} - livenessProbe: - httpGet: - path: /health/ready - port: 8080 - failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }} - initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} - successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} - timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} - readinessProbe: - httpGet: - path: /health/ready - port: 8080 - failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }} - initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} - successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} - timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} - volumes: - - name: providervol - hostPath: - path: {{ .Values.csi.daemonSet.providersDir }} - - name: mountpoint-dir - hostPath: - path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods - {{- if .Values.csi.volumes }} - {{- toYaml .Values.csi.volumes | nindent 8}} - {{- end }} - {{- include 
"imagePullSecrets" . | nindent 6 }} -{{- end }} diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml deleted file mode 100644 index 6a0d6be..0000000 --- a/templates/injector-clusterrole.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- template "vault.injectorEnabled" . -}} -{{- if .injectorEnabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "vault.fullname" . }}-agent-injector-clusterrole - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -rules: -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: - - "get" - - "list" - - "watch" - - "patch" -{{ end }} diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml deleted file mode 100644 index 4c193f8..0000000 --- a/templates/injector-clusterrolebinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- template "vault.injectorEnabled" . -}} -{{- if .injectorEnabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "vault.fullname" . }}-agent-injector-binding - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "vault.fullname" . }}-agent-injector-clusterrole -subjects: -- kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} -{{ end }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml deleted file mode 100644 index 4f6b0a8..0000000 --- a/templates/injector-psp-rolebinding.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- template "vault.injectorEnabled" . -}} -{{- if .injectorEnabled -}} -{{- if eq (.Values.global.psp.enable | toString) "true" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -roleRef: - kind: Role - name: {{ template "vault.fullname" . }}-agent-injector-psp - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector -{{- end }} -{{- end }} \ No newline at end of file diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml deleted file mode 100644 index ea0db11..0000000 --- a/templates/injector-rolebinding.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- template "vault.injectorEnabled" . -}} -{{- if .injectorEnabled -}} -{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role -subjects: - - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml deleted file mode 100644 index d1919b9..0000000 
--- a/templates/injector-serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- template "vault.injectorEnabled" . -}} -{{- if .injectorEnabled -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{ template "injector.serviceAccount.annotations" . }} -{{ end }} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml deleted file mode 100644 index f40c696..0000000 --- a/templates/server-config-configmap.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- if .serverEnabled -}} -{{- if ne .mode "dev" -}} -{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-config - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -data: - extraconfig-from-values.hcl: |- - {{- if or (eq .mode "ha") (eq .mode "standalone") }} - {{- $type := typeOf (index .Values.server .mode).config }} - {{- if eq $type "string" }} - disable_mlock = true - {{- if eq .mode "standalone" }} - {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} - {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }} - {{ tpl .Values.server.ha.config . | nindent 4 | trim }} - {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} - {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} - {{ end }} - {{- else }} - {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} -{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }} - {{- else }} -{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml deleted file mode 100644 index b03f491..0000000 --- a/templates/server-headless-service.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} -{{- if .serverServiceEnabled -}} -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: {{ template "vault.fullname" . }}-internal - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - vault-internal: "true" - annotations: -{{ template "vault.service.annotations" .}} -spec: - clusterIP: None - publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} - ports: - - name: "{{ include "vault.scheme" . }}" - port: {{ .Values.server.service.port }} - targetPort: {{ .Values.server.service.targetPort }} - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - component: server -{{- end }} -{{- end }} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml deleted file mode 100644 index 580a953..0000000 --- a/templates/server-serviceaccount.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{ template "vault.serverServiceAccountEnabled" . }} -{{- if .serverServiceAccountEnabled -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- if .Values.server.serviceAccount.extraLabels -}} - {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} - {{- end -}} - {{ template "vault.serviceAccount.annotations" . }} -{{ end }} 
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml deleted file mode 100644 index d45afdd..0000000 --- a/templates/ui-service.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- template "vault.uiEnabled" . -}} -{{- if .uiEnabled -}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ template "vault.fullname" . }}-ui - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-ui - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- template "vault.ui.annotations" . }} -spec: - selector: - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - component: server - {{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }} - vault-active: "true" - {{- end }} - publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }} - ports: - - name: {{ include "vault.scheme" . }} - port: {{ .Values.ui.externalPort }} - targetPort: {{ .Values.ui.targetPort }} - {{- if .Values.ui.serviceNodePort }} - nodePort: {{ .Values.ui.serviceNodePort }} - {{- end }} - type: {{ .Values.ui.serviceType }} - {{- include "service.externalTrafficPolicy" .Values.ui }} - {{- include "service.loadBalancer" .Values.ui }} -{{- end -}} -{{- end }} diff --git a/test/README.md b/test/README.md index 951a061..066914d 100644 --- a/test/README.md +++ b/test/README.md 
@@ -1,11 +1,9 @@ -# Vault Helm Tests +# OpenBao Helm Tests -## Running Vault Helm Acceptance tests +## Running OpenBao Helm Acceptance tests The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster. -Note that for the Vault Enterprise tests to pass, a `VAULT_LICENSE_CI` environment variable needs to be set to the contents of a valid Vault Enterprise license. - ### Running in a GKE cluster * Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project. @@ -49,7 +47,7 @@ editing will be required, since several properties accept multiple data types. ## Helm test -Vault Helm also contains a simple helm test under +OpenBao Helm also contains a simple helm test under [templates/tests/](../templates/tests/) that may be run against a helm release: helm test diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index db8b051..2f62964 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash @@ -1,14 +1,17 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # name_prefix returns the prefix of the resources within Kubernetes. name_prefix() { - printf "vault" + printf "openbao" } # chart_dir returns the directory for the chart chart_dir() { - echo ${BATS_TEST_DIRNAME}/../.. + echo ${BATS_TEST_DIRNAME}/../../charts/openbao } -# helm_install installs the vault chart. This will source overridable +# helm_install installs the openbao chart. This will source overridable # values from the "values.yaml" file in this directory. This can be set # by CI or other environments to do test-specific overrides. Note that its # easily possible to break tests this way so be careful. 
@@ -19,11 +22,11 @@ helm_install() { fi helm install -f ${values} \ - --name vault \ - ${BATS_TEST_DIRNAME}/../.. + --name openbao \ + ${BATS_TEST_DIRNAME}/../../charts/openbao } -# helm_install_ha installs the vault chart using HA mode. This will source +# helm_install_ha installs the openbao chart using HA mode. This will source # overridable values from the "values.yaml" file in this directory. This can be # set by CI or other environments to do test-specific overrides. Note that its # easily possible to break tests this way so be careful. @@ -34,10 +37,10 @@ helm_install_ha() { fi helm install -f ${values} \ - --name vault \ + --name openbao \ --set 'server.enabled=false' \ --set 'serverHA.enabled=true' \ - ${BATS_TEST_DIRNAME}/../.. + ${BATS_TEST_DIRNAME}/../../charts/openbao } # wait for consul to be ready @@ -49,7 +52,7 @@ wait_for_sealed_vault() { POD_NAME=$1 check() { - sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed') + sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed') if [ "$sealed_status" == "true" ]; then return 0 fi @@ -58,15 +61,15 @@ wait_for_sealed_vault() { for i in $(seq 60); do if check ${POD_NAME}; then - echo "Vault on ${POD_NAME} is running." + echo "OpenBao on ${POD_NAME} is running." return fi - echo "Waiting for Vault on ${POD_NAME} to be running..." + echo "Waiting for OpenBao on ${POD_NAME} to be running..." sleep 2 done - echo "Vault on ${POD_NAME} never became running." + echo "OpenBao on ${POD_NAME} never became running." return 1 } @@ -141,7 +144,7 @@ wait_for_complete_job() { # string length. kubectl get job $1 -o json | \ jq -r 'select( - .status.succeeded == 1 + .status.succeeded == 1 ) | .metadata.namespace + "/" + .metadata.name' } diff --git a/test/acceptance/csi-test/nginx.yaml b/test/acceptance/csi-test/nginx.yaml index fed1137..2fd8603 100644 --- a/test/acceptance/csi-test/nginx.yaml +++ b/test/acceptance/csi-test/nginx.yaml 
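Review bot: The renamed status messages in `wait_for_sealed_vault` still describe the wrong condition: `check` returns 0 only when `bao status` reports `.sealed == "true"`, yet the success line says `OpenBao on ${POD_NAME} is running.` and the timeout line says `never became running`, so a failing HA/raft test points at the wrong state. I would change them to `echo "OpenBao on ${POD_NAME} is sealed."` and `echo "OpenBao on ${POD_NAME} never reported sealed."`. The `kubectl exec $1 -- bao status` call also leaves `$1` unquoted, while the rest of the helper quotes its pod-name arguments; `"$1"` would keep it consistent. The function header of `wait_for_sealed_vault` is outside the hunk.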
@@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: ServiceAccount diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml similarity index 58% rename from test/acceptance/csi-test/vault-kv-secretproviderclass.yaml rename to test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml index e793bde..2c8339a 100644 --- a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml @@ -1,5 +1,8 @@ -# The "Hello World" Vault SecretProviderClass -apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# The "Hello World" OpenBao SecretProviderClass +apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: vault-kv @@ -7,7 +10,6 @@ spec: provider: vault parameters: roleName: "kv-role" - vaultAddress: http://vault:8200 objects: | - objectName: "bar" secretPath: "secret/data/kv1" diff --git a/test/acceptance/csi-test/openbao-policy.hcl b/test/acceptance/csi-test/openbao-policy.hcl new file mode 100644 index 0000000..07bb749 --- /dev/null +++ b/test/acceptance/csi-test/openbao-policy.hcl @@ -0,0 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +path "secret/data/kv1" { + capabilities = ["read"] +} \ No newline at end of file diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/vault-policy.hcl deleted file mode 100644 index 48b670e..0000000 --- a/test/acceptance/csi-test/vault-policy.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "secret/data/kv1" { - capabilities = ["read"] -} \ No newline at end of file diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index ea164f7..d95af15 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats 
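Review bot: Dropping `vaultAddress` from the SecretProviderClass is undocumented; a reader of `openbao-kv-secretproviderclass.yaml` cannot tell whether the address now comes from the provider's own configuration or was lost in the rename. Presumably it is deliberate so the provider reaches OpenBao through the chart-configured path (the `csi.bats` change on this page mentions wanting to see the Agent's cache working), but that belongs in the file: `# vaultAddress intentionally omitted: the provider uses the address configured by the chart, which the Agent-cache check in csi.bats depends on`. Note also that `provider: vault` and `name: vault-kv` keep the old name although the file itself was renamed; if `provider` has to match the CSI provider's registered name, a one-line comment saying so would stop a later "fix" from breaking the mount.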
@@ -9,43 +9,65 @@ load _helpers kubectl create namespace acceptance # Install Secrets Store CSI driver - CSI_DRIVER_VERSION=1.0.0 - helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ + # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly + # so we can see Agent's cache working. + CSI_DRIVER_VERSION=1.3.2 + helm install secrets-store-csi-driver secrets-store-csi-driver \ + --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ + --version=$CSI_DRIVER_VERSION \ --wait --timeout=5m \ --namespace=acceptance \ --set linux.image.pullPolicy="IfNotPresent" \ - --set syncSecret.enabled=true - # Install Vault and Vault provider - helm install vault \ + --set tokenRequests[0].audience="openbao" \ + --set enableSecretRotation=true \ + --set rotationPollInterval=5s + # Install OpenBao and OpenBao provider + helm install openbao \ --wait --timeout=5m \ --namespace=acceptance \ --set="server.dev.enabled=true" \ --set="csi.enabled=true" \ - --set="injector.enabled=false" . - kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault - kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider + --set="csi.debug=true" \ + --set="csi.agent.logLevel=debug" \ + --set="injector.enabled=false" \ + . + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider # Set up k8s auth and a kv secret. 
- cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy - - kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes - kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ - token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ - kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - disable_iss_validation=true' - kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ + cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - + kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes + kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ + kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' + kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ bound_service_account_names=nginx \ bound_service_account_namespaces=acceptance \ policies=kv-policy \ ttl=20m - kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1 + kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 - kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml - kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml + kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml + kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) [[ "$result" == "hello1" ]] + + for i in $(seq 10); do + sleep 
2 + if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then + echo "Agent returned a cached login response" + return + fi + + echo "Waiting to confirm the Agent is renewing CSI's auth token..." + done + + # Print the logs and fail the test + echo "Failed to find a log for the Agent renewing CSI's auth token" + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider + exit 1 } # Clean up @@ -53,7 +75,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm --namespace=acceptance delete vault + helm --namespace=acceptance delete openbao helm --namespace=acceptance delete secrets-store-csi-driver kubectl delete --all pvc kubectl delete namespace acceptance diff --git a/test/acceptance/helm-test.bats b/test/acceptance/helm-test.bats index c5f9553..04717e5 100644 --- a/test/acceptance/helm-test.bats +++ b/test/acceptance/helm-test.bats @@ -20,7 +20,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats index 0f91e02..7de823b 100644 --- a/test/acceptance/injector-leader-elector.bats +++ b/test/acceptance/injector-leader-elector.bats 
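Review bot: The failure path of the new log-polling loop uses `exit 1` while its success path uses `return`, and the comparable helper on this page (`wait_for_sealed_vault` in `_helpers.bash`) signals failure with `return 1`; `return 1` keeps the test inside bats' normal control flow and reads consistently. Separately, the rewritten `bao write auth/kubernetes/config` drops `token_reviewer_jwt` and `kubernetes_ca_cert`, so OpenBao now performs TokenReview with its own pod service-account token, which only works if that service account is bound to `system:auth-delegator` — confirm the chart enables that binding and record it: `# no token_reviewer_jwt: relies on the server SA having system:auth-delegator for TokenReview`. The injector fixture's `bootstrap.sh` on this page still passes both parameters, so the two acceptance tests now exercise different auth-config paths; if that is intended, say so in one of them. The `@test` body this loop belongs to starts outside the hunk.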
@@ -13,9 +13,9 @@ load _helpers --wait \ --timeout=5m \ --set="injector.replicas=3" . - kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m + kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=openbao-agent-injector --timeout=5m - pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name')) + pods=($(kubectl get pods -l app.kubernetes.io/name=openbao-agent-injector -o json | jq -r '.items[] | .metadata.name')) [ "${#pods[@]}" == 3 ] leader='' @@ -45,8 +45,8 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance fi -} \ No newline at end of file +} diff --git a/test/acceptance/injector-test/bootstrap.sh b/test/acceptance/injector-test/bootstrap.sh index d738fd2..0d844fe 100755 --- a/test/acceptance/injector-test/bootstrap.sh +++ b/test/acceptance/injector-test/bootstrap.sh 
@@ -1,41 +1,44 @@ #!/bin/sh +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + OUTPUT=/tmp/output.txt -vault operator init -n 1 -t 1 >> ${OUTPUT?} +bao operator init -n 1 -t 1 >> ${OUTPUT?} unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g") root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g") -vault operator unseal ${unseal?} +bao operator unseal ${unseal?} -vault login -no-print ${root?} +bao login -no-print ${root?} -vault policy write db-backup /vault/userconfig/test/pgdump-policy.hcl +bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl -vault auth enable kubernetes +bao auth enable kubernetes -vault write auth/kubernetes/config \ +bao write auth/kubernetes/config \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt -vault write auth/kubernetes/role/db-backup \ +bao write auth/kubernetes/role/db-backup \ bound_service_account_names=pgdump \ bound_service_account_namespaces=acceptance \ policies=db-backup \ ttl=1h -vault secrets enable database +bao secrets enable database -vault write database/config/postgresql \ +bao write database/config/postgresql \ plugin_name=postgresql-database-plugin \ allowed_roles="db-backup" \ connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \ - username="vault" \ - password="vault" + username="openbao" \ + password="openbao" -vault write database/roles/db-backup \ +bao write database/roles/db-backup \ db_name=postgresql \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \ diff --git a/test/acceptance/injector-test/job.yaml b/test/acceptance/injector-test/job.yaml index d665383..30e6ee2 100644 
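Review bot: The database root credentials `username="openbao"` / `password="openbao"` written to `database/config/postgresql` must match the `CREATE ROLE openbao ... PASSWORD 'openbao'` in `pg-deployment.yaml`'s `setup.sql` (also on this page), and nothing ties the two files together; a comment such as `# must match the role created in pg-deployment.yaml setup.sql` above the `bao write database/config/postgresql` line would keep them from drifting apart in a later rename. Because these are static superuser credentials, following the config write with `bao write -f database/rotate-root/postgresql` would make the fixture match the usual practice for the database secrets engine, assuming OpenBao keeps that endpoint and the test does not need the original password afterwards. `job.yaml` on this page still reads `/vault/secrets/db-creds` while this script moved to `/openbao/userconfig/...`; if the injector's secret mount path was renamed along with the rest of the chart, the pgdump job will not find its credentials — confirm which path the injector uses. The `bao write database/roles/db-backup` command continues past the end of the hunk.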
--- a/test/acceptance/injector-test/job.yaml +++ b/test/acceptance/injector-test/job.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: ServiceAccount @@ -29,11 +32,11 @@ spec: spec: serviceAccountName: pgdump containers: - - name: pgdump - image: postgres:11.5 - command: - - "/bin/sh" - - "-ec" - args: - - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout" + - name: pgdump + image: postgres:11.5 + command: + - "/bin/sh" + - "-ec" + args: + - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout" restartPolicy: Never diff --git a/test/acceptance/injector-test/pg-deployment.yaml b/test/acceptance/injector-test/pg-deployment.yaml index caf8605..2011a0f 100644 --- a/test/acceptance/injector-test/pg-deployment.yaml +++ b/test/acceptance/injector-test/pg-deployment.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: Service @@ -35,7 +38,7 @@ spec: - containerPort: 5432 env: - name: POSTGRES_DB - value: mydb + value: mydb - name: POSTGRES_USER value: postgres - name: POSTGRES_PASSWORD @@ -49,7 +52,7 @@ spec: - name: pgdata emptyDir: {} - name: pgconf - configMap: + configMap: name: "pg-init" --- apiVersion: v1 @@ -60,10 +63,10 @@ metadata: app: postgres data: setup.sql: | - CREATE ROLE vault; - ALTER ROLE vault WITH SUPERUSER LOGIN PASSWORD 'vault'; - - \c mydb + CREATE ROLE openbao; + ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao'; + + \c mydb CREATE SCHEMA app; CREATE TABLE app.inventory(id int); INSERT INTO app.inventory(id) VALUES (0); diff --git a/test/acceptance/injector-test/pgdump-policy.hcl b/test/acceptance/injector-test/pgdump-policy.hcl index 88a6cd6..60da677 100644 --- a/test/acceptance/injector-test/pgdump-policy.hcl +++ b/test/acceptance/injector-test/pgdump-policy.hcl 
@@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + path "database/creds/db-backup" { capabilities = ["read"] } diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index e7fb393..2156597 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats @@ -4,20 +4,20 @@ load _helpers @test "injector: testing deployment" { cd `chart_dir` - + kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance - kubectl create -f ./test/acceptance/injector-test/pg-deployment.yaml + kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml sleep 5 wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}") kubectl create secret generic test \ - --from-file ./test/acceptance/injector-test/pgdump-policy.hcl \ - --from-file ./test/acceptance/injector-test/bootstrap.sh + --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \ + --from-file ../../test/acceptance/injector-test/bootstrap.sh - kubectl label secret test app=vault-agent-demo + kubectl label secret test app=openbao-agent-demo helm install "$(name_prefix)" \ --set="server.extraVolumes[0].type=secret" \ 
@@ -26,20 +26,20 @@ load _helpers wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") - kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /vault/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" + kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" sleep 5 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') - [ "${init_status}" == "true" ] + [ "${init_status}" == "true" ] - kubectl create -f ./test/acceptance/injector-test/job.yaml + kubectl create -f ../../test/acceptance/injector-test/job.yaml wait_for_complete_job "pgdump" } @@ -48,9 +48,9 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc - kubectl delete secret test + kubectl delete secret test kubectl delete job pgdump kubectl delete deployment postgres kubectl delete namespace acceptance diff --git a/test/acceptance/server-annotations.bats b/test/acceptance/server-annotations.bats index d382788..b66dc02 100644 --- a/test/acceptance/server-annotations.bats +++ b/test/acceptance/server-annotations.bats 
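Review bot: The `# Sealed, not initialized` comment sits directly above the renamed `bao status` checks, but the assertions that follow expect `.sealed == "false"` and `.initialized == "true"` — the opposite, which is the state `bootstrap.sh`'s `operator init`/`operator unseal` leaves behind. I would change it to `# Unsealed and initialized by bootstrap.sh`. The same stale comment precedes the equivalent checks in the `server-dev.bats` hunk and the `server-ha-raft.bats` `@@ -57,45` hunk further down this page, where it likewise states the opposite of what is asserted. The `@test` body continues outside the hunk at both ends.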
@@ -8,7 +8,7 @@ load _helpers kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance - helm install "$(name_prefix)" -f ./test/acceptance/server-test/annotations-overrides.yaml . + helm install "$(name_prefix)" -f ../../test/acceptance/server-test/annotations-overrides.yaml . wait_for_running $(name_prefix)-0 # service annotations diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats index 0619c28..72002af 100644 --- a/test/acceptance/server-dev.bats +++ b/test/acceptance/server-dev.bats @@ -43,11 +43,11 @@ load _helpers [ "${ports}" == "8201" ] # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] } @@ -57,7 +57,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats deleted file mode 100644 index 11effe9..0000000 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ /dev/null 
@@ -1,166 +0,0 @@ -#!/usr/bin/env bats - -load _helpers - -@test "server/ha-enterprise-raft: testing DR deployment" { - cd `chart_dir` - - helm install "$(name_prefix)-east" \ - --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ - --set='injector.enabled=false' \ - --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' \ - --set='server.enterpriseLicense.secretName=vault-license' . - wait_for_running "$(name_prefix)-east-0" - - # Sealed, not initialized - wait_for_sealed_vault $(name_prefix)-east-0 - - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.initialized') - [ "${init_status}" == "false" ] - - # Vault Init - local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ - vault operator init -format=json -n 1 -t 1) - - local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') - [ "${primary_token}" != "" ] - - local primary_root=$(echo ${init} | jq -r '.root_token') - [ "${primary_root}" != "" ] - - kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} - wait_for_ready "$(name_prefix)-east-0" - - sleep 10 - - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-east-0" ]] - then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} - wait_for_ready "${pod}" - fi - done - - # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] - - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] - - kubectl exec "$(name_prefix)-east-0" -- vault 
login ${primary_root} - - local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | - jq -r '.data.config.servers | length') - [ "${raft_status}" == "3" ] - - kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 - - local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json) - [ "${secondary}" != "" ] - - local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') - [ "${secondary_replica_token}" != "" ] - - # Install vault-west - helm install "$(name_prefix)-west" \ - --set='injector.enabled=false' \ - --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ - --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' \ - --set='server.enterpriseLicense.secretName=vault-license' . - wait_for_running "$(name_prefix)-west-0" - - # Sealed, not initialized - wait_for_sealed_vault $(name_prefix)-west-0 - - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.initialized') - [ "${init_status}" == "false" ] - - # Vault Init - local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ - vault operator init -format=json -n 1 -t 1) - - local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') - [ "${secondary_token}" != "" ] - - local secondary_root=$(echo ${init} | jq -r '.root_token') - [ "${secondary_root}" != "" ] - - kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} - wait_for_ready "$(name_prefix)-west-0" - - sleep 10 - - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-west-0" ]] - then - kubectl exec -ti ${pod} -- vault 
operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} - wait_for_ready "${pod}" - fi - done - - # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] - - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] - - kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} - - local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | - jq -r '.data.config.servers | length') - [ "${raft_status}" == "3" ] - - kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token} - - sleep 10 - - local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-west-0" ]] - then - kubectl delete pod "${pod?}" - wait_for_running "${pod?}" - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} - wait_for_ready "${pod}" - fi - done -} - -setup() { - kubectl delete namespace acceptance --ignore-not-found=true - kubectl create namespace acceptance - kubectl config set-context --current --namespace=acceptance - kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI -} - -#cleanup -teardown() { - if [[ ${CLEANUP:-true} == "true" ]] - then - helm delete vault-east - helm delete vault-west - kubectl delete --all pvc - kubectl delete namespace acceptance --ignore-not-found=true - fi -} diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats deleted file mode 100644 index 7eaf0cc..0000000 
--- a/test/acceptance/server-ha-enterprise-perf.bats +++ /dev/null 
@@ -1,164 +0,0 @@ -#!/usr/bin/env bats - -load _helpers - -@test "server/ha-enterprise-raft: testing performance replica deployment" { - cd `chart_dir` - - helm install "$(name_prefix)-east" \ - --set='injector.enabled=false' \ - --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ - --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' \ - --set='server.enterpriseLicense.secretName=vault-license' . - wait_for_running "$(name_prefix)-east-0" - - # Sealed, not initialized - wait_for_sealed_vault $(name_prefix)-east-0 - - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.initialized') - [ "${init_status}" == "false" ] - - # Vault Init - local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ - vault operator init -format=json -n 1 -t 1) - - local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') - [ "${primary_token}" != "" ] - - local primary_root=$(echo ${init} | jq -r '.root_token') - [ "${primary_root}" != "" ] - - kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} - wait_for_ready "$(name_prefix)-east-0" - - sleep 30 - - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-east-0" ]] - then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} - wait_for_ready "${pod}" - fi - done - - # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] - - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] - - kubectl exec 
"$(name_prefix)-east-0" -- vault login ${primary_root} - - local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | - jq -r '.data.config.servers | length') - [ "${raft_status}" == "3" ] - - kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 - - local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json) - [ "${secondary}" != "" ] - - local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') - [ "${secondary_replica_token}" != "" ] - - # Install vault-west - helm install "$(name_prefix)-west" \ - --set='injector.enabled=false' \ - --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ - --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' \ - --set='server.enterpriseLicense.secretName=vault-license' . 
- wait_for_running "$(name_prefix)-west-0" - - # Sealed, not initialized - wait_for_sealed_vault $(name_prefix)-west-0 - - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.initialized') - [ "${init_status}" == "false" ] - - # Vault Init - local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ - vault operator init -format=json -n 1 -t 1) - - local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') - [ "${secondary_token}" != "" ] - - local secondary_root=$(echo ${init} | jq -r '.root_token') - [ "${secondary_root}" != "" ] - - kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} - wait_for_ready "$(name_prefix)-west-0" - - sleep 30 - - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-west-0" ]] - then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} - wait_for_ready "${pod}" - fi - done - - # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] - - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] - - kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} - - local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | - jq -r '.data.config.servers | length') - [ "${raft_status}" == "3" ] - - kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token} - - sleep 30 - - local pods=($(kubectl get pods 
--selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - if [[ ${pod?} != "$(name_prefix)-west-0" ]] - then - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} - wait_for_ready "${pod}" - fi - done -} - -setup() { - kubectl delete namespace acceptance --ignore-not-found=true - kubectl create namespace acceptance - kubectl config set-context --current --namespace=acceptance - kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI -} - -#cleanup -teardown() { - if [[ ${CLEANUP:-true} == "true" ]] - then - helm delete vault-east - helm delete vault-west - kubectl delete --all pvc - kubectl delete namespace acceptance --ignore-not-found=true - fi -} diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index f06ca87..3f6063c 100644 --- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -13,7 +13,7 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] 
@@ -57,45 +57,45 @@ load _helpers jq -r '.spec.ports[1].port') [ "${ports}" == "8201" ] - # Vault Init + # OpenBao Init local init=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - + local root=$(echo ${init} | jq -r '.root_token') [ "${root}" != "" ] - kubectl exec -ti vault-0 -- vault operator unseal ${token} + kubectl exec -ti openbao-0 -- bao operator unseal ${token} wait_for_ready "$(name_prefix)-0" sleep 5 - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + # OpenBao Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do if [[ ${pod?} != "$(name_prefix)-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${token} wait_for_ready "${pod}" fi done # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-0" -- vault login ${root} + kubectl exec "$(name_prefix)-0" -- bao login ${root} - local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json | + local 
raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json | jq -r '.data.config.servers | length') [ "${raft_status}" == "3" ] } @@ -112,9 +112,9 @@ teardown() { then # If the test failed, print some debug output if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then - kubectl logs -l app.kubernetes.io/name=vault + kubectl logs -l app.kubernetes.io/name=openbao fi - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats deleted file mode 100644 index 6876e0f..0000000 --- a/test/acceptance/server-ha.bats +++ /dev/null 
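Review bot: The leader unseal in the `-57,45` hunk hard-codes the pod name, `kubectl exec -ti openbao-0 -- bao operator unseal ${token}`, while every neighbouring line derives it from `$(name_prefix)-0`; it should read `kubectl exec -ti "$(name_prefix)-0" -- bao operator unseal ${token}` so the test survives a release-name change. The comment `# Sealed, not initialized` above the `sealed_status == "false"` check states the opposite of what is asserted; the sibling files on this page use `# Unsealed, initialized` at that point. The enclosing @test starts outside the hunk.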
@@ -1,121 +0,0 @@ -#!/usr/bin/env bats - -load _helpers - -@test "server/ha: testing deployment" { - cd `chart_dir` - - helm install "$(name_prefix)" \ - --set='server.ha.enabled=true' . - wait_for_running $(name_prefix)-0 - - # Sealed, not initialized - wait_for_sealed_vault $(name_prefix)-0 - - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.initialized') - [ "${init_status}" == "false" ] - - # Replicas - local replicas=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.replicas') - [ "${replicas}" == "3" ] - - # Volume Mounts - local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.containers[0].volumeMounts | length') - [ "${volumeCount}" == "2" ] - - # Volumes - local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.volumes | length') - [ "${volumeCount}" == "2" ] - - local volume=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.volumes[0].configMap.name') - [ "${volume}" == "$(name_prefix)-config" ] - - # Service - local service=$(kubectl get service "$(name_prefix)" --output json | - jq -r '.spec.clusterIP') - [ "${service}" != "None" ] - - local service=$(kubectl get service "$(name_prefix)" --output json | - jq -r '.spec.type') - [ "${service}" == "ClusterIP" ] - - local ports=$(kubectl get service "$(name_prefix)" --output json | - jq -r '.spec.ports | length') - [ "${ports}" == "2" ] - - local ports=$(kubectl get service "$(name_prefix)" --output json | - jq -r '.spec.ports[0].port') - [ "${ports}" == "8200" ] - - local ports=$(kubectl get service "$(name_prefix)" --output json | - jq -r '.spec.ports[1].port') - [ "${ports}" == "8201" ] - - # Vault Init - local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1 | \ - jq -r '.unseal_keys_b64[0]') - [ "${token}" != "" ] - - # Vault Unseal - local 
pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) - for pod in "${pods[@]}" - do - kubectl exec -ti ${pod} -- vault operator unseal ${token} - done - - wait_for_ready "$(name_prefix)-0" - - # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "false" ] - - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.initialized') - [ "${init_status}" == "true" ] -} - -# setup a consul env -setup() { - kubectl delete namespace acceptance --ignore-not-found=true - kubectl create namespace acceptance - kubectl config set-context --current --namespace=acceptance - - helm repo add hashicorp https://helm.releases.hashicorp.com - helm repo update - - CONSUL_HELM_VERSION=v0.48.0 - - K8S_MAJOR=$(kubectl version --output=json | jq -r .serverVersion.major) - K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor) - if [ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]; then - CONSUL_HELM_VERSION=v0.32.1 - fi - helm install consul hashicorp/consul \ - --version $CONSUL_HELM_VERSION \ - --set 'ui.enabled=false' - - wait_for_running_consul -} - -#cleanup -teardown() { - if [[ ${CLEANUP:-true} == "true" ]] - then - # If the test failed, print some debug output - if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then - kubectl logs -l app=consul - kubectl logs -l app.kubernetes.io/name=vault - fi - helm delete vault - helm delete consul - kubectl delete --all pvc - kubectl delete namespace acceptance --ignore-not-found=true - fi -} diff --git a/test/acceptance/server-telemetry.bats b/test/acceptance/server-telemetry.bats index a7c4e0d..2c35c45 100644 --- a/test/acceptance/server-telemetry.bats +++ b/test/acceptance/server-telemetry.bats 
@@ -19,7 +19,7 @@ load _helpers helm install \ --wait \ - --values ./test/acceptance/server-test/telemetry.yaml \ + --values ../../test/acceptance/server-test/telemetry.yaml \ "$(name_prefix)" . wait_for_running $(name_prefix)-0 @@ -27,31 +27,31 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - # Vault Init + # OpenBao Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1 | \ + bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + # OpenBao Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator unseal ${token} done wait_for_ready "$(name_prefix)-0" # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - # unfortunately it can take up to 2 minutes for the vault prometheus job to appear + # unfortunately it can take up to 2 minutes for the openbao prometheus job to appear # TODO: investigate how reduce this. local job_labels local tries=0 
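Review bot: The new `--values ../../test/acceptance/server-test/telemetry.yaml` in the `-19,7` hunk is relative to the working directory, which presumably is `chart_dir` (now `charts/openbao` per the `_helpers.bash` change further down), so it will silently break the next time the chart directory moves. Anchoring it to the test file instead, `--values "${BATS_TEST_DIRNAME}/server-test/telemetry.yaml"`, removes that coupling and matches how `chart_dir` itself is built. The enclosing @test starts outside the hunk.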
@@ -62,7 +62,7 @@ load _helpers -- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr ) # Ensure the expected job label was picked up by Prometheus - [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "vault-internal")')" = "true" ] && break + [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "openbao-internal")')" = "true" ] && break ((++tries)) sleep .5 @@ -72,7 +72,7 @@ load _helpers # Ensure the expected job is "up" local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \ -c prometheus \ - -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="vault-internal"}' ) | \ + -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="openbao-internal"}' ) | \ tee /dev/stderr ) [ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ] } diff --git a/test/acceptance/server-test/annotations-overrides.yaml b/test/acceptance/server-test/annotations-overrides.yaml index 459576a..5aba0f9 100644 --- a/test/acceptance/server-test/annotations-overrides.yaml +++ b/test/acceptance/server-test/annotations-overrides.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + server: annotations: | environment: production diff --git a/test/acceptance/server-test/telemetry.yaml b/test/acceptance/server-test/telemetry.yaml index 2925bc8..485992a 100644 --- a/test/acceptance/server-test/telemetry.yaml +++ b/test/acceptance/server-test/telemetry.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + server: standalone: config: | @@ -14,11 +17,11 @@ server: } storage "file" { - path = "/vault/data" + path = "/openbao/data" } telemetry { - prometheus_retention_time = "30s", + prometheus_retention_time = "30s" disable_hostname = true } diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index 1e944a0..e65d987 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats 
@@ -15,7 +15,7 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] @@ -40,7 +40,7 @@ load _helpers local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath') - [ "${mountPath}" == "/vault/data" ] + [ "${mountPath}" == "/openbao/data" ] # Volumes local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | @@ -72,27 +72,27 @@ load _helpers jq -r '.spec.ports[1].port') [ "${ports}" == "8201" ] - # Vault Init + # OpenBao Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1 | \ + bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + # OpenBao Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator unseal ${token} done wait_for_ready "$(name_prefix)-0" # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] } 
@@ -102,7 +102,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/chart/_helpers.bash b/test/chart/_helpers.bash index fb9db31..ac4c23b 100644 --- a/test/chart/_helpers.bash +++ b/test/chart/_helpers.bash @@ -1,6 +1,9 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # chart_dir returns the directory for the chart chart_dir() { - echo ${BATS_TEST_DIRNAME}/../.. + echo ${BATS_TEST_DIRNAME}/../../charts/openbao } # check_result checks if the specified test passed diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index 63c7939..bcbb3c3 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -5,10 +5,10 @@ load _helpers setup_file() { cd `chart_dir` export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" - export CHART_VOLUME=vault-helm-chart-src - local IMAGE="quay.io/redhat-certification/chart-verifier:1.2.1" + export CHART_VOLUME=openbao-helm-chart-src + local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7" # chart-verifier requires an openshift version if a cluster isn't available - local OPENSHIFT_VERSION="4.8" + local OPENSHIFT_VERSION="4.12" local DISABLED_TESTS="chart-testing" local run_cmd="chart-verifier" @@ -40,7 +40,7 @@ teardown_file() { } @test "has-kubeversion" { - check_result v1.0/has-kubeversion + check_result v1.1/has-kubeversion } @test "is-helm-v3" { 
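Review bot: `local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7"` in the verifier.bats `-5,10` hunk pulls the verifier by mutable tag, so what actually checks the chart depends on whatever that tag resolves to at run time. Pinning by digest, `chart-verifier:1.13.7@sha256:<digest>` (placeholder; take the value from the registry), makes the verification reproducible, and `OPENSHIFT_VERSION="4.12"` is only a label passed to the tool, which is worth saying in the existing comment. The `chart_dir` change in `test/chart/_helpers.bash` hard-wires the `charts/openbao` layout for every test that `cd`s into it; a one-line comment there, `# chart now lives under charts/openbao; tests resolve fixtures relative to this`, would document the assumption.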
@@ -76,10 +76,19 @@ teardown_file() { } @test "images-are-certified" { - check_result v1.0/images-are-certified + check_result v1.1/images-are-certified +} + +@test "required-annotations-present" { + check_result v1.0/required-annotations-present } @test "chart-testing" { skip "Skipping since this test requires a kubernetes/openshift cluster" check_result v1.0/chart-testing } + +@test "signature-is-valid" { + skip "Chart is not signed : Signature verification not required" + check_result v1.0/signature-is-valid +} diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile index 98afeac..69baa47 100644 --- a/test/docker/Test.dockerfile +++ b/test/docker/Test.dockerfile @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # This Dockerfile installs all the dependencies necessary to run the unit and # acceptance tests. This image also contains gcloud so you can run tests # against a GKE cluster easily. @@ -25,7 +28,11 @@ RUN apk update && apk add --no-cache --virtual .build-deps \ jq # yq -RUN pip install yq +RUN python3 -m venv venv && \ + . venv/bin/activate && \ + pip install yq && \ + ln -s $PWD/venv/bin/yq /usr/local/bin/yq && \ + deactivate # gcloud RUN curl -OL https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash && \ diff --git a/test/kind/config.yaml b/test/kind/config.yaml index 8b18a3a..5fef18a 100644 --- a/test/kind/config.yaml +++ b/test/kind/config.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: diff --git a/test/terraform/main.tf b/test/terraform/main.tf index 5c3570f..7b825a8 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + provider "google" { project = "${var.project}" } 
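Review bot: The new `signature-is-valid` test is skipped with `Chart is not signed : Signature verification not required`, which turns an absent provenance check into a permanent opt-out rather than a tracked gap. A short comment above the skip, `# TODO: remove the skip once the chart is signed (provenance file published with the release)`, keeps the omission visible; the `required-annotations-present` test uses the `v1.0` profile while the two updated checks moved to `v1.1`, which is worth a comment if intentional.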
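Review bot: The venv wrapper in the Test.dockerfile hunk still runs `pip install yq` with no version pin or hash, so every image build picks up whatever the index serves at that moment; `pip install 'yq==<version>'` (placeholder) with `--require-hashes` where feasible would make the test image reproducible. The `ln -s $PWD/venv/bin/yq /usr/local/bin/yq` link also depends on whichever `WORKDIR` is in effect at that `RUN`, which is not visible in the hunk; creating the venv at an absolute location such as `/opt/venv` avoids a dangling symlink if the working directory changes later in the file.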
@@ -16,7 +19,7 @@ data "google_service_account" "gcpapi" { } resource "google_container_cluster" "cluster" { - name = "vault-helm-dev-${random_id.suffix.dec}" + name = "openbao-helm-dev-${random_id.suffix.dec}" project = "${var.project}" enable_legacy_abac = true initial_node_count = 3 diff --git a/test/terraform/outputs.tf b/test/terraform/outputs.tf index 6435d2b..3793987 100644 --- a/test/terraform/outputs.tf +++ b/test/terraform/outputs.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + output "cluster_id" { value = "${google_container_cluster.cluster.id}" } diff --git a/test/terraform/variables.tf b/test/terraform/variables.tf index 971af4e..c219629 100644 --- a/test/terraform/variables.tf +++ b/test/terraform/variables.tf 
@@ -1,5 +1,8 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + variable "project" { - default = "vault-helm-dev-246514" + default = "openbao-helm-dev-246514" description = < 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/Agent-ConfigMap: name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-openbao-csi-provider-agent-config" ] +} + +@test "csi/Agent-ConfigMap: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/Agent-ConfigMap: OpenBao addr not affected by injector setting" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --release-name not-external-test \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ + . | tee /dev/stderr | + yq -r '.data["config.hcl"]' | tee /dev/stderr) + echo "${actual}" | grep "http://not-external-test-openbao.default.svc:8200" +} + +@test "csi/Agent-ConfigMap: OpenBao addr correctly set for externalVaultAddr" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --set 'global.externalVaultAddr=http://openbao-outside' \ + . | tee /dev/stderr | + yq -r '.data["config.hcl"]' | tee /dev/stderr) + echo "${actual}" | grep "http://openbao-outside" +} 
diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats index 2bed541..60346b8 100644 --- a/test/unit/csi-clusterrole.bats +++ b/test/unit/csi-clusterrole.bats @@ -29,5 +29,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] -} \ No newline at end of file + [ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ] +} diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index ccd98c5..522c7ac 100644 --- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.roleRef.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ] } # ClusterRoleBinding service account name @@ -40,5 +40,25 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.subjects[0].name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-csi-provider" ] -} \ No newline at end of file + [ "${actual}" = "release-name-openbao-csi-provider" ] +} + +# ClusterRoleBinding service account namespace +@test "csi/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 0da308b..4f4e759 100644 
--- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -30,6 +30,26 @@ load _helpers [ "${actual}" = "true" ] } +# namespace +@test "csi/daemonset: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + # priorityClassName @test "csi/daemonset: priorityClassName not set by default" { 
@@ -61,28 +81,36 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-csi-provider" ] + [ "${actual}" = "release-name-openbao-csi-provider" ] } # Image -@test "csi/daemonset: image is configurable" { +@test "csi/daemonset: images are configurable" { cd `chart_dir` - local actual=$(helm template \ + local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set "csi.enabled=true" \ - --set "csi.image.repository=SomeOtherImage" \ + --set "csi.image.repository=Image1" \ --set "csi.image.tag=0.0.1" \ + --set "csi.image.pullPolicy=PullPolicy1" \ + --set "csi.agent.image.repository=Image2" \ + --set "csi.agent.image.tag=0.0.2" \ + --set "csi.agent.image.pullPolicy=PullPolicy2" \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "SomeOtherImage:0.0.1" ] + yq -r '.spec.template.spec.containers' | tee /dev/stderr) - local actual=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set "csi.enabled=true" \ - --set "csi.image.pullPolicy=SomePullPolicy" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr) - [ "${actual}" = "SomePullPolicy" ] + local actual=$(echo $object | + yq -r '.[0].image' | tee /dev/stderr) + [ "${actual}" = "docker.io/Image1:0.0.1" ] + local actual=$(echo $object | + yq -r '.[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "PullPolicy1" ] + local actual=$(echo $object | + yq -r '.[1].image' | tee /dev/stderr) + [ "${actual}" = "quay.io/Image2:0.0.2" ] + local actual=$(echo $object | + yq -r '.[1].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "PullPolicy2" ] } @test "csi/daemonset: Custom imagePullSecrets" { 
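Review bot: The rewritten `csi/daemonset: images are configurable` test asserts `docker.io/Image1:0.0.1` and `quay.io/Image2:0.0.2` without ever setting a registry, so the registry prefix it pins is an implicit chart default the test does not control. If the chart exposes a registry setting (not visible on this page), passing it explicitly makes the assertion self-contained; if it does not, a comment naming where the `docker.io`/`quay.io` prefixes come from would help the next reader. `echo $object |` is unquoted and word-splits the captured YAML; it works only because `yq` re-parses the stream, and `echo "$object"` matches the `echo "${job_labels}"` form used elsewhere on this page.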
@@ -160,6 +188,25 @@ load _helpers [ "${actual}" = "--debug=true" ] } +# HMAC secret arg +@test "csi/daemonset: HMAC secret arg is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr) + [ "${actual}" = "--hmac-secret-name=openbao-csi-provider-hmac-key" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.hmacSecretName=foo" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr) + [ "${actual}" = "--hmac-secret-name=foo" ] +} + # Extra args @test "csi/daemonset: extra args can be passed" { cd `chart_dir` @@ -168,7 +215,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].args | length' | tee /dev/stderr) - [ "${actual}" = "2" ] + [ "${actual}" = "3" ] local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ @@ -178,15 +225,15 @@ load _helpers yq -r '.spec.template.spec.containers[0]') local actual=$(echo $object | yq -r '.args | length' | tee /dev/stderr) - [ "${actual}" = "5" ] - local actual=$(echo $object | - yq -r '.args[2]' | tee /dev/stderr) - [ "${actual}" = "--foo=bar" ] + [ "${actual}" = "6" ] local actual=$(echo $object | yq -r '.args[3]' | tee /dev/stderr) - [ "${actual}" = "--bar baz" ] + [ "${actual}" = "--foo=bar" ] local actual=$(echo $object | yq -r '.args[4]' | tee /dev/stderr) + [ "${actual}" = "--bar baz" ] + local actual=$(echo $object | + yq -r '.args[5]' | tee /dev/stderr) [ "${actual}" = "first" ] } 
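Review bot: The default asserted in `csi/daemonset: HMAC secret arg is configurable`, `--hmac-secret-name=openbao-csi-provider-hmac-key`, carries no release-name prefix, unlike `release-name-openbao-csi-provider` in the `-61` hunk, so two releases in one namespace would appear to share the same HMAC-key Secret; if that is intentional the chart default and this test should say so, otherwise the default should be derived from the release fullname. The test also pins the argument by fixed index, `args[2]`, and the `-168` and `-178` hunks had to re-index every assertion when the new flag was inserted; selecting it by prefix, `yq -r '.spec.template.spec.containers[0].args[] | select(startswith("--hmac-secret-name="))'`, keeps these tests stable across argument reordering.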
@@ -318,6 +365,74 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# nodeSelector +@test "csi/daemonset: nodeSelector not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .nodeSelector? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: nodeSelector can be set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.nodeSelector=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: nodeSelector can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set "csi.pod.nodeSelector.foo=bar,csi.pod.nodeSelector.baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector.foo == "bar" and .spec.template.spec.nodeSelector.baz == "qux"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# affinity +@test "csi/daemonset: affinity not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .affinity? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: affinity can be set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.affinity=foobar' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.affinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: affinity can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set "csi.pod.affinity.podAntiAffinity=foobar" \ + . | tee /dev/stderr | + yq '.spec.template.spec.affinity.podAntiAffinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # Extra Labels @@ -379,21 +494,6 @@ load _helpers [ "${actual}" = "/etc/kubernetes/secrets-store-csi-providers" ] } -@test "csi/daemonset: csi kubeletRootDir default" { - cd `chart_dir` - - # Test that it defines it - local object=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "mountpoint-dir")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.hostPath.path' | tee /dev/stderr) - [ "${actual}" = "/var/lib/kubelet/pods" ] -} - @test "csi/daemonset: csi providersDir override " { cd `chart_dir` @@ -410,22 +510,6 @@ load _helpers [ "${actual}" = "/alt/csi-prov-dir" ] } -@test "csi/daemonset: csi kubeletRootDir override" { - cd `chart_dir` - - # Test that it defines it - local object=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - --set 'csi.daemonSet.kubeletRootDir=/alt/kubelet-root' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "mountpoint-dir")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.hostPath.path' | tee /dev/stderr) - [ "${actual}" = "/alt/kubelet-root/pods" ] -} - #-------------------------------------------------------------------- # volumeMounts 
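Review bot: `csi/daemonset: nodeSelector can be set as string` and its affinity twin assert that a literal `foobar` is rendered verbatim; the API server rejects a string `nodeSelector`, so these tests only show the template passes the value through, presumably because the chart renders string values with `tpl`. A comment above each string test, `# string form exists so the value can be a template rendered via tpl; a literal string is not a valid nodeSelector`, would stop a reader from taking it as support for plain strings, assuming that is indeed the chart's behaviour. The removed `kubeletRootDir` tests at `-379` and `-410` were the only coverage of the `mountpoint-dir` hostPath volume; if the chart still mounts the kubelet root, that host-access surface is now untested, and if the mount was dropped, that reduction is worth a changelog line.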
@@ -564,19 +648,47 @@ load _helpers [ "${actual}" = "14" ] } -@test "csi/daemonset: with only injector.externalVaultAddr" { +@test "csi/daemonset: VAULT_ADDR defaults to Agent unix socket" { cd `chart_dir` local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --release-name not-external-test \ - --set 'injector.externalVaultAddr=http://vault-outside' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "http://not-external-test-vault.default.svc:8200" ] + [ "${value}" = "unix:///var/run/vault/agent.sock" ] +} + +@test "csi/daemonset: VAULT_ADDR remains pointed to Agent unix socket if external Vault" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'global.externalVaultAddr=http://openbao-outside' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "unix:///var/run/vault/agent.sock" ] +} + +@test "csi/daemonset: with only injector.externalVaultAddr" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.enabled=false' \ + --release-name not-external-test \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://not-external-test-openbao.default.svc:8200" ] } @test "csi/daemonset: with global.externalVaultAddr" { 
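Review bot: The new default assertion `[ "${value}" = "unix:///var/run/vault/agent.sock" ]` and the test titles keep `VAULT_ADDR` and a `/var/run/vault/` socket path, while the sidecar tests in the `-648` hunk assert `BAO_LOG_LEVEL`/`BAO_LOG_FORMAT`; if the provider container deliberately keeps `VAULT_ADDR` because the provider binary reads that name, a comment above the first test saying so would prevent the next rename pass from "fixing" it. The second test, `VAULT_ADDR remains pointed to Agent unix socket if external Vault`, pins the security-relevant property here, that external-server traffic still goes through the local agent socket rather than a direct URL, so a one-line comment stating that intent is worth adding.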
@@ -584,13 +696,14 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'global.externalVaultAddr=http://vault-outside' \ + --set 'csi.agent.enabled=false' \ + --set 'global.externalVaultAddr=http://openbao-outside' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "http://vault-outside" ] + [ "${value}" = "http://openbao-outside" ] } #-------------------------------------------------------------------- 
@@ -648,3 +761,93 @@ load _helpers yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +#-------------------------------------------------------------------- +# Agent sidecar configurables + +@test "csi/daemonset: Agent sidecar enabled by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers | length' | tee /dev/stderr) + [ "${actual}" = "2" ] +} + +@test "csi/daemonset: Agent sidecar can pass extra args" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.extraArgs[0]=-config=extra-config.hcl' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].args[2]' | tee /dev/stderr) + [ "${actual}" = "-config=extra-config.hcl" ] +} + +@test "csi/daemonset: Agent log level settable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.logLevel=error' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "error" ] +} + +@test "csi/daemonset: Agent log format settable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.logFormat=json' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] +} + +@test "csi/daemonset: Agent default resources" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].resources' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: Agent custom resources" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.resources.requests.memory=256Mi' \ + --set 'csi.agent.resources.requests.cpu=250m' \ + --set 'csi.agent.resources.limits.memory=512Mi' \ + --set 'csi.agent.resources.limits.cpu=500m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].resources' | tee /dev/stderr) + local value=$(echo $object | + yq -r '.requests.memory' | tee /dev/stderr) + [ "${value}" = "256Mi" ] + + local value=$(echo $object | + yq -r '.requests.cpu' | tee /dev/stderr) + [ "${value}" = "250m" ] + + local value=$(echo $object | + yq -r '.limits.memory' | tee /dev/stderr) + [ "${value}" = "512Mi" ] + + local value=$(echo $object | + yq -r '.limits.cpu' | tee /dev/stderr) + [ "${value}" = "500m" ] +} diff --git a/test/unit/csi-role.bats b/test/unit/csi-role.bats new file mode 100644 index 0000000..0f84936 --- /dev/null +++ b/test/unit/csi-role.bats 
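Review bot: `Agent sidecar can pass extra args` asserts `.args[2]`, which couples the test to the exact position of the chart's fixed arguments and will break, or pass for the wrong reason, if those are reordered; an order-independent check such as `yq -r '.spec.template.spec.containers[1].args | index("-config=extra-config.hcl") != null'` is more robust. `Agent default resources` also pins that the sidecar ships with `resources: null`, i.e. no requests or limits for a container that a DaemonSet places on every node; if that is deliberate, a one-line comment (`# the agent sidecar intentionally ships without default requests/limits; operators set csi.agent.resources`) stops a later reviewer from reading it as an oversight. None of the new sidecar tests cover the agent container's `securityContext`, so a regression to a root or privileged agent would not be caught by this suite.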
@@ -0,0 +1,58 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/Role: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-role.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/Role: names" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-openbao-csi-provider-role" ] + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr) + [ "${actual}" = "openbao-csi-provider-hmac-key" ] +} + +@test "csi/Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/Role: HMAC secret name configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --set 'csi.hmacSecretName=foo' \ + . | tee /dev/stderr | + yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} diff --git a/test/unit/csi-rolebinding.bats b/test/unit/csi-rolebinding.bats new file mode 100644 index 0000000..692ea38 --- /dev/null +++ b/test/unit/csi-rolebinding.bats 
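Review bot: `csi/Role: names` pins `.rules[0].resourceNames[0]` but neither `.rules[0].resources` nor `.rules[0].verbs`, so the least-privilege contract of this Role (one named Secret, a limited verb set) is not actually enforced: a later change adding `list`, `*`, or a second unscoped rule would pass. Note too that Kubernetes RBAC cannot restrict `create` (nor, without a field selector, `list`/`watch`) by `resourceNames`, so if the chart grants `create` here the effective scope is every Secret in the namespace — worth a comment in the template and a pinned verb list in the test. A test along these lines would catch widening (substitute the verbs the template actually emits today):

```shell
@test "csi/Role: hmac secret rule is scoped" {
  cd `chart_dir`
  local object=$(helm template \
      --show-only templates/csi-role.yaml \
      --set "csi.enabled=true" \
      . | tee /dev/stderr)
  [ "$(echo "$object" | yq -r '.rules | length')" = "1" ]
  [ "$(echo "$object" | yq -c '.rules[0].resources')" = '["secrets"]' ]
  # pin the exact verb list the template emits; resourceNames cannot scope create/list/watch
  [ "$(echo "$object" | yq -c '.rules[0].verbs | sort')" = '["get","update"]' ]
}
```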
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/RoleBinding: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-rolebinding.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/RoleBinding: name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-openbao-csi-provider-rolebinding" ] +} + +@test "csi/RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 41c1734..8d74b41 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats 
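Review bot: The new `csi-rolebinding.bats` checks only the binding's name and namespace, not what it binds: neither `.roleRef` nor `.subjects` is asserted, so a RoleBinding pointing at the wrong role or granting the Role to a different ServiceAccount would pass. Pin them, e.g. `[ "$(echo "$object" | yq -r '.roleRef.kind')" = "Role" ]`, `[ "$(echo "$object" | yq -r '.roleRef.name')" = "release-name-openbao-csi-provider-role" ]` and `[ "$(echo "$object" | yq -r '.subjects[0].name')" = "release-name-openbao-csi-provider" ]`, reusing the names the sibling csi-role and csi-serviceaccount tests already expect. In the `global.namespace=bar` case also assert `.subjects[0].namespace` follows the override, since a subject namespace that lags behind `metadata.namespace` silently breaks the grant.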
@@ -29,7 +29,27 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-csi-provider" ] + [ "${actual}" = "release-name-openbao-csi-provider" ] +} + +# serviceAccountNamespace namespace +@test "csi/daemonset: serviceAccountNamespace namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] } @test "csi/serviceAccount: specify annotations" { diff --git a/test/unit/injector-clusterrole.bats b/test/unit/injector-clusterrole.bats index 7c25f39..0956cce 100755 --- a/test/unit/injector-clusterrole.bats +++ b/test/unit/injector-clusterrole.bats 
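Review bot: The new test is registered as `csi/daemonset: serviceAccountNamespace namespace` (and the comment above it repeats `serviceAccountNamespace namespace`) although it renders `templates/csi-serviceaccount.yaml`; in a suite where every other test is prefixed by the template it exercises, a failure here would be filed against the DaemonSet. Rename it to `csi/serviceAccount: namespace` and reword the comment to `# ServiceAccount namespace follows --namespace and is overridden by global.namespace`.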
@@ -20,3 +20,33 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "injector/ClusterRole: no nodes permissions when replicas=1" { + cd `chart_dir` + local rules=$(helm template \ + --show-only templates/injector-clusterrole.yaml \ + --set 'injector.replicas=1' \ + . | tee /dev/stderr | + yq '.rules' | tee /dev/stderr) + rules_length=$(echo "${rules}" | yq 'length') + [ "${rules_length}" = "1" ] + resources_length=$(echo "${rules}" | yq '.[0].resources | length') + [ "${resources_length}" = "1" ] + resource=$(echo "${rules}" | yq -r '.[0].resources[0]') + [ "${resource}" = "mutatingwebhookconfigurations" ] +} + +@test "injector/ClusterRole: nodes permissions when replicas=2" { + cd `chart_dir` + local rules=$(helm template \ + --show-only templates/injector-clusterrole.yaml \ + --set 'injector.replicas=2' \ + . | tee /dev/stderr | + yq '.rules' | tee /dev/stderr) + rules_length=$(echo "${rules}" | yq 'length') + [ "${rules_length}" = "2" ] + resources_length=$(echo "${rules}" | yq '.[1].resources | length') + [ "${resources_length}" = "1" ] + resource=$(echo "${rules}" | yq -r '.[1].resources[0]') + [ "${resource}" = "nodes" ] +} diff --git a/test/unit/injector-clusterrolebinding.bats b/test/unit/injector-clusterrolebinding.bats index 6e21787..9a99b34 100755 --- a/test/unit/injector-clusterrolebinding.bats +++ b/test/unit/injector-clusterrolebinding.bats 
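Review bot: Both new ClusterRole tests assert the resource names (`mutatingwebhookconfigurations`, `nodes`) but never the verbs, and a cluster-scoped grant on `mutatingwebhookconfigurations` is precisely the permission that lets a compromised injector pod re-point the webhook at any workload cluster-wide, so the verb list is the part worth pinning — e.g. `[ "$(echo "${rules}" | yq -c '.[0].verbs | sort')" = '[...]' ]` with the verbs the template currently emits. The same applies to the `nodes` rule added for `replicas=2`: if it is meant to be read-only, assert that so an `update`/`patch` verb cannot slip in later. As a style point, `rules_length`, `resources_length` and `resource` are assigned without `local` and leak into the bats test scope; the other tests in this file declare their variables `local`.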
@@ -20,3 +20,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "injector/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-clusterrolebinding.yaml \ + --set "injector.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-clusterrolebinding.yaml \ + --set "injector.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 9d2271c..f5d9d1e 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -42,6 +42,25 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/deployment: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/deployment: image defaults to injector.image" { cd `chart_dir` local actual=$(helm template \ @@ -50,7 +69,7 @@ load _helpers --set 'injector.image.tag=1.2.3' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "docker.io/foo:1.2.3" ] local actual=$(helm template \ --show-only templates/injector-deployment.yaml \ 
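Review bot: The updated expectation `docker.io/foo:1.2.3` shows the chart now prefixes a registry onto `injector.image.repository`, but this hunk has no case for a repository that already carries a registry host (for example `ghcr.io/foo`), so a template that blindly concatenates would render `docker.io/ghcr.io/foo:1.2.3` and pull the wrong image, or fail to pull, without any test noticing. Add a case setting `injector.image.repository=ghcr.io/foo` and asserting the rendered image is `ghcr.io/foo:1.2.3`, or, if the chart exposes a separate registry value, a case that sets it and asserts that value is what gets prefixed. The enclosing test continues past the end of this hunk.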
@@ -58,7 +77,7 @@ load _helpers --set 'injector.image.tag=1.2.3' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "docker.io/foo:1.2.3" ] } @test "injector/deployment: default imagePullPolicy" { @@ -167,7 +186,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "release-name-vault-agent-injector-cfg" ] + [ "${value}" = "release-name-openbao-agent-injector-cfg" ] # helm template does uses current context namespace and ignores namespace flags, so # discover the targeted namespace so we can check the rendered value correctly. @@ -175,7 +194,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.${namespace:-default},release-name-vault-agent-injector-svc.${namespace:-default}.svc" ] + [ "${value}" = "release-name-openbao-agent-injector-svc,release-name-openbao-agent-injector-svc.${namespace:-default},release-name-openbao-agent-injector-svc.${namespace:-default}.svc" ] } @test "injector/deployment: manual TLS adds volume mount" { @@ -183,7 +202,7 @@ load _helpers local object=$(helm template \ --show-only templates/injector-deployment.yaml \ --set 'injector.enabled=true' \ - --set 'injector.certs.secretName=vault-tls' \ + --set 'injector.certs.secretName=openbao-tls' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "webhook-certs")' | tee /dev/stderr) 
@@ -200,40 +219,40 @@ load _helpers cd `chart_dir` local object=$(helm template \ --show-only templates/injector-deployment.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "http://vault-outside" ] + [ "${value}" = "http://openbao-outside" ] } @test "injector/deployment: with global.externalVaultAddr" { cd `chart_dir` local object=$(helm template \ --show-only templates/injector-deployment.yaml \ - --set 'global.externalVaultAddr=http://vault-outside' \ + --set 'global.externalVaultAddr=http://openbao-outside' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "http://vault-outside" ] + [ "${value}" = "http://openbao-outside" ] } @test "injector/deployment: global.externalVaultAddr takes precendence over injector.externalVaultAddr" { cd `chart_dir` local object=$(helm template \ --show-only templates/injector-deployment.yaml \ - --set 'global.externalVaultAddr=http://global-vault-outside' \ - --set 'injector.externalVaultAddr=http://injector-vault-outside' \ + --set 'global.externalVaultAddr=http://global-openbao-outside' \ + --set 'injector.externalVaultAddr=http://injector-openbao-outside' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "http://global-vault-outside" ] + [ "${value}" = "http://global-openbao-outside" ] } @test "injector/deployment: without externalVaultAddr" { 
@@ -247,7 +266,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "http://not-external-test-vault.default.svc:8200" ] + [ "${value}" = "http://not-external-test-openbao.default.svc:8200" ] } @test "injector/deployment: default authPath" { 
@@ -275,6 +294,135 @@ load _helpers [ "${value}" = "auth/k8s" ] } +@test "injector/deployment: default livenessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set livenessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.livenessProbe.failureThreshold=100' \ + --set 'injector.livenessProbe.initialDelaySeconds=100' \ + --set 'injector.livenessProbe.periodSeconds=100' \ + --set 'injector.livenessProbe.successThreshold=100' \ + --set 'injector.livenessProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + +@test "injector/deployment: default readinessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set readinessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.readinessProbe.failureThreshold=100' \ + --set 'injector.readinessProbe.initialDelaySeconds=100' \ + --set 'injector.readinessProbe.periodSeconds=100' \ + --set 'injector.readinessProbe.successThreshold=100' \ + --set 'injector.readinessProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + +@test "injector/deployment: default startupProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].startupProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "12" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set startupProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.startupProbe.failureThreshold=100' \ + --set 'injector.startupProbe.initialDelaySeconds=100' \ + --set 'injector.startupProbe.periodSeconds=100' \ + --set 'injector.startupProbe.successThreshold=100' \ + --set 'injector.startupProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].startupProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + @test "injector/deployment: default logLevel" { cd `chart_dir` local object=$(helm template \ @@ -834,6 +982,7 @@ EOF local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) [ "${value}" = "64Mi" ] + } @test "injector/deployment: can set agent default resources" { @@ -844,6 +993,8 @@ EOF --set 'injector.agentDefaults.cpuRequest=cpuRequest' \ --set 'injector.agentDefaults.memLimit=memLimit' \ --set 'injector.agentDefaults.memRequest=memRequest' \ + --set 'injector.agentDefaults.ephemeralLimit=ephemeralLimit' \ + --set 'injector.agentDefaults.ephemeralRequest=ephemeralRequest' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) @@ -862,6 +1013,14 @@ EOF local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) [ "${value}" = "memRequest" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_EPHEMERAL_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "ephemeralLimit" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_EPHEMERAL_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "ephemeralRequest" ] } @test "injector/deployment: agent default template" { 
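Review bot: The three `can set ... settings` tests set every probe field to the same value `100`, so they cannot detect a template that wires a field to the wrong value (e.g. `timeoutSeconds` rendered from `periodSeconds`); use a distinct value per field (`failureThreshold=11`, `initialDelaySeconds=12`, `periodSeconds=13`, `timeoutSeconds=14`) so each assertion is tied to its own input. Note also that Kubernetes requires `successThreshold` to be 1 for liveness and startup probes, so `successThreshold=100` in those two tests pins a value the API server would reject; `helm template` does not validate it, which is why this passes. The default-probe tests pin `timeoutSeconds: 5` against `periodSeconds: 2`, which is allowed but means one slow check spans several periods — fine if deliberate, worth a one-line comment in `values.yaml`.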
diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index 2f8f50a..a7af871 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats @@ -11,6 +11,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/DisruptionBudget: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { cd `chart_dir` local actual=$(helm template \ 
@@ -31,24 +50,13 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { +@test "injector/DisruptionBudget: apiVersion is set correctly >= version 1.21 of kube" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ --set 'injector.podDisruptionBudget.minAvailable=2' \ - --kube-version 1.19.5 \ - . | tee /dev/stderr | - yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-disruptionbudget.yaml \ - --set 'injector.podDisruptionBudget.minAvailable=2' \ - --kube-version 1.22.5 \ + --kube-version 1.27.5 \ . | tee /dev/stderr | yq '.apiVersion == "policy/v1"' | tee /dev/stderr) [ "${actual}" = "true" ] -} \ No newline at end of file +} diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index bbd4829..e72354a 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats @@ -96,6 +96,14 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-certs-secret.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/role: created/skipped as appropriate" { 
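Review bot: Removing the `policy/v1beta1` case and bumping `--kube-version` to 1.27.5 leaves no assertion for clusters below 1.21; if the template still branches on the Kubernetes version that branch is now dead and untested, and if the branch was removed the chart should state its floor in `Chart.yaml` (`kubeVersion: ">= 1.21.0-0"`) so Helm refuses the install up front instead of failing at apply time on an API that does not exist. The single remaining test at 1.27.5 also no longer exercises the `>= 1.21` boundary its name claims; rendering at `--kube-version 1.21.0` would.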
@@ -147,6 +155,14 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-role.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/rolebinding: created/skipped as appropriate" { @@ -198,4 +214,12 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-rolebinding.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 0a8be0a..bd0499b 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats @@ -40,6 +40,14 @@ load _helpers . | tee /dev/stderr | yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/MutatingWebhookConfiguration: caBundle is empty string" { @@ -323,4 +331,4 @@ load _helpers yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) [ "${actual}" = "true" ] -} \ No newline at end of file +} diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats index 8e7acd7..32bb696 100644 --- a/test/unit/injector-psp-role.bats 
+++ b/test/unit/injector-psp-role.bats @@ -33,3 +33,24 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/PodSecurityPolicy-Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp-role.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-psp-role.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats index 88bfe79..f978acf 100644 --- a/test/unit/injector-psp-rolebinding.bats +++ b/test/unit/injector-psp-rolebinding.bats @@ -33,3 +33,24 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/PodSecurityPolicy-RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} diff --git a/test/unit/injector-psp.bats b/test/unit/injector-psp.bats index a415358..a8b021a 100644 --- a/test/unit/injector-psp.bats +++ b/test/unit/injector-psp.bats 
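Review bot: The two new namespace tests extend coverage of `injector-psp-role.yaml` and `injector-psp-rolebinding.yaml`, but PodSecurityPolicy was removed from Kubernetes in 1.25, so the `global.psp.enable=true` path these tests exercise can only render objects that current clusters reject. If the chart keeps PSP for older clusters, render these tests with an explicit `--kube-version` below 1.25 and say so in a comment (`# PSP objects only exist on Kubernetes < 1.25`); otherwise consider deprecating the value in favour of Pod Security Admission namespace labels, which is what supported clusters enforce.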
@@ -51,9 +51,9 @@ load _helpers --show-only templates/injector-psp.yaml \ --set 'injector.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations=vault-is: amazing' \ + --set 'global.psp.annotations=openbao-is: amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] } @@ -63,8 +63,8 @@ load _helpers --show-only templates/injector-psp.yaml \ --set 'injector.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations.vault-is=amazing' \ + --set 'global.psp.annotations.openbao-is=amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] } diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index 027eaa0..a2907b4 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats @@ -18,6 +18,23 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/Service: service with default port" { cd `chart_dir` local actual=$(helm template \ 
@@ -59,8 +76,8 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-service.yaml \ - --set 'injector.service.annotations=vaultIsAwesome: true' \ + --set 'injector.service.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/test/unit/injector-serviceaccount.bats b/test/unit/injector-serviceaccount.bats index bf178a3..d3936ef 100755 --- a/test/unit/injector-serviceaccount.bats +++ b/test/unit/injector-serviceaccount.bats @@ -21,12 +21,29 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/ServiceAccount: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-serviceaccount.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-serviceaccount.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/ServiceAccount: generic annotations" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-serviceaccount.yaml \ - --set 'injector.serviceAccount.annotations=vaultIsAwesome: true' \ + --set 'injector.serviceAccount.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/test/unit/prometheus-prometheusrules.bats b/test/unit/prometheus-prometheusrules.bats index 87736cf..4a17651 100755 --- a/test/unit/prometheus-prometheusrules.bats +++ b/test/unit/prometheus-prometheusrules.bats 
@@ -6,7 +6,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -26,16 +26,16 @@ load _helpers local output=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ --set 'serverTelemetry.prometheusRules.enabled=true' \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ - --set 'serverTelemetry.prometheusRules.rules.baz=qux' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[1].baz=qux' \ .) | tee /dev/stderr ) [ "$(echo "$output" | yq -r '.spec.groups | length')" = "1" ] [ "$(echo "$output" | yq -r '.spec.groups[0] | length')" = "2" ] - [ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-vault" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-openbao" ] [ "$(echo "$output" | yq -r '.spec.groups[0].rules | length')" = "2" ] - [ "$(echo "$output" | yq -r '.spec.groups[0].rules.foo')" = "bar" ] - [ "$(echo "$output" | yq -r '.spec.groups[0].rules.baz')" = "qux" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules[0].foo')" = "bar" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules[1].baz')" = "qux" ] } @test "prometheus/PrometheusRules-server: assertSelectors default" { @@ -43,7 +43,7 @@ load _helpers local output=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ --set 'serverTelemetry.prometheusRules.enabled=true' \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ . ) | tee /dev/stderr) [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "5" ] 
@@ -55,7 +55,7 @@ load _helpers
 local output=$( (helm template \
 --show-only templates/prometheus-prometheusrules.yaml \
 --set 'serverTelemetry.prometheusRules.enabled=true' \
- --set 'serverTelemetry.prometheusRules.rules.foo=bar' \
+ --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \
 --set 'serverTelemetry.prometheusRules.selectors.baz=qux' \
 --set 'serverTelemetry.prometheusRules.selectors.bar=foo' \
 . ) | tee /dev/stderr)
diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats
index 9d05aea..b5c6930 100755
--- a/test/unit/server-clusterrolebinding.bats
+++ b/test/unit/server-clusterrolebinding.bats
@@ -66,8 +66,25 @@ load _helpers
 local actual=$( (helm template \
 --show-only templates/server-clusterrolebinding.yaml \
 --set 'server.enabled=false' \
- --set 'injector.externalVaultAddr=http://vault-outside' \
+ --set 'injector.externalVaultAddr=http://openbao-outside' \
 . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+
+@test "server/ClusterRoleBinding: service account namespace" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-clusterrolebinding.yaml \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.subjects[0].namespace' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+ local actual=$(helm template \
+ --show-only templates/server-clusterrolebinding.yaml \
+ --set 'global.namespace=bar' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.subjects[0].namespace' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats
index fe2ac12..55d67e9 100755
--- a/test/unit/server-configmap.bats
+++ b/test/unit/server-configmap.bats
@@ -75,6 +75,23 @@ load _helpers
 [ "${actual}" = "false" ]
 }
+@test "server/ConfigMap: namespace" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-config-configmap.yaml \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+ local actual=$(helm template \
+ --show-only templates/server-config-configmap.yaml \
+ --set 'global.namespace=bar' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
 @test "server/ConfigMap: standalone extraConfig is set" {
 cd `chart_dir`
 local actual=$(helm template \
@@ -117,8 +134,27 @@ load _helpers
 cd `chart_dir`
 local actual=$( (helm template \
 --show-only templates/server-config-configmap.yaml \
- --set 'injector.externalVaultAddr=http://vault-outside' \
+ --set 'injector.externalVaultAddr=http://openbao-outside' \
 . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
+
+@test "server/ConfigMap: config checksum annotation defaults to off" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-config-configmap.yaml \
+ . | tee /dev/stderr |
+ yq '.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "server/ConfigMap: config checksum annotation can be enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-config-configmap.yaml \
+ --set 'server.includeConfigAnnotation=true' \
+ . | tee /dev/stderr |
+ yq '.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats
index 3c5f9d8..19c94a0 100755
--- a/test/unit/server-dev-statefulset.bats
+++ b/test/unit/server-dev-statefulset.bats
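Review bot: The two checksum tests pin the annotation key `vault.hashicorp.com/config-checksum`, the one identifier in this commit that keeps the vault prefix while every other name moves to openbao, and the `defaults to off` test cannot notice a renamed key because `== null` is equally true when the annotation is emitted under some other name. If the key is deliberately kept, a comment above the first test saying so would stop the next rename pass from changing it in the tests alone; if it is an oversight, the template and both tests need to move together, since a key mismatch between them would make `can be enabled` fail and `defaults to off` pass vacuously. The enclosing file continues outside the hunk, so whether other tests in it reference the same key is not visible here.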
@@ -27,7 +27,7 @@ load _helpers
 cd `chart_dir`
 local actual=$( (helm template \
 --show-only templates/server-statefulset.yaml \
- --set 'injector.externalVaultAddr=http://vault-outside' \
+ --set 'injector.externalVaultAddr=http://openbao-outside' \
 --set 'server.dev.enabled=true' \
 . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
@@ -43,7 +43,7 @@ load _helpers
 --set 'server.dev.enabled=true' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
- [ "${actual}" = "foo:1.2.3" ]
+ [ "${actual}" = "quay.io/foo:1.2.3" ]
 }
 @test "server/ha-StatefulSet: image tag defaults to latest" {
@@ -56,7 +56,7 @@ load _helpers
 --set 'server.dev.enabled=true' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
- [ "${actual}" = "foo:latest" ]
+ [ "${actual}" = "quay.io/foo:latest" ]
 }
 #--------------------------------------------------------------------
@@ -184,7 +184,7 @@ load _helpers
 local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr)
- [ "${actual}" = "/vault/userconfig/foo" ]
+ [ "${actual}" = "/openbao/userconfig/foo" ]
 }
 @test "server/dev-StatefulSet: adds extra secret volume" {
@@ -222,7 +222,7 @@ load _helpers
 local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr)
- [ "${actual}" = "/vault/userconfig/foo" ]
+ [ "${actual}" = "/openbao/userconfig/foo" ]
 }
 @test "server/dev-StatefulSet: no storageClass on claim by default" {
diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats
index 11473a0..16799dc 100755
--- a/test/unit/server-discovery-role.bats
+++ b/test/unit/server-discovery-role.bats
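Review bot: In the `@@ -43,7` and `@@ -56,7` hunks the expected image becomes `quay.io/foo:1.2.3` and `quay.io/foo:latest`, so a registry is now prepended to the repository set earlier in each test (those `--set` lines for the image are outside the hunk), but nothing pins what happens when the repository already names a registry. A further assertion with a fully-qualified repository would show whether the prefix is applied unconditionally, which matters because the rendered image reference decides whose build actually runs in the pod. The `@@ -43,7` and `@@ -56,7` hunks of test/unit/server-ha-statefulset.bats make the same change and would benefit from the same case.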
@@ -39,3 +39,22 @@ load _helpers
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
+
+@test "server/DiscoveryRole: namespace" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-discovery-role.yaml \
+ --set 'server.ha.enabled=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+ local actual=$(helm template \
+ --show-only templates/server-discovery-role.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'global.namespace=bar' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats
index 568c240..dd961f6 100755
--- a/test/unit/server-discovery-rolebinding.bats
+++ b/test/unit/server-discovery-rolebinding.bats
@@ -39,3 +39,22 @@ load _helpers
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
+
+@test "server/DiscoveryRoleBinding: namespace" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-discovery-rolebinding.yaml \
+ --set 'server.ha.enabled=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+ local actual=$(helm template \
+ --show-only templates/server-discovery-rolebinding.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'global.namespace=bar' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
index d78f5d4..9508751 100755
--- a/test/unit/server-ha-active-service.bats
+++ b/test/unit/server-ha-active-service.bats
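Review bot: `server/DiscoveryRoleBinding: namespace` asserts only `.metadata.namespace`, but what makes a RoleBinding effective is the ServiceAccount subject, and a `global.namespace` override that relocates the binding without also updating `.subjects[0].namespace` would leave the server pods without the discovery permission while this test still passes. The `server/ClusterRoleBinding: service account namespace` test added in this commit already checks `.subjects[0].namespace`; the same assertion here, `yq -r '.subjects[0].namespace'` expected to equal `bar` in the second render, closes the gap. The `server/PSP-RoleBinding: namespace` test in test/unit/server-psp-rolebinding.bats has the same omission.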
@@ -7,12 +7,37 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-ha-active-service.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.service.annotations=vaultIsAwesome: true' \
+ --set 'server.service.annotations=openBaoIsAwesome: true' \
 . | tee /dev/stderr |
- yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
+ yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+@test "server/ha-active-Service: with active annotations" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-ha-active-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.service.active.annotations=openBaoIsAwesome: true' \
+ . | tee /dev/stderr |
+ yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+@test "server/ha-active-Service: with both annotations set" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/server-ha-active-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.service.active.annotations=openBaoIsAwesome: true' \
+ --set 'server.service.annotations=openbaoIsNotAwesome: false' \
+ . | tee /dev/stderr |
+ yq -r '.metadata' | tee /dev/stderr)
+
+ local actual=$(echo "$object" | yq '.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+ actual=$(echo "$object" | yq '.annotations["openbaoIsNotAwesome"]' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
 @test "server/ha-active-Service: disable with ha.enabled false" {
 cd `chart_dir`
 local actual=$( (helm template \
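Review bot: `with both annotations set` uses different keys in `server.service.annotations` and `server.service.active.annotations`, so it never pins which map wins when both define the same key, which is exactly the case an operator hits when a shared annotation is overridden for the active service. A third render with `openBaoIsAwesome` given different values in the two maps, asserting the expected winner, would document the precedence rule the template implements. Both new tests also start directly after the closing `}` of the previous test with no blank line, unlike the rest of the file; the standby equivalents in test/unit/server-ha-standby-service.bats share both points.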
@@ -47,6 +72,25 @@ load _helpers
 [ "${actual}" = "false" ]
 }
+@test "server/ha-active-Service: namespace" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-ha-active-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+ local actual=$(helm template \
+ --show-only templates/server-ha-active-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'global.namespace=bar' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
 @test "server/ha-active-Service: type empty by default" {
 cd `chart_dir`
 local actual=$(helm template \
@@ -148,7 +192,7 @@ load _helpers
 [ "${actual}" = "null" ]
 }
-@test "server/ha-active-Service: vault port name is http, when tlsDisable is true" {
+@test "server/ha-active-Service: openbao port name is http, when tlsDisable is true" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/server-ha-active-service.yaml \
@@ -159,7 +203,7 @@ load _helpers
 [ "${actual}" = "http" ]
 }
-@test "server/ha-active-Service: vault port name is https, when tlsDisable is false" {
+@test "server/ha-active-Service: openbao port name is https, when tlsDisable is false" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/server-ha-active-service.yaml \
diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats
index c98bc66..0732149 100755
--- a/test/unit/server-ha-disruptionbudget.bats
+++ b/test/unit/server-ha-disruptionbudget.bats
@@ -47,12 +47,31 @@ load _helpers
 cd `chart_dir`
 local actual=$( (helm template \
 --show-only templates/server-disruptionbudget.yaml \
- --set 'injector.externalVaultAddr=http://vault-outside' \
+ --set 'injector.externalVaultAddr=http://openbao-outside' \
 . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
+@test "server/DisruptionBudget: namespace" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-disruptionbudget.yaml \
+ --set 'server.ha.enabled=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+ local actual=$(helm template \
+ --show-only templates/server-disruptionbudget.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'global.namespace=bar' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
 @test "server/DisruptionBudget: correct maxUnavailable with n=1" {
 cd `chart_dir`
 local actual=$(helm template \
@@ -98,26 +117,14 @@ load _helpers
 [ "${actual}" = "2" ]
 }
-@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" {
+@test "server/DisruptionBudget: apiVersion is set correctly >= version 1.21 of kube" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/server-disruptionbudget.yaml \
 --set 'server.ha.enabled=true' \
 --set 'server.ha.replicas=1' \
- --kube-version 1.19.5 \
- . | tee /dev/stderr |
- yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" {
- cd `chart_dir`
- local actual=$(helm template \
- --show-only templates/server-disruptionbudget.yaml \
- --set 'server.ha.enabled=true' \
- --set 'server.ha.replicas=1' \
- --kube-version 1.22.5 \
+ --kube-version 1.27.5 \
 . | tee /dev/stderr |
 yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
 [ "${actual}" = "true" ]
-}
\ No newline at end of file
+}
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats
index 6698314..9a89dc8 100755
--- a/test/unit/server-ha-standby-service.bats
+++ b/test/unit/server-ha-standby-service.bats
@@ -7,9 +7,9 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-ha-standby-service.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.service.annotations=vaultIsAwesome: true' \
+ --set 'server.service.annotations=openBaoIsAwesome: true' \
 . | tee /dev/stderr |
- yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
+ yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
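Review bot: Deleting the `< version 1.21` test means a `policy/v1beta1` branch, if the template still carries one, is no longer exercised, and the surviving test's name (`>= version 1.21`) no longer matches the version it actually renders at, `1.27.5`. If the chart dropped the v1beta1 branch, `@test "server/DisruptionBudget: apiVersion is policy/v1"` states what is asserted; if the branch was kept, the removed test should come back with a supported version below the cut-over rather than disappear. The change is visible only from this hunk, so which of the two applies cannot be told here.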
@@ -18,12 +18,48 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-ha-standby-service.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.service.annotations.vaultIsAwesome=true' \
+ --set 'server.service.annotations.openBaoIsAwesome=true' \
 . | tee /dev/stderr |
- yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
+ yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+@test "server/ha-standby-Service: with standby annotations string" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-ha-standby-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.service.standby.annotations=openBaoIsAwesome: true' \
+ . | tee /dev/stderr |
+ yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "server/ha-standby-Service: with standby annotations yaml" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-ha-standby-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.service.standby.annotations.openBaoIsAwesome=true' \
+ . | tee /dev/stderr |
+ yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+@test "server/ha-standby-Service: with both annotations set" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/server-ha-standby-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.service.standby.annotations=openBaoIsAwesome: true' \
+ --set 'server.service.annotations=openbaoIsNotAwesome: false' \
+ . | tee /dev/stderr |
+ yq -r '.metadata' | tee /dev/stderr)
+
+ local actual=$(echo "$object" | yq '.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+ actual=$(echo "$object" | yq '.annotations["openbaoIsNotAwesome"]' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
 @test "server/ha-standby-Service: disable with ha.enabled false" {
 cd `chart_dir`
 local actual=$( (helm template \
@@ -58,6 +94,25 @@ load _helpers
 [ "${actual}" = "false" ]
 }
+@test "server/ha-standby-Service: namespace" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-ha-standby-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+ local actual=$(helm template \
+ --show-only templates/server-ha-standby-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'global.namespace=bar' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
 @test "server/ha-standby-Service: type empty by default" {
 cd `chart_dir`
 local actual=$(helm template \
@@ -159,7 +214,7 @@ load _helpers
 [ "${actual}" = "null" ]
 }
-@test "server/ha-standby-Service: vault port name is http, when tlsDisable is true" {
+@test "server/ha-standby-Service: openbao port name is http, when tlsDisable is true" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/server-ha-standby-service.yaml \
@@ -170,7 +225,7 @@ load _helpers
 [ "${actual}" = "http" ]
 }
-@test "server/ha-standby-Service: vault port name is https, when tlsDisable is false" {
+@test "server/ha-standby-Service: openbao port name is https, when tlsDisable is false" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/server-ha-standby-service.yaml \
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index 06a0ca0..f0385bf 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@@ -27,7 +27,7 @@ load _helpers
 cd `chart_dir`
 local actual=$( (helm template \
 --show-only templates/server-statefulset.yaml \
- --set 'injector.externalVaultAddr=http://vault-outside' \
+ --set 'injector.externalVaultAddr=http://openbao-outside' \
 --set 'server.ha.enabled=true' \
 . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
@@ -43,7 +43,7 @@ load _helpers
 --set 'server.ha.enabled=true' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
- [ "${actual}" = "foo:1.2.3" ]
+ [ "${actual}" = "quay.io/foo:1.2.3" ]
 }
 @test "server/ha-StatefulSet: image tag defaults to latest" {
@@ -56,7 +56,7 @@ load _helpers
 --set 'server.ha.enabled=true' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
- [ "${actual}" = "foo:latest" ]
+ [ "${actual}" = "quay.io/foo:latest" ]
 }
 #--------------------------------------------------------------------
@@ -71,7 +71,7 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 local value=$(echo $object |
- yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
+ yq -r 'map(select(.name=="BAO_ADDR")) | .[] .value' | tee /dev/stderr)
 [ "${value}" = "http://127.0.0.1:8200" ]
 }
@@ -84,7 +84,7 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 local value=$(echo $object |
- yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
+ yq -r 'map(select(.name=="BAO_ADDR")) | .[] .value' | tee /dev/stderr)
 [ "${value}" = "https://127.0.0.1:8200" ]
 }
@@ -157,6 +157,28 @@ load _helpers
 [ "${actual}" = "10" ]
 }
+@test "server/ha-StatefulSet: zero replicas" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.ha.replicas=0' \
+ . | tee /dev/stderr |
+ yq -r '.spec.replicas' | tee /dev/stderr)
+ [ "${actual}" = "0" ]
+}
+
+@test "server/ha-StatefulSet: invalid value for replicas" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.ha.replicas=null' \
+ . | tee /dev/stderr |
+ yq -r '.spec.replicas' | tee /dev/stderr)
+ [ "${actual}" = "3" ]
+}
+
 #--------------------------------------------------------------------
 # resources
@@ -244,7 +266,7 @@ load _helpers
 local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr)
- [ "${actual}" = "/vault/userconfig/foo" ]
+ [ "${actual}" = "/openbao/userconfig/foo" ]
 }
 @test "server/ha-StatefulSet: adds extra volume custom mount path" {
@@ -325,7 +347,7 @@ load _helpers
 local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr)
- [ "${actual}" = "/vault/userconfig/foo" ]
+ [ "${actual}" = "/openbao/userconfig/foo" ]
 }
 #--------------------------------------------------------------------
@@ -385,7 +407,7 @@ load _helpers
 }
 #--------------------------------------------------------------------
-# VAULT_API_ADDR renders
+# BAO_API_ADDR renders
 @test "server/ha-StatefulSet: api addr renders to Pod IP by default" {
 cd `chart_dir`
@@ -396,7 +418,7 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 local value=$(echo $object |
- yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr)
+ yq -r 'map(select(.name=="BAO_API_ADDR")) | .[] .value' | tee /dev/stderr)
 [ "${value}" = 'http://$(POD_IP):8200' ]
 }
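Review bot: `invalid value for replicas` is a misleading name: `--set 'server.ha.replicas=null'` removes the key from the values rather than supplying a bad value, so what the test pins is that an unset `replicas` falls back to 3, and `@test "server/ha-StatefulSet: replicas unset falls back to default"` would say so. The `zero replicas` test is the more important of the two and deserves a line explaining why it exists, since it is precisely the case a Go-template `default` gets wrong by treating 0 as empty: `# 0 must render as 0, not fall back to the default`. Whether the template uses `default` or an explicit nil check is outside this hunk.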
@@ -410,12 +432,12 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 local value=$(echo $object |
- yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr)
+ yq -r 'map(select(.name=="BAO_API_ADDR")) | .[] .value' | tee /dev/stderr)
 [ "${value}" = "https://example.com:8200" ]
 }
 #--------------------------------------------------------------------
-# VAULT_CLUSTER_ADDR renders
+# BAO_CLUSTER_ADDR renders
 @test "server/ha-StatefulSet: clusterAddr not set" {
 cd `chart_dir`
@@ -427,8 +449,8 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 local value=$(echo $object |
- yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
- [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ]
+ yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ]
 }
 @test "server/ha-StatefulSet: clusterAddr set to null" {
@@ -442,8 +464,8 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 local value=$(echo $object |
- yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
- [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ]
+ yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ]
 }
 @test "server/ha-StatefulSet: clusterAddr set to custom url" {
@@ -457,7 +479,7 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 local value=$(echo $object |
- yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
+ yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
 [ "${value}" = 'https://test.example.com:8201' ]
 }
@@ -467,18 +489,18 @@ load _helpers
 --show-only templates/server-statefulset.yaml \
 --set 'server.ha.enabled=true' \
 --set 'server.ha.raft.enabled=true' \
- --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \
+ --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-openbao-internal:8201' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 local value=$(echo $object |
- yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
- [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ]
+ yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = 'http://$(HOSTNAME).release-name-openbao-internal:8201' ]
 }
 @test "server/ha-StatefulSet: clusterAddr gets quoted" {
 cd `chart_dir`
- local customUrl='http://$(HOSTNAME).release-name-vault-internal:8201'
+ local customUrl='http://$(HOSTNAME).release-name-openbao-internal:8201'
 local rendered=$(helm template \
 --show-only templates/server-statefulset.yaml \
 --set 'server.ha.enabled=true' \
@@ -489,11 +511,11 @@ load _helpers
 local value=$(echo $rendered | yq -Y '.' | tee /dev/stderr)
- [ "${value}" = 'value: "http://$(HOSTNAME).release-name-vault-internal:8201"' ]
+ [ "${value}" = 'value: "http://$(HOSTNAME).release-name-openbao-internal:8201"' ]
 }
 #--------------------------------------------------------------------
-# VAULT_RAFT_NODE_ID renders
+# BAO_RAFT_NODE_ID renders
 @test "server/ha-StatefulSet: raft node ID renders" {
 cd `chart_dir`
@@ -506,7 +528,7 @@ local value=$(echo $rendered |
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 local value=$(echo $object |
- yq -r 'map(select(.name=="VAULT_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr)
+ yq -r 'map(select(.name=="BAO_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr)
 [ "${value}" = "metadata.name" ]
 }
diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats
index 0794d0e..7796dca 100644
--- a/test/unit/server-headless-service.bats
+++ b/test/unit/server-headless-service.bats
@@ -2,7 +2,7 @@ load _helpers
-@test "server/headless-Service: publishNotReadyAddresses can be changed" {
+@test "server/headless-Service: publishNotReadyAddresses cannot be changed" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/server-headless-service.yaml \
@@ -15,7 +15,7 @@ load _helpers
 --set 'server.service.publishNotReadyAddresses=false' \
 . | tee /dev/stderr |
 yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
- [ "${actual}" = "false" ]
+ [ "${actual}" = "true" ]
 }
 @test "server/headless-Service: instance selector cannot be disabled" {
@@ -35,3 +35,42 @@ load _helpers
 yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr)
 [ "${actual}" = "release-name" ]
 }
+
+@test "server/headless-Service: namespace" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-headless-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+ local actual=$(helm template \
+ --show-only templates/server-headless-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'global.namespace=bar' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
+@test "server/headless-Service: Assert ipFamilyPolicy set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-headless-service.yaml \
+ --set 'server.service.ipFamilyPolicy=PreferDualStack' \
+ . | tee /dev/stderr |
+ yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr)
+ [ "${actual}" = "PreferDualStack" ]
+}
+
+@test "server/headless-Service: Assert ipFamilies set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-headless-service.yaml \
+ --set 'server.service.ipFamilies={IPv4,IPv6}' \
+ . | tee /dev/stderr |
+ yq '.spec.ipFamilies' -c | tee /dev/stderr)
+ [ "${actual}" = '["IPv4","IPv6"]' ]
+}
diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats
index aade5d5..11b137c 100755
--- a/test/unit/server-ingress.bats
+++ b/test/unit/server-ingress.bats
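Review bot: In `Assert ipFamilies set` the `-c` flag follows the filter, `yq '.spec.ipFamilies' -c`, while every other call in this file and in the rest of the commit puts flags before the filter (`yq -r '...'`); `yq -c '.spec.ipFamilies'` reads consistently and does not depend on the wrapper accepting options after its positional argument. The namespace test also passes `server.ha.enabled=true` although the two ipFamily tests render the same template without it; if the headless service needs HA mode in some configurations, a one-line comment on that `--set` would explain why it is there, and if not, dropping it keeps the test minimal.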
@@ -11,12 +11,31 @@ load _helpers
 [ "${actual}" = "false" ]
 }
+@test "server/ingress: namespace" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-ingress.yaml \
+ --set 'server.ingress.enabled=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+ local actual=$(helm template \
+ --show-only templates/server-ingress.yaml \
+ --set 'server.ingress.enabled=true' \
+ --set 'global.namespace=bar' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
 @test "server/ingress: disable by injector.externalVaultAddr" {
 cd `chart_dir`
 local actual=$( (helm template \
 --show-only templates/server-ingress.yaml \
 --set 'server.ingress.enabled=true' \
- --set 'injector.externalVaultAddr=http://vault-outside' \
+ --set 'injector.externalVaultAddr=http://openbao-outside' \
 . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
@@ -43,7 +62,7 @@ load _helpers
 [ "${actual}" = '/' ]
 }
-@test "server/ingress: vault backend should be added when I specify a path" {
+@test "server/ingress: openbao backend should be added when I specify a path" {
 cd `chart_dir`
 local actual=$(helm template \
@@ -165,7 +184,7 @@ load _helpers
 --set 'server.service.enabled=true' \
 . | tee /dev/stderr |
 yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
- [ "${actual}" = "release-name-vault-active" ]
+ [ "${actual}" = "release-name-openbao-active" ]
 }
 @test "server/ingress: uses regular service when configured with ha - yaml" {
@@ -180,7 +199,7 @@ load _helpers
 --set 'server.service.enabled=true' \
 . | tee /dev/stderr |
 yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
- [ "${actual}" = "release-name-vault" ]
+ [ "${actual}" = "release-name-openbao" ]
 }
 @test "server/ingress: uses regular service when not ha - yaml" {
@@ -194,10 +213,10 @@ load _helpers
 --set 'server.service.enabled=true' \
 . | tee /dev/stderr |
 yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
- [ "${actual}" = "release-name-vault" ]
+ [ "${actual}" = "release-name-openbao" ]
 }
-@test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" {
+@test "server/ingress: k8s 1.27.0 uses correct service format when not ha - yaml" {
 cd `chart_dir`
 local actual=$(helm template \
@@ -206,10 +225,10 @@ load _helpers
 --set 'server.dev.enabled=false' \
 --set 'server.ha.enabled=false' \
 --set 'server.service.enabled=true' \
- --kube-version 1.18.3 \
+ --kube-version 1.27.0 \
 . | tee /dev/stderr |
- yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr)
- [ "${actual}" = "release-name-vault" ]
+ yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
+ [ "${actual}" = "release-name-openbao" ]
 }
 @test "server/ingress: uses regular service when not ha and activeService is true - yaml" {
@@ -224,35 +243,22 @@ load _helpers
 --set 'server.service.enabled=true' \
 . | tee /dev/stderr |
 yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
- [ "${actual}" = "release-name-vault" ]
+ [ "${actual}" = "release-name-openbao" ]
 }
-@test "server/ingress: pathType is added to Kubernetes version == 1.19.0" {
+@test "server/ingress: pathType is added to Kubernetes version == 1.27.0" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/server-ingress.yaml \
 --set 'server.ingress.enabled=true' \
 --set server.ingress.pathType=ImplementationSpecific \
- --kube-version 1.19.0 \
+ --kube-version 1.27.0 \
 . | tee /dev/stderr |
 yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr)
 [ "${actual}" = "ImplementationSpecific" ]
 }
-@test "server/ingress: pathType is not added to Kubernetes versions < 1.19" {
- cd `chart_dir`
-
- local actual=$(helm template \
- --show-only templates/server-ingress.yaml \
- --set 'server.ingress.enabled=true' \
- --set server.ingress.pathType=ImplementationSpecific \
- --kube-version 1.18.3 \
- . | tee /dev/stderr |
- yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr)
- [ "${actual}" = "null" ]
-}
-
 @test "server/ingress: pathType is added to Kubernetes versions > 1.19" {
 cd `chart_dir`
@@ -260,7 +266,7 @@ load _helpers
 --show-only templates/server-ingress.yaml \
 --set 'server.ingress.enabled=true' \
 --set server.ingress.pathType=Prefix \
- --kube-version 1.20.0 \
+ --kube-version 1.27.0 \
 . | tee /dev/stderr |
 yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr)
 [ "${actual}" = "Prefix" ]
diff --git a/test/unit/server-network-policy.bats b/test/unit/server-network-policy.bats
index 1364321..1792685 100755
--- a/test/unit/server-network-policy.bats
+++ b/test/unit/server-network-policy.bats
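Review bot: After this change both remaining pathType tests render at `--kube-version 1.27.0`, so the names `pathType is added to Kubernetes version == 1.27.0` and `pathType is added to Kubernetes versions > 1.19` describe a version boundary the tests no longer probe; what actually distinguishes them is the value, `ImplementationSpecific` versus `Prefix`. Naming them by that, e.g. `@test "server/ingress: pathType ImplementationSpecific is rendered"` and `@test "server/ingress: pathType Prefix is rendered"`, matches what is asserted. If the template still gates `pathType` on the Kubernetes version, removing the `< 1.19` case leaves that branch untested; if the gate was removed along with the test, a note in the commit message would make the intent clear.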
@@ -21,6 +21,17 @@ load _helpers
 [ "${actual}" = "true" ]
 }
+@test "server/network-policy: ingress changed by server.networkPolicy.ingress" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --set 'server.networkPolicy.enabled=true' \
+ --set 'server.networkPolicy.ingress[0].from[0].podSelector.matchLabels.foo=bar' \
+ --show-only templates/server-network-policy.yaml \
+ . | tee /dev/stderr |
+ yq -r '.spec.ingress[0].from[0].podSelector.matchLabels.foo' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
 @test "server/network-policy: egress enabled by server.networkPolicy.egress" {
 cd `chart_dir`
 local actual=$(helm template \
diff --git a/test/unit/server-psp-role.bats b/test/unit/server-psp-role.bats
index 1d3e62c..3e63b3c 100644
--- a/test/unit/server-psp-role.bats
+++ b/test/unit/server-psp-role.bats
@@ -109,3 +109,22 @@ load _helpers
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
+
+@test "server/PSP-Role: namespace" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-psp-role.yaml \
+ --set 'global.psp.enable=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+ local actual=$(helm template \
+ --show-only templates/server-psp-role.yaml \
+ --set 'global.psp.enable=true' \
+ --set 'global.namespace=bar' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq -r '.metadata.namespace' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
diff --git a/test/unit/server-psp-rolebinding.bats b/test/unit/server-psp-rolebinding.bats
index 4171219..d57687b 100644
--- a/test/unit/server-psp-rolebinding.bats
+++ b/test/unit/server-psp-rolebinding.bats
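Review bot: `ingress changed by server.networkPolicy.ingress` asserts only `.spec.ingress[0]`, which cannot tell whether the configured rule replaces the chart's default ingress rule or is placed in front of it, and for a NetworkPolicy that difference is whether traffic the operator meant to cut off is still admitted by the default rule. Capturing the render in a variable and adding `[ "$(echo "$output" | yq -r '.spec.ingress | length')" = "1" ]` (or whatever count the template is meant to produce) pins the intended behaviour; the template itself is outside this hunk, so the right count has to come from it. The `--show-only` flag is also placed after the `--set` flags here, unlike every other test in this commit.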
@@ -109,3 +109,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/PSP-RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} diff --git a/test/unit/server-psp.bats b/test/unit/server-psp.bats index 400e76d..898e1b1 100644 --- a/test/unit/server-psp.bats +++ b/test/unit/server-psp.bats 
@@ -86,27 +86,27 @@ load _helpers --show-only templates/server-psp.yaml \ --set 'server.dev.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations=vault-is: amazing' \ + --set 'global.psp.annotations=openbao-is: amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.ha.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations=vault-is: amazing' \ + --set 'global.psp.annotations=openbao-is: amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.standalone.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations=vault-is: amazing' \ + --set 'global.psp.annotations=openbao-is: amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] } 
@@ -116,27 +116,27 @@ load _helpers --show-only templates/server-psp.yaml \ --set 'server.dev.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations.vault-is=amazing' \ + --set 'global.psp.annotations.openbao-is=amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.ha.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations.vault-is=amazing' \ + --set 'global.psp.annotations.openbao-is=amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.standalone.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations.vault-is=amazing' \ + --set 'global.psp.annotations.openbao-is=amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] } diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index 51b1a30..f4caca0 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats 
@@ -18,12 +18,33 @@ load _helpers --show-only templates/server-route.yaml \ --set 'global.openshift=true' \ --set 'server.route.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } +@test "server/route: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/route: OpenShift - checking host entry gets added and path is /" { cd `chart_dir` local actual=$(helm template \ @@ -36,7 +57,7 @@ load _helpers [ "${actual}" = 'test.com' ] } -@test "server/route: OpenShift - vault backend should be added when I specify a path" { +@test "server/route: OpenShift - openbao backend should be added when I specify a path" { cd `chart_dir` local actual=$(helm template \ @@ -99,7 +120,7 @@ load _helpers --set 'server.route.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/route: OpenShift - route points to main service when not ha and activeService is true" { 
@@ -112,7 +133,7 @@ load _helpers --set 'server.route.activeService=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/route: OpenShift - route points to active service by when HA by default" { @@ -125,7 +146,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-active" ] + [ "${actual}" = "release-name-openbao-active" ] } @test "server/route: OpenShift - route points to general service by when HA when configured" { @@ -139,7 +160,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/route: OpenShift - route termination mode set to default passthrough" { diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 70a5445..94ebb6a 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -113,12 +113,31 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/Service: disable with injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.service.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -127,7 +146,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.service.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -136,7 +155,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.service.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) 
@@ -147,9 +166,9 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-service.yaml \ - --set 'server.service.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -370,7 +389,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "server/Service: vault port name is http, when tlsDisable is true" { +@test "server/Service: openbao port name is http, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ @@ -381,7 +400,7 @@ load _helpers [ "${actual}" = "http" ] } -@test "server/Service: vault port name is https, when tlsDisable is false" { +@test "server/Service: openbao port name is https, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ @@ -448,3 +467,23 @@ load _helpers yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) [ "${actual}" = "null" ] } + +@test "server/Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] +} + +@test "server/Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} diff --git a/test/unit/server-serviceaccount-secret.bats b/test/unit/server-serviceaccount-secret.bats new file mode 100644 index 0000000..fab9d39 --- /dev/null +++ b/test/unit/server-serviceaccount-secret.bats 
@@ -0,0 +1,77 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/ServiceAccountSecret: verify service account name match" { + cd `chart_dir` + + local actual=$( (helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.create=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.name=user-defined-ksa' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "user-defined-ksa-token" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-openbao-token" ] + +} + +@test "server/ServiceAccountSecret: annotation mapping to service account" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.name=user-defined-ksa' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) + [ "${actual}" = "user-defined-ksa" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.createSecret=true' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) + [ "${actual}" = "release-name-openbao" ] + +} + +@test "server/ServiceAccountSecret: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'server.serviceAccount.createSecret=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'server.serviceAccount.createSecret=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 2c82603..2a8c60c 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats 
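Review bot: The new `server/ServiceAccountSecret` tests assert the Secret's name and its `kubernetes.io/service-account.name` annotation but never its `.type`; presumably the template sets `kubernetes.io/service-account-token`, which is what makes the API server populate the object with a non-expiring token, so a typo in the type would not be caught here. Because this feature creates a long-lived credential for the server's service account, the secure default should be pinned too: the only negative case sets `server.serviceAccount.create=false`, so add one with `--set 'server.serviceAccount.create=true'` and `createSecret` unset that expects empty output (assuming `createSecret` defaults to false — confirm in values.yaml). Suggested addition to the first test: `yq -r '.type'` with `[ "${actual}" = "kubernetes.io/service-account-token" ]`.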
@@ -26,10 +26,29 @@ load _helpers --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } +@test "server/ServiceAccount: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.create=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ServiceAccount: specify annotations" { cd `chart_dir` local actual=$(helm template \ @@ -96,7 +115,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -104,7 +123,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] 
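Review bot: The `externalVaultAddr` cases in the last two hunks render `--show-only templates/server-service.yaml` even though this file is `server-serviceaccount.bats`; they therefore prove that the Service is suppressed, not that the ServiceAccount is, and the rename in this commit preserves what looks like a copy-paste error. Unless the intent really is to test the Service from here, the line should read `--show-only templates/server-serviceaccount.yaml \` in each case. The enclosing `@test` starts before the first of these hunks and its body continues past the last one.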
@@ -112,7 +131,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -126,4 +145,4 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.labels.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 6206e11..aafd92d 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -71,13 +71,32 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-statefulset.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } +@test "server/standalone-StatefulSet: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" { cd `chart_dir` local actual=$(helm template \ 
@@ -86,7 +105,7 @@ load _helpers --set 'server.image.tag=1.2.3' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "quay.io/foo:1.2.3" ] local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -95,7 +114,7 @@ load _helpers --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "quay.io/foo:1.2.3" ] } @test "server/standalone-StatefulSet: image tag defaults to latest" { @@ -106,7 +125,7 @@ load _helpers --set 'server.image.tag=' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:latest" ] + [ "${actual}" = "quay.io/foo:latest" ] local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -115,7 +134,7 @@ load _helpers --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:latest" ] + [ "${actual}" = "quay.io/foo:latest" ] } @test "server/standalone-StatefulSet: default imagePullPolicy" { 
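Review bot: The expected image is now `quay.io/foo:1.2.3` although the test only sets `server.image.repository=foo`, so the chart evidently prepends a registry from a separate value, and the title `image defaults to server.image.repository:tag` no longer describes the output. None of the four cases exercises overriding that registry or supplying a repository that already carries one (e.g. `ghcr.io/org/openbao`), which is exactly what an air-gapped or mirrored deployment needs, and a double prefix would only surface as an image-pull failure at deploy time. I would rename the test to mention the registry value and add a case that sets that value (whatever its key is in values.yaml) to another host and asserts the rendered image starts with it. The `latest` default tested in the second hunk is a mutable tag, though that is pre-existing.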
@@ -202,6 +221,41 @@ load _helpers [ "${actual}" = "OnDelete" ] } +#-------------------------------------------------------------------- +# persistentVolumeClaimRetentionPolicy + +@test "server/standalone-StatefulSet: persistentVolumeClaimRetentionPolicy not set by default when kubernetes >= 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.27" \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: can set persistentVolumeClaimRetentionPolicy.whenDeleted when kubernetes >= 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.27" \ + --set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete' \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenDeleted' | tee /dev/stderr) + [ "${actual}" = "Delete" ] +} + +@test "server/standalone-StatefulSet: can set persistentVolumeClaimRetentionPolicy.whenScaled when kubernetes >= 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.27" \ + --set 'server.persistentVolumeClaimRetentionPolicy.whenScaled=Delete' \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenScaled' | tee /dev/stderr) + [ "${actual}" = "Delete" ] +} + #-------------------------------------------------------------------- # replicas @@ -335,7 +389,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] local object=$(helm template \ --show-only templates/server-statefulset.yaml \ 
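Review bot: The three `persistentVolumeClaimRetentionPolicy` tests in the first hunk all run with `--kube-version "1.27"` and their titles say `when kubernetes >= 1.23`, but there is no case for an older version, so if the template gates the field on `.Capabilities.KubeVersion` (implied by the titles; I cannot see it) that branch is untested and a bad `semverCompare` would go unnoticed. A `whenDeleted=Delete` policy destroys the OpenBao data volume together with the StatefulSet, so it is worth pinning that the field is emitted only when explicitly requested and only where the API supports it. I would add a case with `--kube-version "1.22"` and `--set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete'` that asserts `yq -r '.spec.persistentVolumeClaimRetentionPolicy'` yields `null`.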
@@ -351,7 +405,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/standalone-StatefulSet: server.extraVolumes adds extra secret volume" { @@ -403,7 +457,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] local object=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -419,7 +473,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/standalone-StatefulSet: can mount audit" { @@ -485,7 +539,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $objects | - yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .name' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .name' | tee /dev/stderr) [ "${value}" = "" ] } @@ -498,7 +552,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $objects | - yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) [ "${value}" = "debug" ] } @@ -513,7 +567,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $objects | - yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .name' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .name' | tee /dev/stderr) [ "${value}" = "" ] } 
@@ -526,7 +580,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $objects | - yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) [ "${value}" = "json" ] } @@ -714,7 +768,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "audit")' | tee /dev/stderr) local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/audit" ] + [ "${actual}" = "/openbao/audit" ] } @test "server/standalone-StatefulSet: can configure audit storage mount path" { @@ -739,7 +793,7 @@ load _helpers yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "data")' | tee /dev/stderr) local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/data" ] + [ "${actual}" = "/openbao/data" ] } @test "server/standalone-StatefulSet: can configure data storage mount path" { @@ -1154,7 +1208,7 @@ load _helpers --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].readinessProbe.exec.command[2]' | tee /dev/stderr) - [ "${actual}" = "vault status -tls-skip-verify" ] + [ "${actual}" = "bao status -tls-skip-verify" ] } @test "server/standalone-StatefulSet: readinessProbe configurable" { 
@@ -1396,6 +1450,41 @@ load _helpers [ "${actual}" = "100" ] } +@test "server/standalone-StatefulSet: liveness exec disabled by default" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.livenessProbe.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.exec' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(echo $object | + yq -r '.httpGet' | tee /dev/stderr) + [ ! "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: liveness exec can be set" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.livenessProbe.enabled=true' \ + --set='server.livenessProbe.execCommand={/bin/sh,-c,sleep}' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.exec.command[0]' | tee /dev/stderr) + [ "${actual}" = "/bin/sh" ] + + local actual=$(echo $object | + yq -r '.httpGet' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + #-------------------------------------------------------------------- # args @test "server/standalone-StatefulSet: add extraArgs" { @@ -1450,7 +1539,7 @@ load _helpers [[ "${actual}" = "sleep 10 &&"* ]] } -@test "server/standalone-StatefulSet: vault port name is http, when tlsDisable is true" { +@test "server/standalone-StatefulSet: openbao port name is http, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ @@ -1461,7 +1550,7 @@ load _helpers [ "${actual}" = "http" ] } -@test "server/standalone-StatefulSet: vault replication port name is http-rep, when tlsDisable is true" { +@test "server/standalone-StatefulSet: openbao replication port name is http-rep, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ 
@@ -1472,7 +1561,7 @@ load _helpers [ "${actual}" = "http-rep" ] } -@test "server/standalone-StatefulSet: vault port name is https, when tlsDisable is false" { +@test "server/standalone-StatefulSet: openbao port name is https, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ @@ -1483,7 +1572,7 @@ load _helpers [ "${actual}" = "https" ] } -@test "server/standalone-StatefulSet: vault replication port name is https-rep, when tlsDisable is false" { +@test "server/standalone-StatefulSet: openbao replication port name is https-rep, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ @@ -1500,9 +1589,9 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ - --set 'server.annotations=vaultIsAwesome: true' \ + --set 'server.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.template.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1511,9 +1600,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ - --set 'server.auditStorage.annotations=vaultIsAwesome: true' \ + --set 'server.auditStorage.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -1522,9 +1611,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ - --set 'server.dataStorage.annotations=vaultIsAwesome: true' \ + --set 'server.dataStorage.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1533,9 +1622,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ - --set 'server.auditStorage.annotations.vaultIsAwesome=true' \ + --set 'server.auditStorage.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1544,9 +1633,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ - --set 'server.dataStorage.annotations.vaultIsAwesome=true' \ + --set 'server.dataStorage.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -1554,12 +1643,40 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ - --set 'server.annotations.vaultIsAwesome=true' \ + --set 'server.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.template.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } +@test "server/standalone-StatefulSet: config checksum annotation defaults to off" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq '.spec.template.metadata.annotations["openbao.hashicorp.com/config-checksum"] == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: config checksum annotation off does not set annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq '.spec.template.metadata.annotations | length == 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: config checksum annotation can be enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.includeConfigAnnotation=true' \ + . | tee /dev/stderr | + yq '.spec.template.metadata.annotations["openbao.hashicorp.com/config-checksum"] == null' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + #-------------------------------------------------------------------- # priorityClassName 
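Review bot: The new config-checksum tests hard-code the annotation key `openbao.hashicorp.com/config-checksum`, a mixed namespace that is neither the upstream `vault.hashicorp.com/` prefix (which existing tooling such as the agent injector matches on) nor a domain the OpenBao project controls. If the rename intends to break with HashiCorp keys, a project-owned prefix such as `openbao.org/config-checksum` avoids squatting on someone else's domain; if compatibility is the goal, keep `vault.hashicorp.com/`. Whichever is chosen, the key appears twice in this hunk and would be better held in one place in `_helpers` so a later change touches a single line. I cannot see the template to confirm which key it actually emits.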
@@ -1663,67 +1780,11 @@ load _helpers --set 'server.serviceAccount.create=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } -#-------------------------------------------------------------------- -# enterprise license autoload support -@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=foo' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr) - [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ] -} - -@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=foo' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr) - [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ] -} - -@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=foo' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . 
| tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ] -} - -@test "server/StatefulSet: blank secretName does not set env var" { - cd `chart_dir` - - # setting secretName=null - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=null' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = '' ] - - # omitting secretName - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = '' ] -} - #-------------------------------------------------------------------- # securityContext 
@@ -1806,3 +1867,122 @@ load _helpers yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) [ "${actual}" = "true" ] } + +#-------------------------------------------------------------------- +# hostAliases + +@test "server/StatefulSet: server.hostAliases not set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostAliases' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/StatefulSet: server.hostAliases is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.hostAliases[0]=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostAliases[]' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} + +#-------------------------------------------------------------------- +# extraPorts + +@test "server/standalone-StatefulSet: adds extra ports" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.extraPorts[0].containerPort=1111' \ + --set 'server.extraPorts[0].name=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.containerPort' | tee /dev/stderr) + [ "${actual}" = "1111" ] + + local actual=$(echo $object | + yq -r '.name' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} + +#-------------------------------------------------------------------- +# readinessProbe + +@test "server/StatefulSet: server.readinessProbe.port is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.readinessProbe.enabled=true' \ + --set 'server.readinessProbe.path=foo' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe.httpGet.port' | tee /dev/stderr) + [ "${actual}" = "8200" ] +} + + +#-------------------------------------------------------------------- +# livenessProbe + +@test "server/StatefulSet: server.livenessProbe.port is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.livenessProbe.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.port' | tee /dev/stderr) + [ "${actual}" = "8200" ] +} + +#-------------------------------------------------------------------- +# labels +@test "server/standalone-StatefulSet: auditStorage volumeClaim labels string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.auditStorage.enabled=true' \ + --set 'server.auditStorage.labels=openBaoIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[1].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: dataStorage volumeClaim labels string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.dataStorage.enabled=true' \ + --set 'server.dataStorage.labels=openBaoIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[0].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: auditStorage volumeClaim labels yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.auditStorage.enabled=true' \ + --set 'server.auditStorage.labels.openBaoIsAwesome=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[1].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: dataStorage volumeClaim labels yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.dataStorage.enabled=true' \ + --set 'server.dataStorage.labels.openBaoIsAwesome=true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[0].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index de82f84..f36dc5f 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats @@ -37,6 +37,33 @@ load _helpers #-------------------------------------------------------------------- +@test "server/standalone-server-test-Pod: default metadata.name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-openbao-server-test" ] +} + +@test "server/standalone-server-test-Pod: release metadata.name vault" { + cd `chart_dir` + local actual=$(helm template openbao \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "openbao-server-test" ] +} + +@test "server/standalone-server-test-Pod: release metadata.name foo" { + cd `chart_dir` + local actual=$(helm template foo \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "foo-openbao-server-test" ] +} + @test "server/standalone-server-test-Pod: default server.standalone.enabled" { cd `chart_dir` local actual=$(helm template \ 
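Review bot: The `server.hostAliases is set` test pushes a bare string through `--set 'server.hostAliases[0]=foo'`, but Kubernetes defines `hostAliases` as a list of `{ip, hostnames}` objects, so the test only proves the value is copied into `.spec.template.spec.hostAliases`, not that a realistic entry renders with the shape the API server validates. Setting `--set 'server.hostAliases[0].ip=10.0.0.1'` and `--set 'server.hostAliases[0].hostnames[0]=foo.local'` (constructed sample values) and asserting on `.spec.template.spec.hostAliases[0].hostnames[0]` would exercise that structure. The readinessProbe and livenessProbe `port is set` tests assert only what appears to be the default `8200`, and the readiness test sets `server.readinessProbe.path=foo` without asserting the path; if the chart exposes the probe port as a value, overriding it and asserting the override is what the test titles promise. In the extraPorts test, `echo $object` should be `echo "$object"` so the captured JSON is not word-split before it reaches `yq`.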
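Review bot: The second new test is titled `release metadata.name vault` but it runs `helm template openbao` and expects `openbao-server-test`, so the title no longer describes the scenario it checks. Rename it to `@test "server/standalone-server-test-Pod: release metadata.name openbao" {` so a failure report points at the right case. The `default server.standalone.enabled` test that follows continues outside the hunk.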
@@ -92,7 +119,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/tests/server-test.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -107,7 +134,7 @@ load _helpers --set 'server.image.tag=1.2.3' \ . | tee /dev/stderr | yq -r '.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "quay.io/foo:1.2.3" ] local actual=$(helm template \ --show-only templates/tests/server-test.yaml \ @@ -116,7 +143,7 @@ load _helpers --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:1.2.3" ] + [ "${actual}" = "quay.io/foo:1.2.3" ] } @test "server/standalone-server-test-Pod: image tag defaults to latest" { @@ -127,7 +154,7 @@ load _helpers --set 'server.image.tag=' \ . | tee /dev/stderr | yq -r '.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:latest" ] + [ "${actual}" = "quay.io/foo:latest" ] local actual=$(helm template \ --show-only templates/tests/server-test.yaml \ @@ -136,7 +163,7 @@ load _helpers --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo:latest" ] + [ "${actual}" = "quay.io/foo:latest" ] } @test "server/standalone-server-test-Pod: default imagePullPolicy" { diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 384098f..42b467e 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats 
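Review bot: The new expectations in the `-107`, `-116`, `-127` and `-136` hunks all hard-code `quay.io/` in front of the repository, so every image test in this file exercises only the default registry. Deployments that mirror images into a private or air-gapped registry depend on that prefix being overridable, and nothing here shows that it is; if the chart exposes the registry as its own value, add a case that sets it to a non-default string and asserts the rendered `.spec.containers[0].image` carries it, and one for an empty registry if the template supports omitting the prefix. As written, a regression that pins `quay.io` unconditionally would still pass this suite.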
@@ -70,7 +70,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -78,7 +78,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/ui-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -86,7 +86,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/ui-service.yaml \ --set 'server.standalone.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -311,7 +311,7 @@ load _helpers --show-only templates/ui-service.yaml \ --set 'ui.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) + yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr) [ "${actual}" = "null" ] } 
@@ -320,19 +320,19 @@ load _helpers local actual=$(helm template \ --show-only templates/ui-service.yaml \ --set 'ui.enabled=true' \ - --set 'ui.activeVaultPodOnly=true' \ + --set 'ui.activeOpenbaoPodOnly=true' \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) + yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr) [ "${actual}" = 'null' ] local actual=$(helm template \ --show-only templates/ui-service.yaml \ --set 'ui.enabled=true' \ - --set 'ui.activeVaultPodOnly=true' \ + --set 'ui.activeOpenbaoPodOnly=true' \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) + yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr) [ "${actual}" = 'true' ] } @@ -383,5 +383,26 @@ load _helpers . | tee /dev/stderr | yq '.spec.externalTrafficPolicy' | tee /dev/stderr) [ "${actual}" = "null" ] - +} + +@test "ui/Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} + +@test "ui/Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] } diff --git a/values.openshift.yaml b/values.openshift.yaml deleted file mode 100644 index 02985ed..0000000 --- a/values.openshift.yaml +++ /dev/null 
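Review bot: Renaming the values key to `ui.activeOpenbaoPodOnly` leaves no test for the old `ui.activeVaultPodOnly` spelling, and a values file that still uses it would presumably render without error while the `openbao-active` selector is silently omitted, so the UI Service would select every server pod instead of only the active one. A test that sets `ui.activeVaultPodOnly=true` together with `server.ha.enabled=true` and asserts the intended outcome (a rendering failure if unknown keys are rejected, or an explicit `null` selector if the key is simply ignored) would make the break deliberate and visible.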
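Review bot: Both new ipFamilies tests cover only the configured case; unlike the externalTrafficPolicy test just above, which asserts `null` when the value is unset, nothing checks that `.spec.ipFamilies` and `.spec.ipFamilyPolicy` stay absent by default. Add the unset variants, e.g. `yq '.spec.ipFamilies' | tee /dev/stderr)` followed by `[ "${actual}" = "null" ]`, so a default that accidentally forces a dual-stack policy onto single-stack clusters is caught. Also, `yq '.spec.ipFamilies' -c` places the flag after the expression while every other test puts flags first; `yq -c '.spec.ipFamilies'` keeps the file consistent.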
@@ -1,18 +0,0 @@
-# These overrides are appropriate defaults for deploying this chart on OpenShift
-
-global:
- openshift: true
-
-injector:
- image:
- repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
- tag: "1.1.0-ubi"
-
- agentImage:
- repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.12.1-ubi"
-
-server:
- image:
- repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.12.1-ubi"