From 52eb7a10e551d1d0ffc499149189b519de4ea100 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 21 Feb 2020 14:50:42 -0500 Subject: [PATCH 01/31] Update to 0.4.0 --- CHANGELOG.md | 2 ++ Chart.yaml | 2 +- values.yaml | 6 +++--- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e0bd382f..bf3c40546 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.4.0 (February 21st, 2020) + Improvements: * Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)] diff --git a/Chart.yaml b/Chart.yaml index 8a4108197..a41283c3e 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: vault -version: 0.3.3 +version: 0.4.0 description: Install and configure Vault on Kubernetes. home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/values.yaml b/values.yaml index a5437bf34..23a61f734 100644 --- a/values.yaml +++ b/values.yaml @@ -22,7 +22,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.1.2" + tag: "0.2.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -30,7 +30,7 @@ injector: # required. agentImage: repository: "vault" - tag: "1.3.1" + tag: "1.3.2" # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. This should be set to a multiline string. @@ -76,7 +76,7 @@ server: image: repository: "vault" - tag: "1.3.1" + tag: "1.3.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From dfd26678a843ffe637ff94240c161a8318e9b259 Mon Sep 17 00:00:00 2001 
From: Julian Setiawan Date: Thu, 2 Apr 2020 08:33:52 -0400 Subject: [PATCH 02/31] Explain this fork in the README --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index c6071b7a0..d0b096e84 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,8 @@ +# MaaS Vault + +This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. +This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. + # Vault Helm Chart This repository contains the official HashiCorp Helm chart for installing From b8ee5a426070c96bf94fce29a2a5e1ce97fedaa5 Mon Sep 17 00:00:00 2001 From: marcboudreau Date: Thu, 9 Apr 2020 20:04:23 -0400 Subject: [PATCH 03/31] Adding support for LoadBalancerIP field in ServiceSpec --- README.md | 12 +++++++++++- templates/server-service.yaml | 3 +++ values.yaml | 8 ++++++-- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d0b096e84..71b1b4320 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. +This repository is used as a submodule in other repositories that install and setup Vault. # Vault Helm Chart 
@@ -41,3 +41,13 @@ then be installed directly: Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the [Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + +## Customizations + +This Helm chart has been customized in the following ways: + +### Support LoadBalancerIP Field + +The Service spec in the **server-service.yaml** file now allows setting a +specific IP address when the Service type is set to `LoadBalancer` and a +**maas.lbAddress** value has been provided. diff --git a/templates/server-service.yaml b/templates/server-service.yaml index dc633c6ed..c39a6d3a6 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -27,6 +27,9 @@ spec: {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} + {{- if and (.Values.maas.lbAddress) (eq (.Values.server.service.type | toString) "LoadBalancer") }} + loadBalancerIP: {{ .Values.maas.lbAddress }} + {{- end }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. publishNotReadyAddresses: true diff --git a/values.yaml b/values.yaml index 23a61f734..008553d27 100644 --- a/values.yaml +++ b/values.yaml @@ -210,14 +210,18 @@ server: # load balancer. # clusterIP: None - # Configures the service type for the main Vault service. Can be ClusterIP - # or NodePort. + # Configures the service type for the main Vault service. Can be ClusterIP, + # NodePort, or LoadBalancer. #type: ClusterIP # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. #nodePort: 30000 + # If type is set to "LoadBalancer", a specific IP address can be attached + # to the load balancer, will be random if left blank. + #loadBalancerIP: + # Port on which Vault server is listening port: 8200 # Target port to which the service should be mapped to 
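Review bot: `loadBalancerIP` is taken from `.Values.maas.lbAddress`, while the values.yaml hunk in the same commit documents the setting as `server.service.loadBalancerIP`, a key this template never reads, so one of the two has to change for the documented key to be the effective one, e.g. `{{- if and .Values.server.service.loadBalancerIP (eq (.Values.server.service.type | toString) "LoadBalancer") }}` with `loadBalancerIP: {{ .Values.server.service.loadBalancerIP | quote }}`. Nothing in this series adds a `maas` map to values.yaml; if it only comes from the consuming repository's values file, rendering with the chart's own defaults presumably fails on the nil `maas` lookup rather than skipping the field, so declaring `maas: {lbAddress: null}` in values.yaml (or guarding with `hasKey`) keeps `helm template` and `helm lint` working standalone. Quoting the rendered address keeps it a plain string scalar whatever the value looks like. The same hunk, together with the values.yaml comment, is repeated as PATCH 09.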
From 6c7b31d3e3d7a936bb16009c31535634a16ec955 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 04/31] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 6 ++++++ templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ values.yaml | 6 ++---- 3 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index f985a8cf0..6fb282b95 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -88,6 +88,11 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} + {{- if .Values.server.logrotate }} + - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + configMap: + name: {{ template "vault.fullname" . }}-logrotate-config + {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} {{ .type }}: @@ -196,6 +201,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 008553d27..41f6f13b8 100644 --- a/values.yaml +++ b/values.yaml 
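Review bot: The rotation policy in `logrotate.conf` combines `copytruncate` with a `postrotate` SIGHUP, and `copytruncate` is the lossy half: audit entries Vault writes between the copy and the truncate are discarded, which matters for a file that is meant to be the record of every request. Since the HUP already makes Vault reopen its audit file, rename-based rotation (drop `copytruncate`, keep the HUP) closes that window; `rotate 1` with `size 5M` additionally keeps a single 5 MB generation, so anything not shipped before the next rotation is gone. `pkill -HUP -f "vault server"` matches on the whole command line, so if logrotate launches the script through `sh -c` the shell running this very script matches too and is HUP'd before the `echo` runs; `pkill -HUP -x vault` avoids the self-match, and signalling the Vault process from a sidecar presumably also needs the pod to share its process namespace, which nothing in this series shows. The file also lacks a trailing newline. The same file is re-added unchanged as PATCH 10.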
@@ -160,10 +160,6 @@ server: # to Vault in the path `/vault/userconfig//`. The value below is # an array of objects, examples are shown below. extraVolumes: [] - # - type: secret (or "configMap") - # name: my-secret - # path: null # default is `/vault/userconfig` - # Affinity Settings # Commenting out or setting as empty the affinity variable, will allow # deployment to single node services such as Minikube @@ -345,6 +341,8 @@ server: # Definition of the serviceAccount used to run Vault. serviceAccount: annotations: {} + # A boolean flag to setup logrotate as a side car continer + logrotate: null # Vault UI ui: From 0649ff427a3cec537d5f50aa0604ba0cf73db84d Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 05/31] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/_helpers.tpl | 9 ++++++--- templates/datadog-audit-configmap.yaml | 10 ++++++++++ templates/logrotate-config-configmap.yaml | 20 -------------------- templates/logrotate-configmap.yaml | 10 ++++++++++ values.yaml | 1 - 5 files changed, 26 insertions(+), 24 deletions(-) create mode 100644 templates/datadog-audit-configmap.yaml delete mode 100644 templates/logrotate-config-configmap.yaml create mode 100644 templates/logrotate-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 6fb282b95..62e05fd6e 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
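Review bot: `logrotate: null` is described as a boolean flag, but `null` is not a boolean and leaves the intended default implicit; `logrotate: false` states it, and the comment has a typo, `# A boolean flag to set up logrotate as a sidecar container`. The first hunk also deletes the three `# - type: secret …` example lines under `extraVolumes` although the comment right above them still says "examples are shown below"; PATCH 06 restores them, so the deletion here looks unintended. The same values.yaml change appears as PATCH 10.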
@@ -88,10 +88,13 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} - {{- if .Values.server.logrotate }} - - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + {{- if .Values.server.logrotate.enabled }} + - name: {{ template "vault.fullname" . }}-logrotate-config configMap: - name: {{ template "vault.fullname" . }}-logrotate-config + name: {{ template "vault.fullname" . }}-logrotate-configmap + - name: {{ template "vault.fullname" . }}-datadog-config + configMap: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} diff --git a/templates/datadog-audit-configmap.yaml b/templates/datadog-audit-configmap.yaml new file mode 100644 index 000000000..5190d7fb7 --- /dev/null +++ b/templates/datadog-audit-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap + namespace: {{ .Release.Namespace }} +data: + conf.yaml: |- +{{ .Values.server.logrotate.datadogsidecar.config | indent 6 }} +{{ end }} diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file 
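Review bot: The condition now reads `.Values.server.logrotate.enabled`, but the only default this series gives is `logrotate: null` (PATCH 04) and this commit's values.yaml hunk only removes a blank line, so rendering with the chart's own defaults should fail with a nil-pointer error on `.enabled` instead of skipping the volumes. The two new ConfigMap templates likewise read `.Values.server.logrotate.datadogsidecar.config` and `.Values.server.logrotate.config.logRotateConf`, which are declared nowhere in the diff. values.yaml needs the map form with safe defaults — `logrotate:` holding `enabled: false` plus empty `config.logRotateConf` and `datadogsidecar.config` entries — and the `datadogsidecar.config` entry deserves a comment that the audit log it ships carries request paths, identity/accessor data and source addresses even though secret values are HMAC'd, so the destination and retention are a data-handling decision. No container that mounts these two volumes is visible in this series, so the sidecar itself presumably lives elsewhere. The same change is repeated as PATCH 11.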
diff --git a/templates/logrotate-configmap.yaml b/templates/logrotate-configmap.yaml new file mode 100644 index 000000000..0e90cd293 --- /dev/null +++ b/templates/logrotate-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-configmap + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: |- +{{ .Values.server.logrotate.config.logRotateConf | indent 6 }} +{{ end }} diff --git a/values.yaml b/values.yaml index 41f6f13b8..83fbc7d2f 100644 --- a/values.yaml +++ b/values.yaml @@ -83,7 +83,6 @@ server: # Configure the Update Strategy Type for the StatefulSet # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies updateStrategyType: "OnDelete" - resources: # resources: # requests: From 1697b465be2bfbeccd1c28c575046580f697ba9f Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 06/31] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - values.yaml | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 62e05fd6e..fc7b5bf19 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -204,7 +204,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* diff --git a/values.yaml b/values.yaml index 83fbc7d2f..de8a72348 100644 --- a/values.yaml +++ b/values.yaml @@ -91,7 +91,6 @@ server: # limits: # memory: 256Mi # cpu: 250m - # Ingress allows ingress services to be created to allow external access # from Kubernetes to access Vault pods. ingress: 
@@ -159,6 +158,10 @@ server: # to Vault in the path `/vault/userconfig//`. The value below is # an array of objects, examples are shown below. extraVolumes: [] + # - type: secret (or "configMap") + # name: my-secret + # path: null # default is `/vault/userconfig` + # Affinity Settings # Commenting out or setting as empty the affinity variable, will allow # deployment to single node services such as Minikube From d2689d736744e0ab0d25105a86c88b425bdecdb2 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:12:39 -0400 Subject: [PATCH 07/31] Removing extra lines --- values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/values.yaml b/values.yaml index de8a72348..57b954dec 100644 --- a/values.yaml +++ b/values.yaml @@ -83,6 +83,7 @@ server: # Configure the Update Strategy Type for the StatefulSet # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies updateStrategyType: "OnDelete" + resources: # resources: # requests: From 5400d9590d5f108e4b0e3fc5befe4c5f18d687ea Mon Sep 17 00:00:00 2001 From: Julian Setiawan Date: Thu, 2 Apr 2020 08:33:52 -0400 Subject: [PATCH 08/31] Explain this fork in the README --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 29db84819..313f9e7aa 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,8 @@ +# MaaS Vault + +This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. +This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. + # Vault Helm Chart > :warning: **Please note**: We take Vault's security and our users' trust very seriously. If From 5d5e176acfc37ae8c5c5dad161a6ca25a84d1794 Mon Sep 17 00:00:00 2001 
From: marcboudreau Date: Thu, 9 Apr 2020 20:04:23 -0400 Subject: [PATCH 09/31] Adding support for LoadBalancerIP field in ServiceSpec --- README.md | 19 ++++++++++++++----- templates/server-service.yaml | 3 +++ values.yaml | 8 ++++++-- 3 files changed, 23 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 313f9e7aa..5145ba792 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. +This repository is used as a submodule in other repositories that install and setup Vault. # Vault Helm Chart @@ -43,7 +43,16 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm install vault hashicorp/vault ``` -Please see the many options supported in the `values.yaml` file. These are also -fully documented directly on the [Vault -website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more -detailed installation instructions. +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + +## Customizations + +This Helm chart has been customized in the following ways: + +### Support LoadBalancerIP Field + +The Service spec in the **server-service.yaml** file now allows setting a +specific IP address when the Service type is set to `LoadBalancer` and a +**maas.lbAddress** value has been provided. diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 6f82e3862..85a05db34 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml 
@@ -21,6 +21,9 @@ spec: {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} + {{- if and (.Values.maas.lbAddress) (eq (.Values.server.service.type | toString) "LoadBalancer") }} + loadBalancerIP: {{ .Values.maas.lbAddress }} + {{- end }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. publishNotReadyAddresses: true diff --git a/values.yaml b/values.yaml index 2aa0e3bbc..4ba8d5086 100644 --- a/values.yaml +++ b/values.yaml @@ -395,14 +395,18 @@ server: # load balancer. # clusterIP: None - # Configures the service type for the main Vault service. Can be ClusterIP - # or NodePort. + # Configures the service type for the main Vault service. Can be ClusterIP, + # NodePort, or LoadBalancer. #type: ClusterIP # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. #nodePort: 30000 + # If type is set to "LoadBalancer", a specific IP address can be attached + # to the load balancer, will be random if left blank. + #loadBalancerIP: + # Port on which Vault server is listening port: 8200 # Target port to which the service should be mapped to From 49fc835e045477f4fc771bbce0fb7f523653b974 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 10/31] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 6 ++++++ templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ values.yaml | 2 ++ 3 files changed, 28 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 512bb32f3..8806ff307 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -88,6 +88,11 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} + {{- if .Values.server.logrotate }} + - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + configMap: + name: {{ template "vault.fullname" . }}-logrotate-config + {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} {{ .type }}: @@ -203,6 +208,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 4ba8d5086..6a890a102 100644 --- a/values.yaml +++ b/values.yaml @@ -607,6 +607,8 @@ server: # YAML-formatted multi-line templated string map of the annotations to apply # to the statefulSet. annotations: {} + # A boolean flag to setup logrotate as a side car continer + logrotate: null # Vault UI ui: From 05d159337b0832cc747efb1c139a00e648b902ff Mon Sep 17 00:00:00 2001 
From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 11/31] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/_helpers.tpl | 9 ++++++--- templates/datadog-audit-configmap.yaml | 10 ++++++++++ templates/logrotate-config-configmap.yaml | 20 -------------------- templates/logrotate-configmap.yaml | 10 ++++++++++ 4 files changed, 26 insertions(+), 23 deletions(-) create mode 100644 templates/datadog-audit-configmap.yaml delete mode 100644 templates/logrotate-config-configmap.yaml create mode 100644 templates/logrotate-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 8806ff307..aa7b9e673 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -88,10 +88,13 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} - {{- if .Values.server.logrotate }} - - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + {{- if .Values.server.logrotate.enabled }} + - name: {{ template "vault.fullname" . }}-logrotate-config configMap: - name: {{ template "vault.fullname" . }}-logrotate-config + name: {{ template "vault.fullname" . }}-logrotate-configmap + - name: {{ template "vault.fullname" . }}-datadog-config + configMap: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} diff --git a/templates/datadog-audit-configmap.yaml b/templates/datadog-audit-configmap.yaml new file mode 100644 index 000000000..5190d7fb7 --- /dev/null +++ b/templates/datadog-audit-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap + namespace: {{ .Release.Namespace }} +data: + conf.yaml: |- +{{ .Values.server.logrotate.datadogsidecar.config | indent 6 }} +{{ end }} 
diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file diff --git a/templates/logrotate-configmap.yaml b/templates/logrotate-configmap.yaml new file mode 100644 index 000000000..0e90cd293 --- /dev/null +++ b/templates/logrotate-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-configmap + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: |- +{{ .Values.server.logrotate.config.logRotateConf | indent 6 }} +{{ end }} From 2a5aa0df00a0f39b63772b94d8b3a7e78aa66d90 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 12/31] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - values.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index aa7b9e673..bb5ec082e 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -211,7 +211,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* diff --git a/values.yaml b/values.yaml index 6a890a102..f00818c5d 100644 --- a/values.yaml +++ b/values.yaml 
@@ -187,7 +187,6 @@ server: # limits: # memory: 256Mi # cpu: 250m - # Ingress allows ingress services to be created to allow external access # from Kubernetes to access Vault pods. # If deployment is on OpenShift, the following block is ignored. From c4ab6649b548ac6c136ca3bc1b80e37544b2d742 Mon Sep 17 00:00:00 2001 
From: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Date: Wed, 1 Jun 2022 11:54:46 -0400 Subject: [PATCH 13/31] feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default 
overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. 
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham --- .circleci/config.yml | 29 +- CHANGELOG.md | 50 ++ CONTRIBUTING.md | 34 +- Chart.yaml | 6 +- Makefile | 6 +- README.md | 7 +- templates/_helpers.tpl | 78 ++ templates/csi-clusterrole.yaml | 17 + templates/csi-clusterrolebinding.yaml | 18 + templates/csi-daemonset.yaml | 84 ++ templates/csi-serviceaccount.yaml | 12 + templates/injector-deployment.yaml | 27 +- templates/injector-mutating-webhook.yaml | 4 + templates/injector-network-policy.yaml | 2 +- templates/injector-psp-role.yaml | 2 +- templates/injector-psp-rolebinding.yaml | 2 +- templates/injector-psp.yaml | 2 +- templates/injector-service.yaml | 5 +- templates/server-clusterrolebinding.yaml | 2 +- templates/server-disruptionbudget.yaml | 2 +- templates/server-ha-active-service.yaml | 2 +- 
templates/server-ha-standby-service.yaml | 4 +- templates/server-ingress.yaml | 6 +- templates/server-psp-role.yaml | 2 +- templates/server-psp-rolebinding.yaml | 2 +- templates/server-psp.yaml | 2 +- templates/server-statefulset.yaml | 12 + templates/tests/server-test.yaml | 39 + templates/ui-service.yaml | 2 +- test/README.md | 35 +- test/acceptance/csi-test/nginx.yaml | 27 + .../vault-kv-secretproviderclass.yaml | 14 + test/acceptance/csi-test/vault-policy.hcl | 3 + test/acceptance/csi.bats | 59 ++ test/acceptance/helm-test.bats | 27 + test/acceptance/server-ha-enterprise-dr.bats | 11 +- .../acceptance/server-ha-enterprise-perf.bats | 11 +- test/chart/_helpers.bash | 18 + test/chart/verifier.bats | 86 ++ test/docker/Test.dockerfile | 2 +- test/terraform/main.tf | 2 +- test/unit/csi-clusterrole.bats | 33 + test/unit/csi-clusterrolebinding.bats | 44 + test/unit/csi-daemonset.bats | 416 +++++++++ test/unit/csi-serviceaccount.bats | 59 ++ test/unit/injector-deployment.bats | 325 ++++--- test/unit/injector-mutating-webhook.bats | 23 + test/unit/injector-service.bats | 19 + test/unit/schema.bats | 46 + test/unit/server-dev-statefulset.bats | 50 +- test/unit/server-ha-disruptionbudget.bats | 12 + test/unit/server-ha-statefulset.bats | 115 +-- test/unit/server-ingress.bats | 37 + test/unit/server-statefulset.bats | 187 +++- test/unit/ui-service.bats | 23 + values.openshift.yaml | 18 + values.schema.json | 806 ++++++++++++++++++ values.yaml | 172 +++- 58 files changed, 2840 insertions(+), 300 deletions(-) create mode 100644 templates/csi-clusterrole.yaml create mode 100644 templates/csi-clusterrolebinding.yaml create mode 100644 templates/csi-daemonset.yaml create mode 100644 templates/csi-serviceaccount.yaml create mode 100644 templates/tests/server-test.yaml create mode 100644 test/acceptance/csi-test/nginx.yaml create mode 100644 test/acceptance/csi-test/vault-kv-secretproviderclass.yaml create mode 100644 test/acceptance/csi-test/vault-policy.hcl create mode 100644 
test/acceptance/csi.bats create mode 100644 test/acceptance/helm-test.bats create mode 100644 test/chart/_helpers.bash create mode 100644 test/chart/verifier.bats create mode 100644 test/unit/csi-clusterrole.bats create mode 100644 test/unit/csi-clusterrolebinding.bats create mode 100644 test/unit/csi-daemonset.bats create mode 100644 test/unit/csi-serviceaccount.bats create mode 100644 test/unit/schema.bats create mode 100644 values.openshift.yaml create mode 100644 values.schema.json diff --git a/.circleci/config.yml b/.circleci/config.yml index 4e0f623be..e1bce111f 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -6,14 +6,36 @@ jobs: bats-unit-test: docker: # This image is built from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.1.0 + - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 steps: - checkout - run: bats ./test/unit -t + + chart-verifier: + docker: + - image: docker.mirror.hashicorp.services/cimg/go:1.16 + environment: + BATS_VERSION: "1.3.0" + CHART_VERIFIER_VERSION: "1.0.0" + steps: + - checkout + - run: + name: install chart-verifier + command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} + - run: + name: install bats + command: | + curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz + tar -zxf /tmp/bats.tgz -C /tmp + sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local + - run: + name: run chart-verifier tests + command: bats ./test/chart -t + acceptance: docker: # This image is build from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.1.0 + - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 steps: - checkout @@ -66,6 +88,7 @@ workflows: build_and_test: jobs: - bats-unit-test + - chart-verifier - acceptance: requires: - bats-unit-test 
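Review bot: The `install bats` step in the new `chart-verifier` job downloads a tarball and then runs its `install.sh` under `sudo` without verifying what was fetched; `BATS_VERSION` pins a tag, not the content. Add an integrity check between the `curl` and the `tar` lines, e.g. `echo "<expected-sha256 placeholder>  /tmp/bats.tgz" | sha256sum -c -`, and keep the expected digest next to `BATS_VERSION` in the `environment` block so bumping one forces updating the other. The `go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}` line has the same property: a tag is mutable, so pinning to a commit SHA (or a checksummed release binary) would make the job reproducible and tamper-evident.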
@@ -75,7 +98,7 @@ workflows: update-helm-charts-index: jobs: - update-helm-charts-index: - context: helm-charts-trigger + context: helm-charts-trigger-vault filters: tags: only: /^v.*/ diff --git a/CHANGELOG.md b/CHANGELOG.md index 67e53fce8..5c58777ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,55 @@ ## Unreleased +## 0.13.0 (June 17th, 2021) + +Improvements: +* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) +* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547) +* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549) + +Bugs: +* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) +* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535) +* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545) + +## 0.12.0 (May 25th, 2021) + +Features: +* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526) + +Improvements: +* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) +* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) +* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521) +* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437) + +Bugs: +* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) + +## 0.11.0 (April 14th, 2021) + +Features: +* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) +* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) +* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489) +* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493) +* Extra paths can now be added to the Vault ingress service 
[GH-460](https://github.com/hashicorp/vault-helm/pull/460) +* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) + +Improvements: +* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495) + +Bugs: +* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) + +## 0.10.0 (March 25th, 2021) + +Features: +* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461) + +Improvements: +* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456) + ## 0.9.1 (February 2nd, 2021) Bugs: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 431dfa897..f83d56747 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -62,7 +62,37 @@ The unit tests don't require any active Kubernetes cluster and complete very quickly. These should be used for fast feedback during development. The acceptance tests require a Kubernetes cluster with a configured `kubectl`. -### Prequisites +### Test Using Docker Container + +The following are the instructions for running bats tests using a Docker container. + +#### Prerequisites + +* Docker installed +* `vault-helm` checked out locally + +#### Test + +**Note:** the following commands should be run from the `vault-helm` directory. + +First, build the Docker image for running the tests: + +```shell +docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test +``` +Next, execute the tests with the following commands: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit +``` +It's possible to only run specific bats tests using regular expressions. +For example, the following will run only tests with "injector" in the name: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector" +``` + +### Test Manually +The following are the instructions for running bats tests on your workstation. +#### Prerequisites * [Bats](https://github.com/bats-core/bats-core) ```bash brew install bats-core @@ -76,7 +106,7 @@ The acceptance tests require a Kubernetes cluster with a configured `kubectl`. brew install kubernetes-helm ``` -### Running The Tests +#### Test To run the unit tests: diff --git a/Chart.yaml b/Chart.yaml index 3456fa48f..045116268 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,8 @@ apiVersion: v2 name: vault -version: 0.9.1 -appVersion: 1.6.2 +version: 0.13.0 +appVersion: 1.7.3 +kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png 
@@ -10,3 +11,4 @@ sources: - https://github.com/hashicorp/vault - https://github.com/hashicorp/vault-helm - https://github.com/hashicorp/vault-k8s + - https://github.com/hashicorp/vault-csi-provider diff --git a/Makefile b/Makefile index 96bb17ebe..1b3020c59 100644 --- a/Makefile +++ b/Makefile @@ -4,6 +4,10 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats ACCEPTANCE_TESTS?=acceptance +# Generate json schema for chart values. See test/README.md for more details. +values-schema: + helm schema-gen values.yaml > values.schema.json + test-image: @docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) @@ -62,4 +66,4 @@ provision-cluster: destroy-cluster: terraform destroy -auto-approve -.PHONY: test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster +.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster diff --git a/README.md b/README.md index e824b82db..8096d7f79 100644 --- a/README.md +++ b/README.md 
@@ -20,16 +20,16 @@ use Vault with Kubernetes, please see the ## Prerequisites To use the charts here, [Helm](https://helm.sh/) must be configured for your -Kubernetes cluster. Setting up Kubernetes and Helm and is outside the scope of +Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of this README. Please refer to the Kubernetes and Helm documentation. The versions required are: * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible it works with earlier versions but this chart is untested for those versions. - * **Kubernetes 1.9+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is - untested. Other versions verified are Kubernetes 1.10, 1.11. + untested. ## Usage @@ -48,6 +48,7 @@ fully documented directly on the [Vault website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more detailed installation instructions. + ## Customizations This Helm chart has been customized in the following ways: diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index bb5ec082e..5e3269f78 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -53,6 +53,8 @@ template logic. {{- define "vault.mode" -}} {{- if .Values.injector.externalVaultAddr -}} {{- $_ := set . "mode" "external" -}} + {{- else if ne (.Values.server.enabled | toString) "true" -}} + {{- $_ := set . "mode" "external" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- $_ := set . "mode" "dev" -}} {{- else if eq (.Values.server.ha.enabled | toString) "true" -}} 
@@ -109,6 +111,12 @@ extra volumes the user may have specified (such as a secret with TLS). {{- if .Values.server.volumes }} {{- toYaml .Values.server.volumes | nindent 8}} {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + secret: + secretName: {{ .Values.server.enterpriseLicense.secretName }} + defaultMode: 0440 + {{- end }} {{- end -}} {{/* @@ -172,6 +180,11 @@ based on the mode configured. {{- if .Values.server.volumeMounts }} {{- toYaml .Values.server.volumeMounts | nindent 12}} {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + mountPath: /vault/license + readOnly: true + {{- end }} {{- end -}} {{/* 
@@ -483,6 +496,71 @@ Sets the container resources if the user has set any. {{ end }} {{- end -}} +{{/* +Sets the container resources if the user has set any. +*/}} +{{- define "csi.resources" -}} + {{- if .Values.csi.resources -}} + resources: +{{ toYaml .Values.csi.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets extra CSI daemonset annotations +*/}} +{{- define "csi.daemonSet.annotations" -}} + {{- if .Values.csi.daemonSet.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.daemonSet.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the injector toleration for pod placement +*/}} +{{- define "csi.pod.tolerations" -}} + {{- if .Values.csi.pod.tolerations }} + tolerations: + {{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }} + {{- end }} +{{- end -}} + +{{/* +Sets extra CSI provider pod annotations +*/}} +{{- define "csi.pod.annotations" -}} + {{- if .Values.csi.pod.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.pod.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.csi.pod.annotations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra CSI service account annotations +*/}} +{{- define "csi.serviceAccount.annotations" -}} + {{- if .Values.csi.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Inject extra environment vars in the format key:value, if populated */}} 
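Review bot: The header comment on the new `csi.pod.tolerations` helper reads `Sets the injector toleration for pod placement`, which looks copied from the injector helper; it should read `Sets the CSI provider tolerations for pod placement`. The `csi.resources` header likewise repeats the server helper's text verbatim; `Sets the CSI provider container resources if the user has set any.` distinguishes the two in a file that now holds several near-identical definitions. Unlike the three annotation helpers in this hunk, which branch on `typeOf` so both a map and a string value render, `csi.pod.tolerations` passes the value straight to `tpl`, which only accepts a string, so a list value (the natural YAML form for tolerations) would fail to render; either document in values.yaml that `csi.pod.tolerations` must be a multiline string or add the same `typeOf` branch here.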
diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml new file mode 100644 index 000000000..a19e520f5 --- /dev/null +++ b/templates/csi-clusterrole.yaml @@ -0,0 +1,17 @@ +{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-clusterrole + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +{{- end }} diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml new file mode 100644 index 000000000..63d69c7b1 --- /dev/null +++ b/templates/csi-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "vault.fullname" . }}-csi-provider-clusterrole +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml new file mode 100644 index 000000000..75bde9a32 --- /dev/null +++ b/templates/csi-daemonset.yaml 
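Review bot: The new ClusterRole grants `create` on `serviceaccounts/token` with no `resourceNames` and, being cluster-scoped, no namespace restriction, so the `-csi-provider` ServiceAccount bound to it in `csi-clusterrolebinding.yaml` can request a token for any ServiceAccount in any namespace. Nothing in the template records why that breadth is needed (presumably the provider uses the TokenRequest API to obtain a token for the requesting pod's ServiceAccount, and pods in any namespace may use the CSI volume), which leaves anyone auditing rendered RBAC to guess. Add a comment above `rules:` such as `# Cluster-wide TokenRequest permission: the provider mints tokens for the ServiceAccount of whichever pod mounts a Vault CSI volume, in any namespace.` and mention the privilege in the `csi` section of values.yaml so operators can weigh it before enabling the feature.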
@@ -0,0 +1,84 @@ +{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "csi.daemonSet.annotations" . }} +spec: + updateStrategy: + type: {{ .Values.csi.daemonSet.updateStrategy.type }} + {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }} + rollingUpdate: + maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + {{ template "csi.pod.annotations" . }} + spec: + serviceAccountName: {{ template "vault.fullname" . }}-csi-provider + {{- template "csi.pod.tolerations" . }} + containers: + - name: {{ include "vault.name" . }}-csi-provider + {{ template "csi.resources" . 
}} + image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" + imagePullPolicy: {{ .Values.csi.image.pullPolicy }} + args: + - --endpoint=/provider/vault.sock + - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.extraArgs }} + {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- end }} + volumeMounts: + - name: providervol + mountPath: "/provider" + - name: mountpoint-dir + mountPath: /var/lib/kubelet/pods + mountPropagation: HostToContainer + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12}} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} + volumes: + - name: providervol + hostPath: + path: "/etc/kubernetes/secrets-store-csi-providers" + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + {{- if .Values.csi.volumes }} + {{- toYaml .Values.csi.volumes | nindent 8}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} + {{- end }} +{{- end }} diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml new file mode 100644 index 000000000..ee127481b --- /dev/null +++ b/templates/csi-serviceaccount.yaml 
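Review bot: The new `-csi-provider` container mounts two hostPath volumes (`/etc/kubernetes/secrets-store-csi-providers` and `/var/lib/kubelet/pods`, the latter with `mountPropagation: HostToContainer`) yet declares no `securityContext`, while the injector Deployment touched in this same patch sets `runAsNonRoot: true` and a numeric group. Even if root is required to write the provider socket and pod volumes, the container can presumably still set `allowPrivilegeEscalation: false` and drop all capabilities, and a comment on the `volumes:` block should state why each hostPath must be writable (to be confirmed against the provider's needs). The diffstat adds no `csi-psp*.yaml` although `injector-psp.yaml` and `server-psp.yaml` exist, so when `global.psp.enable` is true these DaemonSet pods, which need hostPath volumes, would be rejected at admission unless some other PSP happens to allow them; a CSI PSP/role/rolebinding trio matching the injector's pattern, or a documented limitation, would close that gap. `livenessProbe` and `readinessProbe` both point at `/health/ready`; if the provider exposes a distinct liveness endpoint, liveness should use it so a not-yet-ready but healthy provider is not restarted.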
@@ -0,0 +1,12 @@ +{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "csi.serviceAccount.annotations" . }} +{{- end }} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index f5d8fc2ef..4756a253d 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -36,6 +36,7 @@ spec: {{- end }} serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" {{- if not .Values.global.openshift }} + hostNetwork: {{ .Values.injector.hostNetwork }} securityContext: runAsNonRoot: true runAsGroup: {{ .Values.injector.gid | default 1000 }} @@ -52,7 +53,7 @@ spec: {{- end }} env: - name: AGENT_INJECT_LISTEN - value: ":8080" + value: {{ printf ":%v" .Values.injector.port }} - name: AGENT_INJECT_LOG_LEVEL value: {{ .Values.injector.logLevel | default "info" }} - name: AGENT_INJECT_VAULT_ADDR @@ -96,6 +97,16 @@ spec: fieldRef: fieldPath: metadata.namespace {{- end }} + - name: AGENT_INJECT_CPU_REQUEST + value: "{{ .Values.injector.agentDefaults.cpuRequest }}" + - name: AGENT_INJECT_CPU_LIMIT + value: "{{ .Values.injector.agentDefaults.cpuLimit }}" + - name: AGENT_INJECT_MEM_REQUEST + value: "{{ .Values.injector.agentDefaults.memRequest }}" + - name: AGENT_INJECT_MEM_LIMIT + value: "{{ .Values.injector.agentDefaults.memLimit }}" + - name: AGENT_INJECT_DEFAULT_TEMPLATE + value: "{{ .Values.injector.agentDefaults.template }}" {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} args: - agent-inject 
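Review bot: `AGENT_INJECT_LISTEN` loses its quoting in the `@@ -52,7 +53,7 @@` hunk of `templates/injector-deployment.yaml`: the old value was `":8080"` and the new `{{ printf ":%v" .Values.injector.port }}` renders as a bare `:8080`, which most YAML parsers accept as a plain scalar but which no longer reads as an explicit string like its neighbours; `value: {{ printf ":%v" .Values.injector.port | quote }}` restores that. In the `@@ -36,6 +36,7 @@` hunk, `hostNetwork: {{ .Values.injector.hostNetwork }}` is placed inside the `{{- if not .Values.global.openshift }}` block, so the setting is silently ignored on OpenShift; if that is deliberate a comment saying so belongs there, otherwise the line should sit above the guard. Because `hostNetwork: true` puts the webhook listener into each node's network namespace, the values.yaml entry should say so and note that `injector.port` must be free on every node the injector can land on, and that with `global.psp.enable` the injector PSP (changed in this patch only in its condition) would also need `hostNetwork: true` for such pods to be admitted.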
@@ -103,7 +114,7 @@ spec: livenessProbe: httpGet: path: /health/ready - port: 8080 + port: {{ .Values.injector.port }} scheme: HTTPS failureThreshold: 2 initialDelaySeconds: 5 @@ -113,13 +124,19 @@ spec: readinessProbe: httpGet: path: /health/ready - port: 8080 + port: {{ .Values.injector.port }} scheme: HTTPS failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 +{{- if .Values.injector.certs.secretName }} + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true +{{- end }} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - name: leader-elector image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} @@ -150,10 +167,6 @@ spec: timeoutSeconds: 5 {{- end }} {{- if .Values.injector.certs.secretName }} - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true volumes: - name: webhook-certs secret: diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index df28dc81a..abe23aabc 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -32,6 +32,10 @@ webhooks: namespaceSelector: {{ toYaml .Values.injector.namespaceSelector | indent 6}} {{ end }} +{{- if .Values.injector.objectSelector }} + objectSelector: +{{ toYaml .Values.injector.objectSelector | indent 6}} +{{ end }} {{- with .Values.injector.failurePolicy }} failurePolicy: {{.}} {{ end }} diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml index f2dfd511e..7a399a538 100644 --- a/templates/injector-network-policy.yaml +++ b/templates/injector-network-policy.yaml 
@@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 5fd264923..20c87bb2a 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml @@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index f7ae7fe6d..d6d0d5e24 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml index 5871eb91d..c024ac107 100644 --- a/templates/injector-psp.yaml +++ b/templates/injector-psp.yaml 
@@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 0e5172743..3138b7a5b 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -11,8 +11,9 @@ metadata: {{ template "injector.service.annotations" . }} spec: ports: - - port: 443 - targetPort: 8080 + - name: https + port: 443 + targetPort: {{ .Values.injector.port }} selector: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index ecf6a705e..e5e0f5fec 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 6d7f8240a..3c45cc04e 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml 
@@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" -}} -{{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. apiVersion: policy/v1beta1 diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index b6366b022..74fca41d7 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Service for active Vault pod apiVersion: v1 kind: Service diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 473de5517..9213b7452 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -38,4 +38,4 @@ spec: component: server vault-active: "false" {{- end }} -{{- end }} +{{- end }} \ No newline at end of file 
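Review bot: The `@@ -38,4 +38,4 @@` hunk of `templates/server-ha-standby-service.yaml` changes nothing but the file's trailing newline: `{{- end }}` is removed and re-added with `\ No newline at end of file`. Rendered output is unaffected, but the missing newline will reappear as noise in every future diff touching that line; restore the newline so this hunk disappears from the change.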
diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 7c19f5fea..deaa0dd55 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -2,8 +2,9 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .Values.server.ingress.enabled -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} @@ -41,6 +42,9 @@ spec: - host: {{ .host | quote }} http: paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} {{- range (.paths | default (list "/")) }} - path: {{ . }} backend: diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index b4bea0602..fd12e1eb3 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index 923102733..b2a43c834 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml 
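Review bot: In the `@@ -41,6 +42,9 @@` hunk of `templates/server-ingress.yaml`, `{{ if $extraPaths }}` uses no whitespace trimming, so when `server.ingress.extraPaths` is unset the template still emits an empty line inside `paths:`, while the rest of the file writes control actions as `{{- ... -}}` (e.g. the `{{- $extraPaths := ... -}}` line added two hunks up). Use `{{- if $extraPaths }}` and keep the `{{ toYaml $extraPaths | indent 10 }}` line untrimmed so the list items still start at column 10. Since the extra entries are rendered before the generated `- path:` entries, their order relative to the default paths may matter to ingress controllers that evaluate rules in sequence; a one-line comment on `extraPaths` in values.yaml stating that they precede the generated paths would prevent surprises.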
@@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index 32c152634..2d9426819 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 62296af5e..718c9a03e 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -117,6 +117,18 @@ spec: {{- end }} - name: HOME value: "/home/vault" + {{- if .Values.server.logLevel }} + - name: VAULT_LOG_LEVEL + value: "{{ .Values.server.logLevel }}" + {{- end }} + {{- if .Values.server.logFormat }} + - name: VAULT_LOG_FORMAT + value: "{{ .Values.server.logFormat }}" + {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: VAULT_LICENSE_PATH + value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }} + {{- end }} {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml new file mode 100644 index 000000000..37819de5c --- /dev/null +++ b/templates/tests/server-test.yaml 
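Review bot: `VAULT_LICENSE_PATH` is the only new env value in the `templates/server-statefulset.yaml` hunk that is not quoted: `value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }}` sits between `value: "{{ .Values.server.logLevel }}"` and `value: "{{ .Values.server.logFormat }}"`. Writing it as `value: "/vault/license/{{ .Values.server.enterpriseLicense.secretKey }}"` matches the surrounding style and keeps the rendered scalar an explicit string regardless of what the user puts in `secretKey`. The guard `{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}` is now repeated verbatim here and in the two `_helpers.tpl` hunks that add the `vault-license` volume and mount; a small helper such as `vault.enterpriseLicense.enabled` would keep the three conditions from drifting apart.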
@@ -0,0 +1,39 @@ +{{- if .Values.server.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ .Release.Name }}-server-test" + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: {{ .Release.Name }}-server-test + image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + env: + - name: VAULT_ADDR + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + command: + - /bin/sh + - -c + - | + echo "Checking for sealed info in 'vault status' output" + ATTEMPTS=10 + n=0 + until [ "$n" -ge $ATTEMPTS ] + do + echo "Attempt" $n... + vault status -format yaml | grep -E '^sealed: (true|false)' && break + n=$((n+1)) + sleep 5 + done + if [ $n -ge $ATTEMPTS ]; then + echo "timed out looking for sealed info in 'vault status' output" + exit 1 + fi + + exit 0 + + restartPolicy: Never +{{- end }} diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index a1498d5fd..9e90af4bb 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -25,7 +25,7 @@ spec: ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.ui.externalPort }} - targetPort: 8200 + targetPort: {{ .Values.ui.targetPort }} {{- if .Values.ui.serviceNodePort }} nodePort: {{ .Values.ui.serviceNodePort }} {{- end }} diff --git a/test/README.md b/test/README.md index e4ce89144..28431dbf9 100644 --- a/test/README.md +++ b/test/README.md @@ -1,4 +1,6 @@ -# Running Vault Helm Acceptance tests +# Vault Helm Tests + +## Running Vault Helm Acceptance tests The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance. 
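Review bot: `VAULT_ADDR` is built from `vault.scheme`, so when the chart is rendered with TLS enabled the test pod talks https to the server, but nothing in the pod sets `VAULT_CACERT` or mounts the server CA, so `vault status` would presumably fail certificate verification and the loop would time out instead of reporting seal status; either state in a comment that the hook supports only the non-TLS configuration or mount the CA and export `VAULT_CACERT`. The image tag falls back to a mutable tag (`| default "latest"`), which makes the hook non-reproducible; the fallback is better dropped so a missing tag fails loudly. In the shell body `until [ "$n" -ge $ATTEMPTS ]` and `if [ $n -ge $ATTEMPTS ]` leave `$ATTEMPTS` and `$n` unquoted; quoting both is cheap and consistent with the first line.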
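Review bot: `targetPort: {{ .Values.ui.targetPort }}` renders as an empty value when `ui.targetPort` is not set, and the values.yaml default for the new key is not on this page; before this change the port was fixed at 8200, so an operator upgrading with an older values file would get a Service whose targetPort is null. Use `targetPort: {{ .Values.ui.targetPort | default 8200 }}` so the previous behaviour remains the fallback.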
@@ -7,4 +9,33 @@ The Makefile at the top level of this repo contains a few target that should hel * Run `make test-provision` to provision the GKE cluster using terraform. * Run `make test-acceptance` to run the acceptance tests in this already provisioned cluster. * You can choose to only run certain tests by setting the ACCEPTANCE_TESTS variable and re-running the above target. -* Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster. \ No newline at end of file +* Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster. + +## Running chart verification tests + +If [chart-verifier](https://github.com/redhat-certification/chart-verifier) is built and available in your PATH, run: + + bats test/chart/verifier.bats + +Or if you'd rather use the latest chart-verifier docker container, set +USE_DOCKER: + + USE_DOCKER=true bats test/chart/verifier.bats + +## Generating the values json schema + +There is a make target for generating values.schema.json: + + make values-schema + +It relies on the helm [schema-gen plugin][schema-gen]. Note that some manual +editing will be required, since several properties accept multiple data types. + +[schema-gen]: https://github.com/karuppiah7890/helm-schema-gen + +## Helm test + +Vault Helm also contains a simple helm test under +[templates/tests/](../templates/tests/) that may be run against a helm release: + + helm test diff --git a/test/acceptance/csi-test/nginx.yaml b/test/acceptance/csi-test/nginx.yaml new file mode 100644 index 000000000..fed1137f7 --- /dev/null +++ b/test/acceptance/csi-test/nginx.yaml 
@@ -0,0 +1,27 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx +--- +kind: Pod +apiVersion: v1 +metadata: + name: nginx +spec: + terminationGracePeriodSeconds: 0 + serviceAccountName: nginx + containers: + - image: docker.mirror.hashicorp.services/nginx + name: nginx + volumeMounts: + - name: secrets-store-inline + mountPath: "/mnt/secrets-store" + readOnly: true + volumes: + - name: secrets-store-inline + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: "vault-kv" diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml new file mode 100644 index 000000000..e793bde64 --- /dev/null +++ b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml @@ -0,0 +1,14 @@ +# The "Hello World" Vault SecretProviderClass +apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 +kind: SecretProviderClass +metadata: + name: vault-kv +spec: + provider: vault + parameters: + roleName: "kv-role" + vaultAddress: http://vault:8200 + objects: | + - objectName: "bar" + secretPath: "secret/data/kv1" + secretKey: "bar1" diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/vault-policy.hcl new file mode 100644 index 000000000..48b670ea7 --- /dev/null +++ b/test/acceptance/csi-test/vault-policy.hcl @@ -0,0 +1,3 @@ +path "secret/data/kv1" { + capabilities = ["read"] +} \ No newline at end of file diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats new file mode 100644 index 000000000..67be09d6d --- /dev/null +++ b/test/acceptance/csi.bats 
@@ -0,0 +1,59 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi: testing deployment" { + cd `chart_dir` + + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + + # Install Secrets Store CSI driver + helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.20.tgz?raw=true \ + --wait --timeout=5m \ + --namespace=acceptance \ + --set linux.image.pullPolicy="IfNotPresent" + # Install Vault and Vault provider + helm install vault \ + --wait --timeout=5m \ + --namespace=acceptance \ + --set="server.dev.enabled=true" \ + --set="csi.enabled=true" \ + --set="injector.enabled=false" . + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider + + # Set up k8s auth and a kv secret. + cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy - + kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes + kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ + token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ + kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \ + kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + disable_iss_validation=true' + kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ + bound_service_account_names=nginx \ + bound_service_account_namespaces=acceptance \ + policies=kv-policy \ + ttl=20m + kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1 + + kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml + kubectl --namespace=acceptance apply -f 
./test/acceptance/csi-test/nginx.yaml + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx + + result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) + [[ "$result" == "hello1" ]] +} + +# Clean up +teardown() { + if [[ ${CLEANUP:-true} == "true" ]] + then + echo "helm/pvc teardown" + helm --namespace=acceptance delete vault + helm --namespace=acceptance delete secrets-store-csi-driver + kubectl delete --all pvc + kubectl delete namespace acceptance + fi +} diff --git a/test/acceptance/helm-test.bats b/test/acceptance/helm-test.bats new file mode 100644 index 000000000..c5f9553df --- /dev/null +++ b/test/acceptance/helm-test.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats + +load _helpers + +@test "helm/test: running helm test" { + cd `chart_dir` + + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + kubectl config set-context --current --namespace=acceptance + + helm install "$(name_prefix)" . + wait_for_running $(name_prefix)-0 + + helm test "$(name_prefix)" +} + +# Clean up +teardown() { + if [[ ${CLEANUP:-true} == "true" ]] + then + echo "helm/pvc teardown" + helm delete vault + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi +} diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 3698f08c4..1445ffb83 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
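Review bot: In `teardown()` the line `kubectl delete --all pvc` carries no `--namespace=acceptance`, unlike every other kubectl call in the file, and this test never runs `kubectl config set-context --namespace=acceptance`, so it deletes every PVC in whatever namespace the developer's current context points at; change it to `kubectl --namespace=acceptance delete --all pvc`. The CSI driver chart is fetched from a `blob/master/...tgz?raw=true` URL with no pinned ref and no checksum, so the test's inputs can change underneath it; a tagged release URL (or a vendored tarball) would make the run reproducible. `disable_iss_validation=true` on the kubernetes auth config is fine for a throwaway test cluster but deserves a one-line comment saying so, so it is not copied into production guidance.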
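Review bot: `teardown()` removes the release with a hard-coded name, `helm delete vault`, while the test installed it as `helm install "$(name_prefix)" .`; unless `name_prefix` always yields `vault`, the release is never deleted and the namespace deletion that follows has to tear down the pods itself. Use `helm delete "$(name_prefix)"` so setup and teardown agree.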
@@ -7,10 +7,11 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized @@ -76,9 +77,10 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized @@ -153,6 +155,7 @@ setup() { kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance + kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI } #cleanup diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 5fcfbcef2..98fc3e6d6 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,9 +8,10 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized 
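Review bot: In the `setup()` hunk of test/acceptance/server-ha-enterprise-dr.bats, `kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI` leaves the variable unquoted, so an unset or empty `VAULT_LICENSE_CI` silently creates a secret with an empty license and the failure only surfaces later when the enterprise server starts; quote it and fail early, e.g. `: "${VAULT_LICENSE_CI:?VAULT_LICENSE_CI must be set}"` followed by `--from-literal license="$VAULT_LICENSE_CI"`. Passing the license as a command-line literal also exposes it in the process list and shell history of the CI runner; `--from-file=license=/dev/stdin` with the value piped in avoids that. The same line is added to `setup()` in test/acceptance/server-ha-enterprise-perf.bats in this commit.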
@@ -76,9 +77,10 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized @@ -151,6 +153,7 @@ setup() { kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance + kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI } #cleanup diff --git a/test/chart/_helpers.bash b/test/chart/_helpers.bash new file mode 100644 index 000000000..fb9db31da --- /dev/null +++ b/test/chart/_helpers.bash @@ -0,0 +1,18 @@ +# chart_dir returns the directory for the chart +chart_dir() { + echo ${BATS_TEST_DIRNAME}/../.. +} + +# check_result checks if the specified test passed +# results schema example: +# { +# "check": "has-minkubeversion", +# "type": "Mandatory", +# "outcome": "PASS", +# "reason": "Minimum Kubernetes version specified" +# } +check_result() { + local -r var="$1" + local check=$(cat $VERIFY_OUTPUT | jq -r ".results[] | select(.check==\"${var}\").outcome") + [ "$check" = "PASS" ] +} diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats new file mode 100644 index 000000000..e7ab5aa72 --- /dev/null +++ b/test/chart/verifier.bats 
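Review bot: In test/chart/_helpers.bash, `check_result` splices `${var}` straight into the jq program text (`select(.check==\"${var}\")`) and feeds it through a needless `cat $VERIFY_OUTPUT`; passing the name as a jq variable avoids both the quoting hazard and the extra process: `local check=$(jq -r --arg c "$var" '.results[] | select(.check==$c).outcome' "$VERIFY_OUTPUT")`. Quoting `"$VERIFY_OUTPUT"` also matters because verifier.bats builds that path from `$BATS_RUN_TMPDIR`.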
@@ -0,0 +1,86 @@ +#!/usr/bin/env bats + +load _helpers + +setup_file() { + cd `chart_dir` + export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" + export CHART_VOLUME=vault-helm-chart-src + # Note: currently `latest` is the only tag available in the chart-verifier repo. + local IMAGE="quay.io/redhat-certification/chart-verifier:latest" + # chart-verifier requires an openshift version if a cluster isn't available + local OPENSHIFT_VERSION="4.7" + local DISABLED_TESTS="chart-testing" + + local run_cmd="chart-verifier" + local chart_src="." + + if [ ! -e $USE_DOCKER ]; then + chart_src="/chart" + # Create a dummy container which will hold a volume with chart source + docker create -v $chart_src --name $CHART_VOLUME alpine:3 /bin/true + # Copy the chart source into this volume + docker cp . $CHART_VOLUME:$chart_src + # Make sure we have the latest version of chart-verifier + docker pull $IMAGE + # Start chart-verifier using this volume + run_cmd="docker run --rm --volumes-from $CHART_VOLUME $IMAGE" + fi + + $run_cmd verify $chart_src \ + --output json \ + --openshift-version $OPENSHIFT_VERSION \ + --disable $DISABLED_TESTS \ + --chart-values values.openshift.yaml 2>&1 | tee $VERIFY_OUTPUT +} + +teardown_file() { + if [ ! 
-e $USE_DOCKER ]; then + docker rm $CHART_VOLUME + fi +} + +@test "has-kubeversion" { + check_result has-kubeversion +} + +@test "is-helm-v3" { + check_result is-helm-v3 +} + +@test "not-contains-crds" { + check_result not-contains-crds +} + +@test "helm-lint" { + check_result helm-lint +} + +@test "not-contain-csi-objects" { + check_result not-contain-csi-objects +} + +@test "has-readme" { + check_result has-readme +} + +@test "contains-values" { + check_result contains-values +} + +@test "contains-values-schema" { + check_result contains-values-schema +} + +@test "contains-test" { + check_result contains-test +} + +@test "images-are-certified" { + check_result images-are-certified +} + +@test "chart-testing" { + skip "Skipping since this test requires a kubernetes/openshift cluster" + check_result chart-testing +} diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile index 4b1c37579..98afeace2 100644 --- a/test/docker/Test.dockerfile +++ b/test/docker/Test.dockerfile @@ -9,7 +9,7 @@ FROM docker.mirror.hashicorp.services/alpine:latest WORKDIR /root -ENV BATS_VERSION "1.1.0" +ENV BATS_VERSION "1.3.0" ENV TERRAFORM_VERSION "0.12.10" # base packages diff --git a/test/terraform/main.tf b/test/terraform/main.tf index 1c3f035c1..3556c6fd8 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -8,7 +8,7 @@ resource "random_id" "suffix" { data "google_container_engine_versions" "main" { location = "${var.zone}" - version_prefix = "1.15." + version_prefix = "1.17." } data "google_service_account" "gcpapi" { diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats new file mode 100644 index 000000000..68ea7ce78 --- /dev/null +++ b/test/unit/csi-clusterrole.bats 
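Review bot: `if [ ! -e $USE_DOCKER ]; then` in `setup_file` (and again in `teardown_file`) applies the file-existence test to a variable the README documents as `USE_DOCKER=true`, so the docker branch is taken whenever the variable holds anything that is not the name of an existing file, `USE_DOCKER=false` included, and is skipped when unset only because a two-argument `[ ! -e ]` evaluates false in POSIX test; replace both with `if [ "${USE_DOCKER:-false}" = "true" ]; then`. `export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json"` has a stray leading `/`, harmless when the variable is set but resolving to `//verify.json` when it is not. The verify command's exit status is hidden behind `| tee $VERIFY_OUTPUT`; without `set -o pipefail` (or a check of `${PIPESTATUS[0]}`) a verifier that crashes leaves an empty output file and every `check_result` test then fails on a jq error instead of a clear message.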
@@ -0,0 +1,33 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/ClusterRole: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-clusterrole.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/ClusterRole: enabled with csi.enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrole.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +# ClusterRole name +@test "csi/ClusterRole: name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrole.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] +} \ No newline at end of file diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats new file mode 100644 index 000000000..cff3a3699 --- /dev/null +++ b/test/unit/csi-clusterrolebinding.bats 
@@ -0,0 +1,44 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/ClusterRoleBinding: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + . || echo "---")| tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/ClusterRoleBinding: enabled with csi.enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +# ClusterRoleBinding cluster role ref name +@test "csi/ClusterRoleBinding: cluster role ref name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.roleRef.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] +} + +# ClusterRoleBinding service account name +@test "csi/ClusterRoleBinding: service account name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.subjects[0].name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] +} \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats new file mode 100644 index 000000000..f0a62c2b2 --- /dev/null +++ b/test/unit/csi-daemonset.bats 
@@ -0,0 +1,416 @@ +#!/usr/bin/env bats + +load _helpers + +#-------------------------------------------------------------------- +# Daemonset + +# Enabled +@test "csi/daemonset: created only when enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-daemonset.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$( (helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "global.enabled=false" \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +# serviceAccountName reference name +@test "csi/daemonset: serviceAccountName reference name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] +} + +# Image +@test "csi/daemonset: image is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.image.repository=SomeOtherImage" \ + --set "csi.image.tag=0.0.1" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "SomeOtherImage:0.0.1" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.image.pullPolicy=SomePullPolicy" \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "SomePullPolicy" ] +} + +@test "csi/daemonset: Custom imagePullSecrets" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set 'global.imagePullSecrets[0].name=foo' \ + --set 'global.imagePullSecrets[1].name=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "foo" ] + + local actual=$(echo $object | + yq -r '.[1].name' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: default imagePullSecrets" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +# Debug arg +@test "csi/daemonset: debug arg is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[1]' | tee /dev/stderr) + [ "${actual}" = "--debug=false" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.debug=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[1]' | tee /dev/stderr) + [ "${actual}" = "--debug=true" ] +} + +# Extra args +@test "csi/daemonset: extra args can be passed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args | length' | tee /dev/stderr) + [ "${actual}" = "2" ] + + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.extraArgs={--foo=bar,--bar baz,first}" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0]') + local actual=$(echo $object | + yq -r '.args | length' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.args[2]' | tee /dev/stderr) + [ "${actual}" = "--foo=bar" ] + local actual=$(echo $object | + yq -r '.args[3]' | tee /dev/stderr) + [ "${actual}" = "--bar baz" ] + local actual=$(echo $object | + yq -r '.args[4]' | tee /dev/stderr) + [ "${actual}" = "first" ] +} + +# updateStrategy +@test "csi/daemonset: updateStrategy is configurable" { + cd `chart_dir` + # Default + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.updateStrategy.type' | tee /dev/stderr) + [ "${actual}" = "RollingUpdate" ] + + # OnDelete + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.daemonSet.updateStrategy.type=OnDelete" \ + . | tee /dev/stderr | + yq -r '.spec.updateStrategy.type' | tee /dev/stderr) + [ "${actual}" = "OnDelete" ] + + # Max unavailable + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.daemonSet.updateStrategy.maxUnavailable=25%" \ + . | tee /dev/stderr | + yq -r '.spec.updateStrategy.rollingUpdate.maxUnavailable' | tee /dev/stderr) + [ "${actual}" = "25%" ] +} + +#-------------------------------------------------------------------- +# Extra annotations +@test "csi/daemonset: default csi.daemonSet.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: specify csi.daemonSet.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.annotations.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.daemonSet.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.annotations=foo: bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: default csi.pod.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: specify csi.pod.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.annotations.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.pod.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.annotations=foo: bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: tolerations not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: tolerations can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.tolerations=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.tolerations == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# volumes + +@test "csi/daemonset: csi.volumes adds volume" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.volumes[0].name=plugins' \ + --set 'csi.volumes[0].emptyDir=\{\}' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.volumes[] | select(.name == "plugins")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.emptyDir' | tee /dev/stderr) + [ "${actual}" = "{}" ] +} + +#-------------------------------------------------------------------- +# volumeMounts + +@test "csi/daemonset: csi.volumeMounts adds volume mounts" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.volumeMounts[0].name=plugins' \ + --set 'csi.volumeMounts[0].mountPath=/usr/local/libexec/vault' \ + --set 'csi.volumeMounts[0].readOnly=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "plugins")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/usr/local/libexec/vault" ] + + local actual=$(echo $object | + yq -r '.readOnly' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# Readiness/liveness probes + +@test "csi/daemonset: csi.livenessProbe is configurable" { + cd `chart_dir` + + # Test the defaults + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "3" ] + + # Test it is configurable + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.livenessProbe.failureThreshold=10' \ + --set 'csi.livenessProbe.initialDelaySeconds=11' \ + --set 'csi.livenessProbe.periodSeconds=12' \ + --set 'csi.livenessProbe.successThreshold=13' \ + --set 'csi.livenessProbe.timeoutSeconds=14' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "10" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "11" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "12" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "13" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "14" ] +} + +@test "csi/daemonset: csi.readinessProbe is configurable" { + cd `chart_dir` + + # Test the defaults + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "3" ] + + # Test it is configurable + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.readinessProbe.failureThreshold=10' \ + --set 'csi.readinessProbe.initialDelaySeconds=11' \ + --set 'csi.readinessProbe.periodSeconds=12' \ + --set 'csi.readinessProbe.successThreshold=13' \ + --set 'csi.readinessProbe.timeoutSeconds=14' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "10" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "11" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "12" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "13" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "14" ] +} diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats new file mode 100644 index 000000000..22ba06df2 --- /dev/null +++ b/test/unit/csi-serviceaccount.bats 
@@ -0,0 +1,59 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "csi/ServiceAccount: disabled by default" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/csi-serviceaccount.yaml \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "csi/ServiceAccount: enable with csi.enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-serviceaccount.yaml \
+ --set 'csi.enabled=true' \
+ . | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+# serviceAccountName reference name
+@test "csi/daemonset: serviceAccountName name" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-serviceaccount.yaml \
+ --set "csi.enabled=true" \
+ . | tee /dev/stderr |
+ yq -r '.metadata.name' | tee /dev/stderr)
+ [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ]
+}
+
+@test "csi/serviceAccount: specify annotations" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-serviceaccount.yaml \
+ --set 'csi.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+
+ local actual=$(helm template \
+ --show-only templates/server-serviceaccount.yaml \
+ --set 'csi.enabled=true' \
+ --set 'csi.serviceAccount.annotations=foo: bar' \
+ . | tee /dev/stderr |
+ yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+
+ local actual=$(helm template \
+ --show-only templates/server-serviceaccount.yaml \
+ --set 'csi.enabled=true' \
+ --set 'server.serviceAccount.annotations.foo=bar' \
+ . | tee /dev/stderr |
+ yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
\ No newline at end of file
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index a1174808b..cd6f1ddd3 100755
--- a/test/unit/injector-deployment.bats
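Review bot: The `csi/serviceAccount: specify annotations` test renders `templates/server-serviceaccount.yaml` and drives `server.serviceAccount.annotations.foo=bar`, so it never exercises the CSI ServiceAccount at all; the middle case, which sets `csi.serviceAccount.annotations=foo: bar` and expects `null`, only passes because a different template is being rendered. All three `--show-only` lines should point at `templates/csi-serviceaccount.yaml`, and the positive case should set `--set 'csi.serviceAccount.annotations.foo=bar'` (or the multiline-string form, if that is what the CSI template consumes — the template is not in this hunk, so verify which shape it accepts). The `csi/daemonset: serviceAccountName name` test is named after the daemonset but asserts on the ServiceAccount's `.metadata.name`; renaming it `csi/ServiceAccount: name` keeps the file's naming consistent. The new file also lacks a trailing newline.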
+++ b/test/unit/injector-deployment.bats @@ -133,21 +133,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_CERT_FILE" ] - - local actual=$(echo $object | - yq -r '.[5].value' | tee /dev/stderr) - [ "${actual}" = "/etc/webhook/certs/test.crt" ] - - local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_KEY_FILE" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_CERT_FILE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "/etc/webhook/certs/test.crt" ] - local actual=$(echo $object | - yq -r '.[6].value' | tee /dev/stderr) - [ "${actual}" = "/etc/webhook/certs/test.key" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_KEY_FILE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "/etc/webhook/certs/test.key" ] } @test "injector/deployment: auto TLS by default" { 
@@ -163,13 +155,35 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_AUTO" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ] - local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ] + # helm template does uses current context namespace and ignores namespace flags, so + # discover the targeted namespace so we can check the rendered value correctly. + local namespace=$(kubectl config view --minify --output 'jsonpath={..namespace}') + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] +} + +@test "injector/deployment: manual TLS adds volume mount" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.certs.secretName=vault-tls' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "webhook-certs")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/etc/webhook/certs" ] + + local actual=$(echo $object | + yq -r '.readOnly' | tee /dev/stderr) + [ "${actual}" = "true" ] } @test "injector/deployment: with externalVaultAddr" { 
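Review bot: The auto-TLS test now shells out to `kubectl config view --minify` to discover a namespace, which makes a pure `helm template` unit test depend on a kubeconfig and a kubectl binary being present on the runner, and silently falls back to `default` when either is missing. The justification in the added comment (`helm template does uses current context namespace and ignores namespace flags`) is contradicted by the `injector/MutatingWebhookConfiguration` test added in this same series, which passes `--namespace foo` to `helm template`; if that flag is honoured, this test should do the same and pin a fixed expectation, e.g. `[ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.foo,RELEASE-NAME-vault-agent-injector-svc.foo.svc" ]`, dropping the `kubectl` call and the `${namespace:-default}` expansion. The `helm template` invocation this applies to begins above the hunk. Minor: the comment has a typo, `does uses`.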
@@ -180,13 +194,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[2].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[2].value' | tee /dev/stderr) - [ "${actual}" = "http://vault-outside" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://vault-outside" ] } @test "injector/deployment: without externalVaultAddr" { @@ -198,13 +208,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[2].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[2].value' | tee /dev/stderr) - [ "${actual}" = "http://not-external-test-vault.default.svc:8200" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://not-external-test-vault.default.svc:8200" ] } @test "injector/deployment: default authPath" { @@ -214,13 +220,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[3].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ] - - local actual=$(echo $object | - yq -r '.[3].value' | tee /dev/stderr) - [ "${actual}" = "auth/kubernetes" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_AUTH_PATH")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "auth/kubernetes" ] } @test "injector/deployment: custom authPath" { 
@@ -231,13 +233,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[3].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ] - - local actual=$(echo $object | - yq -r '.[3].value' | tee /dev/stderr) - [ "${actual}" = "auth/k8s" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_AUTH_PATH")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "auth/k8s" ] } @test "injector/deployment: default logLevel" { @@ -247,13 +245,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[1].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ] - - local actual=$(echo $object | - yq -r '.[1].value' | tee /dev/stderr) - [ "${actual}" = "info" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "info" ] } @test "injector/deployment: custom logLevel" { @@ -264,13 +258,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[1].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ] - - local actual=$(echo $object | - yq -r '.[1].value' | tee /dev/stderr) - [ "${actual}" = "foo" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "foo" ] } @test "injector/deployment: default logFormat" { 
@@ -280,13 +270,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ] - - local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) - [ "${actual}" = "standard" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "standard" ] } @test "injector/deployment: custom logFormat" { @@ -297,13 +283,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ] - - local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) - [ "${actual}" = "json" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] } @test "injector/deployment: default revoke on shutdown" { @@ -313,13 +295,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] - - local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) - [ "${actual}" = "false" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_REVOKE_ON_SHUTDOWN")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "false" ] } @test "injector/deployment: custom revoke on shutdown" { 
@@ -330,13 +308,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] - - local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) - [ "${actual}" = "true" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_REVOKE_ON_SHUTDOWN")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "true" ] } @test "injector/deployment: disable security context when openshift enabled" { @@ -347,9 +321,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[9].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_SET_SECURITY_CONTEXT" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_SET_SECURITY_CONTEXT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "false" ] } #-------------------------------------------------------------------- 
@@ -365,29 +339,17 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[9].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] - - local actual=$(echo $object | - yq -r '.[9].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] - - local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "bar" ] - local actual=$(echo $object | - yq -r '.[10].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "foobar" ] - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "LOWER_CASE" ] - - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "sanitized" ] + local value=$(echo $object | + yq -r 'map(select(.name=="LOWER_CASE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "sanitized" ] } #-------------------------------------------------------------------- 
@@ -422,6 +384,42 @@ load _helpers [ "${actual}" = "bar" ] } +#-------------------------------------------------------------------- +# agent port + +@test "injector/deployment: default agentPort" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LISTEN" ] + + local actual=$(echo $object | + yq -r '.[0].value' | tee /dev/stderr) + [ "${actual}" = ":8080" ] +} + +@test "injector/deployment: custom agentPort" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.port=8443' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LISTEN" ] + + local actual=$(echo $object | + yq -r '.[0].value' | tee /dev/stderr) + [ "${actual}" = ":8443" ] +} + #-------------------------------------------------------------------- # affinity 
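Review bot: The two new `agentPort` tests assert on `.[0].name` and `.[0].value`, i.e. positional indexing into the env array, while every other env assertion in this file is being converted in this very commit to name-based selection precisely because positions shift when env vars are added. For consistency and to avoid the next reorder breaking these, replace each pair with a single lookup: `local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_LISTEN")) | .[] .value' | tee /dev/stderr)` followed by `[ "${value}" = ":8080" ]` (and `":8443"` in the custom-port test).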
@@ -543,3 +541,102 @@ load _helpers yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +#-------------------------------------------------------------------- +# hostNetwork + +@test "injector/deployment: injector.hostNetwork not set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/deployment: injector.hostNetwork is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.hostNetwork=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/deployment: agent default resources" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "500m" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "250m" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "128Mi" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "64Mi" ] +} + +@test "injector/deployment: can set agent default resources" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.agentDefaults.cpuLimit=cpuLimit' \ + --set 'injector.agentDefaults.cpuRequest=cpuRequest' \ + --set 'injector.agentDefaults.memLimit=memLimit' \ + --set 
'injector.agentDefaults.memRequest=memRequest' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "cpuLimit" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "cpuRequest" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "memLimit" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "memRequest" ] +} + +@test "injector/deployment: agent default template" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_DEFAULT_TEMPLATE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "map" ] +} + +@test "injector/deployment: can set agent default template" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set='injector.agentDefaults.template=json' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_DEFAULT_TEMPLATE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] +} diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index bb307f857..65f505bcf 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats 
@@ -76,6 +76,29 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set objectSelector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.objectSelector.matchLabels.injector=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + @test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index f9d872256..ad4800991 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats @@ -18,6 +18,25 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/Service: service with default port" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "8080" ] +} + +@test "injector/Service: service with custom port" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --set 'injector.port=8443' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "8443" ] +} + @test "injector/Service: disable with global.enabled false" { cd `chart_dir` local actual=$( (helm template \ diff --git a/test/unit/schema.bats b/test/unit/schema.bats new file mode 100644 index 000000000..a42614bf6 --- /dev/null 
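Review bot: `--set 'injector.objectSelector.matchLabels.injector=true'` hands Helm a YAML boolean, and `yq` without `-r` prints `true` for both a boolean and the string `"true"`, so the `can set objectSelector` test cannot tell whether the rendered `matchLabels` value is a string — which `LabelSelector` requires; a bare boolean there is rejected by the API server. If the template emits the selector via `toYaml` (not visible in this hunk), a plain `--set` reproduces exactly that failure mode, so the test should pin the type: either drive it with `--set-string`, or add `local type=$(... | yq -r '.webhooks[0].objectSelector.matchLabels.injector | type')` and `[ "${type}" = "string" ]`. The first new test passes `--namespace foo` and the second does not; neither assertion depends on the namespace, so drop the flag or apply it to both.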
+++ b/test/unit/schema.bats
@@ -0,0 +1,46 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+# These tests are just to verify there is a schema file used in the chart. Since
+# .enabled is defined as a boolean type for each of the top-level blocks in the
+# schema, setting it as a string fails 'helm template'.
+@test "schema: csi enabled datatype" {
+ cd `chart_dir`
+ run helm template . --set csi.enabled="nope"
+ [ "$status" -eq 1 ]
+ [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ]
+
+ run helm template . --set csi.enabled=true
+ [ "$status" -eq 0 ]
+}
+
+@test "schema: injector enabled datatype" {
+ cd `chart_dir`
+ run helm template . --set injector.enabled="nope"
+ [ "$status" -eq 1 ]
+ [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ]
+
+ run helm template . --set injector.enabled=true
+ [ "$status" -eq 0 ]
+}
+
+@test "schema: server enabled datatype" {
+ cd `chart_dir`
+ run helm template . --set server.enabled="nope"
+ [ "$status" -eq 1 ]
+ [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ]
+
+ run helm template . --set server.enabled=true
+ [ "$status" -eq 0 ]
+}
+
+@test "schema: ui enabled datatype" {
+ cd `chart_dir`
+ run helm template . --set ui.enabled="nope"
+ [ "$status" -eq 1 ]
+ [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ]
+
+ run helm template . --set ui.enabled=true
+ [ "$status" -eq 0 ]
+}
diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats
index 4e47fea69..3c5f9d8fb 100755
--- a/test/unit/server-dev-statefulset.bats
+++ b/test/unit/server-dev-statefulset.bats
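Review bot: Each schema test asserts on `${lines[2]}`, which couples the test to the exact line layout of Helm's error output — the two lines preceding the validation message are Helm's own preamble, not shown here, and any change to that preamble in a newer Helm release turns these into false failures even though the schema still rejects the value. Matching the message anywhere in the captured output is just as strict about the schema and far less brittle, e.g. `[[ "$output" == *"csi.enabled: Invalid type. Expected: boolean, given: string"* ]]` in place of the `lines[2]` comparison in each of the four tests. Since the point of the file (per its header comment) is only to prove a schema is wired in, the exit-status check plus a substring match is sufficient.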
@@ -246,13 +246,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_DEV_ROOT_TOKEN_ID" ] - - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "root" ] + local name=$(echo $object | + yq -r 'map(select(.name=="VAULT_DEV_ROOT_TOKEN_ID")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "root" ] } @test "server/dev-StatefulSet: set custom devRootToken" { @@ -264,13 +260,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_DEV_ROOT_TOKEN_ID" ] - - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "customtoken" ] + local name=$(echo $object | + yq -r 'map(select(.name=="VAULT_DEV_ROOT_TOKEN_ID")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "customtoken" ] } #-------------------------------------------------------------------- 
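Review bot: In both `devRootToken` tests the rewritten lookup is stored in a variable called `name` even though the jq expression selects `.[] .value` and the assertion compares it to the token value (`root`, `customtoken`); every other test converted in this commit uses `value` for the same pattern. Renaming to `local value=$(echo $object | yq -r 'map(select(.name=="VAULT_DEV_ROOT_TOKEN_ID")) | .[] .value' | tee /dev/stderr)` and `[ "${value}" = "root" ]` avoids misleading the next reader into thinking the env var's name is what is being checked.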
@@ -340,27 +332,21 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_0" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_0" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_1" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_1" ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index f3c329ec6..6cf21f200 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats 
@@ -85,3 +85,15 @@ load _helpers yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] } + +@test "server/DisruptionBudget: correct maxUnavailable with custom value" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=3' \ + --set 'server.ha.disruptionBudget.maxUnavailable=2' \ + . | tee /dev/stderr | + yq '.spec.maxUnavailable' | tee /dev/stderr) + [ "${actual}" = "2" ] +} \ No newline at end of file diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 6df4dfe30..43e1acef2 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -70,14 +70,11 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[4].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[4].value' | tee /dev/stderr) - [ "${actual}" = "http://127.0.0.1:8200" ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://127.0.0.1:8200" ] } + @test "server/ha-StatefulSet: tls enabled" { cd `chart_dir` local object=$(helm template \ @@ -86,13 +83,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[4].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[4].value' | tee /dev/stderr) - [ "${actual}" = "https://127.0.0.1:8200" ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "https://127.0.0.1:8200" ] } #-------------------------------------------------------------------- 
@@ -348,21 +341,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "bar" ] - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] - - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] - - local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "foobar" ] } #-------------------------------------------------------------------- 
@@ -382,25 +367,21 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_0" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_1" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_1" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_0" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_1" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_1" ] } #-------------------------------------------------------------------- 
@@ -414,16 +395,12 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_API_ADDR" ] - - local actual=$(echo $object | - yq -r '.[5].value' | tee /dev/stderr) - [ "${actual}" = 'http://$(POD_IP):8200' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'http://$(POD_IP):8200' ] } -@test "server/ha-StatefulSet: api addr can be overriden" { +@test "server/ha-StatefulSet: api addr is configurable" { cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -432,13 +409,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_API_ADDR" ] - - local actual=$(echo $object | - yq -r '.[5].value' | tee /dev/stderr) - [ "${actual}" = 'https://example.com:8200' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "https://example.com:8200" ] } #-------------------------------------------------------------------- @@ -453,13 +426,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[9].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_CLUSTER_ADDR" ] - - local actual=$(echo $object | - yq -r '.[9].value' | tee /dev/stderr) - [ "${actual}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] } #-------------------------------------------------------------------- 
@@ -475,13 +444,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_RAFT_NODE_ID" ] - - local actual=$(echo $object | - yq -r '.[10].valueFrom.fieldRef.fieldPath' | tee /dev/stderr) - [ "${actual}" = 'metadata.name' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr) + [ "${value}" = "metadata.name" ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 5af493847..bf191c3a2 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats 
@@ -57,6 +57,43 @@ load _helpers } +@test "server/ingress: extra paths prepend host configuration" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.hosts[0].host=test.com' \ + --set 'server.ingress.hosts[0].paths[0]=/' \ + --set 'server.ingress.extraPaths[0].path=/annotation-service' \ + --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + [ "${actual}" = 'ssl-redirect' ] + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.hosts[0].host=test.com' \ + --set 'server.ingress.hosts[0].paths[0]=/' \ + --set 'server.ingress.extraPaths[0].path=/annotation-service' \ + --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].path' | tee /dev/stderr) + [ "${actual}" = '/annotation-service' ] + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.hosts[0].host=test.com' \ + --set 'server.ingress.hosts[0].paths[0]=/' \ + --set 'server.ingress.extraPaths[0].path=/annotation-service' \ + --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[1].path' | tee /dev/stderr) + [ "${actual}" = '/' ] +} + @test "server/ingress: labels gets added to object" { cd `chart_dir` diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 7a0533cd9..d7edb969d 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
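Review bot: The new `extra paths prepend host configuration` test runs the identical `helm template` invocation three times and queries a different field each time; rendering once into a variable and querying it, as the env-var tests elsewhere in this series do, keeps the three assertions in sync if the fixture is ever edited and cuts the test's runtime by two-thirds. Separately, the assertions address `backend.serviceName`, which is the `extensions/v1beta1` Ingress backend shape; if the chart's ingress template moves to `networking.k8s.io/v1` (not visible in this hunk) the field becomes `backend.service.name`, so it is worth noting in a comment which API version the fixture targets.

```shell
@test "server/ingress: extra paths prepend host configuration" {
  cd `chart_dir`

  # Render once; every assertion below reads from the same document.
  local paths=$(helm template \
      --show-only templates/server-ingress.yaml \
      --set 'server.ingress.enabled=true' \
      --set 'server.ingress.hosts[0].host=test.com' \
      --set 'server.ingress.hosts[0].paths[0]=/' \
      --set 'server.ingress.extraPaths[0].path=/annotation-service' \
      --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \
      . | tee /dev/stderr |
      yq -r '.spec.rules[0].http.paths' | tee /dev/stderr)

  local actual=$(echo $paths | yq -r '.[0].backend.serviceName' | tee /dev/stderr)
  [ "${actual}" = 'ssl-redirect' ]

  local actual=$(echo $paths | yq -r '.[0].path' | tee /dev/stderr)
  [ "${actual}" = '/annotation-service' ]

  local actual=$(echo $paths | yq -r '.[1].path' | tee /dev/stderr)
  [ "${actual}" = '/' ]
}
```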
@@ -2,6 +2,41 @@ load _helpers +#-------------------------------------------------------------------- +# disable / enable server deployment + +@test "server/StatefulSet: disabled server.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/StatefulSet: disabled server.enabled random string" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.enabled=blabla' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/StatefulSet: enabled server.enabled explicit true" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- + @test "server/standalone-StatefulSet: default server.standalone.enabled" { cd `chart_dir` local actual=$(helm template \ 
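Review bot: The `|| echo "---"` fallback in all three new tests turns any non-zero exit from helm into an empty document, so a template that fails to render for an unrelated reason makes the two "disabled" tests pass without exercising the chart's `server.enabled` logic at all. This matters for the `server.enabled=blabla` case in particular: values.schema.json added in this same patch types `server.enabled` as `boolean`, so if helm enforces the schema that value is probably rejected before templating and the test passes vacuously. Capture stderr or the exit status separately and accept only the "could not find template" outcome that `--show-only` yields for an empty render, e.g. `local err=$(helm template ... 2>&1 >/dev/null); [[ "${err}" == *"could not find template"* ]]` (constructed), then assert on the document separately.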
@@ -413,6 +448,62 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# log level + +@test "server/standalone-StatefulSet: default log level to empty" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .name' | tee /dev/stderr) + [ "${value}" = "" ] +} + +@test "server/standalone-StatefulSet: log level can be changed" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set='server.logLevel=debug' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "debug" ] +} + +#-------------------------------------------------------------------- +# log format + +@test "server/standalone-StatefulSet: default log format to empty" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .name' | tee /dev/stderr) + [ "${value}" = "" ] +} + +@test "server/standalone-StatefulSet: can set log format" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set='server.logFormat=json' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] +} + #-------------------------------------------------------------------- # extraEnvironmentVars @@ -426,21 +517,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] - - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] - - local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] local object=$(helm template \ --show-only templates/server-statefulset.yaml \ 
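Review bot: The two "can be changed" tests write the flag as `--set='server.logLevel=debug'` and `--set='server.logFormat=json'`, while every other test in this file (including the neighbouring ones in this commit) spells it `--set 'key=value'`; keep one form so grep and future edits stay uniform. The four tests otherwise read well, and checking `.[] .name` against `""` for the defaults correctly pins that no `VAULT_LOG_LEVEL` / `VAULT_LOG_FORMAT` entry is emitted when the value is empty.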
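Review bot: In the rewritten extraEnvironmentVars assertions the local is named `name` but holds the variable's `.value` — `local name=$(echo $object | yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr)` followed by `[ "${name}" = "bar" ]` — which reads as a check on the env var name and hides that the name-presence assertion the old `.[11].name` line made is now only implicit. Call it `value`, as the VAULT_RAFT_NODE_ID and log-level tests in this commit do. The same misnomer recurs in the next hunk (`@@ -449,21 +532,13 @@`); the enclosing test function's header is outside this hunk.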
@@ -449,21 +532,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] - - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] - - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] - local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] } #-------------------------------------------------------------------- 
@@ -1491,3 +1566,59 @@ load _helpers } + +#-------------------------------------------------------------------- +# enterprise license autoload support +@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr) + [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ] +} + +@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr) + [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ] +} + +@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . 
| tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ] +} + +@test "server/StatefulSet: blank secretName does not set env var" { + cd `chart_dir` + + # setting secretName=null + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=null' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '' ] + + # omitting secretName + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '' ] +} diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 499f7326c..9dade3db3 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -300,3 +300,26 @@ load _helpers yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) [ "${actual}" = 'true' ] } + +@test "ui/Service: default is no nodePort" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "ui/Service: can set nodePort" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceNodePort=123' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "123" ] +} diff --git a/values.openshift.yaml b/values.openshift.yaml new file mode 100644 index 000000000..96198fe9b --- /dev/null +++ b/values.openshift.yaml 
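Review bot: The four license tests switch to `-s templates/server-statefulset.yaml` while the rest of this file and the other tests added in this commit use `--show-only`; keep one spelling per file. Coverage-wise the negative test only varies `secretName` (null and omitted, the latter exercising the `""` default from values.yaml); the positive tests are named "when ... secret name and key are provided", so add the symmetric case with `secretName=foo` and `secretKey` null or empty and assert that neither the `VAULT_LICENSE_PATH` env var nor the `vault-license` volume is rendered. The positive volume assertion pins `defaultMode` 288 (0440) and a `readOnly: true` mount, which is the right posture for a license secret — keep those literals if the expected JSON is ever restructured.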
@@ -0,0 +1,18 @@
+# These overrides are appropriate defaults for deploying this chart on OpenShift
+
+global:
+ openshift: true
+
+injector:
+ image:
+ repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
+ tag: "0.10.2-ubi"
+
+ agentImage:
+ repository: "registry.connect.redhat.com/hashicorp/vault"
+ tag: "1.7.3-ubi"
+
+server:
+ image:
+ repository: "registry.connect.redhat.com/hashicorp/vault"
+ tag: "1.7.3-ubi"
diff --git a/values.schema.json b/values.schema.json
new file mode 100644
index 000000000..db3b80679
--- /dev/null
+++ b/values.schema.json
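Review bot: The server image here pins `1.7.3-ubi` while the values.yaml hunk in this same patch moves the default `server.image.tag` to `1.7.9`, so clusters that take these overrides run an older Vault server than the chart default (the `agentImage` tags, `1.7.3` and `1.7.3-ubi`, do agree). If a matching UBI build exists, bump the server tag in lock-step; if it does not, say so in the header comment, e.g. `# server tag lags values.yaml until a matching -ubi image is published; bump both together`, so the skew is visibly intentional rather than an oversight. The file also lacks the `---` document start the chart's other YAML files use.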
@@ -0,0 +1,806 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "csi": { + "type": "object", + "properties": { + "daemonSet": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "updateStrategy": { + "type": "object", + "properties": { + "maxUnavailable": { + "type": "string" + }, + "type": { + "type": "string" + } + } + } + } + }, + "debug": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "extraArgs": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "pod": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "tolerations": { + "type": ["null", "string"] + } + } + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "volumeMounts": { + "type": [ + "null", + "array" + ] + }, + "volumes": { + "type": [ + "null", + "array" + ] + } + } + }, + "global": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "imagePullSecrets": { + "type": "array" + }, + "openshift": { + "type": "boolean" + }, 
+ "psp": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enable": { + "type": "boolean" + } + } + }, + "tlsDisable": { + "type": "boolean" + } + } + }, + "injector": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + }, + "agentDefaults": { + "type": "object", + "properties": { + "cpuLimit": { + "type": "string" + }, + "cpuRequest": { + "type": "string" + }, + "memLimit": { + "type": "string" + }, + "memRequest": { + "type": "string" + }, + "template": { + "type": "string" + } + } + }, + "agentImage": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "authPath": { + "type": "string" + }, + "certs": { + "type": "object", + "properties": { + "caBundle": { + "type": "string" + }, + "certName": { + "type": "string" + }, + "keyName": { + "type": "string" + }, + "secretName": { + "type": [ + "null", + "string" + ] + } + } + }, + "enabled": { + "type": "boolean" + }, + "externalVaultAddr": { + "type": "string" + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraLabels": { + "type": "object" + }, + "failurePolicy": { + "type": "string" + }, + "hostNetwork": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "leaderElector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ttl": { + "type": "string" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "namespaceSelector": { + 
"type": "object" + }, + "nodeSelector": { + "type": ["null", "string"] + }, + "objectSelector": { + "type": "object" + }, + "port": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "replicas": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "revokeOnShutdown": { + "type": "boolean" + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "tolerations": { + "type": [ + "null", + "string" + ] + } + } + }, + "server": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "auditStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": [ + "null", + "string" + ] + } + } + }, + "authDelegator": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "dataStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": [ + "null", + "string" + ] + } + } + }, + "dev": { + "type": "object", + "properties": { + "devRootToken": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + } + }, + "enabled": { + "type": "boolean" + }, + "enterpriseLicense": { + "type": "object", + "properties": { + "secretKey": { + "type": "string" + }, + "secretName": { + "type": "string" + } + } + }, + "extraArgs": { + "type": "string" + }, + "extraContainers": { + "type": [ + "null", + "array" + ] + }, + "extraEnvironmentVars": 
{ + "type": "object" + }, + "extraInitContainers": { + "type": [ + "null", + "array" + ] + }, + "extraLabels": { + "type": "object" + }, + "extraSecretEnvironmentVars": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "ha": { + "type": "object", + "properties": { + "apiAddr": { + "type": [ + "null", + "string" + ] + }, + "config": { + "type": "string" + }, + "disruptionBudget": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxUnavailable": { + "type": [ + "null", + "integer" + ] + } + } + }, + "enabled": { + "type": "boolean" + }, + "raft": { + "type": "object", + "properties": { + "config": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "setNodeId": { + "type": "boolean" + } + } + }, + "replicas": { + "type": "integer" + } + } + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ingress": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "extraPaths": { + "type": "array" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array" + } + } + } + }, + "labels": { + "type": "object" + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "networkPolicy": { + "type": "object", + "properties": { + "egress": { + "type": 
"array" + }, + "enabled": { + "type": "boolean" + } + } + }, + "nodeSelector": { + "type": [ + "null", + "string" + ] + }, + "postStart": { + "type": "array" + }, + "preStopSleepSeconds": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "route": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "host": { + "type": "string" + }, + "labels": { + "type": "object" + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "port": { + "type": "integer" + }, + "targetPort": { + "type": "integer" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "shareProcessNamespace": { + "type": "boolean" + }, + "standalone": { + "type": "object", + "properties": { + "config": { + "type": "string" + }, + "enabled": { + "type": [ + "string", + "boolean" + ] + } + } + }, + "statefulSet": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "tolerations": { + "type": [ + "null", + "string" + ] + }, + "updateStrategyType": { + "type": "string" + }, + "volumeMounts": { + "type": [ + "null", + "array" + ] + }, + "volumes": { + "type": [ + "null", + "array" + ] + } + } + }, + "ui": { + "type": "object", + "properties": { + "activeVaultPodOnly": { + 
"type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "externalPort": { + "type": "integer" + }, + "publishNotReadyAddresses": { + "type": "boolean" + }, + "serviceNodePort": { + "type": [ + "null", + "integer" + ] + }, + "serviceType": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + } +} diff --git a/values.yaml b/values.yaml index f00818c5d..a46a82868 100644 --- a/values.yaml +++ b/values.yaml @@ -29,6 +29,9 @@ injector: replicas: 1 + # Configures the port the injector should listen on + port: 8080 + # If multiple replicas are specified, by default a leader-elector side-car # will be created so that only one injector attempts to create TLS certificates. leaderElector: @@ -49,7 +52,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.8.0" + tag: "0.10.2" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent 
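Review bot: No object in values.schema.json sets `additionalProperties: false`, so a misspelled key at any level validates cleanly and the chart silently falls back to the default — for the security-relevant toggles the schema does cover (`global.tlsDisable`, `server.enabled`, `injector.revokeOnShutdown`, `server.authDelegator.enabled`) a hard validation error is the safer failure mode. Adding `"additionalProperties": false` to the top-level object and to the `global`, `injector`, `server`, `ui` and `csi` objects would provide that, provided every key values.yaml defines is listed; `logrotate`, added in the values.yaml hunk `@@ -599,6 +658,8 @@` below, appears nowhere in the schema and would be the first casualty. Two smaller points: `server.standalone.enabled` is typed `["string", "boolean"]` while `server.auditStorage.enabled` and `server.dataStorage.enabled` are `["boolean", "string"]`, and `csi.pod.tolerations` / `injector.nodeSelector` use one-line flow arrays where every other union type is written in block style.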
@@ -57,12 +60,26 @@ injector: # required. agentImage: repository: "vault" - tag: "1.6.2" + tag: "1.7.3" + + # The default values for the injected Vault Agent containers. + agentDefaults: + # For more information on configuring resources, see the K8s documentation: + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + cpuLimit: "500m" + cpuRequest: "250m" + memLimit: "128Mi" + memRequest: "64Mi" + + # Default template type for secrets when no custom template is specified. + # Possible values include: "json" and "map". + template: "map" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" - # Configures the log verbosity of the injector. Supported log levels: Trace, Debug, Error, Warn, Info + # Configures the log verbosity of the injector. + # Supported log levels include: trace, debug, info, warn, error logLevel: "info" # Configures the log format of the injector. Supported log formats: "standard", "json". @@ -80,6 +97,15 @@ injector: # matchLabels: # sidecar-injector: enabled namespaceSelector: {} + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. + # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the # API Version of the WebHook. 
@@ -159,19 +185,38 @@ injector: # This should be a YAML map of the labels to apply to the injector extraLabels: {} + # Should the injector pods run on the host network (useful when using + # an alternate CNI in EKS) + hostNetwork: false + # Injector service specific config service: # Extra annotations to attach to the injector service annotations: {} server: + # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details + enabled: true + + # [Enterprise Only] This value refers to a Kubernetes secret that you have + # created that contains your enterprise license. If you are not using an + # enterprise image or if you plan to introduce the license key via another + # route, then leave secretName blank ("") or set it to null. + # Requires Vault Enterprise 1.8 or later. + enterpriseLicense: + # The name of the Kubernetes secret that holds the enterprise license. The + # secret must be in the same namespace that Vault is installed into. + secretName: "" + # The key within the Kubernetes secret that holds the enterprise license. + secretKey: "license" + # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. # By default no direct resource request is made. image: repository: "vault" - tag: "1.6.2" + tag: "1.7.9" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -179,6 +224,14 @@ server: # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies updateStrategyType: "OnDelete" + # Configure the logging verbosity for the Vault server. + # Supported log levels include: trace, debug, info, warn, error + logLevel: "" + + # Configure the logging format for the Vault server. + # Supported log formats include: standard, json + logFormat: "" + resources: {} # resources: # requests: 
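Review bot: The new `hostNetwork: false` carries only a convenience comment ("useful when using an alternate CNI in EKS") and says nothing about what enabling it does; since it puts the injector pod in the node's network namespace, state the consequence next to it, e.g. `# Enabling this exposes the webhook (injector.port) directly on the node network and requires the pod security policy / admission config to permit hostNetwork.` In the same hunk the `enterpriseLicense` block says it "Requires Vault Enterprise 1.8 or later" while `server.image.tag` a few lines below becomes `1.7.9`, so on a default install the secret is presumably mounted but cannot be consumed; add one sentence to the comment saying the default image must be overridden for this value to have any effect. `server.enabled` points readers at `vault.mode in _helpers.tpl`, which is good practice and worth repeating for `hostNetwork`.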
@@ -205,7 +258,12 @@ server: hosts: - host: chart-example.local paths: [] - + ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation tls: [] # - secretName: chart-example-tls # hosts: @@ -310,6 +368,7 @@ server: # secretName: vault # secretKey: AWS_SECRET_ACCESS_KEY + # Deprecated: please use 'volumes' instead. # extraVolumes is a list of extra volumes to mount. These will be exposed # to Vault in the path `/vault/userconfig//`. The value below is # an array of objects, examples are shown below. @@ -599,6 +658,8 @@ server: # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. annotations: {} + # A boolean flag to setup logrotate as a side car continer + logrotate: null # Settings for the statefulSet used to run Vault. statefulSet: @@ -623,6 +684,7 @@ ui: serviceType: "ClusterIP" serviceNodePort: null externalPort: 8200 + targetPort: 8200 # loadBalancerSourceRanges: # - 10.0.0.0/16 
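Review bot: The new comment `# A boolean flag to setup logrotate as a side car continer` has two typos and does not describe the value it documents, whose default is `null` rather than a boolean; `# Set to true to enable the logrotate sidecar container for the audit log (default: disabled).` would be accurate if that is indeed what the template gates on it, and the same two lines appear again in the patch-16 values.yaml hunk further down. The key is also absent from values.schema.json added in this patch, so it is the one new value here the schema cannot check. In the `@@ -205,7 +258,12 @@` hunk, `## Extra paths to prepend to the host configuration.` uses a double `#` unlike every other comment in the file, and the `# - path: /*` example should say that `servicePort: use-annotation` is an ingress-controller-specific backend, not a Kubernetes port.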
@@ -634,3 +696,103 @@ ui: # This can either be YAML or a YAML-formatted multi-line templated string map # of the annotations to apply to the ui service annotations: {} + +# secrets-store-csi-driver-provider-vault +csi: + # True if you want to install a secrets-store-csi-driver-provider-vault daemonset. + # + # Requires installing the secrets-store-csi-driver separately, see: + # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver + # + # With the driver and provider installed, you can mount Vault secrets into volumes + # similar to the Vault Agent injector, and you can also sync those secrets into + # Kubernetes secrets. + enabled: false + + image: + repository: "hashicorp/vault-csi-provider" + tag: "0.3.0" + pullPolicy: IfNotPresent + + # volumes is a list of volumes made available to all containers. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumes: null + # - name: tls + # secret: + # secretName: vault-tls + + # volumeMounts is a list of volumeMounts for the main server container. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumeMounts: null + # - name: tls + # mountPath: "/vault/tls" + # readOnly: true + + resources: {} + # resources: + # requests: + # cpu: 50m + # memory: 128Mi + # limits: + # cpu: 50m + # memory: 128Mi + + # Settings for the daemonSet used to run the provider. + daemonSet: + updateStrategy: + type: RollingUpdate + maxUnavailable: "" + # Extra annotations for the daemonSet. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the daemonSet. + annotations: {} + + pod: + # Extra annotations for the provider pods. 
This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the pod. + annotations: {} + + # Toleration Settings for provider pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + tolerations: null + + serviceAccount: + # Extra annotations for the serviceAccount definition. This can either be + # YAML or a YAML-formatted multi-line templated string map of the + # annotations to apply to the serviceAccount. + annotations: {} + + # Used to configure readinessProbe for the pods. + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + # Used to configure livenessProbe for the pods. + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + + # Enables debug logging. + debug: false + + # Pass arbitrary additional arguments to vault-csi-provider. + extraArgs: [] From 8582cb359c32918fcb9a4b6b479132d056db4904 Mon Sep 17 00:00:00 2001 From: Julian Setiawan Date: Thu, 2 Apr 2020 08:33:52 -0400 Subject: [PATCH 14/31] Explain this fork in the README --- README.md | 5 +++++ 1 file changed, 5 insertions(+) 
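Review bot: The comment on `csi.volumeMounts` reads `# volumeMounts is a list of volumeMounts for the main server container.`, which was copied from the `server` section; in this block it applies to the vault-csi-provider container, so write `# volumeMounts is a list of volumeMounts for the provider container.` The `volumes` comment above it carries the same copied wording, "rather than pre-processed like the extraVolumes value", but the `csi` block defines no `extraVolumes` (values.schema.json in this patch lists none for `csi` either), so that clause should be dropped. `daemonSet.updateStrategy.maxUnavailable: ""` is an empty string with no comment; say what an empty value means for the rendered DaemonSet so users do not have to read the template. The enclosing `@@ -634,3 +696,103 @@` hunk starts on the previous line.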
diff --git a/README.md b/README.md index f95b26fc3..3b063ecd4 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,8 @@ +# MaaS Vault + +This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. +This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. + # Vault Helm Chart > :warning: **Please note**: We take Vault's security and our users' trust very seriously. If From 9ad36a1c69121d3160953618558f2c6de6c7b5ed Mon Sep 17 00:00:00 2001 From: marcboudreau Date: Thu, 9 Apr 2020 20:04:23 -0400 Subject: [PATCH 15/31] Adding support for LoadBalancerIP field in ServiceSpec --- README.md | 19 ++++++++++++++----- templates/server-service.yaml | 3 +++ values.yaml | 8 ++++++-- 3 files changed, 23 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 3b063ecd4..603b405d4 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. +This repository is used as a submodule in other repositories that install and setup Vault. # Vault Helm Chart 
@@ -43,7 +43,16 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm install vault hashicorp/vault ``` -Please see the many options supported in the `values.yaml` file. These are also -fully documented directly on the [Vault -website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more -detailed installation instructions. +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + +## Customizations + +This Helm chart has been customized in the following ways: + +### Support LoadBalancerIP Field + +The Service spec in the **server-service.yaml** file now allows setting a +specific IP address when the Service type is set to `LoadBalancer` and a +**maas.lbAddress** value has been provided. diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 00996aa25..2e44ddf06 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -22,6 +22,9 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} + {{- if and (.Values.maas.lbAddress) (eq (.Values.server.service.type | toString) "LoadBalancer") }} + loadBalancerIP: {{ .Values.maas.lbAddress }} + {{- end }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. publishNotReadyAddresses: true diff --git a/values.yaml b/values.yaml index 44869da78..3e66511e9 100644 --- a/values.yaml +++ b/values.yaml @@ -487,8 +487,8 @@ server: # load balancer. # clusterIP: None - # Configures the service type for the main Vault service. Can be ClusterIP - # or NodePort. + # Configures the service type for the main Vault service. Can be ClusterIP, + # NodePort, or LoadBalancer. #type: ClusterIP # The externalTrafficPolicy can be set to either Cluster or Local 
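Review bot: The template reads `.Values.maas.lbAddress`, but the values.yaml hunk in this same patch documents the knob as `#loadBalancerIP:` under `server.service` and defines no `maas` key; on a values file without a `maas` map Helm is likely to fail with a nil-pointer error while evaluating `.Values.maas.lbAddress`, and a user who follows the values.yaml comment and sets `server.service.loadBalancerIP` gets no effect. Make the three files agree on one key: either `{{- if and .Values.server.service.loadBalancerIP (eq (.Values.server.service.type | toString) "LoadBalancer") }}` with `loadBalancerIP: {{ .Values.server.service.loadBalancerIP }}`, or document `maas.lbAddress` in values.yaml with a `maas: {}` default so the lookup is always safe. The README hunk above names `maas.lbAddress`, and the values.yaml hunk `@@ -501,6 +501,10 @@` on the next line has the mismatching comment.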
@@ -501,6 +501,10 @@ server: # will be random if left blank. #nodePort: 30000 + # If type is set to "LoadBalancer", a specific IP address can be attached + # to the load balancer, will be random if left blank. + #loadBalancerIP: + # Port on which Vault server is listening port: 8200 # Target port to which the service should be mapped to From 6ee557e9bee8600432cada8f68e277ab52112582 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 16/31] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 6 ++++++ templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ values.yaml | 2 ++ 3 files changed, 28 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 731119a91..597f8496b 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -90,6 +90,11 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} + {{- if .Values.server.logrotate }} + - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + configMap: + name: {{ template "vault.fullname" . }}-logrotate-config + {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} {{ .type }}: @@ -216,6 +221,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml 
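Review bot: The `{{- end -}}` added in the second _helpers.tpl hunk, after the three existing `{{ end }}` lines at old line 216, closes nothing visible in this hunk; if there is no matching open action above it, `helm template` rejects the file with an unexpected `{{end}}`, and PATCH 18 of this same series deletes the line again, which suggests it was a stray. Drop it here so every commit in the series renders. Separately, the first hunk mounts the new ConfigMap as volume `-logrotate-configs-vol`, but this patch's diffstat adds no container or volumeMount that consumes it, so as far as this diff shows the volume is declared but unused; if the logrotate sidecar lives in the parent repository, the values.yaml comment for `server.logrotate` should say so. The enclosing helper definitions start outside these hunks.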
@@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 3e66511e9..66a3f88e3 100644 --- a/values.yaml +++ b/values.yaml @@ -705,6 +705,8 @@ server: # YAML-formatted multi-line templated string map of the annotations to apply # to the statefulSet. annotations: {} + # A boolean flag to setup logrotate as a side car continer + logrotate: null # Vault UI ui: From d5313bf2c1fe81112d5f01574cdca6c675fecc8b Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 17/31] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/_helpers.tpl | 9 ++++++--- templates/datadog-audit-configmap.yaml | 10 ++++++++++ templates/logrotate-config-configmap.yaml | 20 -------------------- templates/logrotate-configmap.yaml | 10 ++++++++++ 4 files changed, 26 insertions(+), 23 deletions(-) create mode 100644 templates/datadog-audit-configmap.yaml delete mode 100644 templates/logrotate-config-configmap.yaml create mode 100644 templates/logrotate-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 597f8496b..5b523c9db 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
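Review bot: `copytruncate` in the new logrotate.conf silently discards any audit records Vault writes between the copy and the truncate, which is the wrong trade-off for an audit device; the `postrotate` already sends `pkill -HUP -f "vault server"` and relies on Vault reopening the audit file on SIGHUP, so use `create` (with the owner and mode the vault container writes as) instead of `copytruncate` and let Vault switch to the new file. `pkill` can only reach a process in another container when the pod shares its PID namespace and the sidecar runs as the same UID or holds CAP_KILL; nothing in this patch sets that up, and a failed signal is only recorded as `$?` in `/vault/audit/last-rotate-status`, which nothing reads — at minimum make the postrotate `exit 1` on failure so logrotate reports it. `-f "vault server"` also matches any process whose command line contains that phrase; prefer `pkill -HUP -x vault` or a pidfile. Finally, `rotate 1` with `size 5M` and `compress` keeps a single ~5 MB archive, so the values.yaml comment should state that audit retention depends entirely on the shipper keeping up.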
@@ -90,10 +90,13 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} - {{- if .Values.server.logrotate }} - - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + {{- if .Values.server.logrotate.enabled }} + - name: {{ template "vault.fullname" . }}-logrotate-config configMap: - name: {{ template "vault.fullname" . }}-logrotate-config + name: {{ template "vault.fullname" . }}-logrotate-configmap + - name: {{ template "vault.fullname" . }}-datadog-config + configMap: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} diff --git a/templates/datadog-audit-configmap.yaml b/templates/datadog-audit-configmap.yaml new file mode 100644 index 000000000..5190d7fb7 --- /dev/null +++ b/templates/datadog-audit-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap + namespace: {{ .Release.Namespace }} +data: + conf.yaml: |- +{{ .Values.server.logrotate.datadogsidecar.config | indent 6 }} +{{ end }} diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file 
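Review bot: `.Values.server.logrotate.enabled` is now evaluated unconditionally in the volumes helper, but values.yaml still carries `logrotate: null` from PATCH 16 and this patch's diffstat does not touch values.yaml, so a default install fails to render with a nil-pointer error on `.enabled` instead of simply omitting the volumes. Replace the default with a map, `logrotate:` / `  enabled: false`, or guard the lookup with `{{- if and .Values.server.logrotate .Values.server.logrotate.enabled }}`. The helper this hunk edits starts above it.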
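Review bot: `conf.yaml` in the new datadog-audit-configmap.yaml is rendered from `.Values.server.logrotate.datadogsidecar.config` through `indent`, and nothing in this series defines that value, so enabling logrotate without also setting it should fail the render (`indent` expects a string) rather than produce an empty file; add a default under `server.logrotate.datadogsidecar` in values.yaml and document the expected keys. Because the content is copied verbatim into a ConfigMap, the values.yaml comment should state that it must carry only the log-collection configuration (path, source, service) and never an API key or other credential, which belong in a Secret. If this sidecar ships the audit log, as the commit subject suggests, note in the README that Vault audit entries carry client addresses, request paths and identity metadata, so the Datadog destination falls under whatever controls apply to Vault audit data.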
diff --git a/templates/logrotate-configmap.yaml b/templates/logrotate-configmap.yaml new file mode 100644 index 000000000..0e90cd293 --- /dev/null +++ b/templates/logrotate-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-configmap + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: |- +{{ .Values.server.logrotate.config.logRotateConf | indent 6 }} +{{ end }} From 7f03e7c0d64c85bff5d557d5f74882d56924aaf5 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 18/31] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - values.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 5b523c9db..e5ea9264d 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -224,7 +224,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* diff --git a/values.yaml b/values.yaml index 66a3f88e3..50fe6a37f 100644 --- a/values.yaml +++ b/values.yaml @@ -254,7 +254,6 @@ server: # limits: # memory: 256Mi # cpu: 250m - # Ingress allows ingress services to be created to allow external access # from Kubernetes to access Vault pods. # If deployment is on OpenShift, the following block is ignored. From 0e796d4cc388a214c9827892af55187fe78fb629 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 21 Feb 2020 14:50:42 -0500 Subject: [PATCH 19/31] Update to 0.4.0 --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 7a4e86f59..86a5beb6f 100644 --- a/Chart.yaml +++ b/Chart.yaml 
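Review bot: This replaces the fixed logrotate policy of PATCH 16 with the free-form value `.Values.server.logrotate.config.logRotateConf`, but no default for it is added to values.yaml in this patch, so `logrotate.enabled: true` without `config.logRotateConf` hands `indent` a nil value and the render fails. Restore the policy as the documented default in values.yaml, preferably with `create` instead of `copytruncate` so no audit records are lost between copy and truncate, and keep the `postrotate` HUP. Since the `postrotate` block is arbitrary shell executed by the sidecar, the values.yaml comment should say so explicitly.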
@@ -3,7 +3,7 @@ name: vault version: 0.17.1 appVersion: 1.8.4 kubeVersion: ">= 1.14.0-0" -description: Official HashiCorp Vault Chart +description: Install and configure Vault on Kubernetes. home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"] From a99988dc20e81edeee4302aeea838dd039c08d42 Mon Sep 17 00:00:00 2001 From: Julian Setiawan Date: Thu, 2 Apr 2020 08:33:52 -0400 Subject: [PATCH 20/31] Explain this fork in the README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 603b405d4..db4b88b15 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. +This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. # Vault Helm Chart From d7767ac3b6953b9f826efd3d9dcd93b660c73e4f Mon Sep 17 00:00:00 2001 From: marcboudreau Date: Thu, 9 Apr 2020 20:04:23 -0400 Subject: [PATCH 21/31] Adding support for LoadBalancerIP field in ServiceSpec --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index db4b88b15..603b405d4 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. +This repository is used as a submodule in other repositories that install and setup Vault. # Vault Helm Chart From f8fc3b413db12566212ca4de62db2f0f41df2a8e Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 22/31] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 1 + templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ values.yaml | 2 ++ 3 files changed, 23 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index e5ea9264d..5b523c9db 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -224,6 +224,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 50fe6a37f..845761a30 100644 --- a/values.yaml +++ b/values.yaml 
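Review bot: This _helpers.tpl hunk re-adds the unmatched `{{- end -}}` that PATCH 18 removed, and PATCH 24 removes it a second time; PATCHES 22–24 replay PATCHES 16–18 with the same files and content, so at this commit the helper has an `{{end}}` with no opening action, `helm template` should fail, and a `git bisect` across the series lands on broken commits. Drop the duplicated commits, or squash the series, rather than carrying the breakage and its fix twice. The same applies to the re-created `logrotate-config-configmap.yaml` below, which PATCH 23 deletes again.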
@@ -697,6 +697,8 @@ server: # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. annotations: {} + # A boolean flag to setup logrotate as a side car continer + logrotate: null # Settings for the statefulSet used to run Vault. statefulSet: From 8e98540db8d5fbd5e75066a18b0caacadc732e22 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 23/31] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/logrotate-config-configmap.yaml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file From 3562df65937dc705ff577d0366b331a92189b6b6 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 24/31] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 5b523c9db..e5ea9264d 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -224,7 +224,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* From d92becff3551dcdbe615aaa1bc3087035d92438b Mon Sep 17 00:00:00 2001 
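Review bot: This adds a second `logrotate: null` to values.yaml — PATCH 16 already inserted one after `statefulSet.annotations`, and nothing between the two patches removes it — so the `server:` map ends up with a duplicate key, which is invalid YAML and, where the loader tolerates it, silently keeps whichever value comes last. The indentation is not recoverable from this diff; if this copy sits under `serviceAccount:` rather than `server:`, the templates' `.Values.server.logrotate` never sees it at all. Keep a single entry, as a map the templates can index without a nil error: `logrotate:` / `  enabled: false`, and fix the comment (`# Enable the logrotate sidecar container`).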
From: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Date: Wed, 1 Jun 2022 11:54:46 -0400 Subject: [PATCH 25/31] feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default 
overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. 
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham --- README.md | 1 + templates/injector-deployment.yaml | 7 +++++++ templates/server-ha-standby-service.yaml | 2 +- test/unit/injector-deployment.bats | 2 +- 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 603b405d4..03afc2b3a 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,7 @@ Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the [Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + ## Customizations This Helm chart has been customized in the following ways: diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index f4a796bf0..c705f2a98 100644 --- a/templates/injector-deployment.yaml 
+++ b/templates/injector-deployment.yaml
@@ -138,6 +138,13 @@ spec:
 successThreshold: 1
 timeoutSeconds: 5
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }}
+{{- if .Values.injector.certs.secretName }}
+ volumeMounts:
+ - name: webhook-certs
+ mountPath: /etc/webhook/certs
+ readOnly: true
+{{- end }}
+ {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 - name: leader-elector
 image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
 args:
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index fef92a1b2..dbba9d653 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
@@ -39,4 +39,4 @@ spec:
 component: server
 vault-active: "false"
 {{- end }}
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 0f475dfca..9a634c301 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -695,4 +695,4 @@ load _helpers
 local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr)
 [ "${value}" = "false" ]
-}
\ No newline at end of file
+}
From fa13d7d0cb97a4133eedccae36f067cb13292604 Mon Sep 17 00:00:00 2001 From: adhish2001 Date: Thu, 14 Jul 2022 10:58:01 -0400 Subject: [PATCH 26/31] fix: deploy_local.sh error with file
--- templates/injector-deployment.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index c705f2a98..e1b6d7b57 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
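Review bot: The `webhook-certs` volumeMounts is inserted right after the context line `{{- if and (... leaderElector.enabled ...) (... replicas ... 1) (... useContainer ...) }}`, so as far as this hunk shows the injector container only receives `/etc/webhook/certs` when the leader-elector conditions hold — a single-replica injector with `injector.certs.secretName` set gets no certificate mount — and the added `{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}` opens a second `if` inside the first with no matching `end` in this hunk, which looks like an unresolved merge of upstream #545 and will most likely stop the template from parsing. Move the `{{- if .Values.injector.certs.secretName }} … volumeMounts … {{- end }}` block above the leader-elector condition, onto the sidecar-injector container, and keep a single `if` around the leader-elector container. The container list starts outside this hunk; the unit test `injector deployment manual TLS adds volume mount` from #545, cited in this commit's message, would catch the regression.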
@@ -185,5 +185,8 @@ spec:
 secret:
 secretName: "{{ .Values.injector.certs.secretName }}"
 {{- end }}
- {{- include "imagePullSecrets" . | nindent 6 }}
+ {{- if .Values.global.imagePullSecrets }} {{- include "imagePullSecrets" . | nindent 6 }}
+ imagePullSecrets:
+ {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
+ {{- end }
 {{ end }}
From e4b72082f188cd3cfaf025b9b4441c5cd1a1b9ef Mon Sep 17 00:00:00 2001 From: adhish2001 Date: Thu, 14 Jul 2022 12:39:30 -0400 Subject: [PATCH 27/31] minor changes
--- templates/injector-deployment.yaml | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index e1b6d7b57..0d3c89158 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -138,13 +138,6 @@ spec:
 successThreshold: 1
 timeoutSeconds: 5
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }}
-{{- if .Values.injector.certs.secretName }}
- volumeMounts:
- - name: webhook-certs
- mountPath: /etc/webhook/certs
- readOnly: true
-{{- end }}
- {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 - name: leader-elector
 image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
 args:
@@ -185,8 +178,5 @@ spec:
 secret:
 secretName: "{{ .Values.injector.certs.secretName }}"
 {{- end }}
- {{- if .Values.global.imagePullSecrets }} {{- include "imagePullSecrets" . | nindent 6 }}
- imagePullSecrets:
- {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
- {{- end }
-{{ end }}
+ {{- include "imagePullSecrets" . | nindent 6 }}
+{{ end }}
\ No newline at end of file
From 7f26aa5471a0df679268961fa79a12041de6a9ea Mon Sep 17 00:00:00 2001
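Review bot: `{{- end }` on the last added line of the PATCH 26 hunk is missing its closing brace, so the template cannot parse at this commit, and the `{{- include "imagePullSecrets" . | nindent 6 }}` left on the same line as the new `{{- if .Values.global.imagePullSecrets }}` renders alongside the hand-written `imagePullSecrets:` block — if that helper already emits an `imagePullSecrets:` key, as its name suggests, the pod spec carries the key twice. PATCH 27 reverts the whole block, so squash the two; if `global.imagePullSecrets` was not being applied, fix it inside the `imagePullSecrets` helper rather than duplicating it in the deployment. The enclosing `spec` starts outside this hunk.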
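Review bot: Deleting the `webhook-certs` volumeMounts in the first PATCH 27 hunk leaves the `webhook-certs` secret volume still declared (see the `secretName: "{{ .Values.injector.certs.secretName }}"` context in the second hunk) but, unless the sidecar-injector container mounts it somewhere outside this hunk, never mounted, so `injector.certs.secretName` would silently stop delivering TLS material to the webhook. The fix for the unbalanced `if` that PATCH 25 introduced is to move the mount onto the injector container ahead of the leader-elector `if`, not to remove it. Confirm with the `manual TLS adds volume mount` unit test referenced in PATCH 25's message before merging.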
From: Adhish Maheswaran <36574103+adhish2001@users.noreply.github.com> Date: Wed, 27 Jul 2022 11:25:38 -0400 Subject: [PATCH 28/31] Datago 30304/upgrading vault to 1.9.2 (#14) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). 
Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Update to 0.4.0 * Explain this fork in the README * Adding 
support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) 
* Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. 
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error with file * minor changes * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add 
csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add 
default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. 
See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * changed value to use tag 1.9.6 Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. 
Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 --- .circleci/config.yml | 11 +- .github/workflows/acceptance.yaml | 34 +++ .github/workflows/jira.yaml | 23 +- .../workflows/setup-test-tools/action.yaml | 18 ++ .github/workflows/tests.yaml | 25 ++ CHANGELOG.md | 29 ++- CONTRIBUTING.md | 12 +- Chart.yaml | 5 +- templates/_helpers.tpl | 15 ++ templates/csi-daemonset.yaml | 3 + templates/injector-deployment.yaml | 19 +- templates/injector-disruptionbudget.yaml | 20 ++ templates/injector-leader-endpoint.yaml | 14 - templates/injector-role.yaml | 2 +- templates/server-route.yaml | 3 +- templates/server-statefulset.yaml | 2 +- templates/tests/server-test.yaml | 15 +- test/acceptance/_helpers.bash | 32 +-- test/acceptance/csi.bats | 17 +- test/acceptance/injector-leader-elector.bats | 11 +- test/acceptance/server-ha-enterprise-dr.bats | 16 +- .../acceptance/server-ha-enterprise-perf.bats | 16 +- test/acceptance/server-ha-raft.bats | 8 +- test/acceptance/server-ha.bats | 11 +- test/acceptance/server.bats | 4 +- test/kind/config.yaml | 13 + test/unit/csi-daemonset.bats | 23 ++ test/unit/injector-deployment.bats | 55 +++- test/unit/injector-disruptionbudget.bats | 32 +++ test/unit/injector-leader-elector.bats 
| 105 -------- test/unit/server-ha-disruptionbudget.bats | 4 +- test/unit/server-route.bats | 38 +++ test/unit/server-statefulset.bats | 23 +- test/unit/server-test.bats | 241 ++++++++++++++++++ values.openshift.yaml | 6 +- values.schema.json | 56 ++-- values.yaml | 50 ++-- 37 files changed, 742 insertions(+), 269 deletions(-) create mode 100644 .github/workflows/acceptance.yaml create mode 100644 .github/workflows/setup-test-tools/action.yaml create mode 100644 .github/workflows/tests.yaml create mode 100644 templates/injector-disruptionbudget.yaml delete mode 100644 templates/injector-leader-endpoint.yaml create mode 100755 test/unit/injector-disruptionbudget.bats create mode 100644 test/unit/server-test.bats diff --git a/.circleci/config.yml b/.circleci/config.yml index 8de4c83c1..70c2453fb 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -85,16 +85,7 @@ jobs: workflows: version: 2 - build_and_test: - jobs: - - bats-unit-test - - chart-verifier - - acceptance: - requires: - - bats-unit-test - filters: - branches: - only: main + # Note: unit and acceptance tests are now being run in GitHub Actions update-helm-charts-index: jobs: - update-helm-charts-index: diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml new file mode 100644 index 000000000..644875e26 --- /dev/null +++ b/.github/workflows/acceptance.yaml 
@@ -0,0 +1,34 @@
+name: Acceptance Tests
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch: {}
+
+jobs:
+ kind:
+ strategy:
+ fail-fast: false
+ matrix:
+ kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Setup test tools
+ uses: ./.github/workflows/setup-test-tools
+
+ - name: Create K8s Kind Cluster
+ uses: helm/kind-action@v1.2.0
+ with:
+ config: test/kind/config.yaml
+ node_image: kindest/node:v${{ matrix.kind-k8s-version }}
+
+ # Skip CSI tests if K8s version < 1.16.x
+ - run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV
+ - if: ${{ env.K8S_MINOR < 16 }}
+ run: echo "SKIP_CSI=true" >> $GITHUB_ENV
+
+ - run: bats ./test/acceptance -t
+ env:
+ VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml
index 0c8e5bf6e..eb369f335 100644
--- a/.github/workflows/jira.yaml
+++ b/.github/workflows/jira.yaml
@@ -13,21 +13,6 @@ jobs: runs-on: ubuntu-latest name: Jira sync steps:
- - name: Check if community user
- if: github.event.action == 'opened'
- id: vault-team-role
- run: |
- TEAM=vault
- ROLE="$(hub api orgs/hashicorp/teams/${TEAM}/memberships/${{ github.actor }} | jq -r '.role | select(.!=null)')"
- if [[ -n ${ROLE} ]]; then
- echo "Actor ${{ github.actor }} is a ${TEAM} team member, skipping ticket creation"
- else
- echo "Actor ${{ github.actor }} is not a ${TEAM} team member"
- fi
- echo "::set-output name=role::${ROLE}"
- env:
- GITHUB_TOKEN: ${{ secrets.JIRA_SYNC_GITHUB_TOKEN }}
-
 - name: Login uses: atlassian/gajira-login@v2.0.0 env:
@@ -46,7 +31,7 @@ jobs: fi - name: Create ticket
- if: github.event.action == 'opened' && !steps.vault-team-role.outputs.role
+ if: github.event.action == 'opened'
 uses: tomhjp/gh-action-jira-create@v0.2.0 with: project: VAULT 
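Review bot: Every third-party action in the new workflow is referenced by a mutable tag (`actions/checkout@v2`, `helm/kind-action@v1.2.0`), so the job that is handed `secrets.VAULT_LICENSE_CI` runs whatever those tags resolve to at run time; pinning each `uses:` to a full commit SHA with the tag in a trailing comment keeps the run reproducible. The same applies to `actions/setup-node@v2` and `actions/setup-python@v2` in `.github/workflows/setup-test-tools/action.yaml`, where `pip install yq` is also unversioned although `bats@${BATS_VERSION}` next to it is pinned, and to `actions/checkout@v2` and `actions/setup-go@v2` in `.github/workflows/tests.yaml`. Quoting the `kind-k8s-version` matrix entries (`"1.14.10"`) would additionally protect against a future two-part entry such as `1.20` being read as a float by the YAML parser.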
@@ -63,7 +48,7 @@ jobs: uses: tomhjp/gh-action-jira-search@v0.2.1 with: # cf[10089] is Issue Link custom field - jql: 'project = "VAULT" and issuetype = "GH Issue" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' + jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' - name: Sync comment if: github.event.action == 'created' && steps.search.outputs.issue @@ -77,11 +62,11 @@ jobs: uses: atlassian/gajira-transition@v2.0.1 with: issue: ${{ steps.search.outputs.issue }} - transition: Done + transition: Close - name: Reopen ticket if: github.event.action == 'reopened' && steps.search.outputs.issue uses: atlassian/gajira-transition@v2.0.1 with: issue: ${{ steps.search.outputs.issue }} - transition: "To Do" + transition: "Pending Triage" diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml new file mode 100644 index 000000000..3fa285416 --- /dev/null +++ b/.github/workflows/setup-test-tools/action.yaml @@ -0,0 +1,18 @@ +name: Setup common testing tools +description: Install bats and python-yq + +runs: + using: "composite" + steps: + - uses: actions/setup-node@v2 + with: + node-version: '14' + - run: npm install -g bats@${BATS_VERSION} + shell: bash + env: + BATS_VERSION: '1.5.0' + - run: bats -v + shell: bash + - uses: actions/setup-python@v2 + - run: pip install yq + shell: bash diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml new file mode 100644 index 000000000..0aba6ee30 --- /dev/null +++ b/.github/workflows/tests.yaml 
@@ -0,0 +1,25 @@
+name: Tests
+
+on: [push, workflow_dispatch]
+
+jobs:
+ bats-unit-tests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: ./.github/workflows/setup-test-tools
+ - run: bats ./test/unit -t
+
+ chart-verifier:
+ runs-on: ubuntu-latest
+ env:
+ CHART_VERIFIER_VERSION: '1.2.1'
+ steps:
+ - uses: actions/checkout@v2
+ - name: Setup test tools
+ uses: ./.github/workflows/setup-test-tools
+ - uses: actions/setup-go@v2
+ with:
+ go-version: '1.17.4'
+ - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
+ - run: bats ./test/chart -t
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 286e60714..bfb3af04f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,32 @@ ## Unreleased +## 0.19.0 (January 20th, 2022) + +CHANGES: +* Vault image default 1.9.2 +* Vault K8s image default 0.14.2 + +Features: +* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) +* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) +* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661) +* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670) + +Improvements: +* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679) +* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673) +* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686) + +## 0.18.0 (November 17th, 2021) + +CHANGES: +* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649) +* Vault image default 1.9.0 +* Vault K8s image default 0.14.1 + +Improvements: +* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) + ## 0.17.1 (October 25th, 2021) Improvements: 
@@ -46,7 +73,7 @@ Improvements: ## 0.14.0 (July 28th, 2021) Features: -* Added templateConfig.exitOnRetryFailure annotation for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) +* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) Improvements: * Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f1c160000..ad31ac92d 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -13,13 +13,14 @@ rules to get in the way of that. That said, if you want to ensure that a pull request is likely to be merged, talk to us! You can find out our thoughts and ensure that your contribution won't clash or be obviated by Vault's normal direction. A great way to do this -is via the [Vault Google Group][2]. Sometimes Vault devs are in `#vault-tool` -on Freenode, too. +is via the [Vault Discussion Forum][1]. This document will cover what we're looking for in terms of reporting issues. By addressing all the points we're looking for, it raises the chances we can quickly merge or address your contributions. +[1]: https://discuss.hashicorp.com/c/vault + ## Issues ### Reporting an Issue @@ -237,3 +238,10 @@ Here are some examples of common test patterns: ``` Here we are check the length of the command output to see if the anything is rendered. This style can easily be switched to check that a file is rendered instead. + +## Contributor License Agreement + +We require that all contributors sign our Contributor License Agreement ("CLA") +before we can accept the contribution. + +[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla) diff --git a/Chart.yaml b/Chart.yaml index 248ab9b13..9f1440436 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -1,10 +1,9 @@ apiVersion: v2 name: vault -version: 0.17.1 -appVersion: 1.8.4 +version: 0.19.0 +appVersion: 1.9.2 kubeVersion: ">= 1.14.0-0" description: Install and configure Vault on Kubernetes. - home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"] diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index e5ea9264d..dd53fd5a6 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -316,6 +316,21 @@ Sets the injector node selector for pod placement {{- end }} {{- end -}} +{{/* +Sets the injector deployment update strategy +*/}} +{{- define "injector.strategy" -}} + {{- if .Values.injector.strategy }} + strategy: + {{- $tp := typeOf .Values.injector.strategy }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.strategy . | nindent 4 | trim }} + {{- else }} + {{- toYaml .Values.injector.strategy | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets extra pod annotations */}} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index a6461fbd2..f0bf639f3 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -27,6 +27,9 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} {{ template "csi.pod.annotations" . }} spec: + {{- if .Values.csi.priorityClassName }} + priorityClassName: {{ .Values.csi.priorityClassName }} + {{- end }} serviceAccountName: {{ template "vault.fullname" . }}-csi-provider {{- template "csi.pod.tolerations" . }} containers: diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 0d3c89158..d58fc03fa 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
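Review bot: The header comment on the new `injector.strategy` helper does not say that the value may be either a map or a string, although the body branches on `typeOf` and pushes a string through `tpl`, so a reader of `_helpers.tpl` has to work that out from the code. I would expand it to `Sets the injector deployment update strategy. Accepts either a YAML map (rendered with toYaml) or a string, which is evaluated as a template with tpl before being inserted.` Because a string value is executed as a Helm template, the `injector.strategy` entry in values.yaml (changed by this commit, but not in view) should state the same so that users know the value is template-expanded.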
@@ -17,6 +17,7 @@ spec: app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook + {{ template "injector.strategy" . }} template: metadata: labels: @@ -109,6 +110,10 @@ spec: value: "{{ .Values.injector.agentDefaults.template }}" - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" + {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }} + - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL + value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" + {{- end }} {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} - name: POD_NAME valueFrom: @@ -137,7 +142,13 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 - {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }} +{{- if .Values.injector.certs.secretName }} + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true +{{- end }} + {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - name: leader-elector image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} args: @@ -166,12 +177,6 @@ spec: successThreshold: 1 timeoutSeconds: 5 {{- end }} -{{- if .Values.injector.certs.secretName }} - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true -{{- end }} {{- if .Values.injector.certs.secretName }} volumes: - name: webhook-certs diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml new file mode 100644 index 000000000..59c998551 --- /dev/null +++ b/templates/injector-disruptionbudget.yaml 
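Review bot: In the `@@ -137,7 +142,13 @@` hunk the `leader-elector` container is still rendered whenever `injector.leaderElector.enabled` is true and `injector.replicas` is greater than 1 — dropping `useContainer` from the condition actually widens the case in which it appears — while the same commit removes `endpoints` from the injector Role in `templates/injector-role.yaml`, deletes `injector-leader-endpoint.yaml`, and adds a 0.18.0 CHANGELOG entry saying the leader-elector container was removed. If this is a leftover from merging upstream into the fork, the whole container block (its probes and closing `{{- end }}` are in the `@@ -166,12 +177,6 @@` hunk) should be deleted along with the guard; if it is intentional, the container would now run without the RBAC it needs for the Endpoints object that the deleted template describes as the leader lock. Either way the new guard `{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}` is inconsistent with the rest of the change and deserves a comment explaining why it stays.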
@@ -0,0 +1,20 @@
+{{- if .Values.injector.podDisruptionBudget }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "vault.fullname" . }}-agent-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ helm.sh/chart: {{ include "vault.chart" . }}
+ app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ component: webhook
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ component: webhook
+ {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
+{{- end -}}
diff --git a/templates/injector-leader-endpoint.yaml b/templates/injector-leader-endpoint.yaml
deleted file mode 100644
index 42c4c0ae7..000000000
--- a/templates/injector-leader-endpoint.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true")}}
-# This is created here so it can be cleaned up easily, since if
-# the endpoint is left around the leader won't expire for about a minute.
-apiVersion: v1
-kind: Endpoints
-metadata:
- name: {{ template "vault.fullname" . }}-agent-injector-leader
- annotations:
- deprecated: "true"
- labels:
- app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml
index 446efaf59..e7e383d16 100644
--- a/templates/injector-role.yaml
+++ b/templates/injector-role.yaml
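Review bot: The new PodDisruptionBudget is gated only on `injector.podDisruptionBudget` being set, so it is rendered even when `injector.enabled` or `global.enabled` is false, unlike the deleted `injector-leader-endpoint.yaml`, which checked both before emitting an injector resource; the result is a stray PDB selecting a Deployment that was never created. I would change the first line to `{{- if and (eq (.Values.injector.enabled | toString) "true") (eq (.Values.global.enabled | toString) "true") .Values.injector.podDisruptionBudget }}`. Separately, `policy/v1beta1` is the right floor for the `>= 1.14.0-0` kubeVersion, but that API version is removed in Kubernetes 1.25, so choosing `policy/v1` through `.Capabilities.APIVersions.Has` when the cluster offers it would keep the template installable on newer clusters without raising the minimum.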
@@ -9,7 +9,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} rules: - apiGroups: [""] - resources: ["secrets", "configmaps", "endpoints"] + resources: ["secrets", "configmaps"] verbs: - "create" - "get" diff --git a/templates/server-route.yaml b/templates/server-route.yaml index 63055db39..e122d936b 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml @@ -9,6 +9,7 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: {{ template "vault.fullname" . }} + namespace: {{ .Release.Namespace }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} @@ -27,7 +28,7 @@ spec: port: targetPort: 8200 tls: - termination: passthrough + {{- toYaml .Values.server.route.tls | nindent 4 }} {{- end }} {{- end }} {{- end }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 031b17905..cbcda967d 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -41,7 +41,7 @@ spec: {{- if .Values.server.priorityClassName }} priorityClassName: {{ .Values.server.priorityClassName }} {{- end }} - terminationGracePeriodSeconds: 10 + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} serviceAccountName: {{ template "vault.serviceAccount.name" . }} {{ if .Values.server.shareProcessNamespace }} shareProcessNamespace: true diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index 66aa178f5..d983b9df6 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,4 +1,6 @@ -{{- if .Values.server.enabled }} +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} apiVersion: v1 kind: Pod metadata: 
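Review bot: The Route's `tls:` block now comes entirely from `server.route.tls`, and nothing in the hunk guards the case where that value is empty: `toYaml` of a nil value renders `tls: null`, so an upgrade with an older values overlay that sets `route.tls` to null silently moves from the previous hard-coded `termination: passthrough` to a Route with TLS turned off. Unless the values.yaml hunk (not in view) carries a passthrough default that users cannot blank, I would either wrap the block in `{{- if .Values.server.route.tls }}` … `{{- end }}` with a documented fallback, or fail the render with `required`. The 0.19.0 CHANGELOG line "Make TLS configurable for OpenShift routes" should also say what the default termination is.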
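Review bot: `terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}` renders an empty field when an overlay sets the key to null, and Kubernetes then applies its own 30-second default instead of the 10 seconds the StatefulSet used before this change. `terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds | default 10 }}` preserves the old behaviour for that case without touching the values.yaml default, which is changed in this commit but not in view.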
@@ -15,6 +17,7 @@ spec: env: - name: VAULT_ADDR value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} command: - /bin/sh - -c @@ -35,6 +38,14 @@ spec: fi exit 0 - + volumeMounts: + {{- if .Values.server.volumeMounts }} + {{- toYaml .Values.server.volumeMounts | nindent 8}} + {{- end }} + volumes: + {{- if .Values.server.volumes }} + {{- toYaml .Values.server.volumes | nindent 4}} + {{- end }} restartPolicy: Never {{- end }} +{{- end }} diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index 466a51738..db8b05145 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash 
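Review bot: Style: in the `@@ -35,6 +38,14 @@` hunk `volumeMounts:` and `volumes:` are emitted unconditionally and only their contents are guarded, so a test pod without `server.volumes` renders `volumes: null`; moving each key inside its `if` avoids the null and matches the optional-field pattern used for `priorityClassName` in `csi-daemonset.yaml`. The two `nindent 8}}` / `nindent 4}}` actions also drop the space before `}}` that the `include "vault.extraEnvironmentVars" … | nindent 8 }}` line in the previous hunk uses.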
@@ -40,35 +40,37 @@ helm_install_ha() { ${BATS_TEST_DIRNAME}/../.. } -# wait for consul to be running +# wait for consul to be ready wait_for_running_consul() { + kubectl wait --for=condition=Ready --timeout=5m pod -l app=consul,component=client +} + +wait_for_sealed_vault() { + POD_NAME=$1 + check() { - # This requests the pod and checks whether the status is running - # and the ready state is true. If so, it outputs the name. Otherwise - # it outputs empty. Therefore, to check for success, check for nonzero - # string length. - kubectl get pods -l component=client -o json | \ - jq -r '.items[0] | select( - .status.phase == "Running" and - ([ .status.conditions[] | select(.type == "Ready" and .status == "True") ] | length) == 1 - ) | .metadata.name' + sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed') + if [ "$sealed_status" == "true" ]; then + return 0 + fi + return 1 } for i in $(seq 60); do - if [ -n "$(check ${POD_NAME})" ]; then - echo "consul clients are ready." + if check ${POD_NAME}; then + echo "Vault on ${POD_NAME} is running." return fi - echo "Waiting for ${POD_NAME} to be ready..." + echo "Waiting for Vault on ${POD_NAME} to be running..." sleep 2 done - echo "consul clients never became ready." + echo "Vault on ${POD_NAME} never became running." return 1 } -# wait for a pod to be ready +# wait for a pod to be running wait_for_running() { POD_NAME=$1 diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index d222ca274..c7c6549e2 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats 
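Review bot: `wait_for_sealed_vault` logs `Vault on ${POD_NAME} is running.` / `never became running.` although what its `check` verifies is `.sealed == "true"`, so the messages will mislead whoever reads a failed acceptance run; change them to `echo "Vault on ${POD_NAME} is sealed."`, `echo "Waiting for Vault on ${POD_NAME} to be sealed..."` and `echo "Vault on ${POD_NAME} never became sealed."`. `check` also reads `$1` rather than `POD_NAME`, which only works because the caller passes `${POD_NAME}` explicitly; quoting it as `kubectl exec "$1" -- vault status -format=json` matches the quoting in `wait_for_running` below and avoids word-splitting on an unexpected name.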
@@ -2,18 +2,27 @@ load _helpers +check_skip_csi() { + if [ ! -z ${SKIP_CSI} ]; then + skip "Skipping CSI tests" + fi +} + @test "csi: testing deployment" { + check_skip_csi + cd `chart_dir` kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance # Install Secrets Store CSI driver - CSI_DRIVER_VERSION=0.2.0 - helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/v${CSI_DRIVER_VERSION}/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ + CSI_DRIVER_VERSION=1.0.0 + helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ --wait --timeout=5m \ --namespace=acceptance \ - --set linux.image.pullPolicy="IfNotPresent" + --set linux.image.pullPolicy="IfNotPresent" \ + --set syncSecret.enabled=true # Install Vault and Vault provider helm install vault \ --wait --timeout=5m \ @@ -49,6 +58,8 @@ load _helpers # Clean up teardown() { + check_skip_csi + if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats index 6f9f0b41f..0f91e02a3 100644 --- a/test/acceptance/injector-leader-elector.bats +++ b/test/acceptance/injector-leader-elector.bats @@ -12,8 +12,7 @@ load _helpers helm install "$(name_prefix)" \ --wait \ --timeout=5m \ - --set="injector.replicas=3" \ - --set="injector.leaderElector.useContainer=true" . + --set="injector.replicas=3" . kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name')) 
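Review bot: `check_skip_csi` tests `[ ! -z ${SKIP_CSI} ]` with the variable unquoted; when `SKIP_CSI` is unset the expression degenerates to `[ ! -z ]`, which evaluates as intended only because `-z` is then treated as a non-empty string, and a value containing whitespace would break the test outright. `[ -n "${SKIP_CSI}" ]` states the intent directly and is robust to both cases. The new chart URL also keeps the `?raw=true` query string that only made sense for the old GitHub blob URL; it can be dropped from `https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz`.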
@@ -23,21 +22,15 @@ load _helpers tries=0 until [ $tries -ge 60 ] do - ## The new internal leader mechanism uses a ConfigMap owner=$(kubectl get configmaps vault-k8s-leader -o json | jq -r .metadata.ownerReferences\[0\].name) leader=$(kubectl get pods $owner -o json | jq -r .metadata.name) [ -n "${leader}" ] && [ "${leader}" != "null" ] && break - - ## Also check the old leader-elector container - old_leader="$(echo "$(kubectl exec ${pods[0]} -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)" - [ -n "${old_leader}" ] && break - ((++tries)) sleep .5 done # Check the leader name is valid - i.e. one of the 3 pods - [[ " ${pods[@]} " =~ " ${leader} " || " ${pods[@]} " =~ " ${old_leader} " ]] + [[ " ${pods[@]} " =~ " ${leader} " ]] } diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index c9a5d1993..54a310f3a 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -15,9 +15,7 @@ load _helpers wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-east-0 local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.initialized') @@ -50,7 +48,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] 
@@ -77,16 +75,14 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-west-0 local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.initialized') @@ -119,7 +115,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index b42bb50d0..5ba78c9fe 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,16 +8,14 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-east-0 local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.initialized') 
@@ -50,7 +48,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] @@ -77,16 +75,14 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-west-0 local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.initialized') @@ -119,7 +115,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index 9f9f3decd..f06ca8701 100644 --- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -11,9 +11,7 @@ load _helpers wait_for_running $(name_prefix)-0 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-0 local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | jq -r '.initialized') 
@@ -112,6 +110,10 @@ setup() { teardown() { if [[ ${CLEANUP:-true} == "true" ]] then + # If the test failed, print some debug output + if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then + kubectl logs -l app.kubernetes.io/name=vault + fi helm delete vault kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 3d6295988..4180f8c4a 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats @@ -10,9 +10,7 @@ load _helpers wait_for_running $(name_prefix)-0 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-0 local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | jq -r '.initialized') @@ -91,7 +89,7 @@ setup() { helm install consul \ https://github.com/hashicorp/consul-helm/archive/v0.28.0.tar.gz \ - --set 'ui.enabled=false' \ + --set 'ui.enabled=false' wait_for_running_consul } @@ -100,6 +98,11 @@ setup() { teardown() { if [[ ${CLEANUP:-true} == "true" ]] then + # If the test failed, print some debug output + if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then + kubectl logs -l app=consul + kubectl logs -l app.kubernetes.io/name=vault + fi helm delete vault helm delete consul kubectl delete --all pvc diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index 84a4e7d99..1e944a04e 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats @@ -13,9 +13,7 @@ load _helpers wait_for_running $(name_prefix)-0 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-0 local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | jq -r '.initialized') 
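Review bot: `kubectl logs -l app.kubernetes.io/name=vault` in the failure branch prints the logs of all matching pods concatenated without pod names, and when a selector is used kubectl defaults to the last 10 lines per pod and refuses more than five concurrent log requests, so the debug output may be truncated or replaced by an error on larger HA runs. Suggest `kubectl logs -l app.kubernetes.io/name=vault --prefix --all-containers --tail=-1`, and the same flags on the two selectors added to the server-ha.bats teardown. Since this output lands in CI logs, a comment that the dump is expected to contain only server logs (not secret material) would make the intent clear to anyone extending it.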
diff --git a/test/kind/config.yaml b/test/kind/config.yaml index 250966401..8b18a3a5f 100644 --- a/test/kind/config.yaml +++ b/test/kind/config.yaml @@ -5,3 +5,16 @@ nodes: - role: worker - role: worker - role: worker +# These apiServer settings are included for running the CSI provider on K8s +# prior to 1.21 +kubeadmConfigPatches: + - | + apiVersion: kubeadm.k8s.io/v1beta2 + kind: ClusterConfiguration + metadata: + name: config + apiServer: + extraArgs: + "service-account-issuer": "https://kubernetes.default.svc.cluster.local" + "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" + "service-account-api-audiences": "https://kubernetes.default.svc.cluster.local" diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 5cfd8a7e8..dd88d829a 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -30,6 +30,29 @@ load _helpers [ "${actual}" = "false" ] } +# priorityClassName + +@test "csi/daemonset: priorityClassName not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: priorityClassName can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.priorityClassName=armaggeddon' \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + # serviceAccountName reference name @test "csi/daemonset: serviceAccountName reference name" { cd `chart_dir` diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 9a634c301..6443ca495 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
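Review bot: The comment says the apiServer patch is for K8s prior to 1.21, but `kubeadmConfigPatches` is applied to every node image kind is given, including the newer versions the workflow runs; `service-account-api-audiences` is a deprecated alias of `api-audiences`, so if a newer node image drops the alias the apiserver would fail to start rather than ignore it. Suggest either selecting the kind config per version in the workflow, or extending the comment to state that the issuer and signing-key values match kubeadm's own defaults on 1.21+ so the patch is expected to be a no-op there — presumably true but worth confirming against the node images in the matrix.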
@@ -168,7 +168,7 @@ load _helpers [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] } -@test "injector/deployment: manual TLS adds volume mount" { +@test "injector/deployment: manual TLS adds volume mount" { cd `chart_dir` local object=$(helm template \ --show-only templates/injector-deployment.yaml \ 
@@ -696,3 +696,56 @@ load _helpers yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr) [ "${value}" = "false" ] } +@test "injector/deployment: agent default template_config.static_secret_render_interval" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "" ] +} + +@test "injector/deployment: can set agent template_config.static_secret_render_interval" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set='injector.agentDefaults.templateConfig.staticSecretRenderInterval=1m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "1m" ] +} + +@test "injector/deployment: strategy default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.strategy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/deployment: strategy set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set="injector.strategy=testing" \ + . | tee /dev/stderr | + yq -r '.spec.strategy' | tee /dev/stderr) + [ "${actual}" = "testing" ] +} + +@test "injector/deployment: strategy can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.strategy.rollingUpdate.maxUnavailable=1' \ + . 
| tee /dev/stderr | + yq -r '.spec.strategy.rollingUpdate.maxUnavailable' | tee /dev/stderr) + [ "${actual}" = "1" ] +} diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats new file mode 100755 index 000000000..a0cee27d7 --- /dev/null +++ b/test/unit/injector-disruptionbudget.bats @@ -0,0 +1,32 @@ +#!/usr/bin/env bats + +load _helpers + +@test "injector/DisruptionBudget: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.maxUnavailable=3' \ + . | tee /dev/stderr | + yq '.spec.maxUnavailable == 3' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + . | tee /dev/stderr | + yq '.spec.minAvailable == 2' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index 75ab2982c..b6fa4ae62 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats 
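Review bot: The `agent default template_config.static_secret_render_interval` test asserts `[ "${value}" = "" ]`, which passes both when the env var is absent from the container and when it is rendered with an empty value, so it does not pin which of the two the template produces by default. If the intent is that the variable is omitted unless configured, select on presence instead, e.g. `yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | length'` and assert `"0"`.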
@@ -166,108 +166,3 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } - -#-------------------------------------------------------------------- -# Old leader-elector container support -# Note: deprecated and will be removed soon - -@test "injector/deployment: leader elector - sidecar is created only when enabled" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "1" ] - - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.enabled=false" \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "1" ] - - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "2" ] -} - -@test "injector/deployment: leader elector image name is configurable" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - --set "injector.leaderElector.image.repository=SomeOtherImage" \ - --set "injector.leaderElector.image.tag=SomeOtherTag" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].image' | tee /dev/stderr) - [ "${actual}" = "SomeOtherImage:SomeOtherTag" ] -} - -@test "injector/deployment: leader elector TTL is configurable" { - cd `chart_dir` - # Default value 60s - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) - [ "${actual}" = "--ttl=60s" ] - - # Configured to 30s - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - --set "injector.leaderElector.ttl=30s" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) - [ "${actual}" = "--ttl=30s" ] -} - -@test "injector/leader-endpoint: created/skipped as appropriate" { - cd `chart_dir` - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "global.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 6cf21f200..9271c019f 100755 
--- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -16,7 +16,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-disruptionbudget.yaml \ - --set 'globa.enabled=false' \ + --set 'global.enabled=false' \ --set 'server.ha.enabled=false' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -96,4 +96,4 @@ load _helpers . | tee /dev/stderr | yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] -} \ No newline at end of file +} diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index d141fb635..53e1e619b 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats 
@@ -141,3 +141,41 @@ load _helpers yq -r '.spec.to.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } + +@test "server/route: OpenShift - route termination mode set to default passthrough" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "passthrough" ] +} + +@test "server/route: OpenShift - route termination mode set to edge" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.termination=edge' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "edge" ] +} + +@test "server/route: OpenShift - route custom tls entry" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \ + . | tee /dev/stderr | + yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr) + [ "${actual}" = "Redirect" ] +} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index b93905188..0a83ec6a1 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -537,7 +537,7 @@ load _helpers cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ - --set 'server.stanadlone.enabled=true' \ + --set 'server.standalone.enabled=true' \ --set 'server.extraEnvironmentVars.FOO=bar' \ --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ . | tee /dev/stderr | 
@@ -1385,6 +1385,27 @@ load _helpers [[ "${actual}" = *"foobar"* ]] } +#-------------------------------------------------------------------- +# terminationGracePeriodSeconds +@test "server/standalone-StatefulSet: terminationGracePeriodSeconds default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.terminationGracePeriodSeconds' | tee /dev/stderr) + [[ "${actual}" = "10" ]] +} + +@test "server/standalone-StatefulSet: terminationGracePeriodSeconds 30" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.terminationGracePeriodSeconds=30' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.terminationGracePeriodSeconds' | tee /dev/stderr) + [[ "${actual}" = "30" ]] +} + #-------------------------------------------------------------------- # preStop @test "server/standalone-StatefulSet: preStop sleep duration default" { diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats new file mode 100644 index 000000000..5fd65d561 --- /dev/null +++ b/test/unit/server-test.bats 
@@ -0,0 +1,241 @@ +#!/usr/bin/env bats + +load _helpers + +#-------------------------------------------------------------------- +# disable / enable server deployment + +@test "server/server-test-Pod: disabled server.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/server-test-Pod: disabled server.enabled random string" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.enabled=blabla' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/server-test-Pod: enabled server.enabled explicit true" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- + +@test "server/standalone-server-test-Pod: default server.standalone.enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-server-test-Pod: enable with server.standalone.enabled true" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/ha-server-test-Pod: enable with server.ha.enabled true" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.ha.enabled=true' \ + . 
| tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-server-test-Pod: disable with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'global.enabled=false' \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/standalone-server-test-Pod: disable with injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/standalone-server-test-Pod: image defaults to server.image.repository:tag" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=1.2.3' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:1.2.3" ] + + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=1.2.3' \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:1.2.3" ] +} + +@test "server/standalone-server-test-Pod: image tag defaults to latest" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=' \ + . 
| tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:latest" ] + + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=' \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:latest" ] +} + +@test "server/standalone-server-test-Pod: default imagePullPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "IfNotPresent" ] +} + +@test "server/standalone-server-test-Pod: Custom imagePullPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.pullPolicy=Always' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "Always" ] +} + +#-------------------------------------------------------------------- +# resources + +@test "server/standalone-server-test-Pod: default resources" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].resources' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +#-------------------------------------------------------------------- +# volumes + +@test "server/standalone-server-test-Pod: server.volumes adds volume" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.volumes[0].name=plugins' \ + --set 'server.volumes[0].emptyDir=\{\}' \ + . 
| tee /dev/stderr | + yq -r '.spec.volumes[] | select(.name == "plugins")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.emptyDir' | tee /dev/stderr) + [ "${actual}" = "{}" ] +} + +#-------------------------------------------------------------------- +# volumeMounts + +@test "server/standalone-server-test-Pod: server.volumeMounts adds volumeMount" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.volumeMounts[0].name=plugins' \ + --set 'server.volumeMounts[0].mountPath=/usr/local/libexec/vault' \ + --set 'server.volumeMounts[0].readOnly=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].volumeMounts[] | select(.name == "plugins")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/usr/local/libexec/vault" ] + + local actual=$(echo $object | + yq -r '.readOnly' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# extraEnvironmentVars + +@test "server/standalone-server-test-Pod: set extraEnvironmentVars" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'server.extraEnvironmentVars.FOO=bar' \ + --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].env' | tee /dev/stderr) + + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] + + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] + + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.extraEnvironmentVars.FOO=bar' \ + --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ + . 
| tee /dev/stderr | + yq -r '.spec.containers[0].env' | tee /dev/stderr) + + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] + + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] +} diff --git a/values.openshift.yaml b/values.openshift.yaml index 4db41c2e2..d24ac6e21 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.14.0-ubi" + tag: "0.14.2-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.4-ubi" + tag: "1.9.2-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.4-ubi" + tag: "1.9.2-ubi" diff --git a/values.schema.json b/values.schema.json index 4ddbedfaf..15440431a 100644 --- a/values.schema.json +++ b/values.schema.json @@ -14,6 +14,12 @@ "string" ] }, + "kubeletRootDir": { + "type": "string" + }, + "providersDir": { + "type": "string" + }, "updateStrategy": { "type": "object", "properties": { @@ -24,15 +30,12 @@ "type": "string" } } - }, - "providersDir": { - "type": "string" - }, - "kubeletRootDir": { - "type": "string" } } }, + "priorityClassName": { + "type": "string" + }, "debug": { "type": "boolean" }, @@ -205,6 +208,9 @@ "properties": { "exitOnRetryFailure": { "type": "boolean" + }, + "staticSecretRenderInterval": { + "type": "string" } } } @@ -287,23 +293,6 @@ "properties": { "enabled": { "type": "boolean" - }, - "image": { - "type": "object", - "properties": { - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "ttl": { - "type": "string" - }, - "useContainer": { - "type": "boolean" } } }, @@ -334,6 +323,9 @@ "objectSelector": { "type": "object" }, + "podDisruptionBudget": { + "type": "object" + }, "port": { "type": "integer" }, 
@@ -360,6 +352,12 @@ } } }, + "strategy": { + "type": [ + "object", + "string" + ] + }, "tolerations": { "type": [ "null", @@ -614,6 +612,9 @@ "labels": { "type": "object" }, + "pathType": { + "type": "string" + }, "tls": { "type": "array" } @@ -739,6 +740,9 @@ "enabled": { "type": "boolean" }, + "externalTrafficPolicy": { + "type": "string" + }, "port": { "type": "integer" }, @@ -792,6 +796,9 @@ } } }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, "tolerations": { "type": [ "null", @@ -834,6 +841,9 @@ "externalPort": { "type": "integer" }, + "externalTrafficPolicy": { + "type": "string" + }, "publishNotReadyAddresses": { "type": "boolean" }, diff --git a/values.yaml b/values.yaml index 845761a30..027a90053 100644 --- a/values.yaml +++ b/values.yaml @@ -37,16 +37,6 @@ injector: # so that only one injector attempts to create TLS certificates. leaderElector: enabled: true - # Note: The deployment of the leader-elector container will soon be removed - # from this chart since vault-k8s now uses an internal mechanism to - # determine leadership. - # To enable the deployment of the leader-elector container for use with - # vault-k8s 0.12.0 and earlier, set `useContainer=true` - useContainer: false - image: - repository: "gcr.io/google_containers/leader-elector" - tag: "0.4" - ttl: 60s # If true, will enable a node exporter metrics endpoint at /metrics. metrics: @@ -59,7 +49,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.14.0" + tag: "0.14.2" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -67,7 +57,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.8.4" + tag: "1.9.6" # The default values for the injected Vault Agent containers. agentDefaults: 
@@ -85,6 +75,7 @@ injector: # Default values within Agent's template_config stanza. templateConfig: exitOnRetryFailure: true + staticSecretRenderInterval: "" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" @@ -208,6 +199,21 @@ injector: # Extra annotations to attach to the injector service annotations: {} + # A disruption budget limits the number of pods of a replicated application + # that are down simultaneously from voluntary disruptions + podDisruptionBudget: {} + # podDisruptionBudget: + # maxUnavailable: 1 + + # strategy for updating the deployment. This can be a multi-line string or a + # YAML map. + strategy: {} + # strategy: | + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + server: # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details enabled: true @@ -230,7 +236,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.8.4" + tag: "1.9.6" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -298,7 +304,7 @@ server: # - chart-example.local # OpenShift only - create a route to expose the service - # The created route will be of type passthrough + # By default the created route will be of type passthrough route: enabled: false @@ -309,6 +315,11 @@ server: labels: {} annotations: {} host: chart-example.local + # tls will be passed directly to the route's TLS config, which + # can be used to configure other termination methods that terminate + # TLS at the router + tls: + termination: passthrough # authDelegator enables a cluster role binding to be attached to the service # account. This cluster role binding can be used to setup Kubernetes auth 
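Review bot: `staticSecretRenderInterval: ""` is added without a comment saying what value format is expected, while the neighbouring `exitOnRetryFailure` is self-explanatory. The unit test in this commit sets it to `1m`, so a duration string appears to be expected; suggest `# Interval for re-rendering static (non-leased) secrets, as a duration string (e.g. "5m"); empty keeps the agent default`.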
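Review bot: The new `tls` comment says other termination methods can terminate TLS at the router, but does not say what that means for the hop between the router and the Vault pods: with `edge` termination that hop is plaintext, so Vault tokens and secrets cross the cluster network unencrypted unless the Vault listener keeps TLS and `reencrypt` is used. Suggest adding `# Note: with edge termination the router-to-Vault hop is unencrypted; use reencrypt to keep TLS to the pod` below the existing comment.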
@@ -376,6 +387,10 @@ server: # Number of seconds after which the probe times out. timeoutSeconds: 3 + # Optional duration in seconds the pod needs to terminate gracefully. + # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 10 + # Used to set the sleep time during the preStop step preStopSleepSeconds: 5 @@ -531,7 +546,7 @@ server: annotations: {} # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized and unseal, Vault must + # logs. Once Vault is deployed, initialized and unsealed, Vault must # be configured to use this for audit logs. This will be mounted to # /vault/audit # See https://www.vaultproject.io/docs/audit/index.html to know more @@ -756,7 +771,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.3.0" + tag: "0.4.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered @@ -809,6 +824,9 @@ csi: # in a PodSpec. tolerations: [] + # Priority class for csi pods + priorityClassName: "" + serviceAccount: # Extra annotations for the serviceAccount definition. This can either be # YAML or a YAML-formatted multi-line templated string map of the From c575574628584f315389dca1535e8d70a83f16d9 Mon Sep 17 00:00:00 2001 
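Review bot: `terminationGracePeriodSeconds: 10` is introduced a few lines above the existing `preStopSleepSeconds: 5`, and Kubernetes counts the preStop hook against the grace period, so with these defaults Vault has at most five seconds after SIGTERM before it is killed. The new comment should state that coupling, e.g. `# Must exceed preStopSleepSeconds: the preStop sleep is counted against this budget.`, and whether the remaining window is enough for a node to step down and close its storage cleanly is worth checking before settling on 10.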
From: xiaocongji <85846543+xiaocongji@users.noreply.github.com> Date: Tue, 21 Mar 2023 09:47:22 -0400 Subject: [PATCH 29/31] feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). 
Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unncessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additonal call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidently. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- .circleci/config.yml | 2 +- .github/workflows/acceptance.yaml | 2 +- CHANGELOG.md | 20 ++ Chart.yaml | 8 +- README.md | 2 +- templates/_helpers.tpl | 86 ++++++- templates/csi-clusterrole.yaml | 3 +- templates/csi-clusterrolebinding.yaml | 3 +- templates/csi-daemonset.yaml | 9 +- templates/csi-serviceaccount.yaml | 6 +- templates/injector-certs-secret.yaml | 6 +- templates/injector-clusterrole.yaml | 5 +- templates/injector-clusterrolebinding.yaml | 3 +- templates/injector-deployment.yaml | 39 +-- templates/injector-disruptionbudget.yaml | 2 +- templates/injector-mutating-webhook.yaml | 21 +- templates/injector-network-policy.yaml | 5 +- templates/injector-psp-role.yaml | 5 +- templates/injector-psp-rolebinding.yaml | 5 +- templates/injector-psp.yaml | 5 +- templates/injector-role.yaml | 6 +- templates/injector-rolebinding.yaml | 6 +- templates/injector-service.yaml | 3 +- templates/injector-serviceaccount.yaml | 3 +- templates/server-clusterrolebinding.yaml | 4 +- templates/server-config-configmap.yaml | 4 +- templates/server-discovery-role.yaml | 
4 +- templates/server-discovery-rolebinding.yaml | 4 +- templates/server-disruptionbudget.yaml | 6 +- templates/server-ha-active-service.yaml | 7 +- templates/server-ha-standby-service.yaml | 7 +- templates/server-headless-service.yaml | 5 +- templates/server-ingress.yaml | 5 +- templates/server-psp-role.yaml | 4 +- templates/server-psp-rolebinding.yaml | 4 +- templates/server-psp.yaml | 4 +- templates/server-service.yaml | 5 +- templates/server-serviceaccount.yaml | 2 +- templates/server-statefulset.yaml | 9 +- templates/tests/server-test.yaml | 2 +- templates/ui-service.yaml | 6 +- test/acceptance/csi.bats | 3 +- test/acceptance/server-ha-enterprise-dr.bats | 4 +- .../acceptance/server-ha-enterprise-perf.bats | 4 +- test/unit/csi-clusterrole.bats | 2 +- test/unit/csi-clusterrolebinding.bats | 4 +- test/unit/csi-daemonset.bats | 53 ++++- test/unit/csi-serviceaccount.bats | 19 +- test/unit/injector-deployment.bats | 37 ++- test/unit/injector-disruptionbudget.bats | 27 ++- test/unit/injector-leader-elector.bats | 33 +++ test/unit/injector-mutating-webhook.bats | 223 ++++++++++++++++-- test/unit/injector-psp-role.bats | 4 +- test/unit/injector-psp-rolebinding.bats | 4 +- test/unit/injector-psp.bats | 4 +- test/unit/injector-service.bats | 2 +- test/unit/schema.bats | 16 +- test/unit/server-ha-active-service.bats | 17 ++ test/unit/server-ha-disruptionbudget.bats | 24 ++ test/unit/server-ha-standby-service.bats | 17 ++ test/unit/server-ha-statefulset.bats | 75 +++++- test/unit/server-headless-service.bats | 19 ++ test/unit/server-ingress.bats | 10 +- test/unit/server-route.bats | 46 +++- test/unit/server-service.bats | 7 + test/unit/server-serviceaccount.bats | 2 +- test/unit/server-statefulset.bats | 25 +- test/unit/server-test.bats | 13 +- test/unit/ui-service.bats | 12 + values.openshift.yaml | 6 +- values.schema.json | 80 ++++++- values.yaml | 113 +++++++-- 72 files changed, 1046 insertions(+), 196 deletions(-) create mode 100644 
test/unit/server-headless-service.bats diff --git a/.circleci/config.yml b/.circleci/config.yml index 70c2453fb..7582bdc21 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -77,7 +77,7 @@ jobs: -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 644875e26..2261ea63a 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -11,7 +11,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4] + kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 diff --git a/CHANGELOG.md b/CHANGELOG.md index bfb3af04f..7b7783a94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,25 @@
 ## Unreleased
 
+## 0.20.0 (May 16th, 2022)
+
+CHANGES:
+* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
+* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
+* Vault default image to 1.10.3
+* CSI provider default image to 1.1.0
+* Vault K8s default image to 0.16.0
+* Earliest Kubernetes version tested is now 1.16
+* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
+* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
+
+Improvements:
+* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
+* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
+* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
+* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
+* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
+* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
+
 ## 0.19.0 (January 20th, 2022)
 
 CHANGES:
diff --git a/Chart.yaml b/Chart.yaml
index 9f1440436..fc5527d10 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
 name: vault
-version: 0.19.0
-appVersion: 1.9.2
-kubeVersion: ">= 1.14.0-0"
-description: Install and configure Vault on Kubernetes.
+version: 0.20.0
+appVersion: 1.10.3
+kubeVersion: ">= 1.16.0-0"
+description: Official HashiCorp Vault Chart
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
 keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
diff --git a/README.md b/README.md
index 03afc2b3a..49ded6e8b 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ The versions required are: * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible it works with earlier versions but this chart is untested for those versions.
- * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested.
+ * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested.
 It is possible that this chart works with earlier versions but it is untested.
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index dd53fd5a6..a50fed899 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -31,6 +31,50 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Compute if the csi driver is enabled.
+*/}}
+{{- define "vault.csiEnabled" -}}
+{{- $_ := set . "csiEnabled" (or
+ (eq (.Values.csi.enabled | toString) "true")
+ (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the injector is enabled.
+*/}}
+{{- define "vault.injectorEnabled" -}}
+{{- $_ := set . "injectorEnabled" (or
+ (eq (.Values.injector.enabled | toString) "true")
+ (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server is enabled.
+*/}}
+{{- define "vault.serverEnabled" -}}
+{{- $_ := set . "serverEnabled" (or
+ (eq (.Values.server.enabled | toString) "true")
+ (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server service is enabled.
+*/}}
+{{- define "vault.serverServiceEnabled" -}}
+{{- template "vault.serverEnabled" . -}}
+{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
+{{- end -}}
+
+{{/*
+Compute if the ui is enabled.
+*/}}
+{{- define "vault.uiEnabled" -}}
+{{- $_ := set . "uiEnabled" (or
+ (eq (.Values.ui.enabled | toString) "true")
+ (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
 {{/*
 Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
 This defaults to (n/2)-1 where n is the number of members of the server cluster.
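Review bot: Each new helper stores its result on the root context with `set .` (`csiEnabled`, `injectorEnabled`, `serverEnabled`, `serverServiceEnabled`, `uiEnabled`), but the doc comments only say "Compute if ... is enabled"; the side effect and the meaning of the `-` sentinel are exactly what a template author needs before calling one. Suggest extending each comment along the lines of `Sets .csiEnabled on the root context: true when csi.enabled is "true", or when it is "-" and global.enabled is "true".`. The four `or`-based definitions differ only in the value path and the key name, so a shared helper taking the component name would remove the copy-paste, if the project is willing to pass a `dict` instead of the bare context.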
@@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify
 template logic.
 */}}
 {{- define "vault.mode" -}}
+ {{- template "vault.serverEnabled" . -}}
 {{- if .Values.injector.externalVaultAddr -}}
 {{- $_ := set . "mode" "external" -}}
- {{- else if ne (.Values.server.enabled | toString) "true" -}}
+ {{- else if not .serverEnabled -}}
 {{- $_ := set . "mode" "external" -}}
 {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
 {{- $_ := set . "mode" "dev" -}}
@@ -256,6 +301,37 @@ Sets the injector affinity for pod placement
 {{ end }}
 {{- end -}}
 
+{{/*
+Sets the topologySpreadConstraints when running in standalone and HA modes.
+*/}}
+{{- define "vault.topologySpreadConstraints" -}}
+ {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{ $tp := typeOf .Values.server.topologySpreadConstraints }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }}
+ {{- else }}
+ {{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }}
+ {{- end }}
+ {{ end }}
+{{- end -}}
+
+
+{{/*
+Sets the injector topologySpreadConstraints for pod placement
+*/}}
+{{- define "injector.topologySpreadConstraints" -}}
+ {{- if .Values.injector.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{ $tp := typeOf .Values.injector.topologySpreadConstraints }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }}
+ {{- else }}
+ {{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }}
+ {{- end }}
+ {{ end }}
+{{- end -}}
+
 {{/*
 Sets the toleration for pod placement when running in standalone and HA modes.
 */}}
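Review bot: `vault.topologySpreadConstraints` and `injector.topologySpreadConstraints` are identical apart from the value path and the `(ne .mode "dev")` guard, and both repeat the string-vs-map dispatch (`typeOf`, then `tpl ... | nindent 8 | trim` or `toYaml ... | nindent 8`) that `injector.webhookAnnotations` in the next hunk also carries. A single helper that takes the value (and the `tpl` context) and is called from the two thin wrappers would keep the three code paths in step when the rendering rule changes. The comment on the injector variant also lacks the "when running in ..." qualifier its server twin has, which is fine only if it really applies in every mode; if so, saying `Sets the injector topologySpreadConstraints for pod placement (all modes).` makes that explicit.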
@@ -380,13 +456,13 @@ Sets extra injector service annotations
 Sets extra injector webhook annotations
 */}}
 {{- define "injector.webhookAnnotations" -}}
- {{- if .Values.injector.webhookAnnotations }}
+ {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }}
 annotations:
- {{- $tp := typeOf .Values.injector.webhookAnnotations }}
+ {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }}
 {{- if eq $tp "string" }}
- {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
+ {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }}
 {{- else }}
- {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
+ {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }}
 {{- end }}
 {{- end }}
 {{- end -}}
diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml
index a19e520f5..ec6a3d2b9 100644
--- a/templates/csi-clusterrole.yaml
+++ b/templates/csi-clusterrole.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml
index 63d69c7b1..d5b62a5f0 100644
--- a/templates/csi-clusterrolebinding.yaml
+++ b/templates/csi-clusterrolebinding.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
index f0bf639f3..5c21752d6 100644
--- a/templates/csi-daemonset.yaml
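Review bot: The precedence expression `(((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations)` is spelled out twice in `injector.webhookAnnotations`, with an `or`-form of the same rule in the `if` and the `typeOf` lines, so the four places can drift apart independently. Binding it once at the top of the helper, `{{- $annotations := (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) }}`, and using `$annotations` in the `if`, `typeOf`, `tpl` and `toYaml` lines leaves one source of truth. Worth a comment either way: `default` treats an empty map as unset, so an explicit `webhook.annotations: {}` still falls back to the deprecated `webhookAnnotations` key rather than clearing it.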
+++ b/templates/csi-daemonset.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -8,6 +9,9 @@ metadata:
 app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- if .Values.csi.daemonSet.extraLabels -}}
+ {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
+ {{- end -}}
 {{ template "csi.daemonSet.annotations" . }}
 spec:
 updateStrategy:
@@ -25,6 +29,9 @@ spec:
 labels:
 app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
 app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if .Values.csi.pod.extraLabels -}}
+ {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
+ {{- end -}}
 {{ template "csi.pod.annotations" . }}
 spec:
 {{- if .Values.csi.priorityClassName }}
diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml
index ee127481b..8d6fa5329 100644
--- a/templates/csi-serviceaccount.yaml
+++ b/templates/csi-serviceaccount.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -8,5 +9,8 @@ metadata:
 app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- if .Values.csi.serviceAccount.extraLabels -}}
+ {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
+ {{- end -}}
 {{ template "csi.serviceAccount.annotations" . }}
 {{- end }}
diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml
index 78363be55..e88685b5e 100644
--- a/templates/injector-certs-secret.yaml
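Review bot: The new `extraLabels` blocks in csi-daemonset.yaml (and the csi-serviceaccount.yaml hunk below it) put `-}}` on every action including `{{- end -}}`, which strips the newline and indentation between the last label line and the following `{{ template "csi.daemonSet.annotations" . }}` / `csi.pod.annotations` / `csi.serviceAccount.annotations` call, both when extraLabels is set and when it is empty. Whether the rendered manifest stays well-formed therefore depends on those annotation helpers beginning their output with a newline, which is not visible here. Dropping the trailing `-` from the three `{{- end }}` lines, as the surrounding actions in these files do, removes that dependency; if the current form is deliberate, a one-line comment saying the helper is expected to emit its own leading newline would stop the next reader from "fixing" it.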
+++ b/templates/injector-certs-secret.yaml
@@ -1,10 +1,14 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: v1
 kind: Secret
 metadata:
 name: vault-injector-certs
+ namespace: {{ .Release.Namespace }}
 labels:
 app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml
index 4ff25abe5..6a0d6be1a 100644
--- a/templates/injector-clusterrole.yaml
+++ b/templates/injector-clusterrole.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -10,7 +11,7 @@ metadata:
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
 resources: ["mutatingwebhookconfigurations"]
- verbs:
+ verbs:
 - "get"
 - "list"
 - "watch"
diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml
index 35d30b393..4c193f8a2 100644
--- a/templates/injector-clusterrolebinding.yaml
+++ b/templates/injector-clusterrolebinding.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
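Review bot: The `{{- end }}` added at the bottom of injector-certs-secret.yaml to close the new `.injectorEnabled` block is written without a terminating newline (`\ No newline at end of file`), and the same happens in injector-psp-rolebinding.yaml, injector-psp.yaml and injector-role.yaml later in this commit. Helm joins templates with its own separators so rendering is unaffected, but ending each file with a newline keeps future diffs and linters quiet and matches the rest of the templates directory.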
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index d58fc03fa..588efe400 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 # Deployment for the injector
 apiVersion: apps/v1
 kind: Deployment
@@ -30,6 +31,7 @@ spec:
 {{ template "injector.annotations" . }}
 spec:
 {{ template "injector.affinity" . }}
+ {{ template "injector.topologySpreadConstraints" . }}
 {{ template "injector.tolerations" . }}
 {{ template "injector.nodeselector" . }}
 {{- if .Values.injector.priorityClassName }}
@@ -142,41 +144,6 @@ spec:
 periodSeconds: 2
 successThreshold: 1
 timeoutSeconds: 5
-{{- if .Values.injector.certs.secretName }}
- volumeMounts:
- - name: webhook-certs
- mountPath: /etc/webhook/certs
- readOnly: true
-{{- end }}
- {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- - name: leader-elector
- image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
- args:
- - --election={{ template "vault.fullname" . }}-agent-injector-leader
- - --election-namespace={{ .Release.Namespace }}
- - --http=0.0.0.0:4040
- - --ttl={{ .Values.injector.leaderElector.ttl }}
- livenessProbe:
- httpGet:
- path: /
- port: 4040
- scheme: HTTP
- failureThreshold: 2
- initialDelaySeconds: 5
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 5
- readinessProbe:
- httpGet:
- path: /
- port: 4040
- scheme: HTTP
- failureThreshold: 2
- initialDelaySeconds: 5
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 5
- {{- end }}
 {{- if .Values.injector.certs.secretName }}
 volumes:
 - name: webhook-certs
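Review bot: Besides the leader-elector container, the third hunk of injector-deployment.yaml also deletes the injector container's `volumeMounts` for `webhook-certs` (the six lines from `{{- if .Values.injector.certs.secretName }}` to `{{- end }}` above the sidecar), while the `volumes:` entry for the same secret is kept three lines further down. Unless a mount is defined elsewhere in this file — the diffstat lists only three additions for it, all visible in the first two hunks — setting `injector.certs.secretName` now declares the secret as a pod volume but never mounts it at `/etc/webhook/certs`, so the injector cannot read a user-supplied TLS key pair and the webhook will not serve with the intended certificate. If the intent was only to drop the sidecar, the mount block should be restored on the injector container; the container definition itself starts outside the hunk.
```yaml
            timeoutSeconds: 5
{{- if .Values.injector.certs.secretName }}
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs
              readOnly: true
{{- end }}
# … unchanged: leader-elector sidecar stays removed; volumes block follows …
```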
diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml
index 59c998551..b44fd7300 100644
--- a/templates/injector-disruptionbudget.yaml
+++ b/templates/injector-disruptionbudget.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.injector.podDisruptionBudget }}
-apiVersion: policy/v1beta1
+apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
 kind: PodDisruptionBudget
 metadata:
 name: {{ template "vault.fullname" . }}-agent-injector
diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index de7dd5622..f873f61c9 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
 apiVersion: admissionregistration.k8s.io/v1
 {{- else }}
@@ -14,10 +15,11 @@ metadata:
 {{- template "injector.webhookAnnotations" . }}
 webhooks:
 - name: vault.hashicorp.com
+ failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
+ matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
 sideEffects: None
- admissionReviewVersions:
- - "v1beta1"
- - "v1"
+ timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
+ admissionReviewVersions: ["v1", "v1beta1"]
 clientConfig:
 service:
 name: {{ template "vault.fullname" . }}-agent-injector-svc
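Review bot: `ge .Capabilities.KubeVersion.Minor "21"` in injector-disruptionbudget.yaml compares two strings lexically, so it gives the right answer only while both minors have two digits (`"9"` sorts above `"21"`, `"100"` below it); it holds for the chart's supported range but encodes that by accident rather than by intent. `semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version` states the rule directly, and `.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget"` would match how injector-mutating-webhook.yaml already selects its API version, with the caveat that `APIVersions` is empty under plain `helm template` unless `--api-versions` is passed. The commit message says the server disruption budget received the same change, so the same applies there.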
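Review bot: `failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}` renders an empty scalar when neither the new nor the deprecated key is set, and the API server then applies its own default, which differs between the two API versions this template can emit (`Ignore` for v1beta1, `Fail` for v1). Unless values.yaml pins one of the keys, the effective policy silently depends on the cluster; a trailing `| default "Ignore"` would make the v1beta1 default that the changelog promises explicit. The choice also deserves a comment on the line, since `Ignore` lets pods start without the agent sidecar when the webhook is unreachable, whereas `Fail` blocks pod creation instead. `timeoutSeconds` falls back to the string `"30"`, which renders unquoted and works, but the integer `30` would read as what it is.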
@@ -29,15 +31,12 @@ webhooks:
 apiGroups: [""]
 apiVersions: ["v1"]
 resources: ["pods"]
-{{- if .Values.injector.namespaceSelector }}
+{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
 namespaceSelector:
-{{ toYaml .Values.injector.namespaceSelector | indent 6}}
+{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
 {{ end }}
-{{- if .Values.injector.objectSelector }}
+{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }}
 objectSelector:
-{{ toYaml .Values.injector.objectSelector | indent 6}}
-{{ end }}
-{{- with .Values.injector.failurePolicy }}
- failurePolicy: {{.}}
+{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}}
 {{ end }}
 {{ end }}
diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml
index 7a399a538..68892d23b 100644
--- a/templates/injector-network-policy.yaml
+++ b/templates/injector-network-policy.yaml
@@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.openshift | toString) "true" }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -19,3 +21,4 @@ spec:
 - port: 8080
 protocol: TCP
 {{ end }}
+{{ end }}
diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml
index 20c87bb2a..5d23c7556 100644
--- a/templates/injector-psp-role.yaml
+++ b/templates/injector-psp-role.yaml
@@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -15,3 +17,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index d6d0d5e24..4f6b0a851 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -16,3 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml index c024ac107..1eee2fcd0 100644 --- a/templates/injector-psp.yaml +++ b/templates/injector-psp.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -41,3 +43,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} \ No newline at end of file 
diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index e7e383d16..08c8264cc 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -1,8 +1,11 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} @@ -23,3 +26,4 @@ rules: - "patch" - "delete" {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index aa8179420..ea0db11b9 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -1,8 +1,11 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} 
@@ -16,3 +19,4 @@ subjects: name: {{ template "vault.fullname" . }}-agent-injector namespace: {{ .Release.Namespace }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 3138b7a5b..5e747d6f1 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: Service metadata: diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index a28d38fab..ebc57b56f 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index e5e0f5fec..e045b9ec3 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -22,3 +23,4 @@ subjects: name: {{ template "vault.serviceAccount.name" . }} namespace: {{ .Release.Namespace }} {{ end }} +{{ end }} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index b8093ad03..f40c69608 100644 
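Review bot: The new `{{- if .serverEnabled -}}` guard reads a context key that nothing in this file sets — only `{{ template "vault.mode" . }}` runs before it — whereas the injector templates call `vault.injectorEnabled` explicitly before testing `.injectorEnabled`. Presumably `vault.mode` in _helpers.tpl (outside this section) now populates `serverEnabled` on the root context; if it does not, the key is nil and every server resource silently renders empty instead of failing. A one-line comment at the guard, `{{- /* .serverEnabled is populated by the vault.mode template above */ -}}`, would make the dependency explicit. The same implicit guard is introduced in templates/server-config-configmap.yaml, server-discovery-role.yaml, server-discovery-rolebinding.yaml, server-disruptionbudget.yaml, server-psp-role.yaml, server-psp-rolebinding.yaml, server-psp.yaml, server-serviceaccount.yaml, server-statefulset.yaml and tests/server-test.yaml.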
--- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}} +{{- if .serverEnabled -}} +{{- if ne .mode "dev" -}} {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} apiVersion: v1 kind: ConfigMap @@ -36,3 +37,4 @@ data: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 4a39cec21..9ca23dd4c 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -17,3 +18,4 @@ rules: verbs: ["get", "watch", "list", "update", "patch"] {{ end }} {{ end }} +{{ end }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 47526650b..6e22e4c2b 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -25,3 +26,4 @@ subjects: namespace: {{ .Release.Namespace }} {{ end }} {{ end }} +{{ end }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 3c45cc04e..d940fa4da 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml 
@@ -1,9 +1,10 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" -}} -{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +{{- if .serverEnabled -}} +{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. -apiVersion: policy/v1beta1 +apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} @@ -22,3 +23,4 @@ spec: component: server {{- end -}} {{- end -}} +{{- end -}} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index c2a4f0227..90761a468 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} # Service for active Vault pod apiVersion: v1 kind: Service @@ -22,7 +24,7 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} @@ -40,3 +42,4 @@ spec: vault-active: "true" {{- end }} {{- end }} +{{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index dbba9d653..03260ffaf 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
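Review bot: `publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}` renders an empty scalar (YAML null, which the API server treats as the field's default, false) whenever the value is unset or nil, replacing what was a hard-coded `true`; the values.yaml default is not shown in this diff, so it must exist and be `true` to preserve current behaviour. `| default true` is not the fix, because `default` would also override an explicit `false`. The comment retained in templates/server-service.yaml explains why this matters — the DNS is used for join operations — so the values.yaml description of the new key should warn that `false` can break cluster formation. The same line is changed in templates/server-ha-standby-service.yaml, server-headless-service.yaml and server-service.yaml.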
@@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -22,7 +24,7 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} @@ -39,4 +41,5 @@ spec: component: server vault-active: "false" {{- end }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index a37c63957..fffaaacbb 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service @@ -16,7 +17,7 @@ metadata: {{ template "vault.service.annotations" .}} spec: clusterIP: None - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: "{{ include "vault.scheme" . }}" port: {{ .Values.server.service.port }} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 48c76a828..c81e5f5ce 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml 
@@ -4,7 +4,9 @@ {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} @@ -72,3 +74,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index fd12e1eb3..b8eb897e5 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -16,3 +17,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }} {{- end }} +{{- end }} diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index b2a43c834..fded9fbc6 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -17,3 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }} {{- end }} +{{- end }} diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index 2d9426819..d210af351 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -45,3 +46,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 2e44ddf06..68207a2db 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service @@ -27,7 +28,7 @@ spec: {{- end }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 925b166bb..2d1a104bf 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml 
@@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} {{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} apiVersion: v1 kind: ServiceAccount diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index cbcda967d..518a19336 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if ne .mode "" }} +{{- if .serverEnabled -}} # StatefulSet to run the actual vault server cluster. apiVersion: apps/v1 kind: StatefulSet @@ -36,6 +37,7 @@ spec: {{ template "vault.annotations" . }} spec: {{ template "vault.affinity" . }} + {{ template "vault.topologySpreadConstraints" . }} {{ template "vault.tolerations" . }} {{ template "vault.nodeselector" . }} {{- if .Values.server.priorityClassName }} @@ -108,7 +110,11 @@ spec: fieldRef: fieldPath: metadata.name - name: VAULT_CLUSTER_ADDR + {{- if .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr }} + {{- else }} value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + {{- end }} {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} - name: VAULT_RAFT_NODE_ID valueFrom: @@ -206,3 +212,4 @@ spec: {{ template "vault.volumeclaims" . }} {{ end }} {{ end }} +{{ end }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index d983b9df6..56dbee78c 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} apiVersion: v1 kind: Pod metadata: 
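Review bot: The new `value: {{ .Values.server.ha.clusterAddr }}` branch emits the address unquoted while the sibling `else` branch quotes its value; an env `value` must be a string, and an unquoted plain scalar is re-typed or mis-parsed by YAML if the supplied address looks like a number or contains ` #` or `: `. Use `value: {{ .Values.server.ha.clusterAddr | quote }}` so both branches always produce a string. Note also that the override applies one fixed address to every replica, unlike the per-pod `$(HOSTNAME)` default it replaces; the values.yaml description of `server.ha.clusterAddr` should spell that out. The StatefulSet template starts and ends outside this hunk.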
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index ea27de282..d45afdda4 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -1,7 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} -{{- if eq (.Values.ui.enabled | toString) "true" }} +{{- template "vault.uiEnabled" . -}} +{{- if .uiEnabled -}} + apiVersion: v1 kind: Service metadata: @@ -34,4 +35,3 @@ spec: {{- include "service.loadBalancer" .Values.ui }} {{- end -}} {{- end }} -{{- end }} diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index c7c6549e2..bf6f85b5e 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -18,7 +18,8 @@ check_skip_csi() { # Install Secrets Store CSI driver CSI_DRIVER_VERSION=1.0.0 - helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ + helm install secrets-store-csi-driver secrets-store-csi-driver --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ + --version="${CSI_DRIVER_VERSION}" --wait --timeout=5m \ --namespace=acceptance \ --set linux.image.pullPolicy="IfNotPresent" \ diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 54a310f3a..5cc1a9b06 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
@@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 5ba78c9fe..6deec78f9 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats index 68ea7ce78..2bed54136 100644 --- a/test/unit/csi-clusterrole.bats +++ b/test/unit/csi-clusterrole.bats @@ -29,5 +29,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] } \ No newline at end of file diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index cff3a3699..ccd98c55a 100644 
--- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.roleRef.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] } # ClusterRoleBinding service account name @@ -40,5 +40,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.subjects[0].name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index dd88d829a..6893b06ac 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -27,7 +27,30 @@ load _helpers --set "global.enabled=false" \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] +} + +# priorityClassName + +@test "csi/daemonset: priorityClassName not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: priorityClassName can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.priorityClassName=armaggeddon' \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) + [ "${actual}" = "true" ] } # priorityClassName 
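Review bot: The two added `priorityClassName` tests are followed directly by an existing `# priorityClassName` section header at the end of the hunk, which suggests the file already has tests with these descriptions below; if so, the copies are redundant and bats-core complains about duplicate test names, so the insert should be dropped or the existing cases merged. Only that context line is visible here, so this needs confirming against the full file. The `--set "global.enabled=false"` case whose expectation flips from `false` to `true` belongs to a test whose `@test` header is outside the hunk; its description should be checked to match the new semantics (an explicitly enabled component renders despite `global.enabled=false`).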
@@ -61,7 +84,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } # Image @@ -318,6 +341,32 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# Extra Labels + +@test "csi/daemonset: specify csi.daemonSet.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.pod.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + + #-------------------------------------------------------------------- # volumes diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 22ba06df2..41c17349f 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } @test "csi/serviceAccount: specify annotations" { 
@@ -56,4 +56,19 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} + +# serviceAccount extraLabels + +@test "csi/serviceAccount: specify csi.serviceAccount.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.serviceAccount.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + + diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 6443ca495..f69a585b0 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -26,12 +26,22 @@ load _helpers local actual=$( (helm template \ --show-only templates/injector-deployment.yaml \ --set 'global.enabled=false' \ - --set 'injector.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } +@test "injector/deployment: enable with injector.enabled true and global.enabled false" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'global.enabled=false' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/deployment: image defaults to injector.image" { cd `chart_dir` local actual=$(helm template \ @@ -157,7 +167,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ] + [ "${value}" = "release-name-vault-agent-injector-cfg" ] # helm template does uses current context namespace and ignores namespace flags, so # discover the targeted namespace so we can check the rendered value correctly. 
@@ -165,7 +175,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] + [ "${value}" = "release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.${namespace:-default},release-name-vault-agent-injector-svc.${namespace:-default}.svc" ] } @test "injector/deployment: manual TLS adds volume mount" { @@ -452,6 +462,27 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "injector/deployment: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "injector/deployment: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.topologySpreadConstraints[0].foo=bar,injector.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # tolerations diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index a0cee27d7..4373d839f 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats 
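Review bot: The new `injector/deployment: topologySpreadConstraints is null by default` test computes `actual` but never asserts on it, so it passes no matter what the template renders; add `[ "${actual}" = "true" ]` before its closing brace, matching the sibling `can be set as YAML` test. The surrounding test file is unchanged outside this hunk.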
@@ -11,6 +11,16 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + . | tee /dev/stderr | + yq '.spec.minAvailable == 2' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" { cd `chart_dir` local actual=$(helm template \ @@ -21,12 +31,25 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + +@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ --set 'injector.podDisruptionBudget.minAvailable=2' \ + --kube-version 1.19.5 \ . | tee /dev/stderr | - yq '.spec.minAvailable == 2' | tee /dev/stderr) + yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --kube-version 1.22.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1"' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index b6fa4ae62..bbd482985 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats 
@@ -87,6 +87,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/certs-secret: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-certs-secret.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} + @test "injector/role: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ @@ -127,6 +138,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/role: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-role.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} + @test "injector/rolebinding: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ @@ -166,3 +188,14 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/rolebinding: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-rolebinding.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 1e6e150d0..ef9bf8321 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats 
@@ -53,103 +53,274 @@ load _helpers [ "${actual}" = "\"\"" ] } -@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default" { +@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --namespace foo \ . | tee /dev/stderr | - yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) - [ "${actual}" = "null" ] + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + [ "${actual}" = "\"Ignore\"" ] } -@test "injector/MutatingWebhookConfiguration: can set namespaceSelector" { +@test "injector/MutatingWebhookConfiguration: can set failurePolicy (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.namespaceSelector.matchLabels.injector=true' \ + --set 'injector.webhook=null' \ + --set 'injector.failurePolicy=Fail' \ . | tee /dev/stderr | - yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "true" ] + [ "${actual}" = "\"Fail\"" ] } -@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" { +@test "injector/MutatingWebhookConfiguration: webhook.failurePolicy 'Ignore' by default" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --namespace foo \ + --set 'injector.failurePolicy=Invalid' \ . 
| tee /dev/stderr | - yq '.webhooks[0].objectSelector' | tee /dev/stderr) - [ "${actual}" = "null" ] + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Ignore\"" ] } -@test "injector/MutatingWebhookConfiguration: can set objectSelector" { +@test "injector/MutatingWebhookConfiguration: can set webhook.failurePolicy" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.objectSelector.matchLabels.injector=true' \ + --set 'injector.webhook.failurePolicy=Fail' \ + --set 'injector.failurePolicy=Invalid' \ . | tee /dev/stderr | - yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "true" ] + [ "${actual}" = "\"Fail\"" ] } -@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" { +@test "injector/MutatingWebhookConfiguration: webhook.matchPolicy 'Exact' by default" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --namespace foo \ . | tee /dev/stderr | - yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "\"Ignore\"" ] + yq '.webhooks[0].matchPolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Exact\"" ] } -@test "injector/MutatingWebhookConfiguration: can set failurePolicy" { +@test "injector/MutatingWebhookConfiguration: can set webhook.matchPolicy" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.failurePolicy=Fail' \ + --set 'injector.webhook.matchPolicy=Equivalent' \ . 
| tee /dev/stderr | - yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + yq '.webhooks[0].matchPolicy' | tee /dev/stderr) - [ "${actual}" = "\"Fail\"" ] + [ "${actual}" = "\"Equivalent\"" ] +} + +@test "injector/MutatingWebhookConfiguration: timeoutSeconds by default 30" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + . | tee /dev/stderr | + yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr) + + [ "${actual}" = "30" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.timeoutSeconds" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.timeoutSeconds=50' \ + . | tee /dev/stderr | + yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr) + + [ "${actual}" = "50" ] } #-------------------------------------------------------------------- # annotations -@test "injector/MutatingWebhookConfiguration: default annotations" { +@test "injector/MutatingWebhookConfiguration: default webhookAnnotations (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ . | tee /dev/stderr | yq -r '.metadata.annotations' | tee /dev/stderr) [ "${actual}" = "null" ] } -@test "injector/MutatingWebhookConfiguration: specify annotations yaml" { +@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --set 'injector.webhookAnnotations.foo=bar' \ . 
| tee /dev/stderr | yq -r '.metadata.annotations.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } -@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" { +@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml string (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --set 'injector.webhookAnnotations=foo: bar' \ . | tee /dev/stderr | yq -r '.metadata.annotations.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +@test "injector/MutatingWebhookConfiguration: default webhook.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.annotations.foo=bar' \ + --set 'injector.webhookAnnotations.invalid=invalid' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.annotations=foo: bar' \ + --set 'injector.webhookAnnotations=invalid: invalid' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +#-------------------------------------------------------------------- +# namespaceSelector + +@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set namespaceSelector (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.namespaceSelector.matchLabels.injector=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.namespaceSelector empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set set webhook.namespaceSelector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.namespaceSelector.matchLabels.injector=true' \ + --set 'injector.namespaceSelector.matchLabels.injector=false' \ + . 
| tee /dev/stderr | + yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# objectSelector + +@test "injector/MutatingWebhookConfiguration: objectSelector empty by default (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set objectSelector (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --set 'injector.objectSelector.matchLabels.injector=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.objectSelector empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.objectSelector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.objectSelector.matchLabels.injector=true' \ + --set 'injector.objectSelector.matchLabels.injector=false' \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} \ No newline at end of file 
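Review bot: The "can set webhook.timeoutSeconds" test pins `--set 'injector.webhook.timeoutSeconds=50'`, but the admissionregistration.k8s.io/v1 API only accepts 1–30 seconds for `timeoutSeconds`, so the test pins a rendering the API server would reject on apply; a value inside the range, e.g. `--set 'injector.webhook.timeoutSeconds=10'` with `[ "${actual}" = "10" ]`, keeps the test meaningful. Two smaller points in the same hunk: the name "can set set webhook.namespaceSelector" has a doubled word, and the file now ends without a trailing newline ("\ No newline at end of file"). The "webhook.failurePolicy 'Ignore' by default" test pins a fail-open default, so a one-line comment above it such as `# Ignore is fail-open: pods are admitted uninjected if the webhook is unreachable` would make that explicit to whoever next revisits the default.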
diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats index c6dc522af..8e7acd7d5 100644 --- a/test/unit/injector-psp-role.bats +++ b/test/unit/injector-psp-role.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy-Role: disable with global.enabled" { +@test "injector/PodSecurityPolicy-Role: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp-role.yaml \ @@ -31,5 +31,5 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats index f8a8255fb..88bfe7900 100644 --- a/test/unit/injector-psp-rolebinding.bats +++ b/test/unit/injector-psp-rolebinding.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" { +@test "injector/PodSecurityPolicy-RoleBinding: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp-rolebinding.yaml \ @@ -31,5 +31,5 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } diff --git a/test/unit/injector-psp.bats b/test/unit/injector-psp.bats index fa14b0f1e..a415358b2 100644 --- a/test/unit/injector-psp.bats +++ b/test/unit/injector-psp.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy: disable with global.enabled" { +@test "injector/PodSecurityPolicy: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp.yaml \ 
@@ -31,7 +31,7 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "injector/PodSecurityPolicy: annotations are templated correctly by default" { diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index ad4800991..027eaa080 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats @@ -52,7 +52,7 @@ load _helpers --set 'injector.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "injector/Service: generic annotations" { diff --git a/test/unit/schema.bats b/test/unit/schema.bats index a42614bf6..9a61d7d5a 100644 --- a/test/unit/schema.bats +++ b/test/unit/schema.bats @@ -7,9 +7,9 @@ load _helpers # schema, setting it as a string fails 'helm template'. @test "schema: csi enabled datatype" { cd `chart_dir` - run helm template . --set csi.enabled="nope" + run helm template . --set csi.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set csi.enabled=true [ "$status" -eq 0 ] @@ -17,9 +17,9 @@ load _helpers @test "schema: injector enabled datatype" { cd `chart_dir` - run helm template . --set injector.enabled="nope" + run helm template . --set injector.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set injector.enabled=true [ "$status" -eq 0 ] 
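Review bot: The schema tests in the `@@ -7,9 +7,9 @@` hunk and the three that follow (`@@ -17`, `@@ -27`, `@@ -37`) switch the invalid value from `"nope"` to `"123"` because strings are now schema-valid, but nothing now pins what the chart does with an arbitrary string such as `nope` for `*.enabled`. If the only intended string is the `"-"` sentinel, a `run helm template . --set injector.enabled="nope"` case asserting the template's behavior (or a tightened schema that rejects it) would close that gap; I cannot tell from the hunk which of the two is expected. The `lines[2]` index into the error output is unchanged from before, so nothing to raise there.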
@@ -27,9 +27,9 @@ load _helpers @test "schema: server enabled datatype" { cd `chart_dir` - run helm template . --set server.enabled="nope" + run helm template . --set server.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set server.enabled=true [ "$status" -eq 0 ] @@ -37,9 +37,9 @@ load _helpers @test "schema: ui enabled datatype" { cd `chart_dir` - run helm template . --set ui.enabled="nope" + run helm template . --set ui.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set ui.enabled=true [ "$status" -eq 0 ] diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index a835c9d9c..80e26dd4e 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats @@ -197,3 +197,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/ha-active-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 9271c019f..bd71ca241 100755 --- a/test/unit/server-ha-disruptionbudget.bats 
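Review bot: In the new "publishNotReadyAddresses can be changed" test of the server-ha-active-service.bats hunk (`@@ -197,3 +197,20 @@`), `local actual=$(...)` is declared a second time inside the same function; bash accepts the re-declaration, but it reads as if a second variable were being introduced. A plain `actual=$(helm template \` for the second assignment keeps the intent clear. The same pattern appears in the server-ha-standby-service.bats, server-headless-service.bats and server-service.bats hunks.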
+++ b/test/unit/server-ha-disruptionbudget.bats @@ -97,3 +97,27 @@ load _helpers yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] } + +@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=1' \ + --kube-version 1.19.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=1' \ + --kube-version 1.22.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 7dfd5d7fd..df0f9071e 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -208,3 +208,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/ha-standby-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} 
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index cc77e7e39..342fa433d 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -417,7 +417,7 @@ load _helpers #-------------------------------------------------------------------- # VAULT_CLUSTER_ADDR renders -@test "server/ha-StatefulSet: cluster addr renders" { +@test "server/ha-StatefulSet: clusterAddr not set" { cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ 
@@ -428,7 +428,52 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] + [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to null" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=null' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to custom url" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=https://test.example.com:8201' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://test.example.com:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to custom url with environment variable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] } #-------------------------------------------------------------------- @@ -540,6 +585,32 @@ load _helpers [ "${actual}" = "1" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "server/ha-StatefulSet: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "server/ha-StatefulSet: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set "server.topologySpreadConstraints[0].foo=bar,server.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# tolerations + @test "server/ha-StatefulSet: tolerations not set by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats new file mode 100644 index 000000000..4e2d13537 --- /dev/null +++ b/test/unit/server-headless-service.bats 
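Review bot: The "topologySpreadConstraints is null by default" test in the `@@ -540,6 +585,32 @@` hunk computes `actual` but never asserts on it, so it passes regardless of what the template renders; add `[ "${actual}" = "true" ]` after the `local actual=$(...)` block, as the sibling "can be set as YAML" test does. The same missing assertion is in the server-statefulset.bats hunk (`@@ -784,6 +784,29 @@`), where the added `# tolerations` header comment is also glued to the following `@test` with no blank line, unlike the other section headers. In the `@@ -428,7 +428,52 @@` hunk, the "clusterAddr set to null" test asserts the same value as "clusterAddr not set"; a one-line comment like `# null must fall back to the default, not render an empty VAULT_CLUSTER_ADDR` would record why both cases exist.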
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/headless-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 4132c16a7..aade5d57c 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -165,7 +165,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-active" ] + [ "${actual}" = "release-name-vault-active" ] } @test "server/ingress: uses regular service when configured with ha - yaml" { @@ -180,7 +180,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: uses regular service when not ha - yaml" { @@ -194,7 +194,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" { 
@@ -209,7 +209,7 @@ load _helpers --kube-version 1.18.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: uses regular service when not ha and activeService is true - yaml" { @@ -224,7 +224,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: pathType is added to Kubernetes version == 1.19.0" { diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index 53e1e619b..1daea2684 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats @@ -99,7 +99,7 @@ load _helpers --set 'server.route.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route points to main service when not ha and activeService is true" { @@ -112,7 +112,7 @@ load _helpers --set 'server.route.activeService=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route points to active service by when HA by default" { @@ -125,7 +125,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-active" ] + [ "${actual}" = "release-name-vault-active" ] } @test "server/route: OpenShift - route points to general service by when HA when configured" { 
@@ -139,7 +139,45 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] +} + +@test "server/route: OpenShift - route termination mode set to default passthrough" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "passthrough" ] +} + +@test "server/route: OpenShift - route termination mode set to edge" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.termination=edge' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "edge" ] +} + +@test "server/route: OpenShift - route custom tls entry" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \ + . | tee /dev/stderr | + yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr) + [ "${actual}" = "Redirect" ] } @test "server/route: OpenShift - route termination mode set to default passthrough" { diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 4695f2fff..5208f6e30 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
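Review bot: The added `@test "server/route: OpenShift - route termination mode set to default passthrough"` has the same name as the test that already follows it (the hunk's trailing context line), so the file now holds two tests under one name; bats reports results by name and some versions reject duplicates, so the added copy should be dropped or renamed. The other two new tests ("set to edge" and "custom tls entry") have no existing counterpart in view, so they look fine as they are.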
@@ -175,6 +175,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] } @test "server/Service: type empty by default" { diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 29e18b56f..fbc2b94bf 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -26,7 +26,7 @@ load _helpers --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 0a83ec6a1..a240e3dad 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -784,6 +784,29 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "server/standalone-StatefulSet: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "server/standalone-StatefulSet: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set "server.topologySpreadConstraints[0].foo=bar,server.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# tolerations @test "server/standalone-StatefulSet: tolerations not set by default" { cd `chart_dir` @@ -1640,7 +1663,7 @@ load _helpers --set 'server.serviceAccount.create=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index 5fd65d561..de82f84c3 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats 
@@ -66,14 +66,25 @@ load _helpers [ "${actual}" = "true" ] } -@test "server/standalone-server-test-Pod: disable with global.enabled" { +@test "server/standalone-server-test-Pod: not disabled with global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/tests/server-test.yaml \ --set 'global.enabled=false' \ + --set 'server.enabled=true' \ --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-server-test-Pod: disable with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'global.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index f439aecfb..f73bbce3f 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -53,6 +53,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "ui/Service: 'disable with global, enable with ui.enabled'" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'global.enabled=false' \ + --set 'server.enabled=true' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "ui/Service: disable with injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ diff --git a/values.openshift.yaml b/values.openshift.yaml index d24ac6e21..e59bb8677 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
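Review bot: The new ui-service test name in the `@@ -53,6 +53,18 @@` hunk embeds stray single quotes, `'disable with global, enable with ui.enabled'`, which none of the neighboring names do; `@test "ui/Service: disable with global, enable with ui.enabled" {` matches the file's style. In the server-test.bats hunk, the renamed "not disabled with global.enabled" and the re-added "disable with global.enabled" tests differ only by `server.enabled=true`; a short comment above the first, e.g. `# server.enabled=true overrides global.enabled=false`, would make that intent visible without reading both bodies.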
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.14.2-ubi" + tag: "0.16.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.10.3-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.10.3-ubi" diff --git a/values.schema.json b/values.schema.json index 15440431a..87a02f803 100644 --- a/values.schema.json +++ b/values.schema.json @@ -14,6 +14,9 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "kubeletRootDir": { "type": "string" }, @@ -40,7 +43,10 @@ "type": "boolean" }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "extraArgs": { "type": "array" @@ -88,6 +94,9 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "tolerations": { "type": [ "null", @@ -128,6 +137,9 @@ "object", "string" ] + }, + "extraLabels": { + "type": "object" } } }, @@ -257,7 +269,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalVaultAddr": { "type": "string" @@ -365,6 +380,39 @@ "string" ] }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, + "webhook": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "failurePolicy": { + "type": "string" + }, + "matchPolicy": { + "type": "string" + }, + "namespaceSelector": { + "type": "object" + }, + "objectSelector": { + "type": "object" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, "webhookAnnotations": { "type": [ "object", @@ -472,7 +520,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "enterpriseLicense": { "type": "object", @@ -522,7 +573,10 @@ ] }, "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "disruptionBudget": { "type": "object", 
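Review bot: The `enabled` properties widened to `["boolean", "string"]` in the `@@ -40,7 +43,10 @@` hunk (and the `@@ -257`, `@@ -472` and `@@ -836` hunks) accept any string, while the only string the chart appears to intend is the `"-"` sentinel that values.yaml now uses; the schema can keep rejecting typos with `"anyOf": [{"type": "boolean"}, {"type": "string", "enum": ["-"]}]` in place of the type list. In the `@@ -365,6 +380,39 @@` hunk, `webhook.timeoutSeconds` is declared as a bare `integer`, but the Kubernetes API only accepts 1–30, so `"minimum": 1, "maximum": 30` would fail at `helm template` rather than at apply time. Likewise `failurePolicy` and `matchPolicy` have fixed value sets in the API and could carry `"enum": ["Ignore", "Fail"]` and `"enum": ["Exact", "Equivalent"]`, which also rejects a lower-case `fail` that the test hunks do not cover.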
@@ -545,7 +599,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": "boolean" @@ -740,6 +797,9 @@ "enabled": { "type": "boolean" }, + "publishNotReadyAddresses": { + "type": "boolean" + }, "externalTrafficPolicy": { "type": "string" }, @@ -775,7 +835,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": [ @@ -836,7 +899,10 @@ ] }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalPort": { "type": "integer" diff --git a/values.yaml b/values.yaml index 027a90053..fcb1be9f2 100644 --- a/values.yaml +++ b/values.yaml @@ -26,7 +26,8 @@ global: injector: # True if you want to enable vault agent injection. - enabled: true + # @default: global.enabled + enabled: "-" replicas: 1 @@ -49,7 +50,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.14.2" + tag: "0.16.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -57,7 +58,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.9.6" + tag: "1.10.3" # The default values for the injected Vault Agent containers. agentDefaults: 
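Review bot: In hunk `@@ -26,7 +26,8 @@` the comment `# True if you want to enable vault agent injection.` is now stale: the value below it is the sentinel `enabled: "-"`, and the added `# @default: global.enabled` line hints at inheritance without saying what `"-"` means or that an explicit `true`/`false` overrides it. The `server.enabled` hunk later in this file spells this out (`# If true, or "-" with global.enabled true, Vault server will be installed.`), so the injector comment should use the same wording: `# If true, or "-" with global.enabled true, the Vault Agent Injector will be installed.` The enclosing `injector:` mapping starts before this hunk.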
@@ -90,6 +91,61 @@ injector: # Configures all Vault Agent sidecars to revoke their token when shutting down revokeOnShutdown: false + webhook: + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # matchPolicy specifies the approach to accepting changes based on the rules of + # the MutatingWebhookConfiguration. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy + # for more details. + # + matchPolicy: Exact + + # timeoutSeconds is the amount of seconds before the webhook request will be ignored + # or fails. + # If it is ignored or fails depends on the failurePolicy + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts + # for more details. + # + timeoutSeconds: 30 + + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. 
+ # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} + + # Extra annotations to attach to the webhook + annotations: {} + + # Deprecated: please use 'webhook.failurePolicy' instead + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # Deprecated: please use 'webhook.namespaceSelector' instead # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -99,6 +155,8 @@ injector: # matchLabels: # sidecar-injector: enabled namespaceSelector: {} + + # Deprecated: please use 'webhook.objectSelector' instead # objectSelector is the selector for restricting the webhook to only # specific labels. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector @@ -109,13 +167,7 @@ injector: # vault-sidecar-injector: enabled objectSelector: {} - # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the - # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy - # - failurePolicy: Ignore - + # Deprecated: please use 'webhook.annotations' instead # Extra annotations to attach to the webhook webhookAnnotations: {} 
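Review bot: `webhook.failurePolicy: Ignore` fails open, and the new comment in hunk `@@ -90,6 +91,61 @@` explains only how to switch to `Fail` without saying what `Ignore` costs: while the injector webhook is unreachable, pods that request injection are admitted without the Vault Agent sidecar, so a workload can start without the secrets it expects. Suggest one more line under the existing comment: `# With Ignore, pods are admitted WITHOUT the Vault Agent sidecar whenever the webhook is unavailable.` The `# Deprecated:` comments on the top-level `failurePolicy`, `namespaceSelector`, `objectSelector` and `webhookAnnotations` also do not say which value wins when both the old and the new `webhook.*` key are set; the commit history later on this page suggests the new keys take priority, and stating that in each deprecation line would save users a read of the templates. The enclosing `injector:` mapping starts outside the hunk.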
@@ -166,6 +218,12 @@ injector: component: webhook topologyKey: kubernetes.io/hostname + # Topology settings for injector pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + # Toleration Settings for injector pods # This should be either a multi-line string or YAML matching the Toleration array # in a PodSpec. @@ -215,8 +273,9 @@ injector: # type: RollingUpdate server: - # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details - enabled: true + # If true, or "-" with global.enabled true, Vault server will be installed. + # See vault.mode in _helpers.tpl for implementation details. + enabled: "-" # [Enterprise Only] This value refers to a Kubernetes secret that you have # created that contains your enterprise license. If you are not using an @@ -236,7 +295,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.9.6" + tag: "1.10.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -454,6 +513,12 @@ server: component: server topologyKey: kubernetes.io/hostname + # Topology settings for server pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + # Toleration Settings for server pods # This should be either a multi-line string or YAML matching the Toleration array # in a PodSpec. @@ -505,6 +570,9 @@ server: # NodePort, or LoadBalancer. #type: ClusterIP + # Do not wait for pods to be ready + publishNotReadyAddresses: true + # The externalTrafficPolicy can be set to either Cluster or Local # and is only valid for LoadBalancer and NodePort service types. # The default value is Cluster. 
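Review bot: `publishNotReadyAddresses: true` in hunk `@@ -505,6 +570,9 @@` becomes the default with only `# Do not wait for pods to be ready` above it, which does not tell a reader what the Service now does: endpoints for server pods that fail their readiness probe (a pod still initialising, or a sealed one if readiness tracks seal status) are published, so clients of this Service may be routed to a pod that cannot serve them. Suggest a comment that names both the effect and the reason for the default, e.g. `# Publish endpoints even for pods that are not Ready, so that pods still starting or unsealing stay addressable through the Service; set to false to route only to Ready pods.` Whether `true` matches the behaviour that was hard-coded before this change is not visible here; if it does not, it is a default change worth a changelog entry. The enclosing service mapping under `server:` starts outside the hunk.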
@@ -627,6 +695,11 @@ server: # If set to null, this will be set to the Pod IP Address apiAddr: null + # Set the cluster_addr confuguration for Vault HA + # See https://www.vaultproject.io/docs/configuration#cluster_addr + # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 + clusterAddr: null + # Enables Vault's integrated Raft storage. Unlike the typical HA modes where # Vault's persistence is external (such as Consul), enabling Raft mode will create # persistent volumes for Vault to store data according to the configuration under server.dataStorage. @@ -771,7 +844,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.4.0" + tag: "1.1.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered @@ -812,6 +885,9 @@ csi: providersDir: "/etc/kubernetes/secrets-store-csi-providers" # Kubelet host path kubeletRootDir: "/var/lib/kubelet" + # Extra labels to attach to the vault-csi-provider daemonSet + # This should be a YAML map of the labels to apply to the csi provider daemonSet + extraLabels: {} pod: # Extra annotations for the provider pods. This can either be YAML or a @@ -824,6 +900,11 @@ csi: # in a PodSpec. tolerations: [] + # Extra labels to attach to the vault-csi-provider pod + # This should be a YAML map of the labels to apply to the csi provider pod + extraLabels: {} + + # Priority class for csi pods priorityClassName: "" @@ -833,6 +914,10 @@ csi: # annotations to apply to the serviceAccount. annotations: {} + # Extra labels to attach to the vault-csi-provider serviceAccount + # This should be a YAML map of the labels to apply to the csi provider serviceAccount + extraLabels: {} + # Used to configure readinessProbe for the pods. readinessProbe: # When a probe fails, Kubernetes will try failureThreshold times before giving up From ba08a0dd0f2d10aa84632d4fd4f3cfe4cea76868 Mon Sep 17 00:00:00 2001 
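Review bot: The new comment in hunk `@@ -627,6 +695,11 @@` misspells "configuration": `# Set the cluster_addr confuguration for Vault HA` should read `# Set the cluster_addr configuration for Vault HA`. Separately, the `csi.pod.extraLabels` block added in `@@ -824,6 +900,11 @@` is followed by two blank lines before `# Priority class for csi pods`, where the surrounding file uses one. Both enclosing mappings (`server:` and `csi:`) start outside these hunks.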
From: xiaocongji <85846543+xiaocongji@users.noreply.github.com> Date: Fri, 4 Aug 2023 09:29:43 -0400 Subject: [PATCH 30/31] DATAGO-59401: Upgrading vault to 1.11.x (#18) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). 
Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support the new non-beta spec beyond kube 1.21 * Remove unnecessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode). Various templates were updated accordingly, but those that were already calling vault.mode had an additional call to vault.serverEnabled made which was unnecessary. Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidentally. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) * Fix CSI acceptance tests (#728) * Update minimum required helm version in readme (#730) Co-authored-by: Tom Proctor * Restore missing 'vault' service account (#737) Our tutorials rely on this service account being present even if we are using an external Vault. The `values.yaml` also states that external Vaults are expected to use this service account. 
For example, https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault * Set default object selector for webhooks to exclude injector itself (#736) Set default object selector for webhooks to exclude injector itself If `injector.failurePolicy` is set to `Fail`, there is a race condition where if the mutating webhook config is setup before the injector, then the injector can fail to start because it tries to inject itself. We can work around this by ignoring the injector pod in in the webhook by default. Thanks to @joeyslalom for the object selector to exclude the pod. Fixes https://github.com/hashicorp/vault-k8s/issues/258 * Prepare for release 0.20.1 (#739) Prepare for release 0.20.1 Improvements: * `vault-k8s` updated to 0.16.1 CHANGES: * `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737) * Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736) Co-authored-by: Theron Voran * Mention minimum helm version in changelog (#742) Also add a features section to 0.20.0 * Start testing against Kubernetes 1.24 (#744) Start testing against Kubernetes 1.24 Update .github/workflows/acceptance.yaml Remove skip csi Co-authored-by: Theron Voran * Update .helmignore (#732) Review .helmignore file, ignore CI in chart * Set VAULT_ADDR env var for CSI Provider pods (#745) * Support to add annotations in injector serviceaccount (#753) * changelog++ (#757) * jira-sync: transition to "Closed" not "Close" (#758) * Add support for nodePort for active and standby services (#610) * Feat/adding pod and container security context (#750) Allow the injector's pod- and container-level securityContext to be fully specified by the user, via new options `injector.securityContext.pod` and `injector.securityContext.container` with 
more complete defaults. Deprecates `injector.uid` and `injector.gid`. If `injector.uid` or `injector.gid` are set by the user, the old pod securityContext settings will be used. Otherwise the new defaults and settings are used. Co-authored-by: Theron Voran * Changelog and schema update for active/standby node port (#761) * Changelog and schema update for active/standby node port Follow-up to https://github.com/hashicorp/vault-helm/pull/610 * changelog++ and json schema update (#762) Changelog updates for #750, and json schema update. * Update jira sync (#768) * csi/server.statefulset: custom security context (#767) csi/server.statefulset: custom security context This adds flexibility to have custom pod template and container `securityContext` and preserves current default values and behavior. Fixes https://github.com/hashicorp/vault-helm/issues/663. This also is a way to address https://github.com/hashicorp/vault-helm/pull/599 so that people can specify, for example, the CSI to run in a privileged container for OpenShift. This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750 and builds on the same principles. Side note: I am not able to run `helm schema-gen` since it is unmaintained and does not work with M1 Macs. * Prepare for 0.21.0 release (#771) Prepare for 0.21.0 release CHANGES: * `vault-k8s` updated to 0.17.0. (this) * `vault-csi-provider` updated to 1.2.0 (this) * `vault` updated to 1.11.2 (this) * Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) * Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. 
[GH-745](https://github.com/hashicorp/vault-helm/pull/745) Features: * server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) * Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) * DOC: Minor typos fixes (#669) Co-authored-by: Tom Proctor * update values comments for server.securityContext (#778) Since container is empty for openshift. * CI: run acceptance tests on push to any (#781) * Add support for the Prometheus Operator (#772) support collecting Vault server metrics by deploying PrometheusOperator CustomResources. 
Co-authored-by: Sam Weston Co-authored-by: Theron Voran * Update vault-k8s to 1.0.0 (#784) Update vault-k8s to 1.0.0 Also update Kubernetes versions tested against, including adding 1.25 Update consul in tests for Kubernetes 1.25 support * Prepare for 0.22.0 release (#785) Prepare for 0.21.1 release * Update Vault to 1.11.3 * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable 
tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. 
* changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. 
* Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. * changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error 
with file * minor changes * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason 
O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. 
v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. 
Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. * changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * Datago 30304/upgrading vault to 1.9.2 (#14) * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github 
workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. 
* add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Update to 0.4.0 * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add 
volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based 
tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. 
* changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error with file * minor changes * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add 
csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add 
default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. 
See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * changed value to use tag 1.9.6 Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. 
Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 * feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16) * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. 
Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image 
to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unnecessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additional call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidentally. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * chore(59401): Upgrade vault to 1.11.x --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Aleksey Co-authored-by: Bruno Padilha <1850071+brunopadz@users.noreply.github.com> Co-authored-by: Jack Halford Co-authored-by: ChrisFraun Co-authored-by: Alex Khaerov Co-authored-by: Sam Weston Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 Co-authored-by: Adhish Maheswaran <36574103+adhish2001@users.noreply.github.com> --- 
.github/workflows/acceptance.yaml | 16 +-
.github/workflows/jira.yaml | 4 +-
.github/workflows/tests.yaml | 4 +-
.helmignore | 26 ++-
CHANGELOG.md | 43 +++-
Chart.yaml | 4 +-
Makefile | 4 +-
README.md | 3 +-
templates/_helpers.tpl | 174 +++++++++++++-
templates/csi-daemonset.yaml | 9 +
templates/injector-deployment.yaml | 14 +-
templates/injector-mutating-webhook.yaml | 5 +-
templates/injector-serviceaccount.yaml | 1 +
templates/prometheus-prometheusrules.yaml | 26 +++
templates/prometheus-servicemonitor.yaml | 44 ++++
templates/server-clusterrolebinding.yaml | 8 +-
templates/server-ha-active-service.yaml | 5 +-
templates/server-ha-standby-service.yaml | 4 +-
templates/server-headless-service.yaml | 1 +
templates/server-serviceaccount.yaml | 6 +-
templates/server-statefulset.yaml | 13 +-
test/acceptance/csi.bats | 1 -
test/acceptance/server-ha-enterprise-dr.bats | 4 +-
.../acceptance/server-ha-enterprise-perf.bats | 4 +-
test/acceptance/server-ha.bats | 14 +-
test/acceptance/server-telemetry.bats | 90 ++++++++
test/acceptance/server-test/telemetry.yaml | 28 +++
test/unit/csi-daemonset.bats | 85 +++++++
test/unit/injector-deployment.bats | 186 +++++++++++++++
test/unit/injector-disruptionbudget.bats | 1 -
test/unit/injector-mutating-webhook.bats | 6 +-
test/unit/injector-serviceaccount.bats | 10 +
test/unit/prometheus-prometheusrules.bats | 68 ++++++
test/unit/prometheus-servicemonitor.bats | 125 ++++++++++
test/unit/server-clusterrolebinding.bats | 1 +
test/unit/server-ha-active-service.bats | 4 +-
test/unit/server-ha-standby-service.bats | 4 +-
test/unit/server-statefulset.bats | 61 +++++
values.openshift.yaml | 6 +-
values.schema.json | 110 ++++++++-
values.yaml | 215 ++++++++++++++++--
41 files changed, 1332 insertions(+), 105 deletions(-)
create mode 100644 templates/prometheus-prometheusrules.yaml
create mode 100644 templates/prometheus-servicemonitor.yaml
create mode 100644 test/acceptance/server-telemetry.bats
create mode 100644 
test/acceptance/server-test/telemetry.yaml create mode 100755 test/unit/prometheus-prometheusrules.bats create mode 100755 test/unit/prometheus-servicemonitor.bats diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 2261ea63a..042bfd1d5 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -1,17 +1,13 @@ name: Acceptance Tests -on: - push: - branches: - - main - workflow_dispatch: {} +on: [push, workflow_dispatch] jobs: kind: strategy: fail-fast: false matrix: - kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4] + kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.13, 1.23.10, 1.24.4, 1.25.0] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 @@ -23,12 +19,8 @@ jobs: with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} + version: v0.14.0 - # Skip CSI tests if K8s version < 1.16.x - - run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV - - if: ${{ env.K8S_MINOR < 16 }} - run: echo "SKIP_CSI=true" >> $GITHUB_ENV - - - run: bats ./test/acceptance -t + - run: bats --tap --timing ./test/acceptance env: VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index eb369f335..fc03b2188 100644 --- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml 
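Review bot: `on: [push, workflow_dispatch]` drops the `branches: [main]` filter, so every push to any branch of this repository now runs the full seven-version kind matrix, and the `bats` step in the following hunk receives `VAULT_LICENSE_CI` from `secrets` on each of those runs. Since push events fire only for the repository's own branches (not forks), the practical change is runner cost plus a wider set of branches on which the license secret is handed to test code; if that is intended, record it in the file with a comment such as `# run the acceptance matrix on every branch push, not only main`, otherwise restore `push: {branches: [main]}` alongside `workflow_dispatch`. The new matrix entries such as `1.25.0` are plain scalars; two-dot versions parse as strings, but quoting them (`"1.25.0"`) would guard against a future single-dot entry like `1.25` being read as a float.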
@@ -40,7 +40,7 @@ jobs: description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_" # customfield_10089 is Issue Link custom field # customfield_10091 is team custom field - extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "runtime"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}' + extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "foundations"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}' - name: Search if: github.event.action != 'opened' @@ -62,7 +62,7 @@ jobs: uses: atlassian/gajira-transition@v2.0.1 with: issue: ${{ steps.search.outputs.issue }} - transition: Close + transition: Closed - name: Reopen ticket if: github.event.action == 'reopened' && steps.search.outputs.issue diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 0aba6ee30..53a1f039e 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -8,7 +8,7 @@ jobs: steps: - uses: actions/checkout@v2 - uses: ./.github/workflows/setup-test-tools - - run: bats ./test/unit -t + - run: bats --tap --timing ./test/unit chart-verifier: runs-on: ubuntu-latest @@ -22,4 +22,4 @@ jobs: with: go-version: '1.17.4' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - - run: bats ./test/chart -t + - run: bats --tap --timing ./test/chart diff --git a/.helmignore b/.helmignore index d1180d2fb..4007e2435 100644 --- a/.helmignore +++ b/.helmignore 
@@ -1,4 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs .git/ +.gitignore .terraform/ -bin/ +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +# CI and test +.circleci/ +.github/ +.gitlab-ci.yml test/ diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b7783a94..aa0e4b734 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,43 @@ ## Unreleased + +## 0.22.0 (September 8th, 2022) + +Features: +* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772) + +Changes: +* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785) + +## 0.21.0 (August 10th, 2022) + +CHANGES: +* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) +* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) +* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) + +Features: +* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. 
[GH-610](https://github.com/hashicorp/vault-helm/pull/610) +* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) + +## 0.20.1 (May 25th, 2022) +CHANGES: +* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739) + +Improvements: +* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736) + +Bugs: +* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737) + ## 0.20.0 (May 16th, 2022) CHANGES: @@ -9,8 +47,10 @@ CHANGES: * CSI provider default image to 1.1.0 * Vault K8s default image to 0.16.0 * Earliest Kubernetes version tested is now 1.16 +* Helm 3.6+ now required + +Features: * Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652) -* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692) Improvements: * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) @@ -19,6 +59,7 @@ Improvements: * Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) * server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694) * server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684) +* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692) ## 0.19.0 (January 20th, 2022) diff --git a/Chart.yaml b/Chart.yaml index fc5527d10..4289e6c7d 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.20.0 -appVersion: 1.10.3 +version: 0.22.0 +appVersion: 1.11.3 kubeVersion: ">= 1.16.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/Makefile b/Makefile index fb35f977f..afa801370 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,7 @@ LOCAL_ACCEPTANCE_TESTS?=false KIND_CLUSTER_NAME?=vault-helm # kind k8s version -KIND_K8S_VERSION?=v1.20.2 +KIND_K8S_VERSION?=v1.25.0 # Generate json schema for chart values. See test/README.md for more details. values-schema: @@ -72,7 +72,7 @@ acceptance: ifneq ($(LOCAL_ACCEPTANCE_TESTS),true) gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} endif - bats test/${ACCEPTANCE_TESTS} + bats --tap --timing test/${ACCEPTANCE_TESTS} # this target is for provisioning the GKE cluster # it is run in the docker container above when the test-provision target is invoked diff --git a/README.md b/README.md index 49ded6e8b..1c8959607 100644 --- a/README.md +++ b/README.md @@ -25,8 +25,7 @@ this README. Please refer to the Kubernetes and Helm documentation. The versions required are: - * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible - it works with earlier versions but this chart is untested for those versions. + * **Helm 3.6+** * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index a50fed899..bcc6496c0 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -58,6 +58,32 @@ Compute if the server is enabled. (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} {{- end -}} +{{/* +Compute if the server auth delegator serviceaccount is enabled. +*/}} +{{- define "vault.serverServiceAccountEnabled" -}} +{{- $_ := set . "serverServiceAccountEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true" ) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server auth delegator serviceaccount is enabled. +*/}} +{{- define "vault.serverAuthDelegator" -}} +{{- $_ := set . "serverAuthDelegator" + (and + (eq (.Values.server.authDelegator.enabled | toString) "true" ) + (or (eq (.Values.server.serviceAccount.create | toString) "true") + (not (eq .Values.server.serviceAccount.name ""))) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + {{/* Compute if the server service is enabled. */}} @@ -96,7 +122,9 @@ template logic. */}} {{- define "vault.mode" -}} {{- template "vault.serverEnabled" . -}} - {{- if .Values.injector.externalVaultAddr -}} + {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} + {{- $_ := set . "mode" "external" -}} + {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} 
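Review bot: The comment above `vault.serverServiceAccountEnabled` reads "Compute if the server auth delegator serviceaccount is enabled.", which is a copy of the comment on `vault.serverAuthDelegator` just below it; it should say `Compute if the server serviceaccount is enabled.`. Both new helpers gate on `(or (eq (.Values.server.enabled | toString) "true") (eq (.Values.global.enabled | toString) "true"))`, so an explicit `server.enabled=false` together with `global.enabled=true` still yields the ServiceAccount and the auth-delegator ClusterRoleBinding, whereas the `.serverEnabled` gate these templates used until now (removed in the server-serviceaccount.yaml and server-clusterrolebinding.yaml hunks) treats an explicit `false` as disabled. The CHANGELOG says this is intended for the ServiceAccount; if it is also intended for the cluster-wide binding on that account, state it in the `vault.serverAuthDelegator` comment so the widening is not read as an oversight.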
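Review bot: The added `{{- else if not .serverEnabled -}}` / `{{- $_ := set . "mode" "external" -}}` pair duplicates the identical branch that already follows it in the context lines, so the second `else if not .serverEnabled` can never be reached; keep only the new `{{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}` condition on the first `if` and drop the added two lines. The `vault.mode` definition continues past the hunk.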
@@ -452,6 +480,103 @@ Sets extra injector service annotations {{- end }} {{- end -}} +{{/* +securityContext for the injector pod level. +*/}} +{{- define "injector.securityContext.pod" -}} + {{- if .Values.injector.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.injector.gid | default 1000 }} + runAsUser: {{ .Values.injector.uid | default 100 }} + fsGroup: {{ .Values.injector.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the injector container level. +*/}} +{{- define "injector.securityContext.container" -}} + {{- if .Values.injector.securityContext.container}} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset pod template. +*/}} +{{- define "server.statefulSet.securityContext.pod" -}} + {{- if .Values.server.statefulSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.pod . 
| nindent 8 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.server.gid | default 1000 }} + runAsUser: {{ .Values.server.uid | default 100 }} + fsGroup: {{ .Values.server.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset vault container +*/}} +{{- define "server.statefulSet.securityContext.container" -}} + {{- if .Values.server.statefulSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + {{- end }} +{{- end -}} + + +{{/* +Sets extra injector service account annotations +*/}} +{{- define "injector.serviceAccount.annotations" -}} + {{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets extra injector webhook annotations */}} 
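Review bot: A user-supplied `injector.securityContext.pod`/`.container` (and the `server.statefulSet.securityContext.*` equivalents) replaces the hardened default wholesale rather than merging with it, so setting any single field silently drops `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and the `drop: [ALL]` capabilities; each helper deserves a comment such as `{{/* An override replaces the whole default securityContext; re-state runAsNonRoot/allowPrivilegeEscalation in it. */}}`, and the values.yaml documentation for these keys (not in this chunk) should say the same. The server container default (`allowPrivilegeEscalation: false` only) is narrower than the injector container default, which also drops all capabilities; if that is deliberate, a one-line comment on `server.statefulSet.securityContext.container` saying why would stop the next reviewer from "harmonising" it. Minor: `{{- if .Values.injector.securityContext.container}}` lacks the space before `}}` that every other action in the file has.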
@@ -467,6 +592,22 @@ Sets extra injector webhook annotations {{- end }} {{- end -}} +{{/* +Set's the injector webhook objectSelector +*/}} +{{- define "injector.objectSelector" -}} + {{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}} + {{ if $v }} + objectSelector: + {{- $tp := typeOf $v -}} + {{ if eq $tp "string" }} + {{ tpl $v . | indent 6 | trim }} + {{ else }} + {{ toYaml $v | indent 6 | trim }} + {{ end }} + {{ end }} +{{ end }} + {{/* Sets extra ui service annotations */}} @@ -657,6 +798,37 @@ Sets extra CSI daemonset annotations {{- end }} {{- end -}} +{{/* +Sets CSI daemonset securityContext for pod template +*/}} +{{- define "csi.daemonSet.securityContext.pod" -}} + {{- if .Values.csi.daemonSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets CSI daemonset securityContext for container +*/}} +{{- define "csi.daemonSet.securityContext.container" -}} + {{- if .Values.csi.daemonSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }} + {{- end }} + {{- end }} +{{- end -}} + + {{/* Sets the injector toleration for pod placement */}} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 5c21752d6..d131aac5f 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml 
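Review bot: `injector.objectSelector` uses untrimmed `{{ if $v }}`, `{{ if eq $tp "string" }}`, `{{ else }}`, `{{ end }}` and closing `{{ end }}` actions, unlike the `{{- ... }}` forms used by every other helper in this file, so each action leaves its own line plus the helper's literal indentation in the rendered manifest; the caller in injector-mutating-webhook.yaml compensates with `{{- template ... -}}`, but the helper itself should trim, e.g. `{{- if $v }}`, `{{- if eq $tp "string" }}`, `{{- else }}`, `{{- end }}`. `indent 6 | trim` also strips the first line's indentation and relies on the column of the `{{ tpl ... }}` line to restore it; `nindent 6`, as the securityContext helpers above use, would not. The header comment has a typo: `Set's` → `Sets`.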
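Review bot: Unlike `injector.securityContext.*` and `server.statefulSet.securityContext.*`, `csi.daemonSet.securityContext.pod` and `.container` emit nothing when the value is unset — there is no non-OpenShift hardened default — which the new unit tests in csi-daemonset.bats pin as `null`. If the provider DaemonSet is meant to run unrestricted unless the operator says otherwise, record that in each helper, e.g. `{{/* No default securityContext: the CSI provider is only restricted when csi.daemonSet.securityContext is set. */}}`, and mirror it in the values.yaml docs for these keys so the asymmetry with the other components is visibly intentional.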
@@ -34,6 +34,7 @@ spec: {{- end -}} {{ template "csi.pod.annotations" . }} spec: + {{ template "csi.daemonSet.securityContext.pod" . }} {{- if .Values.csi.priorityClassName }} priorityClassName: {{ .Values.csi.priorityClassName }} {{- end }} @@ -42,6 +43,7 @@ spec: containers: - name: {{ include "vault.name" . }}-csi-provider {{ template "csi.resources" . }} + {{ template "csi.daemonSet.securityContext.container" . }} image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" imagePullPolicy: {{ .Values.csi.image.pullPolicy }} args: @@ -50,6 +52,13 @@ spec: {{- if .Values.csi.extraArgs }} {{- toYaml .Values.csi.extraArgs | nindent 12 }} {{- end }} + env: + - name: VAULT_ADDR + {{- if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + {{- end }} volumeMounts: - name: providervol mountPath: "/provider" diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 588efe400..e69ba72ef 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
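Review bot: The two `VAULT_ADDR` branches are quoted differently: `value: "{{ .Values.global.externalVaultAddr }}"` versus the plain `value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}`; the plain form works because no `: ` or ` #` can occur in it, but quoting both keeps the rendered YAML uniform and protects the value if a release name or port ever contains a YAML special, so `value: "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}"`. The same asymmetry already exists in injector-deployment.yaml, which this block copies, so fixing it in both keeps the two in step.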
@@ -38,29 +38,25 @@ spec: priorityClassName: {{ .Values.injector.priorityClassName }} {{- end }} serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + {{ template "injector.securityContext.pod" . -}} {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.injector.hostNetwork }} - securityContext: - runAsNonRoot: true - runAsGroup: {{ .Values.injector.gid | default 1000 }} - runAsUser: {{ .Values.injector.uid | default 100 }} {{- end }} containers: - name: sidecar-injector {{ template "injector.resources" . }} image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" - {{- if not .Values.global.openshift }} - securityContext: - allowPrivilegeEscalation: false - {{- end }} + {{- template "injector.securityContext.container" . }} env: - name: AGENT_INJECT_LISTEN value: {{ printf ":%v" .Values.injector.port }} - name: AGENT_INJECT_LOG_LEVEL value: {{ .Values.injector.logLevel | default "info" }} - name: AGENT_INJECT_VAULT_ADDR - {{- if .Values.injector.externalVaultAddr }} + {{- if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else if .Values.injector.externalVaultAddr }} value: "{{ .Values.injector.externalVaultAddr }}" {{- else }} value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index f873f61c9..3d3fd3678 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml 
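Review bot: The two new template calls trim on opposite sides — `{{ template "injector.securityContext.pod" . -}}` trims after, `{{- template "injector.securityContext.container" . }}` trims before — and server-statefulset.yaml uses the leading `{{-` form for both; the helpers open with `{{- if ... }}` themselves, so `{{- template "injector.securityContext.pod" . }}` works here too and keeps the three call sites uniform. Precedence of `global.externalVaultAddr` over the deprecated `injector.externalVaultAddr` is correct but only readable from branch order; a `{{- /* global.externalVaultAddr takes precedence over the deprecated injector.externalVaultAddr */}}` above the `{{- if .Values.global.externalVaultAddr }}` line makes the intent explicit.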
@@ -35,8 +35,5 @@ webhooks: namespaceSelector: {{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}} {{ end }} -{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }} - objectSelector: -{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}} -{{ end }} +{{- template "injector.objectSelector" . -}} {{ end }} diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index ebc57b56f..d1919b936 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -9,4 +9,5 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "injector.serviceAccount.annotations" . }} {{ end }} diff --git a/templates/prometheus-prometheusrules.yaml b/templates/prometheus-prometheusrules.yaml new file mode 100644 index 000000000..572f1a05a --- /dev/null +++ b/templates/prometheus-prometheusrules.yaml 
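Review bot: `injector.serviceAccount.annotations` compares `.mode` with `ne .mode "dev"`, but this template's head is outside the hunk and nothing visible here invokes `vault.mode` before the new `{{ template "injector.serviceAccount.annotations" . }}` line, so `.mode` is only defined if an earlier action in this file, or a previously rendered template sharing the root context, set it. Confirm that, and if it is not the case add `{{ template "vault.mode" . }}` at the top of this file so the dev-mode check runs against a defined value rather than nil.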
@@ -0,0 +1,26 @@ +{{ if and (.Values.serverTelemetry.prometheusRules.rules) + (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) ) +}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} + {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }} + {{- if $selectors }} + {{- toYaml $selectors | nindent 4 }} + {{- else }} + release: prometheus + {{- end }} +spec: + groups: + - name: {{ include "vault.fullname" . }} + rules: + {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }} +{{- end }} diff --git a/templates/prometheus-servicemonitor.yaml b/templates/prometheus-servicemonitor.yaml new file mode 100644 index 000000000..323e51fb9 --- /dev/null +++ b/templates/prometheus-servicemonitor.yaml 
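Review bot: The file mixes `{{ template "vault.fullname" . }}` for `metadata.name` with `{{ include "vault.fullname" . }}` for the group name, the same helper rendered two ways; `include` is the pipeable form the rest of the metadata block already uses, so `name: {{ include "vault.fullname" . }}` keeps the file consistent. The hard-coded fallback label `release: prometheus` is explained only by the inline template comment; the values.yaml entry for `serverTelemetry.prometheusRules.selectors` (not in this chunk) should state that the default matches a Prometheus Operator release named `prometheus` and must be overridden for any other installation, since an unmatched label leaves the rules silently unloaded.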
@@ -0,0 +1,44 @@ +{{ template "vault.mode" . }} +{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} + {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }} + {{- if $selectors }} + {{- toYaml $selectors | nindent 4 }} + {{- else }} + release: prometheus + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if eq .mode "ha" }} + vault-active: "true" + {{- else }} + vault-internal: "true" + {{- end }} + endpoints: + - port: {{ include "vault.scheme" . }} + interval: {{ .Values.serverTelemetry.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }} + scheme: {{ include "vault.scheme" . | lower }} + path: /v1/sys/metrics + params: + format: + - prometheus + tlsConfig: + insecureSkipVerify: true + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{ end }} diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index e045b9ec3..8cdd61143 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml 
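Review bot: `tlsConfig: insecureSkipVerify: true` is hard-coded, so whenever `vault.scheme` resolves to https the Prometheus scrape never verifies the Vault server certificate, and operators who run TLS with a known CA have no way to turn verification on; `/v1/sys/metrics` must also be reachable unauthenticated (the acceptance fixture enables `unauthenticated_metrics_access`), with no hook for a bearer token or client certificate. Make the block overridable from values, e.g. a `tlsConfig` map under `serverTelemetry.serviceMonitor` rendered with `toYaml | nindent 6` and defaulting to the current `insecureSkipVerify: true`, and document the default and its effect beside the key. `interval:` and `scrapeTimeout:` are rendered unquoted; `15s` is safe, but a bare number would likely be rejected by the ServiceMonitor schema as a non-string, so `interval: "{{ .Values.serverTelemetry.serviceMonitor.interval }}"` is cheaper than the validation error.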
@@ -1,6 +1,5 @@ -{{ template "vault.mode" . }} -{{- if .serverEnabled -}} -{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }} +{{ template "vault.serverAuthDelegator" . }} +{{- if .serverAuthDelegator -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -22,5 +21,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} namespace: {{ .Release.Namespace }} -{{ end }} -{{ end }} +{{ end }} \ No newline at end of file diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 90761a468..ef212376d 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -14,6 +14,7 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + vault-active: "true" annotations: {{ template "vault.service.annotations" .}} spec: @@ -29,8 +30,8 @@ spec: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} - {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} - nodePort: {{ .Values.server.service.nodePort }} + {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.activeNodePort }} {{- end }} - name: https-internal port: 8201 diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 03260ffaf..e6d66af84 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
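Review bot: The replacement `+{{ end }}` is followed by `\ No newline at end of file`, so this template now ends without a trailing newline while the other templates in the chart keep one; restore the final newline after `{{ end }}` so the file matches its neighbours and tools that diff or lint it stop flagging the last line.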
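Review bot: Switching the gate and value from `server.service.nodePort` to `server.service.activeNodePort` means an existing values file that sets `server.service.nodePort` silently loses its node port on the active service after upgrading; the standby service hunk in server-ha-standby-service.yaml does the same with `standbyNodePort`. If the old key is meant to stay valid for the active service, fall back to it, e.g. `{{- $nodePort := .Values.server.service.activeNodePort | default .Values.server.service.nodePort }}` and use `$nodePort` in both the condition and the `nodePort:` line; otherwise the CHANGELOG should list the rename under changes rather than features so upgraders look for it. The `ports:` list continues past the hunk.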
@@ -29,8 +29,8 @@ spec: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} - {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} - nodePort: {{ .Values.server.service.nodePort }} + {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.standbyNodePort }} {{- end }} - name: https-internal port: 8201 diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index fffaaacbb..b03f491e3 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -13,6 +13,7 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + vault-internal: "true" annotations: {{ template "vault.service.annotations" .}} spec: diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 2d1a104bf..c0d32d190 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -1,6 +1,5 @@ -{{ template "vault.mode" . }} -{{- if .serverEnabled -}} -{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} +{{ template "vault.serverServiceAccountEnabled" . }} +{{- if .serverServiceAccountEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: @@ -13,4 +12,3 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} {{ template "vault.serviceAccount.annotations" . }} {{ end }} -{{ end }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 518a19336..afc48d695 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml 
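Review bot: Dropping `{{ template "vault.mode" . }}` from the top of this template means `.mode` is no longer set here, yet the context line `{{ template "vault.serviceAccount.annotations" . }}` still runs; if that helper gates on `.mode` the way the new `injector.serviceAccount.annotations` does (`ne .mode "dev"`), it now depends on some earlier-rendered template having populated `.mode` on the shared root context. Either keep the `vault.mode` call ahead of the new `{{ template "vault.serverServiceAccountEnabled" . }}` line, or have `vault.serverServiceAccountEnabled` invoke `vault.mode` itself, so the file renders correctly on its own (e.g. under `helm template --show-only`).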
@@ -48,13 +48,7 @@ spec: {{ if .Values.server.shareProcessNamespace }} shareProcessNamespace: true {{ end }} - {{- if not .Values.global.openshift }} - securityContext: - runAsNonRoot: true - runAsGroup: {{ .Values.server.gid | default 1000 }} - runAsUser: {{ .Values.server.uid | default 100 }} - fsGroup: {{ .Values.server.gid | default 1000 }} - {{- end }} + {{- template "server.statefulSet.securityContext.pod" . }} volumes: {{ template "vault.volumes" . }} - name: home @@ -72,10 +66,7 @@ spec: - "/bin/sh" - "-ec" args: {{ template "vault.args" . }} - {{- if not .Values.global.openshift }} - securityContext: - allowPrivilegeEscalation: false - {{- end }} + {{- template "server.statefulSet.securityContext.container" . }} env: - name: HOST_IP valueFrom: diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index bf6f85b5e..84742d5d0 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -12,7 +12,6 @@ check_skip_csi() { check_skip_csi cd `chart_dir` - kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 5cc1a9b06..f09bbb1fc 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.10.3-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
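Review bot: Removing `kubectl delete namespace acceptance --ignore-not-found=true` leaves `kubectl create namespace acceptance` to fail with AlreadyExists whenever a previous run was interrupted before `teardown`, which the new server-telemetry.bats guards against by keeping the delete before the create; unless the deletion was intentionally moved to a shared setup not shown here, reinstate the line. `check_skip_csi` at the top of the hunk presumably still keys off the `SKIP_CSI` variable that acceptance.yaml no longer exports in this commit, which is fine while the matrix starts at 1.16 but deserves a comment at its definition.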
@@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.10.3-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 6deec78f9..8b5c1be30 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.10.3-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.10.3-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 4180f8c4a..6876e0f5b 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats 
@@ -87,8 +87,18 @@ setup() { kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance - helm install consul \ - https://github.com/hashicorp/consul-helm/archive/v0.28.0.tar.gz \ + helm repo add hashicorp https://helm.releases.hashicorp.com + helm repo update + + CONSUL_HELM_VERSION=v0.48.0 + + K8S_MAJOR=$(kubectl version --output=json | jq -r .serverVersion.major) + K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor) + if [ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]; then + CONSUL_HELM_VERSION=v0.32.1 + fi + helm install consul hashicorp/consul \ + --version $CONSUL_HELM_VERSION \ --set 'ui.enabled=false' wait_for_running_consul diff --git a/test/acceptance/server-telemetry.bats b/test/acceptance/server-telemetry.bats new file mode 100644 index 000000000..a7c4e0dd7 --- /dev/null +++ b/test/acceptance/server-telemetry.bats 
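Review bot: `K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor)` can yield a non-numeric value such as `20+` on managed distributions, which makes `[ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]` an integer-expression error and aborts `setup()`; strip the suffix before comparing, e.g. `K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor | tr -d '+')`. The same `jq -r .serverVersion.minor` probe was removed from acceptance.yaml in this commit, so this file is now the only place the pattern survives. `setup()` continues past the hunk.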
@@ -0,0 +1,90 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/telemetry: prometheusOperator" { + cd `chart_dir` + helm --namespace acceptance uninstall $(name_prefix) || : + helm --namespace acceptance uninstall prometheus || : + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + kubectl config set-context --current --namespace=acceptance + + helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + helm repo update + helm install \ + --wait \ + --version 39.6.0 \ + prometheus prometheus-community/kube-prometheus-stack + + helm install \ + --wait \ + --values ./test/acceptance/server-test/telemetry.yaml \ + "$(name_prefix)" . + + wait_for_running $(name_prefix)-0 + + # Sealed, not initialized + wait_for_sealed_vault $(name_prefix)-0 + + # Vault Init + local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ + vault operator init -format=json -n 1 -t 1 | \ + jq -r '.unseal_keys_b64[0]') + [ "${token}" != "" ] + + # Vault Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + for pod in "${pods[@]}" + do + kubectl exec -ti ${pod} -- vault operator unseal ${token} + done + + wait_for_ready "$(name_prefix)-0" + + # Unsealed, initialized + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "false" ] + + local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "true" ] + + # unfortunately it can take up to 2 minutes for the vault prometheus job to appear + # TODO: investigate how reduce this. 
+ local job_labels + local tries=0 + until [ $tries -ge 240 ] + do + job_labels=$( (kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \ + -c prometheus \ + -- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr ) + + # Ensure the expected job label was picked up by Prometheus + [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "vault-internal")')" = "true" ] && break + + ((++tries)) + sleep .5 + done + + + # Ensure the expected job is "up" + local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \ + -c prometheus \ + -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="vault-internal"}' ) | \ + tee /dev/stderr ) + [ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ] +} + +# Clean up +teardown() { + if [[ ${CLEANUP:-true} == "true" ]] + then + echo "helm/pvc teardown" + helm uninstall $(name_prefix) + helm uninstall prometheus + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi +} diff --git a/test/acceptance/server-test/telemetry.yaml b/test/acceptance/server-test/telemetry.yaml new file mode 100644 index 000000000..2925bc8f7 --- /dev/null +++ b/test/acceptance/server-test/telemetry.yaml @@ -0,0 +1,28 @@ +server: + standalone: + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + telemetry { + unauthenticated_metrics_access = "true" + } + } + + storage "file" { + path = "/vault/data" + } + + telemetry { + prometheus_retention_time = "30s", + disable_hostname = true + } + +serverTelemetry: + serviceMonitor: + enabled: true + interval: 15s diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 6893b06ac..59c08f248 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
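Review bot: The `until [ $tries -ge 240 ]` loop exits silently when the `vault-internal` job label never appears, so a discovery timeout surfaces only as the later `up` query returning `null` instead of as the label check failing; assert after the loop, e.g. `[ $tries -lt 240 ] || { echo "vault-internal job never appeared in Prometheus" >&2; false; }`, so the failure names the stage that timed out. The variable `token` holds the unseal key (`.unseal_keys_b64[0]`), not a token; `unseal_key` would match what `vault operator unseal ${token}` does with it.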
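Review bot: The embedded HCL has a trailing comma in `prometheus_retention_time = "30s",` although the next attribute starts on its own line; if Vault's HCL parser tolerates it the comma is merely noise, otherwise the fixture fails to load before the metrics check runs, so dropping it is the safer choice either way. A short comment above `tls_disable = 1` and `unauthenticated_metrics_access = "true"` noting that this listener is scoped to the throwaway acceptance cluster would keep the fixture from being lifted into a real values file unchanged.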
@@ -586,3 +586,88 @@ load _helpers yq -r '.timeoutSeconds' | tee /dev/stderr) [ "${actual}" = "14" ] } + +@test "csi/daemonset: with only injector.externalVaultAddr" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --release-name not-external-test \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://not-external-test-vault.default.svc:8200" ] +} + +@test "csi/daemonset: with global.externalVaultAddr" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'global.externalVaultAddr=http://vault-outside' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://vault-outside" ] +} + +#-------------------------------------------------------------------- +# securityContext + +@test "csi/daemonset: default csi.daemonSet.securityContext.pod" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: default csi.daemonSet.securityContext.container" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: specify csi.daemonSet.securityContext.pod yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.securityContext.pod.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.daemonSet.securityContext.container yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.securityContext.container.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.daemonSet.securityContext.container yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.securityContext.container=foo: bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index f69a585b0..6c21e40dd 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
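Review bot: The two `default csi.daemonSet.securityContext.*` tests pin `null` for both the pod and the container securityContext, which codifies that the CSI provider ships with no hardening at all by default, unlike the injector and server defaults asserted elsewhere in this change (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`). If running unrestricted is required (presumably for the hostPath the provider writes its socket to — not visible here), say so in a comment above these tests and in values.yaml; otherwise give the container a default such as `allowPrivilegeEscalation: false` with `capabilities.drop: [ALL]` and assert that here instead of `null`.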
@@ -209,6 +209,33 @@ load _helpers [ "${value}" = "http://vault-outside" ] } +@test "injector/deployment: with global.externalVaultAddr" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'global.externalVaultAddr=http://vault-outside' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://vault-outside" ] +} + +@test "injector/deployment: global.externalVaultAddr takes precendence over injector.externalVaultAddr" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'global.externalVaultAddr=http://global-vault-outside' \ + --set 'injector.externalVaultAddr=http://injector-vault-outside' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://global-vault-outside" ] +} + @test "injector/deployment: without externalVaultAddr" { cd `chart_dir` local object=$(helm template \ 
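Review bot: The new test name `global.externalVaultAddr takes precendence over injector.externalVaultAddr` misspells "precedence"; bats reports and filters tests by name, so fix it before it gets grepped for in CI: `@test "injector/deployment: global.externalVaultAddr takes precedence over injector.externalVaultAddr" {`. The assertions themselves look correct.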
@@ -336,6 +363,165 @@ load _helpers [ "${value}" = "false" ] } +#-------------------------------------------------------------------- +# securityContext for pod and container + +# for backward compatibility +@test "injector/deployment: backward pod securityContext" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.uid=200' \ + --set 'injector.gid=4000' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext' | tee /dev/stderr) + + local value=$(echo $actual | yq -r .runAsUser | tee /dev/stderr) + [ "${value}" = "200" ] + + local value=$(echo $actual | yq -r .runAsGroup | tee /dev/stderr) + [ "${value}" = "4000" ] +} + +@test "injector/deployment: default pod securityContext" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext' | tee /dev/stderr) + [ "${actual}" != "null" ] + + local value=$(echo $actual | yq -r .fsGroup | tee /dev/stderr) + [ "${value}" = "1000" ] + + local value=$(echo $actual | yq -r .runAsGroup | tee /dev/stderr) + [ "${value}" = "1000" ] + + local value=$(echo $actual | yq -r .runAsNonRoot | tee /dev/stderr) + [ "${value}" = "true" ] + + local value=$(echo $actual | yq -r .runAsUser | tee /dev/stderr) + [ "${value}" = "100" ] +} + +@test "injector/deployment: custom pod securityContext" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.securityContext.pod.runAsNonRoot=true' \ + --set 'injector.securityContext.pod.runAsGroup=1001' \ + --set 'injector.securityContext.pod.runAsUser=1001' \ + --set 'injector.securityContext.pod.fsGroup=1000' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr) + [ "${actual}" = "1001" ] + + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.securityContext.pod.runAsNonRoot=false' \ + --set 'injector.securityContext.pod.runAsGroup=1000' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.runAsNonRoot' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.securityContext.pod.runAsUser=1001' \ + --set 'injector.securityContext.pod.fsGroup=1000' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr) + [ "${actual}" = "1001" ] + + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.securityContext.pod.runAsNonRoot=true' \ + --set 'injector.securityContext.pod.fsGroup=1001' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) + [ "${actual}" = "1001" ] +} + +@test "injector/deployment: custom pod securityContext from string" { + cd `chart_dir` + local multi=$(cat < 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "injector/ServiceAccount: generic annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-serviceaccount.yaml \ + --set 'injector.serviceAccount.annotations=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/prometheus-prometheusrules.bats b/test/unit/prometheus-prometheusrules.bats new file mode 100755 index 000000000..87736cfcb --- /dev/null +++ b/test/unit/prometheus-prometheusrules.bats 
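Review bot: The `backward pod securityContext` test sets `injector.gid=4000` but only asserts `runAsGroup`; the values.yaml comment in this same change says `fsGroup` also derives from `injector.gid`, so add `local value=$(echo $actual | yq -r .fsGroup | tee /dev/stderr)` and `[ "${value}" = "4000" ]` so a regression that decouples `fsGroup` from `gid` is caught. The `custom pod securityContext` cases each set several keys and assert one, which leaves open whether a user-supplied map is merged with or replaces the defaults; asserting whether `runAsUser` is still `100` (or absent) in the case that sets only `runAsNonRoot` and `runAsGroup` would pin that behaviour. The remainder of this hunk, including the `from string` heredoc, is garbled in this view.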
@@ -0,0 +1,68 @@ +#!/usr/bin/env bats + +load _helpers + +@test "prometheus/PrometheusRules-server: assertDisabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-prometheusrules.yaml \ + --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "prometheus/PrometheusRules-server: assertDisabled with rules-defined=false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-prometheusrules.yaml \ + --set 'serverTelemetry.prometheusRules.enabled=true' \ + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "prometheus/PrometheusRules-server: assertEnabled with rules-defined=true" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-prometheusrules.yaml \ + --set 'serverTelemetry.prometheusRules.enabled=true' \ + --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules.baz=qux' \ + .) | tee /dev/stderr ) + + [ "$(echo "$output" | yq -r '.spec.groups | length')" = "1" ] + [ "$(echo "$output" | yq -r '.spec.groups[0] | length')" = "2" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-vault" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules | length')" = "2" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules.foo')" = "bar" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules.baz')" = "qux" ] +} + +@test "prometheus/PrometheusRules-server: assertSelectors default" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-prometheusrules.yaml \ + --set 'serverTelemetry.prometheusRules.enabled=true' \ + --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + . 
) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "5" ] + [ "$(echo "$output" | yq -r '.metadata.labels.release')" = "prometheus" ] +} + +@test "prometheus/PrometheusRules-server: assertSelectors overrides" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-prometheusrules.yaml \ + --set 'serverTelemetry.prometheusRules.enabled=true' \ + --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.selectors.baz=qux' \ + --set 'serverTelemetry.prometheusRules.selectors.bar=foo' \ + . ) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "6" ] + [ "$(echo "$output" | yq -r '.metadata.labels | has("app")')" = "false" ] + [ "$(echo "$output" | yq -r '.metadata.labels | has("kube-prometheus-stack")')" = "false" ] + [ "$(echo "$output" | yq -r '.metadata.labels.baz')" = "qux" ] + [ "$(echo "$output" | yq -r '.metadata.labels.bar')" = "foo" ] +} diff --git a/test/unit/prometheus-servicemonitor.bats b/test/unit/prometheus-servicemonitor.bats new file mode 100755 index 000000000..5d92c89d2 --- /dev/null +++ b/test/unit/prometheus-servicemonitor.bats 
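Review bot: The `assertEnabled with rules-defined=true` test feeds `rules` as a map (`rules.foo=bar`, `rules.baz=qux`) and asserts `.spec.groups[0].rules.foo`, but a PrometheusRule's `groups[].rules` is a list of alert/record objects, so the rendered resource is one the CRD would reject and the test never exercises the shape users will actually write. Use a list instead, e.g. `--set 'serverTelemetry.prometheusRules.rules[0].alert=VaultDown' --set 'serverTelemetry.prometheusRules.rules[0].expr=up==0'` and assert `.spec.groups[0].rules[0].alert`. The selector tests also hard-code `release: prometheus` as the default label, presumably to match kube-prometheus-stack's default `ruleSelector`; a comment saying so would stop the next person from "fixing" it.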
@@ -0,0 +1,125 @@ +#!/usr/bin/env bats + +load _helpers + +@test "prometheus/ServiceMonitor-server: assertDisabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "prometheus/ServiceMonitor-server: assertEnabled global" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=false' \ + --set 'global.serverTelemetry.prometheusOperator=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "prometheus/ServiceMonitor-server: assertEnabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "prometheus/ServiceMonitor-server: assertScrapeTimeout default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . ) | tee /dev/stderr | + yq -r '.spec.endpoints[0].scrapeTimeout' | tee /dev/stderr) + [ "${actual}" = "10s" ] +} + +@test "prometheus/ServiceMonitor-server: assertScrapeTimeout update" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + --set 'serverTelemetry.serviceMonitor.scrapeTimeout=60s' \ + . 
) | tee /dev/stderr | + yq -r '.spec.endpoints[0].scrapeTimeout' | tee /dev/stderr) + [ "${actual}" = "60s" ] +} + +@test "prometheus/ServiceMonitor-server: assertInterval default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . ) | tee /dev/stderr | + yq -r '.spec.endpoints[0].interval' | tee /dev/stderr) + [ "${actual}" = "30s" ] +} + +@test "prometheus/ServiceMonitor-server: assertInterval update" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + --set 'serverTelemetry.serviceMonitor.interval=60s' \ + . ) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.spec.endpoints[0].interval')" = "60s" ] +} + +@test "prometheus/ServiceMonitor-server: assertSelectors default" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . ) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "5" ] + [ "$(echo "$output" | yq -r '.metadata.labels.release')" = "prometheus" ] +} + +@test "prometheus/ServiceMonitor-server: assertSelectors override" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + --set 'serverTelemetry.serviceMonitor.selectors.baz=qux' \ + --set 'serverTelemetry.serviceMonitor.selectors.bar=foo' \ + . 
) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "6" ] + [ "$(echo "$output" | yq -r '.metadata.labels | has("app")')" = "false" ] + [ "$(echo "$output" | yq -r '.metadata.labels.baz')" = "qux" ] + [ "$(echo "$output" | yq -r '.metadata.labels.bar')" = "foo" ] +} + +@test "prometheus/ServiceMonitor-server: assertEndpoints noTLS" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'global.tlsDisable=true' \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . ) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ] + [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "http" ] +} + +@test "prometheus/ServiceMonitor-server: assertEndpoints TLS" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'global.tlsDisable=false' \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . ) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ] + [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "https" ] +} diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats index bf0a4d858..9d05aeaf1 100755 --- a/test/unit/server-clusterrolebinding.bats +++ b/test/unit/server-clusterrolebinding.bats @@ -65,6 +65,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-clusterrolebinding.yaml \ + --set 'server.enabled=false' \ --set 'injector.externalVaultAddr=http://vault-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index 80e26dd4e..d74e74913 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
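Review bot: The `assertEndpoints TLS` test only checks that the endpoint port is `https` when `global.tlsDisable=false`; it does not pin `scheme` or `tlsConfig`, which is where the security-relevant behaviour lives. If the template leaves `scheme` unset Prometheus scrapes the https port over plain HTTP and the target simply stays down, and if it sets `insecureSkipVerify: true` that weakening should be visible in a test and stated in values.yaml. Add `[ "$(echo "$output" | yq -r '.spec.endpoints[0].scheme')" = "https" ]` plus an assertion on `.spec.endpoints[0].tlsConfig` matching whatever the template renders (the template is not in this hunk).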
@@ -119,7 +119,7 @@ load _helpers
 --show-only templates/server-ha-active-service.yaml \
 --set 'server.ha.enabled=true' \
 --set 'server.service.type=NodePort' \
- --set 'server.service.nodePort=30009' \
+ --set 'server.service.activeNodePort=30009' \
 . | tee /dev/stderr |
 yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
 [ "${actual}" = "30009" ]
@@ -130,7 +130,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-ha-active-service.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.service.nodePort=30009' \
+ --set 'server.service.activeNodePort=30009' \
 . | tee /dev/stderr |
 yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
 [ "${actual}" = "null" ]
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats
index df0f9071e..045560ce9 100755
--- a/test/unit/server-ha-standby-service.bats
+++ b/test/unit/server-ha-standby-service.bats
@@ -130,7 +130,7 @@ load _helpers
 --show-only templates/server-ha-standby-service.yaml \
 --set 'server.ha.enabled=true' \
 --set 'server.service.type=NodePort' \
- --set 'server.service.nodePort=30009' \
+ --set 'server.service.standbyNodePort=30009' \
 . | tee /dev/stderr |
 yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
 [ "${actual}" = "30009" ]
@@ -141,7 +141,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-ha-standby-service.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.service.nodePort=30009' \
+ --set 'server.service.standbyNodePort=30009' \
 . | tee /dev/stderr |
 yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
 [ "${actual}" = "null" ]
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index a240e3dad..549fcb751 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -1723,3 +1723,64 @@ load _helpers yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) [ "${actual}" = '' ] } + +#-------------------------------------------------------------------- +# securityContext + +@test "server/standalone-StatefulSet: default statefulSet.securityContext.pod" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext' | tee /dev/stderr) + [ ! "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: default statefulSet.securityContext.container" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext' | tee /dev/stderr) + [ ! "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: specify statefulSet.securityContext.pod yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.statefulSet.securityContext.pod.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "server/standalone-StatefulSet: specify statefulSet.securityContext.container yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.statefulSet.securityContext.container.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "server/standalone-StatefulSet: specify statefulSet.securityContext.pod yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.statefulSet.securityContext.pod=foo: bar' \ + . 
| tee /dev/stderr |
+ yq -r '.spec.template.spec.securityContext.foo' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
+@test "server/standalone-StatefulSet: specify statefulSet.securityContext.container yaml string" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.statefulSet.securityContext.container=foo: bar' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
diff --git a/values.openshift.yaml b/values.openshift.yaml
index e59bb8677..c932a6897 100644
--- a/values.openshift.yaml
+++ b/values.openshift.yaml
@@ -6,13 +6,13 @@ global:
 injector:
 image:
 repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
- tag: "0.16.0-ubi"
+ tag: "1.0.0-ubi"
 agentImage:
 repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.10.3-ubi"
+ tag: "1.11.3-ubi"
 server:
 image:
 repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.10.3-ubi"
+ tag: "1.11.3-ubi"
diff --git a/values.schema.json b/values.schema.json
index 87a02f803..8ffc62f0f 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -23,6 +23,23 @@
 "providersDir": {
 "type": "string"
 },
+ "securityContext": {
+ "type": "object",
+ "properties": {
+ "container": {
+ "type": [
+ "object",
+ "string"
+ ]
+ },
+ "pod": {
+ "type": [
+ "object",
+ "string"
+ ]
+ }
+ }
+ },
 "updateStrategy": {
 "type": "object",
 "properties": {
@@ -106,6 +123,9 @@
 }
 }
 },
+ "priorityClassName": {
+ "type": "string"
+ },
 "readinessProbe": {
 "type": "object",
 "properties": {
@@ -163,6 +183,9 @@
 "enabled": {
 "type": "boolean"
 },
+ "externalVaultAddr": {
+ "type": "string"
+ },
 "imagePullSecrets": {
 "type": "array"
 },
@@ -336,6 +359,15 @@
 ]
 },
 "objectSelector": {
+ "type": [
+ "object",
+ "string"
+ ]
+ },
+ "podDisruptionBudget": {
+ "type": "object"
+ },
+ "podDisruptionBudget": {
 "type": "object"
 },
 "podDisruptionBudget": {
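Review bot: The two `default statefulSet.securityContext.*` tests only assert that the context is not `null`, so dropping `runAsNonRoot: true` or `allowPrivilegeEscalation: false` from the server defaults would still pass. Pin the documented defaults the way the injector tests in this change do, e.g. `[ "$(echo "$actual" | yq -r .runAsNonRoot)" = "true" ]` on the pod context and `[ "$(echo "$actual" | yq -r .allowPrivilegeEscalation)" = "false" ]` on the container context, and add a `global.openshift=true` case asserting both are empty, since values.yaml in this change says the defaults differ there.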
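Review bot: In the `@@ -336,6 +359,15 @@` hunk of values.schema.json the new side ends up with `"podDisruptionBudget": { "type": "object" },` three times in a row (two added copies followed by the pre-existing context entry), which looks like a merge artifact. Most JSON parsers, including Go's that Helm's schema validation relies on, silently keep the last duplicate, so `helm lint` is unlikely to flag it, but strict JSON tooling will; drop the two added copies and keep only the existing entry.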
@@ -356,6 +388,23 @@ "revokeOnShutdown": { "type": "boolean" }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + }, "service": { "type": "object", "properties": { @@ -367,6 +416,17 @@ } } }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, "strategy": { "type": [ "object", @@ -406,7 +466,10 @@ "type": "object" }, "objectSelector": { - "type": "object" + "type": [ + "object", + "string" + ] }, "timeoutSeconds": { "type": "integer" @@ -572,6 +635,12 @@ "string" ] }, + "clusterAddr": { + "type": [ + "null", + "string" + ] + }, "config": { "type": [ "string", @@ -782,6 +851,9 @@ }, "labels": { "type": "object" + }, + "tls": { + "type": "object" } } }, @@ -806,8 +878,20 @@ "port": { "type": "integer" }, + "publishNotReadyAddresses": { + "type": "boolean" + }, "targetPort": { "type": "integer" + }, + "nodePort": { + "type": "integer" + }, + "activeNodePort": { + "type": "integer" + }, + "standbyNodePort": { + "type": "integer" } } }, @@ -856,6 +940,23 @@ "object", "string" ] + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } } } }, @@ -869,6 +970,13 @@ "string" ] }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, "updateStrategyType": { "type": "string" }, diff --git a/values.yaml b/values.yaml index fcb1be9f2..837cfff00 100644 --- a/values.yaml +++ b/values.yaml 
@@ -4,15 +4,23 @@ global: # enabled is the master enabled switch. Setting this to true or false # will enable or disable all the components within this chart by default. enabled: true + # Image pull secret to use for registry authentication. # Alternatively, the value may be specified as an array of strings. imagePullSecrets: [] # imagePullSecrets: # - name: image-pull-secret + # TLS for end-to-end encrypted transport tlsDisable: true + + # External vault server address for the injector and CSI provider to use. + # Setting this will disable deployment of a vault server. + externalVaultAddr: "" + # If deploying to OpenShift openshift: false + # Create PodSecurityPolicy for pods psp: enable: false @@ -24,6 +32,11 @@ global: seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + serverTelemetry: + # Enable integration with the Prometheus Operator + # See the top level serverTelemetry section below before enabling this feature. + prometheusOperator: false + injector: # True if you want to enable vault agent injection. # @default: global.enabled @@ -43,14 +56,13 @@ injector: metrics: enabled: false - # External vault server address for the injector to use. Setting this will - # disable deployment of a vault server along with the injector. + # Deprecated: Please use global.externalVaultAddr instead. externalVaultAddr: "" # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.16.0" + tag: "1.0.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -58,7 +70,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.10.3" + tag: "1.11.3" # The default values for the injected Vault Agent containers. agentDefaults: 
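Review bot: The new comment `# TLS for end-to-end encrypted transport` sits directly above `tlsDisable: true`, which reads as though TLS is on by default when the value actually turns it off. Suggest `# tlsDisable: when true (the default) the chart assumes the Vault listener speaks plain HTTP; set it to false once the listener "tcp" block serves certificates — the ServiceMonitor added in this change then scrapes the https port.` The `global.externalVaultAddr` comment could likewise state that the address is used as given (scheme included) and whether `tlsDisable` affects it, if that is how the templates treat it (not visible here).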
@@ -91,15 +103,15 @@ injector: # Configures all Vault Agent sidecars to revoke their token when shutting down revokeOnShutdown: false - webhook: + webhook: # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # To block pod creation while the webhook is unavailable, set the policy to `Fail` below. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy # failurePolicy: Ignore - # matchPolicy specifies the approach to accepting changes based on the rules of + # matchPolicy specifies the approach to accepting changes based on the rules of # the MutatingWebhookConfiguration. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy # for more details. @@ -113,7 +125,7 @@ injector: # for more details. # timeoutSeconds: 30 - + # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -132,7 +144,12 @@ injector: # objectSelector: # matchLabels: # vault-sidecar-injector: enabled - objectSelector: {} + objectSelector: | + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - {{ template "vault.name" . }}-agent-injector # Extra annotations to attach to the webhook annotations: {} @@ -170,7 +187,7 @@ injector: # Deprecated: please use 'webhook.annotations' instead # Extra annotations to attach to the webhook webhookAnnotations: {} - + certs: # secretName is the name of the secret that has the TLS certificate and # private key to serve the injector webhook. If this is null, then the 
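Review bot: The new default `objectSelector` with a `NotIn` on `app.kubernetes.io/name` is what keeps the mutating webhook from matching the injector's own pods, but the comment block above it still describes the old empty default and does not warn that overriding the value drops that exclusion. Add something like `# The default excludes the injector's own pods. If you override objectSelector, keep an equivalent NotIn expression; otherwise the injector's pods are routed through its own webhook and, with webhook.failurePolicy: Fail, cannot be (re)created while the webhook is unavailable.`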
@@ -180,7 +197,7 @@ injector: # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA # that signed the TLS certificate that the webhook serves. This must be set - # if secretName is non-null, unless an external service like cert-manager is + # if secretName is non-null unless an external service like cert-manager is # keeping the caBundle updated. caBundle: "" @@ -190,6 +207,21 @@ injector: certName: tls.crt keyName: tls.key + # Security context for the pod template and the injector container + # The default pod securityContext is: + # runAsNonRoot: true + # runAsGroup: {{ .Values.injector.gid | default 1000 }} + # runAsUser: {{ .Values.injector.uid | default 100 }} + # fsGroup: {{ .Values.injector.gid | default 1000 }} + # and for container is + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + securityContext: + pod: {} + container: {} + resources: {} # resources: # requests: @@ -205,7 +237,7 @@ injector: # KUBERNETES_SERVICE_HOST: kubernetes.default.svc # Affinity Settings for injector pods - # This can either be multi-line string or YAML matching the PodSpec's affinity field. + # This can either be a multi-line string or YAML matching the PodSpec's affinity field. # Commenting out or setting as empty the affinity variable, will allow # deployment of multiple replicas to single node services such as Minikube. affinity: | @@ -257,6 +289,10 @@ injector: # Extra annotations to attach to the injector service annotations: {} + # Injector serviceAccount specific config + serviceAccount: + # Extra annotations to attach to the injector serviceAccount + annotations: {} # A disruption budget limits the number of pods of a replicated application # that are down simultaneously from voluntary disruptions podDisruptionBudget: {} @@ -295,7 +331,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.10.3" + tag: "1.11.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent 
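Review bot: The new `injector.securityContext` comment lists the defaults but not what happens once `pod:` or `container:` is set: whether the user-supplied map is merged with or replaces them. The deployment template is not in this hunk so I cannot tell which, but the comment should say, e.g. `# A non-empty pod: or container: map replaces the corresponding default entirely; re-specify runAsNonRoot / allowPrivilegeEscalation when overriding.` if that is how it renders, since silently losing `runAsNonRoot: true` is the likely failure mode.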
@@ -409,7 +445,7 @@ server: extraContainers: null # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers - # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation + # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation shareProcessNamespace: false # extraArgs is a string containing additional Vault server arguments. @@ -559,10 +595,10 @@ server: service: enabled: true # clusterIP controls whether a Cluster IP address is attached to the - # Vault service within Kubernetes. By default the Vault service will + # Vault service within Kubernetes. By default, the Vault service will # be given a Cluster IP address, set to None to disable. When disabled # Kubernetes will create a "headless" service. Headless services can be - # used to communicate with pods directly through DNS instead of a round robin + # used to communicate with pods directly through DNS instead of a round-robin # load balancer. # clusterIP: None @@ -583,9 +619,15 @@ server: # will be random if left blank. #nodePort: 30000 - # If type is set to "LoadBalancer", a specific IP address can be attached - # to the load balancer, will be random if left blank. - #loadBalancerIP: + # When HA mode is enabled + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #activeNodePort: 30001 + + # When HA mode is enabled + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #standbyNodePort: 30002 # Port on which Vault server is listening port: 8200 
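Review bot: Besides adding `activeNodePort`/`standbyNodePort`, the `@@ -583,9 +619,15 @@` hunk deletes the `loadBalancerIP` example (`#loadBalancerIP:` and its two comment lines), which is unrelated to the NodePort change. If the server service template still reads `server.service.loadBalancerIP` (not visible here), keep the example so the option stays discoverable; if the option was removed, say so in the CHANGELOG, since pinned load-balancer addresses are often referenced by firewall rules. The two new comments are also word-for-word identical, so name which service each applies to, e.g. `# nodePort for the active service when HA mode is enabled` and `# nodePort for the standby service when HA mode is enabled`.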
@@ -614,7 +656,7 @@ server: annotations: {} # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized and unsealed, Vault must + # logs. Once Vault is deployed, initialized, and unsealed, Vault must # be configured to use this for audit logs. This will be mounted to # /vault/audit # See https://www.vaultproject.io/docs/audit/index.html to know more @@ -666,6 +708,10 @@ server: tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} } storage "file" { path = "/vault/data" @@ -681,7 +727,13 @@ server: # crypto_key = "vault-helm-unseal-key" #} - # Run Vault in "HA" mode. There are no storage requirements unless audit log + # Example configuration for enabling Prometheus metrics in your config. + #telemetry { + # prometheus_retention_time = "30s", + # disable_hostname = true + #} + + # Run Vault in "HA" mode. There are no storage requirements unless the audit log # persistence is required. In HA mode Vault will configure itself to use Consul # for its storage backend. The default configuration provided will work the Consul # Helm project by default. It is possible to manually configure Vault to use a @@ -722,6 +774,10 @@ server: tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} } storage "raft" { 
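Review bot: The commented `unauthenticated_metrics_access = "true"` example added to the standalone listener block is labelled only as "necessary for Prometheus Operator", with no mention that it makes Vault's internal metrics readable without a token by any client that can reach port 8200. Extend the comment so nobody copies it into production unaware, e.g. `# WARNING: this serves /v1/sys/metrics without authentication to anything that can reach the listener; restrict access with a NetworkPolicy or leave it off and scrape with a Vault token.` The same wording should go on the identical example in the HA `raft` config in the following hunk.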
@@ -763,6 +819,14 @@ server: # crypto_key = "vault-helm-unseal-key" #} + # Example configuration for enabling Prometheus metrics. + # If you are using Prometheus Operator you can enable a ServiceMonitor resource below. + # You may wish to enable unauthenticated metrics in the listener block above. + #telemetry { + # prometheus_retention_time = "30s", + # disable_hostname = true + #} + # A disruption budget limits the number of pods of a replicated application # that are down simultaneously from voluntary disruptions disruptionBudget: @@ -794,8 +858,23 @@ server: # YAML-formatted multi-line templated string map of the annotations to apply # to the statefulSet. annotations: {} - # A boolean flag to setup logrotate as a side car continer - logrotate: null + + # Set the pod and container security contexts. + # If not set, these will default to, and for *not* OpenShift: + # pod: + # runAsNonRoot: true + # runAsGroup: {{ .Values.server.gid | default 1000 }} + # runAsUser: {{ .Values.server.uid | default 100 }} + # fsGroup: {{ .Values.server.gid | default 1000 }} + # container: + # allowPrivilegeEscalation: false + # + # If not set, these will default to, and for OpenShift: + # pod: {} + # container: {} + securityContext: + pod: {} + container: {} # Vault UI ui: @@ -844,7 +923,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.1.0" + tag: "1.2.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered @@ -888,6 +967,10 @@ csi: # Extra labels to attach to the vault-csi-provider daemonSet # This should be a YAML map of the labels to apply to the csi provider daemonSet extraLabels: {} + # security context for the pod template and container in the csi provider daemonSet + securityContext: + pod: {} + container: {} pod: # Extra annotations for the provider pods. This can either be YAML or a 
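Review bot: The new `securityContext:` comment under `statefulSet` in hunk `@@ -794,8 +858,23 @@` lists the defaults applied when `pod` and `container` are empty, but not what happens when a user supplies a partial map — whether a value such as `pod: {fsGroup: 2000}` (constructed example) is merged with `runAsNonRoot: true` or replaces the whole default, which decides whether a small override silently drops the non-root and no-privilege-escalation defaults; the comment should state the rule the template actually implements, which I cannot see from the hunk. The wording `# If not set, these will default to, and for *not* OpenShift:` reads awkwardly; `# If not set, these default to the following (non-OpenShift):` and `# If not set, these default to the following (OpenShift):` say the same thing plainly. The csi hunk `@@ -888,6 +967,10 @@` adds the same `securityContext` keys with a one-line comment and no defaults at all and should document them the same way. This hunk also deletes the fork's `logrotate: null` value; if any template still references `.Values.server.statefulSet.logrotate` it now renders with a nil value, and either way the removal should be called out in the commit message.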
@@ -947,4 +1030,88 @@ csi: debug: false # Pass arbitrary additional arguments to vault-csi-provider. + # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments + # for the available command line flags. extraArgs: [] + +# Vault is able to collect and publish various runtime metrics. +# Enabling this feature requires setting adding `telemetry{}` stanza to +# the Vault configuration. There are a few examples included in the `config` sections above. +# +# For more information see: +# https://www.vaultproject.io/docs/configuration/telemetry +# https://www.vaultproject.io/docs/internals/telemetry +serverTelemetry: + # Enable support for the Prometheus Operator. Currently, this chart does not support + # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included + # in the `listener "tcp"{}` stanza + # telemetry { + # unauthenticated_metrics_access = "true" + # } + # + # See the `standalone.config` for a more complete example of this. + # + # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration: + # + # example: + # telemetry { + # prometheus_retention_time = "30s", + # disable_hostname = true + # } + # + # Configuration for monitoring the Vault server. + serviceMonitor: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + # + # Instructions on how to install the Helm chart can be found here: + # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack + # More information can be found here: + # https://github.com/prometheus-operator/prometheus-operator + # https://github.com/prometheus-operator/kube-prometheus + + # Enable deployment of the Vault Server ServiceMonitor CustomResource. + enabled: false + + # Selector labels to add to the ServiceMonitor. 
+ # When empty, defaults to: + # release: prometheus + selectors: {} + + # Interval at which Prometheus scrapes metrics + interval: 30s + + # Timeout for Prometheus scrapes + scrapeTimeout: 10s + + prometheusRules: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + + # Deploy the PrometheusRule custom resource for AlertManager based alerts. + # Requires that AlertManager is properly deployed. + enabled: false + + # Selector labels to add to the PrometheusRules. + # When empty, defaults to: + # release: prometheus + selectors: {} + + # Some example rules. + rules: {} + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 500ms on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 + # for: 5m + # labels: + # severity: warning + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 1s on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 + # for: 5m + # labels: + # severity: critical From da146703f68166953212fa97edce25dd39142684 Mon Sep 17 00:00:00 2001 
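Review bot: `prometheusRules.rules: {}` defaults to a mapping while the commented example directly below it is a sequence of `- alert:` entries, so a user who uncomments the example changes the value's type; unless the template accepts both, the default should be `rules: []` (or the example rewritten as a map) and the values schema should match. The two example alerts share the name `vault-HighResponseTime`, which makes them hard to tell apart once they fire; the second could be `vault-VeryHighResponseTime`. The expressions also hard-code `namespace="mynamespace"`, which should be marked as a placeholder to replace. In the `serverTelemetry` header comment, `requires setting adding` should read `requires adding a`.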
From: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Date: Thu, 17 Aug 2023 15:28:39 -0400 Subject: [PATCH 31/31] DATAGO-59809: Upgrade vault to 1.12.1 (#20) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). 
Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unncessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additonal call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidently. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) * Fix CSI acceptance tests (#728) * Update minimum required helm version in readme (#730) Co-authored-by: Tom Proctor * Restore missing 'vault' service account (#737) Our tutorials rely on this service account being present even if we are using an external Vault. The `values.yaml` also states that external Vaults are expected to use this service account. 
For example, https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault * Set default object selector for webhooks to exclude injector itself (#736) Set default object selector for webhooks to exclude injector itself If `injector.failurePolicy` is set to `Fail`, there is a race condition where if the mutating webhook config is setup before the injector, then the injector can fail to start because it tries to inject itself. We can work around this by ignoring the injector pod in in the webhook by default. Thanks to @joeyslalom for the object selector to exclude the pod. Fixes https://github.com/hashicorp/vault-k8s/issues/258 * Prepare for release 0.20.1 (#739) Prepare for release 0.20.1 Improvements: * `vault-k8s` updated to 0.16.1 CHANGES: * `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737) * Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736) Co-authored-by: Theron Voran * Mention minimum helm version in changelog (#742) Also add a features section to 0.20.0 * Start testing against Kubernetes 1.24 (#744) Start testing against Kubernetes 1.24 Update .github/workflows/acceptance.yaml Remove skip csi Co-authored-by: Theron Voran * Update .helmignore (#732) Review .helmignore file, ignore CI in chart * Set VAULT_ADDR env var for CSI Provider pods (#745) * Support to add annotations in injector serviceaccount (#753) * changelog++ (#757) * jira-sync: transition to "Closed" not "Close" (#758) * Add support for nodePort for active and standby services (#610) * Feat/adding pod and container security context (#750) Allow the injector's pod- and container-level securityContext to be fully specified by the user, via new options `injector.securityContext.pod` and `injector.securityContext.container` with 
more complete defaults. Deprecates `injector.uid` and `injector.gid`. If `injector.uid` or `injector.gid` are set by the user, the old pod securityContext settings will be used. Otherwise the new defaults and settings are used. Co-authored-by: Theron Voran * Changelog and schema update for active/standby node port (#761) * Changelog and schema update for active/standby node port Follow-up to https://github.com/hashicorp/vault-helm/pull/610 * changelog++ and json schema update (#762) Changelog updates for #750, and json schema update. * Update jira sync (#768) * csi/server.statefulset: custom security context (#767) csi/server.statefulset: custom security context This adds flexibility to have custom pod template and container `securityContext` and preserves current default values and behavior. Fixes https://github.com/hashicorp/vault-helm/issues/663. This also is a way to address https://github.com/hashicorp/vault-helm/pull/599 so that people can specify, for example, the CSI to run in a privileged container for OpenShift. This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750 and builds on the same principles. Side note: I am not able to run `helm schema-gen` since it is unmaintained and does not work with M1 Macs. * Prepare for 0.21.0 release (#771) Prepare for 0.21.0 release CHANGES: * `vault-k8s` updated to 0.17.0. (this) * `vault-csi-provider` updated to 1.2.0 (this) * `vault` updated to 1.11.2 (this) * Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) * Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. 
[GH-745](https://github.com/hashicorp/vault-helm/pull/745) Features: * server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) * Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) * DOC: Minor typos fixes (#669) Co-authored-by: Tom Proctor * update values comments for server.securityContext (#778) Since container is empty for openshift. * CI: run acceptance tests on push to any (#781) * Add support for the Prometheus Operator (#772) support collecting Vault server metrics by deploying PrometheusOperator CustomResources. 
Co-authored-by: Sam Weston Co-authored-by: Theron Voran * Update vault-k8s to 1.0.0 (#784) Update vault-k8s to 1.0.0 Also update Kubernetes versions tested against, including adding 1.25 Update consul in tests for Kubernetes 1.25 support * Prepare for 0.22.0 release (#785) Prepare for 0.21.1 release * Update Vault to 1.11.3 * Add server.hostNetwork option (#775) * [COMPLIANCE] Add MPL 2.0 LICENSE (#800) Co-authored-by: hashicorp-copywrite[bot] * Prepare to release to 0.22.1 (#803) * Prepare to release to 0.22.1 * Revert chart verifier update for now * Remove unused jobs from CircleCI config * Fix CircleCI config (#804) * Fix CircleCI config * Add manual trigger option * Add extraLabels for Vault server serviceAccount (#806) * Quote `.server.ha.clusterAddr` value (#810) * Support selectively disabling active/standby services and service discovery role (#811) * server: Allow disabling the instance selector for services (#813) * Prepare for 0.23.0 release (#814) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in 
readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests 
using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. 
* changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error with file * minor changes * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * 
changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore 
port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. 
See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * Datago 30304/upgrading vault to 1.9.2 (#14) * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. 
Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. 
* add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Update to 0.4.0 * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add 
volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based 
tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. 
* changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error with file * minor changes * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add 
csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add 
default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. 
See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * changed value to use tag 1.9.6 Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. 
Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 * feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16) * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. 
Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image 
to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unncessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additonal call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidently. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * DATAGO-59401: Upgrading vault to 1.11.x (#18) * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. 
Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image 
to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unncessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additonal call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidently. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) * Fix CSI acceptance tests (#728) * Update minimum required helm version in readme (#730) Co-authored-by: Tom Proctor * Restore missing 'vault' service account (#737) Our tutorials rely on this service account being present even if we are using an external Vault. The `values.yaml` also states that external Vaults are expected to use this service account. 
For example, https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault * Set default object selector for webhooks to exclude injector itself (#736) Set default object selector for webhooks to exclude injector itself If `injector.failurePolicy` is set to `Fail`, there is a race condition where if the mutating webhook config is setup before the injector, then the injector can fail to start because it tries to inject itself. We can work around this by ignoring the injector pod in in the webhook by default. Thanks to @joeyslalom for the object selector to exclude the pod. Fixes https://github.com/hashicorp/vault-k8s/issues/258 * Prepare for release 0.20.1 (#739) Prepare for release 0.20.1 Improvements: * `vault-k8s` updated to 0.16.1 CHANGES: * `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737) * Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736) Co-authored-by: Theron Voran * Mention minimum helm version in changelog (#742) Also add a features section to 0.20.0 * Start testing against Kubernetes 1.24 (#744) Start testing against Kubernetes 1.24 Update .github/workflows/acceptance.yaml Remove skip csi Co-authored-by: Theron Voran * Update .helmignore (#732) Review .helmignore file, ignore CI in chart * Set VAULT_ADDR env var for CSI Provider pods (#745) * Support to add annotations in injector serviceaccount (#753) * changelog++ (#757) * jira-sync: transition to "Closed" not "Close" (#758) * Add support for nodePort for active and standby services (#610) * Feat/adding pod and container security context (#750) Allow the injector's pod- and container-level securityContext to be fully specified by the user, via new options `injector.securityContext.pod` and `injector.securityContext.container` with 
more complete defaults. Deprecates `injector.uid` and `injector.gid`. If `injector.uid` or `injector.gid` are set by the user, the old pod securityContext settings will be used. Otherwise the new defaults and settings are used. Co-authored-by: Theron Voran * Changelog and schema update for active/standby node port (#761) * Changelog and schema update for active/standby node port Follow-up to https://github.com/hashicorp/vault-helm/pull/610 * changelog++ and json schema update (#762) Changelog updates for #750, and json schema update. * Update jira sync (#768) * csi/server.statefulset: custom security context (#767) csi/server.statefulset: custom security context This adds flexibility to have custom pod template and container `securityContext` and preserves current default values and behavior. Fixes https://github.com/hashicorp/vault-helm/issues/663. This also is a way to address https://github.com/hashicorp/vault-helm/pull/599 so that people can specify, for example, the CSI to run in a privileged container for OpenShift. This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750 and builds on the same principles. Side note: I am not able to run `helm schema-gen` since it is unmaintained and does not work with M1 Macs. * Prepare for 0.21.0 release (#771) Prepare for 0.21.0 release CHANGES: * `vault-k8s` updated to 0.17.0. (this) * `vault-csi-provider` updated to 1.2.0 (this) * `vault` updated to 1.11.2 (this) * Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) * Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. 
[GH-745](https://github.com/hashicorp/vault-helm/pull/745) Features: * server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) * Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) * DOC: Minor typos fixes (#669) Co-authored-by: Tom Proctor * update values comments for server.securityContext (#778) Since container is empty for openshift. * CI: run acceptance tests on push to any (#781) * Add support for the Prometheus Operator (#772) support collecting Vault server metrics by deploying PrometheusOperator CustomResources. 
Co-authored-by: Sam Weston Co-authored-by: Theron Voran * Update vault-k8s to 1.0.0 (#784) Update vault-k8s to 1.0.0 Also update Kubernetes versions tested against, including adding 1.25 Update consul in tests for Kubernetes 1.25 support * Prepare for 0.22.0 release (#785) Prepare for 0.21.1 release * Update Vault to 1.11.3 * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable 
tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. 
* changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. 
* Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. * changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error 
with file * minor changes * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason 
O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. 
v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. 
Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. * changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * Datago 30304/upgrading vault to 1.9.2 (#14) * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github 
workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. 
* add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Update to 0.4.0 * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add 
volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based 
tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. 
* changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error with file * minor changes * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add 
csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add 
default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. 
See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * changed value to use tag 1.9.6 Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. 
Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 * feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16) * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. 
Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image 
to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unnecessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additional call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidentally. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * chore(59401): Upgrade vault to 1.11.x --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Aleksey Co-authored-by: Bruno Padilha <1850071+brunopadz@users.noreply.github.com> Co-authored-by: Jack Halford Co-authored-by: ChrisFraun Co-authored-by: Alex Khaerov Co-authored-by: Sam Weston Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 Co-authored-by: Adhish Maheswaran <36574103+adhish2001@users.noreply.github.com> --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Aleksey Co-authored-by: Bruno Padilha <1850071+brunopadz@users.noreply.github.com> Co-authored-by: Jack Halford Co-authored-by: ChrisFraun Co-authored-by: Alex Khaerov Co-authored-by: Sam Weston Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: hashicorp-copywrite[bot] Co-authored-by: Aleksandr Titov <26012167+AleksandrTitov@users.noreply.github.com> Co-authored-by: Steven Kriegler <61625851+justusbunsi@users.noreply.github.com> Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: 
Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 Co-authored-by: Adhish Maheswaran <36574103+adhish2001@users.noreply.github.com> Co-authored-by: xiaocongji <85846543+xiaocongji@users.noreply.github.com> --- .circleci/config.yml | 76 +++++-------------- .github/workflows/acceptance.yaml | 8 +- .../workflows/setup-test-tools/action.yaml | 8 +- .github/workflows/tests.yaml | 8 +- CHANGELOG.md | 21 +++++ Chart.yaml | 4 +- LICENSE.md => LICENSE | 2 + Makefile | 1 - templates/server-discovery-role.yaml | 2 +- templates/server-discovery-rolebinding.yaml | 2 +- templates/server-ha-active-service.yaml | 4 + templates/server-ha-standby-service.yaml | 6 +- templates/server-service.yaml | 2 + templates/server-serviceaccount.yaml | 3 + templates/server-statefulset.yaml | 5 +- test/acceptance/server-ha-enterprise-dr.bats | 4 +- .../acceptance/server-ha-enterprise-perf.bats | 4 +- test/unit/server-discovery-role.bats | 41 ++++++++++ test/unit/server-discovery-rolebinding.bats | 41 ++++++++++ test/unit/server-ha-active-service.bats | 30 ++++++++ test/unit/server-ha-standby-service.bats | 30 ++++++++ test/unit/server-ha-statefulset.bats | 16 ++++ test/unit/server-headless-service.bats | 18 +++++ test/unit/server-service.bats | 17 +++++ test/unit/server-serviceaccount.bats | 10 +++ test/unit/server-statefulset.bats | 22 ++++++ test/unit/ui-service.bats | 1 - values.openshift.yaml | 6 +- values.schema.json | 41 +++++++++- values.yaml | 33 ++++++-- 30 files changed, 376 insertions(+), 90 deletions(-) rename LICENSE.md => LICENSE (99%) create mode 100755 test/unit/server-discovery-role.bats create mode 100755 test/unit/server-discovery-rolebinding.bats diff --git a/.circleci/config.yml b/.circleci/config.yml index 7582bdc21..ca48a33d4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -3,68 +3,19 @@ orbs: slack: circleci/slack@3.4.2 jobs: - bats-unit-test: - docker: - # This image is built from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 - steps: - - checkout - - run: bats ./test/unit -t - - chart-verifier: - docker: - - image: docker.mirror.hashicorp.services/cimg/go:1.16 - environment: - BATS_VERSION: "1.3.0" - CHART_VERIFIER_VERSION: "1.2.1" - steps: - - checkout - - run: - name: install chart-verifier - command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - - run: - name: install bats - command: | - curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz - tar -zxf /tmp/bats.tgz -C /tmp - sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local - - run: - name: run chart-verifier tests - command: bats ./test/chart -t - - acceptance: - docker: - # This image is build from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 - - steps: - - checkout - - run: - name: terraform init & apply - command: | - echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json - export GOOGLE_CREDENTIALS=vault-helm-test.json - make provision-cluster - - run: - name: Run acceptance tests - command: bats ./test/acceptance -t - - - run: - name: terraform destroy - command: | - export GOOGLE_CREDENTIALS=vault-helm-test.json - make destroy-cluster - when: always update-helm-charts-index: docker: - - image: docker.mirror.hashicorp.services/circleci/golang:1.15.3 + - image: docker.mirror.hashicorp.services/cimg/go:1.19.2 steps: - checkout - run: name: verify Chart version matches tag version + environment: + RELEASE_TAG: << pipeline.parameters.release-tag >> command: | - GO111MODULE=on go get github.com/mikefarah/yq/v2 - git_tag=$(echo "${CIRCLE_TAG#v}") + go install github.com/mikefarah/yq/v2@latest + export TAG=${RELEASE_TAG:-$CIRCLE_TAG} + 
git_tag=$(echo "${TAG#v}") chart_tag=$(yq r Chart.yaml version) if [ "${git_tag}" != "${chart_tag}" ]; then echo "chart version (${chart_tag}) did not match git version (${git_tag})" @@ -72,17 +23,25 @@ jobs: fi - run: name: update helm-charts index + environment: + RELEASE_TAG: << pipeline.parameters.release-tag >> command: | curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \ -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${RELEASE_TAG:-$CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}" +parameters: + release-tag: + type: string + default: "" + description: "The tag to release, including v, e.g. v0.22.1" + workflows: version: 2 # Note: unit and acceptance tests are now being run in GitHub Actions @@ -95,3 +54,8 @@ workflows: only: /^v.*/ branches: ignore: /.*/ + manual-trigger-update-helm-charts-index: + when: << pipeline.parameters.release-tag >> + jobs: + - update-helm-charts-index: + context: helm-charts-trigger-vault diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 042bfd1d5..648616b35 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml 
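Review bot: `go install github.com/mikefarah/yq/v2@latest` in the rewritten "verify Chart version matches tag version" step pulls whatever the newest v2 build is at release time, so the tool that gates a release is not reproducible and a bad or compromised upstream publish lands straight in the pipeline; the replaced `go get` line had the same weakness, but the rewrite is the moment to fix it. Pin it to an explicit tag, `go install github.com/mikefarah/yq/v2@<PINNED_TAG>`, so the release job runs the same binary every time. The added `export TAG=${RELEASE_TAG:-$CIRCLE_TAG}` is fine as written because `RELEASE_TAG` arrives through `environment:` rather than being spliced into the script text. The step body continues past the hunk, so the mismatch branch's exit is not visible here.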
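Review bot: In the "update helm-charts index" step the new `SOURCE_TAG` value `${RELEASE_TAG:-$CIRCLE_TAG}` is shell-expanded directly inside a hand-built JSON body, and `release-tag` is a free-form pipeline parameter. The only thing constraining it is the equality check against Chart.yaml in the preceding step (its failure exit lies outside the hunks, so I assume it is non-zero), which is an indirect guard for a value that ends up in a request authenticated with `CIRCLE_TOKEN`. I'd enforce the shape explicitly before use, `[[ "${RELEASE_TAG:-$CIRCLE_TAG}" =~ ^v[0-9]+(\.[0-9]+)*$ ]] || exit 1`, or build the body with a JSON-aware tool so the parameter cannot break the quoting. The new `release-tag` parameter description already states the expected `v`-prefixed form, so the check only enforces what is documented.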
@@ -7,19 +7,19 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.13, 1.23.10, 1.24.4, 1.25.0] + kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@v1.2.0 + uses: helm/kind-action@v1.4.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.14.0 + version: v0.16.0 - run: bats --tap --timing ./test/acceptance env: diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml index 3fa285416..8c69e3db8 100644 --- a/.github/workflows/setup-test-tools/action.yaml +++ b/.github/workflows/setup-test-tools/action.yaml @@ -6,13 +6,15 @@ runs: steps: - uses: actions/setup-node@v2 with: - node-version: '14' + node-version: '16' - run: npm install -g bats@${BATS_VERSION} shell: bash env: - BATS_VERSION: '1.5.0' + BATS_VERSION: '1.8.2' - run: bats -v shell: bash - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 + with: + python-version: '3.10' - run: pip install yq shell: bash diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 53a1f039e..bcabd1d64 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -6,7 +6,7 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: ./.github/workflows/setup-test-tools - run: bats --tap --timing ./test/unit 
@@ -15,11 +15,11 @@ jobs: env: CHART_VERIFIER_VERSION: '1.2.1' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: - go-version: '1.17.4' + go-version: '1.19.2' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - run: bats --tap --timing ./test/chart diff --git a/CHANGELOG.md b/CHANGELOG.md index aa0e4b734..631553f81 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,26 @@ ## Unreleased +## 0.23.0 (November 28th, 2022) + +Changes: +* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) + +Features: +* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) +* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813) + +Bugs: +* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) + +## 0.22.1 (October 26th, 2022) + +Changes: +* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) +* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) ## 0.22.0 (September 8th, 2022) 
diff --git a/Chart.yaml b/Chart.yaml index 4289e6c7d..f42a831e4 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.22.0 -appVersion: 1.11.3 +version: 0.23.0 +appVersion: 1.12.1 kubeVersion: ">= 1.16.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/LICENSE.md b/LICENSE similarity index 99% rename from LICENSE.md rename to LICENSE index 82b4de97c..74f38c010 100644 --- a/LICENSE.md +++ b/LICENSE @@ -1,3 +1,5 @@ +Copyright (c) 2018 HashiCorp, Inc. + Mozilla Public License, version 2.0 1. Definitions diff --git a/Makefile b/Makefile index afa801370..e423f3529 100644 --- a/Makefile +++ b/Makefile @@ -4,7 +4,6 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats ACCEPTANCE_TESTS?=acceptance - # filter bats unit tests to run. UNIT_TESTS_FILTER?='.*' diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 9ca23dd4c..4dba09df1 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,7 +1,7 @@ {{ template "vault.mode" . }} -{{- if ne .mode "external" }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 6e22e4c2b..280ec6ca2 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,7 +1,7 @@ {{ template "vault.mode" . }} -{{- if ne .mode "external" }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} 
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index ef212376d..7def2a0e8 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -3,6 +3,7 @@ {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.active.enabled | toString) "true" }} # Service for active Vault pod apiVersion: v1 kind: Service @@ -38,9 +39,12 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server vault-active: "true" {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index e6d66af84..50fca4bc1 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -3,6 +3,7 @@ {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.standby.enabled | toString) "true" }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -37,9 +38,12 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server vault-active: "false" {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 68207a2db..e4aee81de 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml 
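Review bot: With `server.service.instanceSelector.enabled` false, the selector in the second server-ha-active-service.yaml hunk drops `app.kubernetes.io/instance`, so any pod in the namespace carrying `app.kubernetes.io/name`, `component: server` and `vault-active: "true"` becomes an endpoint of the active Vault service, including pods from another release or any workload that sets those labels; the standby hunk below it and the server-service.yaml hunk on the next line have the same effect. That is the documented intent, but it moves the trust boundary of the Vault endpoint from "this release" to "anything in the namespace allowed to set pod labels", and nothing in the templates says so. I'd add a template comment above each new `if`, `# instanceSelector.enabled=false selects on name/component labels only; any pod in the namespace with matching labels receives Vault traffic`, and repeat the sentence in the values.yaml description of the option (that file's hunk is not in this chunk). Pointing operators at whatever RBAC or admission policy bounds who can label pods is what makes the option safe to use.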
@@ -41,7 +41,9 @@ spec:
 targetPort: 8201
 selector:
 app.kubernetes.io/name: {{ include "vault.name" . }}
+ {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
 component: server
 {{- end }}
 {{- end }}
diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml
index c0d32d190..580a95375 100644
--- a/templates/server-serviceaccount.yaml
+++ b/templates/server-serviceaccount.yaml
@@ -10,5 +10,8 @@ metadata:
 app.kubernetes.io/name: {{ include "vault.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- if .Values.server.serviceAccount.extraLabels -}}
+ {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
+ {{- end -}}
 {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index afc48d695..a4ec05a28 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -49,6 +49,9 @@ spec:
 shareProcessNamespace: true
 {{ end }}
 {{- template "server.statefulSet.securityContext.pod" . }}
+ {{- if not .Values.global.openshift }}
+ hostNetwork: {{ .Values.server.hostNetwork }}
+ {{- end }}
 volumes:
 {{ template "vault.volumes" . }}
 - name: home
@@ -102,7 +105,7 @@ spec:
 fieldPath: metadata.name
 - name: VAULT_CLUSTER_ADDR
 {{- if .Values.server.ha.clusterAddr }}
- value: {{ .Values.server.ha.clusterAddr }}
+ value: {{ .Values.server.ha.clusterAddr | quote }}
 {{- else }}
 value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
 {{- end }}
diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats
index f09bbb1fc..11effe99c 100644
--- a/test/acceptance/server-ha-enterprise-dr.bats
+++ b/test/acceptance/server-ha-enterprise-dr.bats
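Review bot: The trailing dashes on `{{- toYaml ... | nindent 4 -}}` and `{{- end -}}` in server-serviceaccount.yaml chomp the newline and indent that precede `{{ template "vault.serviceAccount.annotations" . }}`, so the rendered metadata stays valid YAML only if that helper starts its own output with a newline; the helper is not in this diff, and the new unit test in this commit checks `metadata.labels.foo` alone, with no annotations set. Either drop the trailing dashes — `{{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 }}` and `{{- end }}` — which is how `nindent` is normally paired, or add a test that sets both `server.serviceAccount.extraLabels.foo=bar` and a `server.serviceAccount.annotations` entry and asserts both keys render. Because `extraLabels` is passed through verbatim, a comment in values.yaml noting that keys and values must satisfy the Kubernetes label syntax (else the apply is rejected) would save a round-trip to the API server error.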
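Review bot: `hostNetwork: {{ .Values.server.hostNetwork }}` in server-statefulset.yaml is added without a matching `dnsPolicy`, and a pod on the host network keeps the node's resolver under the default `ClusterFirst` policy, so the default `VAULT_CLUSTER_ADDR` of `https://$(HOSTNAME).<fullname>-internal:8201` rendered in the second hunk may no longer resolve unless the chart sets `dnsPolicy` elsewhere in the pod spec, which starts and ends outside this hunk. If it does not, pair the flag with the policy inside the existing `not .Values.global.openshift` block: `{{- if .Values.server.hostNetwork }}` / `dnsPolicy: ClusterFirstWithHostNet` / `{{- end }}`. A comment on the block should also record that `hostNetwork: true` binds the Vault listener ports on the node's own interfaces, is disallowed by the Pod Security "baseline" and "restricted" levels, and is silently ignored when `global.openshift` is set — none of which the one-line values.yaml comment in this commit mentions.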
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 8b5c1be30..7eaf0ccf0 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats new file mode 100755 index 000000000..11473a081 --- /dev/null +++ b/test/unit/server-discovery-role.bats 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/DiscoveryRole: enabled by default with ha" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DiscoveryRole: can disable with server.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.enabled=false' \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/DiscoveryRole: can disable with server.serviceAccount.serviceDiscovery.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.serviceAccount.serviceDiscovery.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats new file mode 100755 index 000000000..568c24072 --- /dev/null +++ b/test/unit/server-discovery-rolebinding.bats 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/DiscoveryRoleBinding: enabled by default with ha" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DiscoveryRoleBinding: can disable with server.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.enabled=false' \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/DiscoveryRoleBinding: can disable with server.serviceAccount.serviceDiscovery.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.serviceAccount.serviceDiscovery.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index d74e74913..d78f5d457 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
@@ -35,6 +35,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-active-Service: disable with server.service.active.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=true' \ + --set 'server.service.active.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/ha-active-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ @@ -214,3 +226,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ha-active-Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 045560ce9..669831411 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats 
@@ -46,6 +46,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-standby-Service: disable with server.service.standby.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=true' \ + --set 'server.service.standby.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/ha-standby-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ @@ -225,3 +237,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ha-standby-Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 342fa433d..06a0ca0a0 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -476,6 +476,22 @@ load _helpers [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] } +@test "server/ha-StatefulSet: clusterAddr gets quoted" { + cd `chart_dir` + local customUrl='http://$(HOSTNAME).release-name-vault-internal:8201' + local rendered=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set "server.ha.clusterAddr=${customUrl}" \ + . | tee /dev/stderr | \ + grep -F "${customUrl}" | tee /dev/stderr) + +local value=$(echo $rendered | + yq -Y '.' | tee /dev/stderr) + [ "${value}" = 'value: "http://$(HOSTNAME).release-name-vault-internal:8201"' ] +} + #-------------------------------------------------------------------- # VAULT_RAFT_NODE_ID renders diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 4e2d13537..0794d0e49 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats @@ -17,3 +17,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/headless-Service: instance selector cannot be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] +} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 5208f6e30..70a544598 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
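Review bot: In the new `clusterAddr gets quoted` test, `local value=$(echo $rendered |` sits at column 0 inside the test body and expands `$rendered` unquoted, so the assertion appears to pass only because `$IFS` word-splitting strips the leading indentation of the grepped `value:` line before `yq -Y '.'` sees it. Indent the line and make the normalisation explicit, e.g. `  local value=$(echo "${rendered}" | sed 's/^ *//' |` followed by the existing `yq -Y '.' | tee /dev/stderr)`, so the test does not depend on shell splitting behaviour. The `customUrl` fixture uses `http://` while the template default uses `https://`; that is fine for a quoting test, but a one-line comment saying the scheme is irrelevant here would stop a reader from assuming the chart ever defaults to plain HTTP.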
@@ -431,3 +431,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index fbc2b94bf..2c826032e 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -117,3 +117,13 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/serviceAccount: specify server.serviceAccount.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 549fcb751..6206e115e 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -1784,3 +1784,25 @@ load _helpers yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +#-------------------------------------------------------------------- +# hostNetwork + +@test "server/StatefulSet: server.hostNetwork not set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/StatefulSet: server.hostNetwork is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.hostNetwork=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index f73bbce3f..384098f89 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -385,4 +385,3 @@ load _helpers [ "${actual}" = "null" ] } - diff --git a/values.openshift.yaml b/values.openshift.yaml index c932a6897..02985ed39 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.0.0-ubi" + tag: "1.1.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.11.3-ubi" + tag: "1.12.1-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.11.3-ubi" + tag: "1.12.1-ubi" diff --git a/values.schema.json b/values.schema.json index 8ffc62f0f..d953b82f8 100644 --- a/values.schema.json +++ b/values.schema.json @@ -370,9 +370,6 @@ "podDisruptionBudget": { "type": "object" }, - "podDisruptionBudget": { - "type": "object" - }, "port": { "type": "integer" }, 
@@ -860,6 +857,14 @@ "service": { "type": "object", "properties": { + "active": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "annotations": { "type": [ "object", @@ -875,12 +880,28 @@ "externalTrafficPolicy": { "type": "string" }, + "instanceSelector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "port": { "type": "integer" }, "publishNotReadyAddresses": { "type": "boolean" }, + "standby": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "targetPort": { "type": "integer" }, @@ -907,8 +928,19 @@ "create": { "type": "boolean" }, + "extraLabels": { + "type": "object" + }, "name": { "type": "string" + }, + "serviceDiscovery": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } } } }, @@ -991,6 +1023,9 @@ "null", "array" ] + }, + "hostNetwork": { + "type": "boolean" } } }, diff --git a/values.yaml b/values.yaml index 837cfff00..f6769794c 100644 --- a/values.yaml +++ b/values.yaml @@ -62,7 +62,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.0.0" + tag: "1.1.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -70,7 +70,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.11.3" + tag: "1.12.1" # The default values for the injected Vault Agent containers. agentDefaults: @@ -125,7 +125,6 @@ injector: # for more details. # timeoutSeconds: 30 - # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -331,7 +330,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.11.3" + tag: "1.12.1" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent 
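Review bot: The new `extraLabels` schema entry in values.schema.json (third hunk, `@@ -907,8 +928,19 @@`) is typed only as `"object"`, yet the values.yaml text in this commit says it must be a map of labels, and Kubernetes accepts only string label values; `--set 'server.serviceAccount.extraLabels.foo=1'` would pass the schema, render `foo: 1` via `toYaml`, and fail at apply time. Constraining it to `"extraLabels": { "type": "object", "additionalProperties": { "type": "string" } }` turns that into a lint-time error with a clear message. The same `"type": "object"` shape is used for `active`, `standby`, `instanceSelector` and `serviceDiscovery`, but those already nest an explicit `enabled` boolean, so no change is needed there.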
@@ -594,6 +593,19 @@ server: # Enables a headless service to be used by the Vault Statefulset service: enabled: true + # Enable or disable the vault-active service, which selects Vault pods that + # have labelled themselves as the cluster leader with `vault-active: "true"` + active: + enabled: true + # Enable or disable the vault-standby service, which selects Vault pods that + # have labelled themselves as a cluster follower with `vault-active: "false"` + standby: + enabled: true + # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` + # When disabled, services may select Vault pods not deployed from the chart. + # Does not affect the headless vault-internal service with `ClusterIP: None` + instanceSelector: + enabled: true # clusterIP controls whether a Cluster IP address is attached to the # Vault service within Kubernetes. By default, the Vault service will # be given a Cluster IP address, set to None to disable. When disabled @@ -849,6 +861,14 @@ server: # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. annotations: {} + # Extra labels to attach to the serviceAccount + # This should be a YAML map of the labels to apply to the serviceAccount + extraLabels: {} + # Enable or disable a service account role binding with the permissions required for + # Vault's Kubernetes service_registration config option. + # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes + serviceDiscovery: + enabled: true # A boolean flag to setup logrotate as a side car continer logrotate: null @@ -876,6 +896,9 @@ server: pod: {} container: {} + # Should the server pods run on the host network + hostNetwork: false + # Vault UI ui: # True if you want to create a Service entry for the Vault UI. 
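Review bot: The comment on the new `hostNetwork: false` key (`# Should the server pods run on the host network`) says nothing about what the setting does to the deployment, and it omits that server-statefulset.yaml in this same commit renders the field only when `global.openshift` is false, so the value is silently ignored on OpenShift. Suggested wording: `# Run the server pods in the node's network namespace. Exposes the Vault listener ports on the node's interfaces, is disallowed by the Pod Security "baseline" and "restricted" levels, and is ignored when global.openshift is true.` In the `serviceAccount` hunk, `# Enable or disable a service account role binding with the permissions required for` understates what is gated — both a Role and a RoleBinding are conditional in this commit — so `# Enable or disable the Role and RoleBinding that grant the service account the permissions required for` is more accurate.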
@@ -923,7 +946,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.2.0" + tag: "1.2.1" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered