diff --git a/.circleci/config.yml b/.circleci/config.yml index ca48a33d4..f4344171d 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + version: 2.1 orbs: slack: circleci/slack@3.4.2 @@ -21,17 +24,24 @@ jobs: echo "chart version (${chart_tag}) did not match git version (${git_tag})" exit 1 fi + - run: + name: install gh tool + command: | + version="2.22.1" + curl --show-error --silent --location --output "gh.tar.gz" "https://github.com/cli/cli/releases/download/v${version}/gh_${version}_linux_amd64.tar.gz" + tar -xvzf gh.tar.gz && mkdir -p bin && mv "gh_${version}_linux_amd64/bin/gh" bin/ + - run: name: update helm-charts index environment: RELEASE_TAG: << pipeline.parameters.release-tag >> command: | - curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \ - -X POST \ - -H 'Content-Type: application/json' \ - -H 'Accept: application/json' \ - -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${RELEASE_TAG:-$CIRCLE_TAG}\"}}" \ - "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" + export GITHUB_TOKEN="${HELM_CHARTS_GITHUB_TOKEN}" + ./bin/gh workflow run publish-charts.yml \ + --repo hashicorp/helm-charts \ + --ref main \ + -f SOURCE_TAG="${CIRCLE_TAG}" \ + -f SOURCE_REPO="${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}" - slack/status: fail_only: true failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}" diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index b24b36b2c..746c03c5f 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + contact_links: - name: Ask a question url: https://discuss.hashicorp.com/c/vault 
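Review bot: The new `./bin/gh workflow run` call passes `-f SOURCE_TAG="${CIRCLE_TAG}"`, dropping the `${RELEASE_TAG:-$CIRCLE_TAG}` fallback the removed curl body used, even though the step still sets `RELEASE_TAG: << pipeline.parameters.release-tag >>` in its unchanged `environment:` block; if the release-tag pipeline parameter is still meant to be honoured this should read `-f SOURCE_TAG="${RELEASE_TAG:-$CIRCLE_TAG}"`, otherwise the now-dead `environment:` entry should go too. The `install gh tool` step downloads the pinned 2.22.1 tarball over HTTPS but never checks its integrity before the binary runs with `HELM_CHARTS_GITHUB_TOKEN` exported into its environment; comparing `gh.tar.gz` against the checksums file published with each gh release (or against a hash vendored into this config) before the `tar` step would close that gap. `tar -xvzf` could also drop the `v` to keep the job log quiet.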
diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 648616b35..e3c28e3f7 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -7,19 +7,19 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] + kind-k8s-version: [1.22.17, 1.23.17, 1.24.12, 1.25.8, 1.26.3] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@v1.4.0 + uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.16.0 + version: v0.17.0 - run: bats --tap --timing ./test/acceptance env: diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index fc03b2188..ad6237c51 100644 --- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml @@ -1,3 +1,4 @@ +name: Jira Sync on: issues: types: [opened, closed, deleted, reopened] 
@@ -5,68 +6,12 @@ on: types: [opened, closed, reopened] issue_comment: # Also triggers when commenting on a PR from the conversation view types: [created] - -name: Jira Sync - jobs: sync: - runs-on: ubuntu-latest - name: Jira sync - steps: - - name: Login - uses: atlassian/gajira-login@v2.0.0 - env: - JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} - JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} - JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} - - - name: Preprocess - if: github.event.action == 'opened' || github.event.action == 'created' - id: preprocess - run: | - if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then - echo "::set-output name=type::PR" - else - echo "::set-output name=type::ISS" - fi - - - name: Create ticket - if: github.event.action == 'opened' - uses: tomhjp/gh-action-jira-create@v0.2.0 - with: - project: VAULT - issuetype: "GH Issue" - summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}" - description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_" - # customfield_10089 is Issue Link custom field - # customfield_10091 is team custom field - extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "foundations"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}' - - - name: Search - if: github.event.action != 'opened' - id: search - uses: tomhjp/gh-action-jira-search@v0.2.1 - with: - # cf[10089] is Issue Link custom field - jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' - - - name: Sync comment - if: github.event.action == 'created' && 
steps.search.outputs.issue - uses: tomhjp/gh-action-jira-comment@v0.2.0 - with: - issue: ${{ steps.search.outputs.issue }} - comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}" - - - name: Close ticket - if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue - uses: atlassian/gajira-transition@v2.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: Closed - - - name: Reopen ticket - if: github.event.action == 'reopened' && steps.search.outputs.issue - uses: atlassian/gajira-transition@v2.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: "Pending Triage" + uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main + secrets: + JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} + JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} + JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} + with: + teams-array: '["ecosystem", "foundations"]' diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml index 8c69e3db8..7683deb7d 100644 --- a/.github/workflows/setup-test-tools/action.yaml +++ b/.github/workflows/setup-test-tools/action.yaml @@ -4,7 +4,7 @@ description: Install bats and python-yq runs: using: "composite" steps: - - uses: actions/setup-node@v2 + - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: '16' - run: npm install -g bats@${BATS_VERSION} @@ -13,7 +13,7 @@ runs: BATS_VERSION: '1.8.2' - run: bats -v shell: bash - - uses: actions/setup-python@v4 + - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0 with: python-version: '3.10' - run: pip install yq diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index bcabd1d64..5bfd153ae 100644 
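Review bot: `uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main` references the reusable workflow by a mutable branch while forwarding three Jira secrets to it, so any push to that branch silently changes what runs with those credentials; the other workflows in this commit pin actions to a full commit SHA with a version comment, and this call should follow the same convention, e.g. `uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@<commit-sha> # <tag>` (placeholders). A one-line comment above `uses:` noting that the sync logic now lives in that repo and must be bumped deliberately would also help, since none of the removed steps remain here for reference.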
--- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -6,19 +6,19 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - uses: ./.github/workflows/setup-test-tools - run: bats --tap --timing ./test/unit chart-verifier: runs-on: ubuntu-latest env: - CHART_VERIFIER_VERSION: '1.2.1' + CHART_VERIFIER_VERSION: '1.10.1' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@v3 + - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.19.2' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} diff --git a/CHANGELOG.md b/CHANGELOG.md index 631553f81..788803eb7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,17 @@ ## Unreleased +## 0.24.0 (April 6, 2023) + +Changes: +* Earliest Kubernetes version tested is now 1.22 +* `vault` updated to 1.13.1 + +Features: +* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) +* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831) +* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) +* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + ## 0.23.0 (November 28th, 2022) Changes: diff --git a/Chart.yaml b/Chart.yaml index f42a831e4..a4f7485d5 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -1,8 +1,11 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + apiVersion: v2 name: vault -version: 0.23.0 -appVersion: 1.12.1 -kubeVersion: ">= 1.16.0-0" +version: 0.24.0 +appVersion: 1.13.1 +kubeVersion: ">= 1.22.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png @@ -12,3 +15,5 @@ sources: - https://github.com/hashicorp/vault-helm - https://github.com/hashicorp/vault-k8s - https://github.com/hashicorp/vault-csi-provider +annotations: + charts.openshift.io/name: HashiCorp Vault diff --git a/Makefile b/Makefile index e423f3529..560022064 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ LOCAL_ACCEPTANCE_TESTS?=false KIND_CLUSTER_NAME?=vault-helm # kind k8s version -KIND_K8S_VERSION?=v1.25.0 +KIND_K8S_VERSION?=v1.26.3 # Generate json schema for chart values. See test/README.md for more details. values-schema: diff --git a/README.md b/README.md index 1c8959607..2cffb757d 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ this README. Please refer to the Kubernetes and Helm documentation. The versions required are: * **Helm 3.6+** - * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index bcc6496c0..aca803d6d 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to 
@@ -59,7 +64,7 @@ Compute if the server is enabled. {{- end -}} {{/* -Compute if the server auth delegator serviceaccount is enabled. +Compute if the server serviceaccount is enabled. */}} {{- define "vault.serverServiceAccountEnabled" -}} {{- $_ := set . "serverServiceAccountEnabled" @@ -783,6 +788,16 @@ Sets the container resources if the user has set any. {{ end }} {{- end -}} +{{/* +Sets the container resources for CSI's Agent sidecar if the user has set any. +*/}} +{{- define "csi.agent.resources" -}} + {{- if .Values.csi.agent.resources -}} + resources: +{{ toYaml .Values.csi.agent.resources | indent 12}} + {{ end }} +{{- end -}} + {{/* Sets extra CSI daemonset annotations */}} diff --git a/templates/csi-agent-configmap.yaml b/templates/csi-agent-configmap.yaml new file mode 100644 index 000000000..cb373f833 --- /dev/null +++ b/templates/csi-agent-configmap.yaml @@ -0,0 +1,29 @@ +{{- template "vault.csiEnabled" . -}} +{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + config.hcl: | + vault { + {{- if .Values.global.externalVaultAddr }} + "address" = "{{ .Values.global.externalVaultAddr }}" + {{- else }} + "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}" + {{- end }} + } + + cache {} + + listener "unix" { + address = "/var/run/vault/agent.sock" + tls_disable = true + } +{{- end }} diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml index ec6a3d2b9..6d979ea40 100644 --- a/templates/csi-clusterrole.yaml 
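Review bot: Inside the `vault { ... }` stanza of the new `config.hcl` the attribute is written as `"address" = ...` on both branches of the `externalVaultAddr` conditional, while the `listener "unix"` block below uses bare `address = ...`; HCL accepts both, but the quoted form reads like a map key and looks like a typo, so `address = "{{ .Values.global.externalVaultAddr }}"` (and the same on the else branch) would keep the file consistent. The config also declares `cache {}` with no `auto_auth` stanza, so the agent presumably relies on the provider presenting its own Vault token on each request through the socket; a short comment above `cache {}` confirming that this is intended, and that the socket under `/var/run/vault` is only shared with the provider container, would save the next reader from guessing.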
+++ b/templates/csi-clusterrole.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml index d5b62a5f0..d5a934688 100644 --- a/templates/csi-clusterrolebinding.yaml +++ b/templates/csi-clusterrolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index d131aac5f..4a53599fd 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: apps/v1 @@ -50,7 +55,23 @@ spec: - --endpoint=/provider/vault.sock - --debug={{ .Values.csi.debug }} {{- if .Values.csi.extraArgs }} - {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- end }} + env: + - name: VAULT_ADDR + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + value: "unix:///var/run/vault/agent.sock" + {{- else if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + {{- end }} + env: + - name: VAULT_ADDR + {{- if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} {{- end }} env: - name: VAULT_ADDR 
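Review bot: After the `{{- end }}` that closes the `extraArgs` block, the new side carries three `env:` keys for the same container: the added block that switches `VAULT_ADDR` to `unix:///var/run/vault/agent.sock` when `csi.agent.enabled` is true, a second added `env:` block with only the `externalVaultAddr`/in-cluster branches, and then the unchanged context `env:` / `- name: VAULT_ADDR` that follows. Duplicate mapping keys in the rendered manifest are either rejected or collapsed to the last value depending on the YAML loader, so the agent-socket branch may never take effect; only the first added block (agent socket, then `externalVaultAddr`, then the service address) should remain and the second added block plus the original trailing block should be removed. A unit test that renders the DaemonSet with `csi.agent.enabled=true` and asserts a single `VAULT_ADDR` entry equal to the socket address would catch this.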
@@ -62,9 +83,10 @@ spec: volumeMounts: - name: providervol mountPath: "/provider" - - name: mountpoint-dir - mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods - mountPropagation: HostToContainer + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-unix-socket + mountPath: /var/run/vault + {{- end }} {{- if .Values.csi.volumeMounts }} {{- toYaml .Values.csi.volumeMounts | nindent 12}} {{- end }} 
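Review bot: The `mountpoint-dir` mount of `{{ .Values.csi.daemonSet.kubeletRootDir }}/pods` (a `hostPath` with `mountPropagation: HostToContainer`) is removed here and its volume in the following hunk, which is a welcome reduction of the provider's host access, but the CHANGELOG entry in this commit does not mention it; an upgrade note such as `* csi: The kubelet pods directory is no longer mounted into the provider container` would help operators who relied on it. If `csi.daemonSet.kubeletRootDir` now has no remaining references (values.yaml is not in this diff, so I can't confirm), it should be marked deprecated there rather than left as a silent no-op.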
@@ -86,15 +108,57 @@ spec: periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: {{ include "vault.name" . }}-agent + image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" + imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} + {{ template "csi.agent.resources" . }} + command: + - vault + args: + - agent + - -config=/etc/vault/config.hcl + {{- if .Values.csi.agent.extraArgs }} + {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }} + {{- end }} + ports: + - containerPort: 8200 + env: + - name: VAULT_LOG_LEVEL + value: "{{ .Values.csi.agent.logLevel }}" + - name: VAULT_LOG_FORMAT + value: "{{ .Values.csi.agent.logFormat }}" + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 100 + runAsGroup: 1000 + volumeMounts: + - name: agent-config + mountPath: /etc/vault/config.hcl + subPath: config.hcl + readOnly: true + - name: agent-unix-socket + mountPath: /var/run/vault + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12 }} + {{- end }} + {{- end }} volumes: - name: providervol hostPath: path: {{ .Values.csi.daemonSet.providersDir }} - - name: mountpoint-dir - hostPath: - path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods - {{- if .Values.csi.volumes }} - {{- toYaml .Values.csi.volumes | nindent 8}} - {{- end }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-config + configMap: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + - name: agent-unix-socket + emptyDir: + medium: Memory + {{- end }} + {{- if .Values.csi.volumes }} + {{- toYaml .Values.csi.volumes | nindent 8}} + {{- end }} {{- include "imagePullSecrets" . | nindent 6 }} {{- end }} 
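Review bot: The new agent sidecar mounts `.Values.csi.volumeMounts` into its own container (the `{{- if .Values.csi.volumeMounts }}` block right after `agent-unix-socket`), the same list the provider container consumes in the hunk above, so any extra mount a user adds for the provider also lands in the agent; if that is intentional, for example to share a CA bundle, say so with `# csi.volumeMounts are mounted into both the provider and the agent containers` next to that block, otherwise a dedicated `csi.agent.volumeMounts` value would be cleaner. The sidecar also declares `ports: - containerPort: 8200` although the agent config added in this commit only opens the unix listener; the entry is informational in Kubernetes but misleading here and can be dropped. The `securityContext` hardening (non-root, `allowPrivilegeEscalation: false`, read-only root filesystem) and the `medium: Memory` emptyDir for the socket look right.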
diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml
index 8d6fa5329..25e123ee9 100644
--- a/templates/csi-serviceaccount.yaml
+++ b/templates/csi-serviceaccount.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
 apiVersion: v1
diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml
index e88685b5e..3e5ddb7b9 100644
--- a/templates/injector-certs-secret.yaml
+++ b/templates/injector-certs-secret.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml
index 6a0d6be1a..d5682dd76 100644
--- a/templates/injector-clusterrole.yaml
+++ b/templates/injector-clusterrole.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml
index 4c193f8a2..9253e4f0a 100644
--- a/templates/injector-clusterrolebinding.yaml
+++ b/templates/injector-clusterrolebinding.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index e69ba72ef..e51c11c22 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 # Deployment for the injector
@@ -125,21 +130,37 @@ spec: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 + failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }} readinessProbe: httpGet: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 + failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }} + startupProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }} + successThreshold: {{ .Values.injector.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} +{{- if .Values.injector.certs.secretName }} + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true +{{- end }} {{- if .Values.injector.certs.secretName }} volumes: - name: webhook-certs diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml index b44fd7300..6ae714bae 100644 
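Review bot: The new `startupProbe` polls the same `/health/ready` endpoint as the liveness and readiness probes, and because Kubernetes disables the other probes until the startup probe succeeds, `livenessProbe.initialDelaySeconds` (still templated a few lines above) becomes largely redundant now that `startupProbe` is rendered unconditionally; a comment above `startupProbe:` such as `# gates the liveness/readiness probes until the injector is up; tune via injector.startupProbe in values.yaml` would make the interaction explicit. Since all three blocks are always emitted, upgrades pick up whatever `injector.startupProbe.*` defaults values.yaml sets (not visible in this diff); worth confirming the default `failureThreshold * periodSeconds` budget is generous enough that a slow start does not turn into restarts.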
--- a/templates/injector-disruptionbudget.yaml +++ b/templates/injector-disruptionbudget.yaml @@ -1,5 +1,10 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if .Values.injector.podDisruptionBudget }} -apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }}-agent-injector diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index 3d3fd3678..d03cd136d 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml index 68892d23b..4c3b08782 100644 --- a/templates/injector-network-policy.yaml +++ b/templates/injector-network-policy.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.openshift | toString) "true" }} diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 5d23c7556..65d8e9ba9 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index 4f6b0a851..48a3a26a2 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml 
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if eq (.Values.global.psp.enable | toString) "true" }}
diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml
index 1eee2fcd0..0eca9a87c 100644
--- a/templates/injector-psp.yaml
+++ b/templates/injector-psp.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if eq (.Values.global.psp.enable | toString) "true" }}
diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml
index 08c8264cc..df7b0ed74 100644
--- a/templates/injector-role.yaml
+++ b/templates/injector-role.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml
index ea0db11b9..0848e43d8 100644
--- a/templates/injector-rolebinding.yaml
+++ b/templates/injector-rolebinding.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml
index 5e747d6f1..5b2069286 100644
--- a/templates/injector-service.yaml
+++ b/templates/injector-service.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: v1
diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index d1919b936..9b5c2f6ed 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: v1 diff --git a/templates/prometheus-prometheusrules.yaml b/templates/prometheus-prometheusrules.yaml index 572f1a05a..7e58a0e52 100644 --- a/templates/prometheus-prometheusrules.yaml +++ b/templates/prometheus-prometheusrules.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ if and (.Values.serverTelemetry.prometheusRules.rules) (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) ) }} diff --git a/templates/prometheus-servicemonitor.yaml b/templates/prometheus-servicemonitor.yaml index 323e51fb9..60f2729a0 100644 --- a/templates/prometheus-servicemonitor.yaml +++ b/templates/prometheus-servicemonitor.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} --- diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index 8cdd61143..b694129b5 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.serverAuthDelegator" . }} {{- if .serverAuthDelegator -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index f40c69608..5d29e98d6 100644 --- a/templates/server-config-configmap.yaml 
+++ b/templates/server-config-configmap.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 4dba09df1..adae42a2b 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 280ec6ca2..853ee870c 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index d940fa4da..3ff11099b 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -1,10 +1,15 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" -}} {{- if .serverEnabled -}} {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. -apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 7def2a0e8..58d540fd5 100644 --- a/templates/server-ha-active-service.yaml 
+++ b/templates/server-ha-active-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 50fca4bc1..b9f643586 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index b03f491e3..c4eca7af7 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index c81e5f5ce..3aba66885 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if not .Values.global.openshift }} {{ template "vault.mode" . }} {{- if ne .mode "external" }} @@ -12,13 +17,7 @@ {{- $servicePort := .Values.server.service.port -}} {{- $pathType := .Values.server.ingress.pathType -}} {{- $kubeVersion := .Capabilities.KubeVersion.Version }} -{{ if semverCompare ">= 1.19.0-0" $kubeVersion }} apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end }} kind: Ingress metadata: name: {{ template "vault.fullname" . }} 
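Review bot: With the `semverCompare ">= 1.19.0-0" $kubeVersion` branches removed here and in the `pathType`/`backend` hunk that follows, the `{{- $kubeVersion := .Capabilities.KubeVersion.Version }}` assignment kept as context just above `apiVersion: networking.k8s.io/v1` no longer has any reader; Go templates do not flag unused variables, so it is now dead code and that line should be deleted along with the rest of the version gating.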
@@ -56,22 +55,15 @@ spec: {{- end }} {{- range (.paths | default (list "/")) }} - path: {{ . }} - {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} pathType: {{ $pathType }} - {{ end }} backend: - {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} service: name: {{ $serviceName }} port: number: {{ $servicePort }} - {{ else }} - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{ end }} {{- end }} {{- end }} {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml index 5f4c21a4b..62d4ae1ac 100644 --- a/templates/server-network-policy.yaml +++ b/templates/server-network-policy.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index b8eb897e5..0c8c983ea 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index fded9fbc6..9b975d556 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index d210af351..567e66245 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml 
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} diff --git a/templates/server-route.yaml b/templates/server-route.yaml index e122d936b..3f35aefe2 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if .Values.global.openshift }} {{- if ne .mode "external" }} {{- if .Values.server.route.enabled -}} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index e4aee81de..647b7d350 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 580a95375..e154f8dc2 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.serverServiceAccountEnabled" . }} {{- if .serverServiceAccountEnabled -}} apiVersion: v1 diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index a4ec05a28..7ab7de8e2 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if ne .mode "" }} 
@@ -143,12 +148,15 @@ spec: name: https-internal - containerPort: 8202 name: {{ include "vault.scheme" . }}-rep + {{- if .Values.server.extraPorts -}} + {{ toYaml .Values.server.extraPorts | nindent 12}} + {{- end }} {{- if .Values.server.readinessProbe.enabled }} readinessProbe: {{- if .Values.server.readinessProbe.path }} httpGet: path: {{ .Values.server.readinessProbe.path | quote }} - port: 8200 + port: {{ .Values.server.readinessProbe.port }} scheme: {{ include "vault.scheme" . | upper }} {{- else }} # Check status; unsealed vault servers return 0 @@ -169,7 +177,7 @@ spec: livenessProbe: httpGet: path: {{ .Values.server.livenessProbe.path | quote }} - port: 8200 + port: {{ .Values.server.livenessProbe.port }} scheme: {{ include "vault.scheme" . | upper }} failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index 56dbee78c..59b150109 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index d45afdda4..4b2e8f7e4 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.uiEnabled" . -}} diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index db8b05145..490cdeb29 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash 
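Review bot: `port: {{ .Values.server.readinessProbe.port }}` in the `@@ -143,12 +148,15 @@` hunk, and the liveness equivalent in `@@ -169,7 +177,7 @@`, render as a bare `port:` (null, an invalid probe) whenever the key is absent; that is safe only if values.yaml, which is not in this diff, now carries a default for both. A fallback keeps the previous behaviour for users with older values files: `port: {{ .Values.server.readinessProbe.port | default 8200 }}` and `port: {{ .Values.server.livenessProbe.port | default 8200 }}`. Minor: `{{ toYaml .Values.server.extraPorts | nindent 12}}` is missing the space before `}}` that every other action in the file has.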
@@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # name_prefix returns the prefix of the resources within Kubernetes. name_prefix() { printf "vault" diff --git a/test/acceptance/csi-test/nginx.yaml b/test/acceptance/csi-test/nginx.yaml index fed1137f7..2fd86032a 100644 --- a/test/acceptance/csi-test/nginx.yaml +++ b/test/acceptance/csi-test/nginx.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: ServiceAccount diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml index e793bde64..d52fab1bc 100644 --- a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml @@ -1,5 +1,8 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # The "Hello World" Vault SecretProviderClass -apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 +apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: vault-kv @@ -7,7 +10,6 @@ spec: provider: vault parameters: roleName: "kv-role" - vaultAddress: http://vault:8200 objects: | - objectName: "bar" secretPath: "secret/data/kv1" diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/vault-policy.hcl index 48b670ea7..07bb74972 100644 --- a/test/acceptance/csi-test/vault-policy.hcl +++ b/test/acceptance/csi-test/vault-policy.hcl @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + path "secret/data/kv1" { capabilities = ["read"] } \ No newline at end of file diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index 84742d5d0..c617b8068 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats 
@@ -16,20 +16,28 @@ check_skip_csi() { kubectl create namespace acceptance # Install Secrets Store CSI driver - CSI_DRIVER_VERSION=1.0.0 - helm install secrets-store-csi-driver secrets-store-csi-driver --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ - --version="${CSI_DRIVER_VERSION}" + # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly + # so we can see Agent's cache working. + CSI_DRIVER_VERSION=1.3.2 + helm install secrets-store-csi-driver secrets-store-csi-driver \ + --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ + --version=$CSI_DRIVER_VERSION \ --wait --timeout=5m \ --namespace=acceptance \ --set linux.image.pullPolicy="IfNotPresent" \ - --set syncSecret.enabled=true + --set tokenRequests[0].audience="vault" \ + --set enableSecretRotation=true \ + --set rotationPollInterval=5s # Install Vault and Vault provider helm install vault \ --wait --timeout=5m \ --namespace=acceptance \ --set="server.dev.enabled=true" \ --set="csi.enabled=true" \ - --set="injector.enabled=false" . + --set="csi.debug=true" \ + --set="csi.agent.logLevel=debug" \ + --set="injector.enabled=false" \ + . kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider 
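Review bot: `--set tokenRequests[0].audience="vault"` leaves `[0]` unquoted, and `[...]` is a glob in bash, so the word is subject to pathname expansion; the quotes that were on `--version="${CSI_DRIVER_VERSION}"` were also dropped in the rewrite. Quoting the whole argument, as the `--set="..."` lines for the vault install below already do, avoids both: `--set 'tokenRequests[0].audience=vault' \` and `--version="${CSI_DRIVER_VERSION}" \`. The enclosing `@test` starts before this hunk.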
@@ -37,10 +45,7 @@ check_skip_csi() { cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy - kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ - token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ - kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - disable_iss_validation=true' + kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ bound_service_account_names=nginx \ bound_service_account_namespaces=acceptance \ @@ -54,6 +59,22 @@ check_skip_csi() { result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) [[ "$result" == "hello1" ]] + + for i in $(seq 10); do + sleep 2 + if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "returning cached response: path=/v1/auth/kubernetes/login")" ]; then + echo "Agent returned a cached login response" + return + fi + + echo "Waiting for a cached response from Agent..." + done + + # Print the logs and fail the test + echo "Failed to find a log for a cached Agent response" + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider + exit 1 } # Clean up diff --git a/test/acceptance/injector-test/bootstrap.sh b/test/acceptance/injector-test/bootstrap.sh index d738fd28d..96f161710 100755 --- a/test/acceptance/injector-test/bootstrap.sh +++ b/test/acceptance/injector-test/bootstrap.sh 
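Review bot: With `token_reviewer_jwt`, `kubernetes_ca_cert` and `disable_iss_validation` removed, the `auth/kubernetes/config` write relies on Vault using its own service-account token and the mounted cluster CA for TokenReview, which only works if the server's service account holds the auth-delegator binding (presumably provided by the chart, but not visible here). That dependency is worth stating next to the command, e.g. `# Only kubernetes_host is set: Vault uses its own SA token and the pod's mounted CA for TokenReview, which needs the chart's auth-delegator ClusterRoleBinding`. The enclosing `@test` starts before this hunk.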
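Review bot: The loop in the `@@ -54,6 +59,22 @@` hunk captures the entire agent log into a command substitution only to test it for non-emptiness; `grep -q` in the condition is clearer and avoids the capture: `if kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep -q "returning cached response: path=/v1/auth/kubernetes/login"; then`. The two `kubectl logs` commands in the failure path are the same command with a different `-c`; a short helper would keep them in sync with the one in the loop. The enclosing `@test` starts before this hunk.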
@@ -1,4 +1,7 @@ #!/bin/sh +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + OUTPUT=/tmp/output.txt diff --git a/test/acceptance/injector-test/job.yaml b/test/acceptance/injector-test/job.yaml index d665383c7..50a3b5f89 100644 --- a/test/acceptance/injector-test/job.yaml +++ b/test/acceptance/injector-test/job.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: ServiceAccount diff --git a/test/acceptance/injector-test/pg-deployment.yaml b/test/acceptance/injector-test/pg-deployment.yaml index caf8605d2..cacc99411 100644 --- a/test/acceptance/injector-test/pg-deployment.yaml +++ b/test/acceptance/injector-test/pg-deployment.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: Service diff --git a/test/acceptance/injector-test/pgdump-policy.hcl b/test/acceptance/injector-test/pgdump-policy.hcl index 88a6cd66a..60da677b1 100644 --- a/test/acceptance/injector-test/pgdump-policy.hcl +++ b/test/acceptance/injector-test/pgdump-policy.hcl @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + path "database/creds/db-backup" { capabilities = ["read"] } diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 11effe99c..911cf8dfe 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
@@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 7eaf0ccf0..c63f76368 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-test/annotations-overrides.yaml b/test/acceptance/server-test/annotations-overrides.yaml index 459576a97..5aba0f9f0 100644 --- a/test/acceptance/server-test/annotations-overrides.yaml +++ b/test/acceptance/server-test/annotations-overrides.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + server: annotations: | environment: production diff --git a/test/acceptance/server-test/telemetry.yaml b/test/acceptance/server-test/telemetry.yaml index 2925bc8f7..557008425 100644 --- a/test/acceptance/server-test/telemetry.yaml 
+++ b/test/acceptance/server-test/telemetry.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + server: standalone: config: | @@ -18,7 +21,7 @@ server: } telemetry { - prometheus_retention_time = "30s", + prometheus_retention_time = "30s" disable_hostname = true } diff --git a/test/chart/_helpers.bash b/test/chart/_helpers.bash index fb9db31da..4d2465750 100644 --- a/test/chart/_helpers.bash +++ b/test/chart/_helpers.bash @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # chart_dir returns the directory for the chart chart_dir() { echo ${BATS_TEST_DIRNAME}/../.. diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index 63c793951..6d35f690a 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -6,9 +6,9 @@ setup_file() { cd `chart_dir` export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" export CHART_VOLUME=vault-helm-chart-src - local IMAGE="quay.io/redhat-certification/chart-verifier:1.2.1" + local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1" # chart-verifier requires an openshift version if a cluster isn't available - local OPENSHIFT_VERSION="4.8" + local OPENSHIFT_VERSION="4.12" local DISABLED_TESTS="chart-testing" local run_cmd="chart-verifier" @@ -40,7 +40,7 @@ teardown_file() { } @test "has-kubeversion" { - check_result v1.0/has-kubeversion + check_result v1.1/has-kubeversion } @test "is-helm-v3" { @@ -76,10 +76,19 @@ teardown_file() { } @test "images-are-certified" { - check_result v1.0/images-are-certified + check_result v1.1/images-are-certified +} + +@test "required-annotations-present" { + check_result v1.0/required-annotations-present } @test "chart-testing" { skip "Skipping since this test requires a kubernetes/openshift cluster" check_result v1.0/chart-testing } + +@test "signature-is-valid" { + skip "Chart is not signed : Signature verification not required" + check_result v1.0/signature-is-valid +} 
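Review bot: In the `@@ -6,9 +6,9 @@` hunk of verifier.bats the verifier image is still referenced by a mutable tag, `chart-verifier:1.10.1`, so the compliance run is not reproducible and a re-pushed tag changes what is executed. Pinning the digest alongside the tag fixes that without losing readability: `local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1@sha256:<DIGEST_PLACEHOLDER>"` (placeholder, to be replaced with the real digest). The rest of `setup_file` is outside the hunk.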
diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile index 98afeace2..472a97acd 100644 --- a/test/docker/Test.dockerfile +++ b/test/docker/Test.dockerfile @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # This Dockerfile installs all the dependencies necessary to run the unit and # acceptance tests. This image also contains gcloud so you can run tests # against a GKE cluster easily. diff --git a/test/kind/config.yaml b/test/kind/config.yaml index 8b18a3a5f..5fef18a8c 100644 --- a/test/kind/config.yaml +++ b/test/kind/config.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: diff --git a/test/terraform/main.tf b/test/terraform/main.tf index 5c3570f27..d1de1a2e0 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + provider "google" { project = "${var.project}" } diff --git a/test/terraform/outputs.tf b/test/terraform/outputs.tf index 6435d2b78..3793987a3 100644 --- a/test/terraform/outputs.tf +++ b/test/terraform/outputs.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + output "cluster_id" { value = "${google_container_cluster.cluster.id}" } diff --git a/test/terraform/variables.tf b/test/terraform/variables.tf index 971af4e59..df4832b66 100644 --- a/test/terraform/variables.tf +++ b/test/terraform/variables.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + variable "project" { default = "vault-helm-dev-246514" diff --git a/test/unit/_helpers.bash b/test/unit/_helpers.bash index 530b66e8c..5f8a94dfc 100644 --- a/test/unit/_helpers.bash +++ b/test/unit/_helpers.bash 
@@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # chart_dir returns the directory for the chart chart_dir() { echo ${BATS_TEST_DIRNAME}/../.. diff --git a/test/unit/csi-agent-configmap.bats b/test/unit/csi-agent-configmap.bats new file mode 100644 index 000000000..4ae4a30b8 --- /dev/null +++ b/test/unit/csi-agent-configmap.bats @@ -0,0 +1,45 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/Agent-ConfigMap: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-agent-configmap.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/Agent-ConfigMap: name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-csi-provider-agent-config" ] +} + +@test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --release-name not-external-test \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . | tee /dev/stderr | + yq -r '.data["config.hcl"]' | tee /dev/stderr) + echo "${actual}" | grep "http://not-external-test-vault.default.svc:8200" +} + +@test "csi/Agent-ConfigMap: Vault addr correctly set for externalVaultAddr" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --set 'global.externalVaultAddr=http://vault-outside' \ + . | tee /dev/stderr | + yq -r '.data["config.hcl"]' | tee /dev/stderr) + echo "${actual}" | grep "http://vault-outside" +} \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 59c08f248..b6752619d 100644 
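Review bot: `echo "${actual}" | grep "http://not-external-test-vault.default.svc:8200"` in the new csi-agent-configmap.bats uses a regex match for a literal URL, so each `.` matches any character; `grep -F` (or `-Fq`, since the output is only needed for the exit status) states the intent: `echo "${actual}" | grep -F "http://not-external-test-vault.default.svc:8200"`, and the same for the `http://vault-outside` test. The new file is also the only one in this commit without the `# Copyright (c) HashiCorp, Inc.` / SPDX header, and it ends without a trailing newline.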
--- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -88,24 +88,32 @@ load _helpers } # Image -@test "csi/daemonset: image is configurable" { +@test "csi/daemonset: images are configurable" { cd `chart_dir` - local actual=$(helm template \ + local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set "csi.enabled=true" \ - --set "csi.image.repository=SomeOtherImage" \ + --set "csi.image.repository=Image1" \ --set "csi.image.tag=0.0.1" \ + --set "csi.image.pullPolicy=PullPolicy1" \ + --set "csi.agent.image.repository=Image2" \ + --set "csi.agent.image.tag=0.0.2" \ + --set "csi.agent.image.pullPolicy=PullPolicy2" \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "SomeOtherImage:0.0.1" ] + yq -r '.spec.template.spec.containers' | tee /dev/stderr) - local actual=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set "csi.enabled=true" \ - --set "csi.image.pullPolicy=SomePullPolicy" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr) - [ "${actual}" = "SomePullPolicy" ] + local actual=$(echo $object | + yq -r '.[0].image' | tee /dev/stderr) + [ "${actual}" = "Image1:0.0.1" ] + local actual=$(echo $object | + yq -r '.[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "PullPolicy1" ] + local actual=$(echo $object | + yq -r '.[1].image' | tee /dev/stderr) + [ "${actual}" = "Image2:0.0.2" ] + local actual=$(echo $object | + yq -r '.[1].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "PullPolicy2" ] } @test "csi/daemonset: Custom imagePullSecrets" { 
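Review bot: The rewritten `images are configurable` test asserts on `.[0]` and `.[1]`, so it silently depends on the provider container preceding the agent sidecar; the `@@ -587,11 +564,39 @@` and `@@ -671,3 +677,93 @@` hunks use the same positional indexing for `containers[0]`/`containers[1]`. Selecting by name fails with a clear message if the order changes, e.g. `yq -r '.[] | select(.name=="vault-agent") | .image'` (assuming `vault-agent` / `vault-csi-provider` are the template's container names, as the `-c` flags in csi.bats suggest).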
@@ -402,21 +410,6 @@ load _helpers [ "${actual}" = "/etc/kubernetes/secrets-store-csi-providers" ] } -@test "csi/daemonset: csi kubeletRootDir default" { - cd `chart_dir` - - # Test that it defines it - local object=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "mountpoint-dir")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.hostPath.path' | tee /dev/stderr) - [ "${actual}" = "/var/lib/kubelet/pods" ] -} - @test "csi/daemonset: csi providersDir override " { cd `chart_dir` @@ -433,22 +426,6 @@ load _helpers [ "${actual}" = "/alt/csi-prov-dir" ] } -@test "csi/daemonset: csi kubeletRootDir override" { - cd `chart_dir` - - # Test that it defines it - local object=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - --set 'csi.daemonSet.kubeletRootDir=/alt/kubelet-root' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "mountpoint-dir")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.hostPath.path' | tee /dev/stderr) - [ "${actual}" = "/alt/kubelet-root/pods" ] -} - #-------------------------------------------------------------------- # volumeMounts 
@@ -587,11 +564,39 @@ load _helpers [ "${actual}" = "14" ] } +@test "csi/daemonset: VAULT_ADDR defaults to Agent unix socket" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "unix:///var/run/vault/agent.sock" ] +} + +@test "csi/daemonset: VAULT_ADDR remains pointed to Agent unix socket if external Vault" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'global.externalVaultAddr=http://vault-outside' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "unix:///var/run/vault/agent.sock" ] +} + @test "csi/daemonset: with only injector.externalVaultAddr" { cd `chart_dir` local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ + --set 'csi.agent.enabled=false' \ --release-name not-external-test \ --set 'injector.externalVaultAddr=http://vault-outside' \ . | tee /dev/stderr | @@ -607,6 +612,7 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ + --set 'csi.agent.enabled=false' \ --set 'global.externalVaultAddr=http://vault-outside' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) 
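Review bot: The two existing `externalVaultAddr` tests gain `--set 'csi.agent.enabled=false'` without saying why, and the new `remains pointed to Agent unix socket if external Vault` test is the only hint that `VAULT_ADDR` follows the external address solely when the sidecar is off. A one-line comment above each added `--set` keeps that from looking like an accidental change: `# VAULT_ADDR only follows externalVaultAddr when the Agent sidecar is disabled`.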
@@ -671,3 +677,93 @@ load _helpers yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +#-------------------------------------------------------------------- +# Agent sidecar configurables + +@test "csi/daemonset: Agent sidecar enabled by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers | length' | tee /dev/stderr) + [ "${actual}" = "2" ] +} + +@test "csi/daemonset: Agent sidecar can pass extra args" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.extraArgs[0]=-config=extra-config.hcl' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].args[2]' | tee /dev/stderr) + [ "${actual}" = "-config=extra-config.hcl" ] +} + +@test "csi/daemonset: Agent log level settable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.logLevel=error' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "error" ] +} + +@test "csi/daemonset: Agent log format settable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.logFormat=json' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] +} + +@test "csi/daemonset: Agent default resources" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].resources' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: Agent custom resources" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.agent.resources.requests.memory=256Mi' \ + --set 'csi.agent.resources.requests.cpu=250m' \ + --set 'csi.agent.resources.limits.memory=512Mi' \ + --set 'csi.agent.resources.limits.cpu=500m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].resources' | tee /dev/stderr) + local value=$(echo $object | + yq -r '.requests.memory' | tee /dev/stderr) + [ "${value}" = "256Mi" ] + + local value=$(echo $object | + yq -r '.requests.cpu' | tee /dev/stderr) + [ "${value}" = "250m" ] + + local value=$(echo $object | + yq -r '.limits.memory' | tee /dev/stderr) + [ "${value}" = "512Mi" ] + + local value=$(echo $object | + yq -r '.limits.cpu' | tee /dev/stderr) + [ "${value}" = "500m" ] +} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 6c21e40dd..5abe2846d 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
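Review bot: `Agent default resources` pins `.spec.template.spec.containers[1].resources` to `null`, i.e. it asserts that the sidecar, which runs on every node as part of a DaemonSet, ships with no requests or limits by default; if that is intentional, a comment saying so (`# no default requests/limits for the Agent sidecar; users set csi.agent.resources`) stops the next reader from treating the test as a bug report, and if not, values.yaml (not in this diff) is where the default belongs. `Agent sidecar can pass extra args` reads `args[2]`, so it also depends on exactly two fixed arguments preceding `extraArgs`.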
@@ -275,6 +275,135 @@ load _helpers [ "${value}" = "auth/k8s" ] } +@test "injector/deployment: default livenessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set livenessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.livenessProbe.failureThreshold=100' \ + --set 'injector.livenessProbe.initialDelaySeconds=100' \ + --set 'injector.livenessProbe.periodSeconds=100' \ + --set 'injector.livenessProbe.successThreshold=100' \ + --set 'injector.livenessProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + +@test "injector/deployment: default readinessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set readinessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.readinessProbe.failureThreshold=100' \ + --set 'injector.readinessProbe.initialDelaySeconds=100' \ + --set 'injector.readinessProbe.periodSeconds=100' \ + --set 'injector.readinessProbe.successThreshold=100' \ + --set 'injector.readinessProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + +@test "injector/deployment: default startupProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].startupProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "12" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set startupProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.startupProbe.failureThreshold=100' \ + --set 'injector.startupProbe.initialDelaySeconds=100' \ + --set 'injector.startupProbe.periodSeconds=100' \ + --set 'injector.startupProbe.successThreshold=100' \ + --set 'injector.startupProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].startupProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + @test "injector/deployment: default logLevel" { cd `chart_dir` local object=$(helm template \ 
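Review bot: The three `can set ... settings` tests in the `@@ -275,6 +275,135 @@` hunk repeat the same five `local actual=$(echo "$object" | yq '...')` / `[ "${actual}" = "100" ]` pairs fifteen times, and `actual` is re-declared with `local` on every line. A loop over the probe keys makes each test five lines shorter and the intent obvious; the `default ... settings` tests keep their explicit values since those differ per key.
```bash
  for key in failureThreshold initialDelaySeconds periodSeconds successThreshold timeoutSeconds; do
    local actual=$(echo "$object" | yq ".${key}" | tee /dev/stderr)
    [ "${actual}" = "100" ]
  done
```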
@@ -912,57 +1041,4 @@ EOF local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr) [ "${value}" = "false" ] -} -@test "injector/deployment: agent default template_config.static_secret_render_interval" { - cd `chart_dir` - local object=$(helm template \ - --show-only templates/injector-deployment.yaml \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - - local value=$(echo $object | - yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "" ] -} - -@test "injector/deployment: can set agent template_config.static_secret_render_interval" { - cd `chart_dir` - local object=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set='injector.agentDefaults.templateConfig.staticSecretRenderInterval=1m' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - - local value=$(echo $object | - yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "1m" ] -} - -@test "injector/deployment: strategy default" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - . | tee /dev/stderr | - yq -r '.spec.strategy' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "injector/deployment: strategy set as string" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set="injector.strategy=testing" \ - . | tee /dev/stderr | - yq -r '.spec.strategy' | tee /dev/stderr) - [ "${actual}" = "testing" ] -} - -@test "injector/deployment: strategy can be set as YAML" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set 'injector.strategy.rollingUpdate.maxUnavailable=1' \ - . 
| tee /dev/stderr | - yq -r '.spec.strategy.rollingUpdate.maxUnavailable' | tee /dev/stderr) - [ "${actual}" = "1" ] -} +} \ No newline at end of file diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index 16c43e742..72be93fcc 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats @@ -31,18 +31,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-disruptionbudget.yaml \ - --set 'injector.podDisruptionBudget.minAvailable=2' \ - --kube-version 1.19.5 \ - . | tee /dev/stderr | - yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { +@test "injector/DisruptionBudget: apiVersion is set correctly >= version 1.21 of kube" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index bd71ca241..4cb3ae63b 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats 
@@ -98,19 +98,7 @@ load _helpers [ "${actual}" = "2" ] } -@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/server-disruptionbudget.yaml \ - --set 'server.ha.enabled=true' \ - --set 'server.ha.replicas=1' \ - --kube-version 1.19.5 \ - . | tee /dev/stderr | - yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { +@test "server/DisruptionBudget: apiVersion is set correctly >= version 1.21 of kube" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-disruptionbudget.yaml \ diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index aade5d57c..0cc5b266c 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -197,7 +197,7 @@ load _helpers [ "${actual}" = "release-name-vault" ] } -@test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" { +@test "server/ingress: k8s 1.26.3 uses correct service format when not ha - yaml" { cd `chart_dir` local actual=$(helm template \ @@ -206,9 +206,9 @@ load _helpers --set 'server.dev.enabled=false' \ --set 'server.ha.enabled=false' \ --set 'server.service.enabled=true' \ - --kube-version 1.18.3 \ + --kube-version 1.26.3 \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "release-name-vault" ] } 
@@ -227,32 +227,19 @@ load _helpers [ "${actual}" = "release-name-vault" ] } -@test "server/ingress: pathType is added to Kubernetes version == 1.19.0" { +@test "server/ingress: pathType is added to Kubernetes version == 1.26.3" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set server.ingress.pathType=ImplementationSpecific \ - --kube-version 1.19.0 \ + --kube-version 1.26.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) [ "${actual}" = "ImplementationSpecific" ] } -@test "server/ingress: pathType is not added to Kubernetes versions < 1.19" { - cd `chart_dir` - - local actual=$(helm template \ - --show-only templates/server-ingress.yaml \ - --set 'server.ingress.enabled=true' \ - --set server.ingress.pathType=ImplementationSpecific \ - --kube-version 1.18.3 \ - . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - @test "server/ingress: pathType is added to Kubernetes versions > 1.19" { cd `chart_dir` @@ -260,7 +247,7 @@ load _helpers --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set server.ingress.pathType=Prefix \ - --kube-version 1.20.0 \ + --kube-version 1.26.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) [ "${actual}" = "Prefix" ] diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 6206e115e..7295c2500 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
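Review bot: Both surviving pathType tests now render against `--kube-version 1.26.3`, so the names `pathType is added to Kubernetes version == 1.26.3` and `pathType is added to Kubernetes versions > 1.19` no longer describe a version boundary — the two tests differ only in the value passed. Rename them for what they actually assert, e.g. `server/ingress: pathType ImplementationSpecific is rendered` and `server/ingress: pathType Prefix is rendered`. With the `< 1.19` negative case deleted and the acceptance matrix starting at 1.22, nothing exercises the version gate any more; that is fine if the gate was removed from the template, otherwise keep one below-threshold case. The `> 1.19` test's body continues in the `-260,7` hunk below this one.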
@@ -1806,3 +1806,193 @@ load _helpers yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) [ "${actual}" = "true" ] } + +#-------------------------------------------------------------------- +# extraPorts + +@test "server/standalone-StatefulSet: adds extra ports" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.extraPorts[0].containerPort=1111' \ + --set 'server.extraPorts[0].name=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.containerPort' | tee /dev/stderr) + [ "${actual}" = "1111" ] + + local actual=$(echo $object | + yq -r '.name' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} + +#-------------------------------------------------------------------- +# readinessProbe + +@test "server/StatefulSet: server.readinessProbe.port is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.readinessProbe.enabled=true' \ + --set 'server.readinessProbe.path=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe.httpGet.port' | tee /dev/stderr) + [ "${actual}" = "8200" ] +} + + +#-------------------------------------------------------------------- +# livenessProbe + +@test "server/StatefulSet: server.livenessProbe.port is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.livenessProbe.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.port' | tee /dev/stderr) + [ "${actual}" = "8200" ] +} + +#-------------------------------------------------------------------- +# enterprise license autoload support +@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr) + [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ] +} + +@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr) + [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ] +} + +@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . 
| tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ] +} + +@test "server/StatefulSet: blank secretName does not set env var" { + cd `chart_dir` + + # setting secretName=null + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=null' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '' ] + + # omitting secretName + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '' ] +} + +#-------------------------------------------------------------------- +# securityContext + +@test "server/standalone-StatefulSet: default statefulSet.securityContext.pod" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext' | tee /dev/stderr) + [ ! "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: default statefulSet.securityContext.container" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext' | tee /dev/stderr) + [ ! "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: specify statefulSet.securityContext.pod yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.statefulSet.securityContext.pod.foo=bar' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "server/standalone-StatefulSet: specify statefulSet.securityContext.container yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.statefulSet.securityContext.container.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "server/standalone-StatefulSet: specify statefulSet.securityContext.pod yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.statefulSet.securityContext.pod=foo: bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "server/standalone-StatefulSet: specify statefulSet.securityContext.container yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.statefulSet.securityContext.container=foo: bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +#-------------------------------------------------------------------- +# hostNetwork + +@test "server/StatefulSet: server.hostNetwork not set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/StatefulSet: server.hostNetwork is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.hostNetwork=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "true" ] +} 
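Review bot: The two `default statefulSet.securityContext.*` tests only assert that the rendered context is not `null`, so a regression that drops `runAsNonRoot: true` or `allowPrivilegeEscalation: false` — the non-OpenShift defaults this chart's values.yaml comment documents — would still pass; pin the actual fields, as below (assuming the template's defaults match that comment — confirm). Likewise `server.readinessProbe.port is set` only checks the default `8200`; add a case with `--set 'server.readinessProbe.port=8300'` asserting `8300` so a non-default value is actually exercised. A short comment next to the `defaultMode: 288` assertion (`# 288 == 0440`) saves the next reader the octal conversion.
```shell
@test "server/standalone-StatefulSet: default securityContext is non-root without privilege escalation" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-statefulset.yaml \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.securityContext.runAsNonRoot' | tee /dev/stderr)
  [ "${actual}" = "true" ]

  local actual=$(helm template \
      --show-only templates/server-statefulset.yaml \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}
```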
diff --git a/values.openshift.yaml b/values.openshift.yaml index 02985ed39..da71dcfb9 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # These overrides are appropriate defaults for deploying this chart on OpenShift global: @@ -6,13 +9,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.1.0-ubi" + tag: "1.2.1-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.12.1-ubi" + tag: "1.13.1-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.12.1-ubi" + tag: "1.13.1-ubi" diff --git a/values.schema.json b/values.schema.json index d953b82f8..b6729cb3e 100644 --- a/values.schema.json +++ b/values.schema.json @@ -5,6 +5,40 @@ "csi": { "type": "object", "properties": { + "agent": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "extraArgs": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "resources": { + "type": "object" + } + } + }, "daemonSet": { "type": "object", "properties": { @@ -367,9 +401,6 @@ "podDisruptionBudget": { "type": "object" }, - "podDisruptionBudget": { - "type": "object" - }, "port": { "type": "integer" }, @@ -599,6 +630,12 @@ "extraArgs": { "type": "string" }, + "extraPorts": { + "type": [ + "null", + "array" + ] + }, "extraContainers": { "type": [ "null", diff --git a/values.yaml b/values.yaml index f6769794c..d2465f214 100644 --- a/values.yaml +++ b/values.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # Available parameters and their default values for the Vault chart. global: 
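Review bot: The new `extraPorts` schema entry is typed only as `["null", "array"]` with no `items` constraint, so a list of strings or bare numbers passes schema validation and only fails once the chart splices it into the container's `ports` and the API server rejects the manifest. Since every entry must be a ContainerPort object, constrain it: `"items": { "type": "object", "required": ["containerPort"] }`. The surrounding `server` placement is inferred from the adjacent `extraArgs`/`extraContainers` keys; the hunk does not show its parent object.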
@@ -62,7 +65,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.1.0" + tag: "1.2.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -70,7 +73,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.12.1" + tag: "1.13.1" # The default values for the injected Vault Agent containers. agentDefaults: 
@@ -90,6 +93,43 @@ injector: exitOnRetryFailure: true staticSecretRenderInterval: "" + # Used to define custom livenessProbe settings + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom readinessProbe settings + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom startupProbe settings + startupProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 12 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" 
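Review bot: `successThreshold` is exposed for `livenessProbe` and `startupProbe`, but the Kubernetes API only accepts the value 1 for those two probe types (it is tunable for readiness probes only), so any other value renders cleanly with `helm template` and is then rejected at install time — the unit test that sets `injector.startupProbe.successThreshold=100` passes for exactly that reason. Either drop the key from the liveness and startup blocks or state the constraint in the comment: `# Minimum consecutive successes for the probe to be considered successful after having failed. Must be 1 for liveness and startup probes.`. Separately, the liveness defaults (`failureThreshold: 2`, `periodSeconds: 2`) restart the injector after roughly four seconds of failed probes; presumably deliberate, but a one-line rationale would help, since a restarting admission webhook can affect pod creation depending on its failure policy.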
@@ -183,6 +223,17 @@ injector: # vault-sidecar-injector: enabled objectSelector: {} + # Deprecated: please use 'webhook.objectSelector' instead + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. + # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} + # Deprecated: please use 'webhook.annotations' instead # Extra annotations to attach to the webhook webhookAnnotations: {} @@ -330,7 +381,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.12.1" + tag: "1.13.1" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -450,12 +501,20 @@ server: # extraArgs is a string containing additional Vault server arguments. extraArgs: "" + # extraPorts is a list of extra ports. Specified as a YAML list. + # This is useful if you need to add additional ports to the statefulset in dynamic way. + extraPorts: null + # - containerPort: 8300 + # name: http-monitoring + # Used to define custom readinessProbe settings readinessProbe: enabled: true # If you need to use a http path instead of the default exec # path: /v1/sys/health?standbyok=true + # Port number on which readinessProbe will be checked. + port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 # Number of seconds after the container has started before probe initiates @@ -470,6 +529,8 @@ server: livenessProbe: enabled: false path: "/v1/sys/health?standbyok=true" + # Port nuumber on which livenessProbe will be checked. + port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 # Number of seconds after the container has started before probe initiates 
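Review bot: A second `objectSelector: {}` is introduced into the `injector` mapping — the context line immediately above the insertion is already `objectSelector: {}` at what appears to be the same level, carrying the same deprecation text. Duplicate mapping keys are invalid YAML; most loaders silently keep the last value, stricter ones and yamllint (`key-duplicates`) reject the file. Both values are empty so the rendered chart is unchanged today, but keep only one `# Deprecated: please use 'webhook.objectSelector' instead` block. This same commit removes a duplicated `podDisruptionBudget` from values.schema.json, so the fix belongs here as well; indentation is collapsed in this view, so confirm the two keys really are siblings.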
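Review bot: `port: 8200` is documented as the port the readiness probe checks, but per the line just above it the default readiness probe is an `exec` and `path` is what switches it to http, so `port` only takes effect together with `path` — the new unit test asserts `httpGet.port` only with `path` set, which supports this reading; confirm against the template. Make that explicit: `# Port used by the httpGet probe when 'path' is set; ignored for the default exec probe. Must match the listener port in server.config.`. The value also has to track whatever listener address is configured in `server.config`/`server.ha.config`; if the listener port changes and this does not, the pods never become Ready.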
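Review bot: Typo in the new comment: `Port nuumber` → `Port number`. Because the liveness probe always has a `path` default it is presumably always an httpGet, so unlike the readiness `port` this one is always used; say so and tie it to the listener: `# Port used by the httpGet livenessProbe; must match the Vault listener port in server.config.`.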
@@ -741,7 +802,7 @@ server: # Example configuration for enabling Prometheus metrics in your config. #telemetry { - # prometheus_retention_time = "30s", + # prometheus_retention_time = "30s" # disable_hostname = true #} @@ -835,7 +896,7 @@ server: # If you are using Prometheus Operator you can enable a ServiceMonitor resource below. # You may wish to enable unauthenticated metrics in the listener block above. #telemetry { - # prometheus_retention_time = "30s", + # prometheus_retention_time = "30s" # disable_hostname = true #} @@ -869,8 +930,6 @@ server: # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes serviceDiscovery: enabled: true - # A boolean flag to setup logrotate as a side car continer - logrotate: null # Settings for the statefulSet used to run Vault. statefulSet: @@ -896,6 +955,23 @@ server: pod: {} container: {} + # Set the pod and container security contexts. + # If not set, these will default to, and for *not* OpenShift: + # pod: + # runAsNonRoot: true + # runAsGroup: {{ .Values.server.gid | default 1000 }} + # runAsUser: {{ .Values.server.uid | default 100 }} + # fsGroup: {{ .Values.server.gid | default 1000 }} + # container: + # allowPrivilegeEscalation: false + # + # If not set, these will default to, and for OpenShift: + # pod: {} + # container: {} + securityContext: + pod: {} + container: {} + # Should the server pods run on the host network hostNetwork: false @@ -946,7 +1022,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.2.1" + tag: "1.3.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered 
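Review bot: A second `securityContext:` block is inserted under `server.statefulSet` — the two context lines immediately before it (`pod: {}`, `container: {}`) look like the body of an existing `securityContext:` key whose header is outside the hunk, and the preceding `-869,8 +930,6` hunk's trailing `statefulSet:` context fits that. A duplicate key is invalid YAML and most loaders keep the last copy; drop one of them and keep the explanatory comment, which is the useful part of this change. While here, `If not set, these will default to, and for *not* OpenShift:` reads awkwardly — `Defaults when unset (non-OpenShift):` and `Defaults when unset (OpenShift):` say the same thing more plainly. Indentation is collapsed in this view, so confirm the two keys are at the same level before removing.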
@@ -1010,6 +1086,26 @@ csi: # This should be a YAML map of the labels to apply to the csi provider pod extraLabels: {} + agent: + enabled: true + extraArgs: [] + + image: + repository: "hashicorp/vault" + tag: "1.13.1" + pullPolicy: IfNotPresent + + logFormat: standard + logLevel: info + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m # Priority class for csi pods priorityClassName: "" @@ -1078,7 +1174,7 @@ serverTelemetry: # # example: # telemetry { - # prometheus_retention_time = "30s", + # prometheus_retention_time = "30s" # disable_hostname = true # } #
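Review bot: The new `csi.agent` block is the only block in this hunk without an explanatory comment, unlike its neighbours; add one stating what the sidecar is for and what `enabled: false` does — presumably runs the CSI provider without a Vault Agent, confirm against the template — e.g. `# Vault Agent sidecar for the CSI provider; set enabled: false to run the provider without it.`. `resources: {}` leaves the sidecar unbounded, so the commented example could note that limits are needed in namespaces with ResourceQuotas. The `1.13.1` tag is now pinned in `injector.agentImage`, `server.image` and here; a comment pointing at the other two keeps future bumps in sync.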