NET-581 - Added vault namespace in helm #2841

Merged
bc79b0a
added namespace
absolutelightning Aug 25, 2023
3ee878c
namespace in connect ca
absolutelightning Aug 28, 2023
10ec942
updated tests
absolutelightning Aug 29, 2023
9935a1b
fix test desc
absolutelightning Aug 29, 2023
4097b48
changelog
absolutelightning Aug 29, 2023
3f8c4f3
Update .changelog/2841.txt
absolutelightning Aug 29, 2023
5339dd9
Update charts/consul/values.yaml
absolutelightning Aug 29, 2023
c734284
Merge branch 'NET-581-Configure-Vault-namespaces-for-Connect-CA-via-H…
absolutelightning Aug 30, 2023
9e2f11d
removed new line added
absolutelightning Aug 30, 2023
9d2ba12
fix templates
absolutelightning Aug 30, 2023
8cc2117
bats test
absolutelightning Aug 30, 2023
01f3e95
fix double colon
absolutelightning Aug 30, 2023
6917abb
fix template
absolutelightning Aug 30, 2023
ad710bf
added 2 more tests
absolutelightning Aug 31, 2023
fdd7cf1
fixes bats tests
absolutelightning Aug 31, 2023
d3e0323
fix json in api gateway
absolutelightning Aug 31, 2023
7b3482b
updated bats test
absolutelightning Aug 31, 2023
532210d
Update charts/consul/values.yaml
absolutelightning Aug 31, 2023
fd469b6
fix client daemon set bats
absolutelightning Aug 31, 2023
7c870ea
Merge branch 'NET-581-Configure-Vault-namespaces-for-Connect-CA-via-H…
absolutelightning Aug 31, 2023
cac8d3a
fix bats test
absolutelightning Aug 31, 2023
c4a0f8a
fix bats
absolutelightning Aug 31, 2023
6c692df
api gateway fix
absolutelightning Sep 1, 2023
d05f340
fix bats
absolutelightning Sep 1, 2023
261f379
fix clientdaemon set and api gateway controller
absolutelightning Sep 1, 2023
3d9c05c
fix connect inject deployment
absolutelightning Sep 1, 2023
228b423
fix mesh gateway deployment
absolutelightning Sep 1, 2023
ef1710d
added tests for partition init job
absolutelightning Sep 1, 2023
0827f81
server acl init job tests added
absolutelightning Sep 1, 2023
306632b
fix server stateful bats
absolutelightning Sep 1, 2023
faec4c2
fix sync catalog
absolutelightning Sep 1, 2023
b1fd0fd
fix includes check
absolutelightning Sep 1, 2023
636208f
bats test fixes
absolutelightning Sep 1, 2023
666331a
fix connect inject
absolutelightning Sep 1, 2023
ffe4b1f
fix yaml
absolutelightning Sep 1, 2023
c8478a0
fix yaml
absolutelightning Sep 1, 2023
ecfff91
fix assertions in bats
absolutelightning Sep 1, 2023
959431f
fix client daemon set bats
absolutelightning Sep 1, 2023
8f52b7c
Update charts/consul/values.yaml
absolutelightning Sep 4, 2023
1f3e23a
Update charts/consul/templates/server-config-configmap.yaml
absolutelightning Sep 4, 2023
ed1026e
change yaml
absolutelightning Sep 4, 2023
825fb42
Merge branch 'NET-581-Configure-Vault-namespaces-for-Connect-CA-via-H…
absolutelightning Sep 4, 2023
b840d32
added addional config test
absolutelightning Sep 4, 2023
ed2573a
fix tests
absolutelightning Sep 4, 2023
a47a3d8
added more tests
absolutelightning Sep 4, 2023
8a7b8bd
fix bats
absolutelightning Sep 4, 2023
3c4291c
Update charts/consul/test/unit/server-config-configmap.bats
absolutelightning Sep 6, 2023
4523282
Update charts/consul/test/unit/server-config-configmap.bats
absolutelightning Sep 6, 2023
af7e617
Update .changelog/2841.txt
absolutelightning Sep 6, 2023
124cc4d
Update .changelog/2841.txt
absolutelightning Sep 6, 2023
4be3cea
added dummy commit to run CI
absolutelightning Sep 8, 2023
7c13074
pull
absolutelightning Sep 8, 2023
d6da52e
fix change log
absolutelightning Sep 8, 2023
5f6a200
fix comment
absolutelightning Sep 8, 2023
5 changes: 5 additions & 0 deletions .changelog/2841.txt
@@ -0,0 +1,5 @@
```release-note:improvement
vault: Adds `namespace` to `secretsBackend.vault.connectCA` in Helm chart and annotation: "vault.hashicorp.com/namespace: namespace" to
secretsBackend.vault.agentAnnotations, if "vault.hashicorp.com/namespace" annotation is not present.
This provides a more convenient way to specify the Vault namespace than nested JSON in `connectCA.additionalConfig`.
```
6 changes: 2 additions & 4 deletions acceptance/tests/vault/vault_namespaces_test.go
Expand Up @@ -23,7 +23,7 @@ import (
// TestVault_VaultNamespace installs Vault, configures a Vault namespace, and then bootstraps it
// with secrets, policies, and Kube Auth Method.
// It then configures Consul to use vault as the backend and checks that it works
// with the vault namespace.
// with the vault namespace. Namespace is added in this via global.secretsBackend.vault.vaultNamespace.
func TestVault_VaultNamespace(t *testing.T) {
cfg := suite.Config()
ctx := suite.Environment().DefaultContext(t)
Expand Down Expand Up @@ -195,9 +195,7 @@ func TestVault_VaultNamespace(t *testing.T) {
"global.secretsBackend.vault.connectCA.address": vaultCluster.Address(),
"global.secretsBackend.vault.connectCA.rootPKIPath": connectCARootPath,
"global.secretsBackend.vault.connectCA.intermediatePKIPath": connectCAIntermediatePath,
"global.secretsBackend.vault.connectCA.additionalConfig": fmt.Sprintf(`"{\"connect\": [{ \"ca_config\": [{ \"namespace\": \"%s\"}]}]}"`, vaultNamespacePath),

"global.secretsBackend.vault.agentAnnotations": fmt.Sprintf("\"vault.hashicorp.com/namespace\": \"%s\"", vaultNamespacePath),
"global.secretsBackend.vault.vaultNamespace": vaultNamespacePath,

"global.acls.manageSystemACLs": "true",
"global.acls.bootstrapToken.secretName": bootstrapTokenSecret.Path,
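Review bot: The reworded doc comment at the top of the first hunk, `// with the vault namespace. Namespace is added in this via global.secretsBackend.vault.vaultNamespace.`, reads awkwardly; suggest `// with the vault namespace, which is configured through global.secretsBackend.vault.vaultNamespace.` Dropping the explicit `connectCA.additionalConfig` and `agentAnnotations` values means this acceptance test now exercises only the derived path, so the precedence of an explicitly supplied `vault.hashicorp.com/namespace` annotation over `vaultNamespace` is presumably left to the unit bats tests rather than checked end to end. The body of TestVault_VaultNamespace continues outside both hunks.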
Expand Up @@ -38,6 +38,9 @@ spec:
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{ end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
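Review bot: The `hasKey` guard on the added `if` line parses the raw `agentAnnotations` string with `fromYaml`, whereas the line that actually renders it two lines above passes it through `tpl` first. If the user's string contains template actions it may not be valid YAML before rendering; as far as I recall Helm's `fromYaml` then yields an error map instead of failing, `hasKey` returns false, and a second `vault.hashicorp.com/namespace` key is emitted into the same annotations map. Parsing the rendered value instead would keep the two in step: `{{- if (and .Values.global.secretsBackend.vault.vaultNamespace (not (hasKey (tpl (default "" .Values.global.secretsBackend.vault.agentAnnotations) . | fromYaml) "vault.hashicorp.com/namespace"))) }}`. The same construct is added in client-daemonset.yaml, connect-inject-deployment.yaml, mesh-gateway-deployment.yaml, partition-init-job.yaml, server-acl-init-job.yaml, server-statefulset.yaml, sync-catalog-deployment.yaml and telemetry-collector-deployment.yaml. The file header for this section is not visible and the annotations block continues outside the hunk.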
3 changes: 3 additions & 0 deletions charts/consul/templates/client-daemonset.yaml
Expand Up @@ -75,6 +75,9 @@ spec:
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }}
{{- with .Values.global.enterpriseLicense }}
"vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}"
3 changes: 3 additions & 0 deletions charts/consul/templates/connect-inject-deployment.yaml
Expand Up @@ -85,6 +85,9 @@ spec:
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- end }}
spec:
serviceAccountName: {{ template "consul.fullname" . }}-connect-injector
3 changes: 3 additions & 0 deletions charts/consul/templates/mesh-gateway-deployment.yaml
Expand Up @@ -70,6 +70,9 @@ spec:
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- end }}
{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }}
"prometheus.io/scrape": "true"
3 changes: 3 additions & 0 deletions charts/consul/templates/partition-init-job.yaml
Expand Up @@ -59,6 +59,9 @@ spec:
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- end }}
spec:
restartPolicy: Never
3 changes: 3 additions & 0 deletions charts/consul/templates/server-acl-init-job.yaml
Expand Up @@ -93,6 +93,9 @@ spec:
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- end }}
spec:
restartPolicy: Never
3 changes: 3 additions & 0 deletions charts/consul/templates/server-config-configmap.yaml
Expand Up @@ -72,6 +72,9 @@ data:
"ca_file": "/consul/vault-ca/tls.crt",
{{- end }}
"intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}",
{{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }}
Contributor Author


json structure is like this https://github.com/hashicorp/consul-k8s/pull/2841/files#diff-73787600ab1d7b64c9a865fad8d8520d230644c998b3bf9b5670ffdb8900bb2eR713.
I was having trouble fetching keys from a nested JSON array, hence I had to keep it as a string.
@zalimeni

Member


@absolutelightning good catch, my example was off - but I think this is still possible, see this updated version.

From the link above, if you use:

{{- if (and (.vaultNamespace) (not (hasKey (default "" .connectCA.additionalConfig | fromJson).connect.ca_config "namespace"))) }}
  "namespace": "{{ .vaultNamespace }}",
{{- end }}

does that work?

Contributor Author


Screenshot 2023-09-06 at 10 52 32 AM
This is not the correct syntax.
See -

# additionalConfig: |
# {
# "connect": [{
# "ca_config": [{
# "leaf_cert_ttl": "36h"
# }]
# }]
# }
# ```

It's inside a JSON array.

Member


@absolutelightning ah, I'm sorry - that was unintuitive to me and I missed the []s this whole time. (I also suspect looking at Consul code on the server side that it's not strictly necessary and this is an example of our JSON->HCL parsing complexity... 😞)

This looks overly complicated to detect in Helm template syntax even w/ the first template function as a sort-of option, so I feel a "namespace" contains check is a reasonable trade-off, given how unlikely it is someone would use that as a value (which would cause us to skip the vaultNamespace addition).

cc @thisisnotashwin in case you have any other thoughts, since we discussed this before.

Contributor


I think this is good! JSON parsing is a pain 😞

This looks overly complicated to detect in Helm template syntax even w/ the first template function as a sort-of option, so I feel a "namespace" contains check is a reasonable trade-off, given how unlikely it is someone would use that as a value (which would cause us to skip the vaultNamespace addition).

💯

"namespace": "{{ .vaultNamespace }}",
{{- end }}
"root_pki_path": "{{ .connectCA.rootPKIPath }}",
"auth_method": {
"type": "kubernetes",
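Review bot: The `contains "namespace"` guard on the added `if` line carries no explanation in the template itself, so a later reader will not know why this is a substring match while the agent-annotation templates in the same change use an exact `hasKey` lookup, and why the two overrides therefore behave differently. Suggest a template comment directly above it, e.g. `{{- /* additionalConfig is opaque JSON with nested arrays, so a substring check stands in for a key lookup; any "namespace" text in it suppresses the vaultNamespace entry below */ -}}`. The `vaultNamespace` value is also interpolated unescaped into a JSON string on the following line; the neighbouring `intermediate_pki_path` and `root_pki_path` lines use the same style, so this is presumably accepted for values the operator controls. The `connect`/`ca_config` block continues outside the hunk.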
3 changes: 3 additions & 0 deletions charts/consul/templates/server-statefulset.yaml
Expand Up @@ -98,6 +98,9 @@ spec:
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- if .Values.global.enterpriseLicense.secretName }}
{{- with .Values.global.enterpriseLicense }}
"vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}"
3 changes: 3 additions & 0 deletions charts/consul/templates/sync-catalog-deployment.yaml
Expand Up @@ -56,6 +56,9 @@ spec:
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- end }}
spec:
serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog
3 changes: 3 additions & 0 deletions charts/consul/templates/telemetry-collector-deployment.yaml
Expand Up @@ -58,6 +58,9 @@ spec:
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- end }}

labels:
68 changes: 68 additions & 0 deletions charts/consul/test/unit/api-gateway-controller-deployment.bats
Expand Up @@ -1035,6 +1035,74 @@ load _helpers
[ "${actual}" = "test" ]
}

@test "apiGateway/Deployment: vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is set" {
cd `chart_dir`
local cmd=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=foo' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test' \
--set 'global.secretsBackend.vault.vaultNamespace=vns' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.tls.enableAutoEncrypt=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata' | tee /dev/stderr)

local actual="$(echo $cmd |
yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
[ "${actual}" = "vns" ]
}

@test "apiGateway/Deployment: correct vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is set and agentAnnotations are set without vaultNamespace annotation" {
cd `chart_dir`
local cmd=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=foo' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test' \
--set 'global.secretsBackend.vault.vaultNamespace=vns' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'global.secretsBackend.vault.agentAnnotations=vault.hashicorp.com/agent-extra-secret: bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata' | tee /dev/stderr)

local actual="$(echo $cmd |
yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
[ "${actual}" = "vns" ]
}

@test "apiGateway/Deployment: correct vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is set and agentAnnotations are also set with vaultNamespace annotation" {
cd `chart_dir`
local cmd=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=foo' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test' \
--set 'global.secretsBackend.vault.vaultNamespace=vns' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'global.secretsBackend.vault.agentAnnotations="vault.hashicorp.com/namespace": bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata' | tee /dev/stderr)

local actual="$(echo $cmd |
yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
[ "${actual}" = "bar" ]
}

@test "apiGateway/Deployment: vault agent annotations can be set" {
cd `chart_dir`
local actual=$(helm template \
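Review bot: The three added tests only cover the cases where `global.secretsBackend.vault.vaultNamespace` is set; none asserts that no `vault.hashicorp.com/namespace` annotation is emitted when it is left unset, which is the guard the template's `if` exists for. Unless an existing test in this file already checks that, a fourth case mirroring the first one without the `vaultNamespace` flag and asserting `[ "${actual}" = "null" ]` would pin the default. The same gap presumably applies to the client-daemonset.bats and connect-inject-deployment.bats additions. The test that starts at the bottom of the hunk continues outside it.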
65 changes: 65 additions & 0 deletions charts/consul/test/unit/client-daemonset.bats
Expand Up @@ -2320,6 +2320,71 @@ rollingUpdate:
[ "${actual}" = "foo" ]
}

@test "client/DaemonSet: vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is set" {
cd `chart_dir`
local cmd=$(helm template \
-s templates/client-daemonset.yaml \
--set 'client.enabled=true' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test' \
--set 'global.secretsBackend.vault.vaultNamespace=vns' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.tls.enableAutoEncrypt=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata' | tee /dev/stderr)

local actual="$(echo $cmd |
yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
[ "${actual}" = "vns" ]
}

@test "client/DaemonSet: correct vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is see and agentAnnotations are set without vaultNamespace annotation" {
cd `chart_dir`
local cmd=$(helm template \
-s templates/client-daemonset.yaml \
--set 'client.enabled=true' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test' \
--set 'global.secretsBackend.vault.vaultNamespace=vns' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'global.secretsBackend.vault.agentAnnotations=vault.hashicorp.com/agent-extra-secret: bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata' | tee /dev/stderr)

local actual="$(echo $cmd |
yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
[ "${actual}" = "vns" ]
}

@test "client/DaemonSet: correct vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is set and agentAnnotations are also set with vaultNamespace annotation" {
cd `chart_dir`
local cmd=$(helm template \
-s templates/client-daemonset.yaml \
--set 'client.enabled=true' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test' \
--set 'global.secretsBackend.vault.vaultNamespace=vns' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'global.secretsBackend.vault.agentAnnotations=vault.hashicorp.com/namespace: bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata' | tee /dev/stderr)

local actual="$(echo $cmd |
yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
[ "${actual}" = "bar" ]
}

@test "client/DaemonSet: vault gossip annotations are set when gossip encryption enabled" {
cd `chart_dir`
local object=$(helm template \
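Review bot: The second added test name has a typo, `...vault.vaultNamespace is see and agentAnnotations are set without...`, which should read `is set`; the same wording appears in the corresponding test in connect-inject-deployment.bats. Since these names are the identifiers reported on failure, keeping them consistent with the api-gateway variant makes grepping across the three files easier. The test that starts at the bottom of the hunk continues outside it.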
65 changes: 65 additions & 0 deletions charts/consul/test/unit/connect-inject-deployment.bats
Expand Up @@ -1783,6 +1783,71 @@ load _helpers
[ "${actual}" = "" ]
}

@test "connectInject/Deployment: vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is set" {
cd `chart_dir`
local cmd=$(helm template \
-s templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test' \
--set 'global.secretsBackend.vault.vaultNamespace=vns' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.tls.enableAutoEncrypt=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata' | tee /dev/stderr)

local actual="$(echo $cmd |
yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
[ "${actual}" = "vns" ]
}

@test "connectInject/Deployment: correct vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is see and agentAnnotations are set without vaultNamespace annotation" {
cd `chart_dir`
local cmd=$(helm template \
-s templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test' \
--set 'global.secretsBackend.vault.vaultNamespace=vns' \
--set 'global.secretsBackend.vault.agentAnnotations=vault.hashicorp.com/agent-extra-secret: bar' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.tls.enableAutoEncrypt=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata' | tee /dev/stderr)

local actual="$(echo $cmd |
yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
[ "${actual}" = "vns" ]
}

@test "connectInject/Deployment: correct vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is set and agentAnnotations are also set with vaultNamespace annotation" {
cd `chart_dir`
local cmd=$(helm template \
-s templates/connect-inject-deployment.yaml \
--set 'client.enabled=true' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test' \
--set 'global.secretsBackend.vault.vaultNamespace=vns' \
--set 'global.secretsBackend.vault.agentAnnotations=vault.hashicorp.com/namespace: bar' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.tls.enableAutoEncrypt=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata' | tee /dev/stderr)

local actual="$(echo $cmd |
yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
[ "${actual}" = "bar" ]
}

#--------------------------------------------------------------------
# enable-webhook-ca-update
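Review bot: The third added test passes `--set 'client.enabled=true'` where the two sibling tests in this hunk pass `--set 'connectInject.enabled=true'`, so the flag does not exercise what the test name describes for the connect-inject deployment. It presumably still passes only because the template is rendered regardless, which makes the assertion weaker than intended; suggest `--set 'connectInject.enabled=true' \` to match the other two.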
