From 21ce5245a35f25919e8db5b87145145dc79bdb20 Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Mon, 14 Nov 2022 14:10:21 +0000
Subject: [PATCH] Support selectively disabling active/standby services and service discovery role (#811)
---
 CHANGELOG.md | 2 +
 templates/server-discovery-role.yaml | 2 +-
 templates/server-discovery-rolebinding.yaml | 2 +-
 templates/server-ha-active-service.yaml | 2 +
 templates/server-ha-standby-service.yaml | 4 +-
 templates/server-statefulset.yaml | 1 -
 test/unit/server-discovery-role.bats | 41 +++++++++++++++++++++
 test/unit/server-discovery-rolebinding.bats | 41 +++++++++++++++++++++
 test/unit/server-ha-active-service.bats | 12 ++++++
 test/unit/server-ha-standby-service.bats | 12 ++++++
 values.schema.json | 27 ++++++++++++++
 values.yaml | 13 +++++++
 12 files changed, 155 insertions(+), 4 deletions(-)
 create mode 100755 test/unit/server-discovery-role.bats
 create mode 100755 test/unit/server-discovery-rolebinding.bats
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2862b7ab..96937b57a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@ Features:
 * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
+* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
+* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
 Bugs:
 * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810)
diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml
index 9ca23dd4c..4dba09df1 100644
--- a/templates/server-discovery-role.yaml
+++ b/templates/server-discovery-role.yaml
@@ -1,7 +1,7 @@
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
 {{- if .serverEnabled -}}
 {{- if eq .mode "ha" }}
+{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml
index 6e22e4c2b..280ec6ca2 100644
--- a/templates/server-discovery-rolebinding.yaml
+++ b/templates/server-discovery-rolebinding.yaml
@@ -1,7 +1,7 @@
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
 {{- if .serverEnabled -}}
 {{- if eq .mode "ha" }}
+{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml
index ef212376d..849c867b7 100644
--- a/templates/server-ha-active-service.yaml
+++ b/templates/server-ha-active-service.yaml
@@ -3,6 +3,7 @@
 {{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if eq .mode "ha" }}
+{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
 # Service for active Vault pod
 apiVersion: v1
 kind: Service
@@ -44,3 +45,4 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index e6d66af84..e0750aa64 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
@@ -3,6 +3,7 @@
 {{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if eq .mode "ha" }}
+{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
 # Service for standby Vault pod
 apiVersion: v1
 kind: Service
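Review bot: The new guard at the top of templates/server-discovery-role.yaml tells a reader only that a boolean is consulted; nothing in the template says what this Role exists for or when switching it off is safe, and the templates/server-discovery-rolebinding.yaml hunk on this line has the same gap. Suggest one Go-template comment directly above the new `if` in both files, e.g. `{{- /* Role/RoleBinding for the permissions Vault's Kubernetes service_registration needs; gated by server.serviceAccount.serviceDiscovery.enabled */ -}}`, so the least-privilege trade-off is visible where the gate lives. Dropping `{{- if ne .mode "external" }}` looks behaviour-preserving because the `eq .mode "ha"` gate remains, and since one `if` replaces another the closing `{{- end }}` lines outside the hunk need no change (the diffstat's `2 +-` for both files agrees), whereas the active/standby service hunks on this line each append an extra `{{- end }}` for their new guard.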
@@ -42,4 +43,5 @@ spec:
 vault-active: "false"
 {{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
+{{- end }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 8d556e827..a4ec05a28 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -52,7 +52,6 @@ spec:
 {{- if not .Values.global.openshift }}
 hostNetwork: {{ .Values.server.hostNetwork }}
 {{- end }}
-
 volumes:
 {{ template "vault.volumes" . }}
 - name: home
diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats
new file mode 100755
index 000000000..11473a081
--- /dev/null
+++ b/test/unit/server-discovery-role.bats
@@ -0,0 +1,41 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/DiscoveryRole: enabled by default with ha" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-role.yaml \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-role.yaml \
+ --set 'server.ha.enabled=true' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "server/DiscoveryRole: can disable with server.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-role.yaml \
+ --set 'server.enabled=false' \
+ --set 'server.ha.enabled=true' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "server/DiscoveryRole: can disable with server.serviceAccount.serviceDiscovery.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-role.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.serviceAccount.serviceDiscovery.enabled=false' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats
new file mode 100755
index 000000000..568c24072
--- /dev/null
+++ b/test/unit/server-discovery-rolebinding.bats
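Review bot: The first assertion in `@test "server/DiscoveryRole: enabled by default with ha"` runs with no `--set` at all and expects `false`, which checks that the default standalone mode renders no Role, a different gate from the one the test name describes; splitting it into its own case such as `@test "server/DiscoveryRole: not rendered by default in standalone mode"` would make a failure point at the right condition. The same test body declares `local actual` twice; the second assignment can be a plain `actual=$( (helm template \`. Both remarks apply unchanged to the copy in the test/unit/server-discovery-rolebinding.bats hunk that follows, which differs only in the test names and the `--show-only` path.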
@@ -0,0 +1,41 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/DiscoveryRoleBinding: enabled by default with ha" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-rolebinding.yaml \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-rolebinding.yaml \
+ --set 'server.ha.enabled=true' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "server/DiscoveryRoleBinding: can disable with server.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-rolebinding.yaml \
+ --set 'server.enabled=false' \
+ --set 'server.ha.enabled=true' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "server/DiscoveryRoleBinding: can disable with server.serviceAccount.serviceDiscovery.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-rolebinding.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.serviceAccount.serviceDiscovery.enabled=false' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
index d74e74913..6a2e34946 100755
--- a/test/unit/server-ha-active-service.bats
+++ b/test/unit/server-ha-active-service.bats
@@ -35,6 +35,18 @@ load _helpers
 [ "${actual}" = "false" ]
 }
+@test "server/ha-active-Service: disable with server.service.active.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-ha-active-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.service.enabled=true' \
+ --set 'server.service.active.enabled=false' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
 @test "server/ha-active-Service: type empty by default" {
 cd `chart_dir`
 local actual=$(helm template \
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats
index 045560ce9..3a9a39f33 100755
--- a/test/unit/server-ha-standby-service.bats
+++ b/test/unit/server-ha-standby-service.bats
@@ -46,6 +46,18 @@ load _helpers
 [ "${actual}" = "false" ]
 }
+@test "server/ha-standby-Service: disable with server.service.standby.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-ha-standby-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.service.enabled=true' \
+ --set 'server.service.standby.enabled=false' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
 @test "server/ha-standby-Service: type empty by default" {
 cd `chart_dir`
 local actual=$(helm template \
diff --git a/values.schema.json b/values.schema.json
index 676efb7c9..2ba9ab84d 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -851,6 +851,14 @@
 "service": {
 "type": "object",
 "properties": {
+ "active": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
 "annotations": {
 "type": [
 "object",
@@ -869,6 +877,14 @@
 "publishNotReadyAddresses": {
 "type": "boolean"
 },
+ "standby": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
 "targetPort": {
 "type": "integer"
 },
@@ -895,8 +911,19 @@
 "create": {
 "type": "boolean"
 },
+ "extraLabels": {
+ "type": "object"
+ },
 "name": {
 "type": "string"
+ },
+ "serviceDiscovery": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
 }
 }
 },
diff --git a/values.yaml b/values.yaml
index a8a036c90..0045066c5 100644
--- a/values.yaml
+++ b/values.yaml
@@ -596,6 +596,14 @@ server:
 # Enables a headless service to be used by the Vault Statefulset
 service:
 enabled: true
+ # Enable or disable the vault-active service, which selects Vault pods that
+ # have labelled themselves as the cluster leader with `vault-active: "true"`
+ active:
+ enabled: true
+ # Enable or disable the vault-standby service, which selects Vault pods that
+ # have labelled themselves as a cluster follower with `vault-active: "false"`
+ standby:
+ enabled: true
 # clusterIP controls whether a Cluster IP address is attached to the
 # Vault service within Kubernetes. By default, the Vault service will
 # be given a Cluster IP address, set to None to disable. When disabled
@@ -854,6 +862,11 @@ server:
 # Extra labels to attach to the serviceAccount
 # This should be a YAML map of the labels to apply to the serviceAccount
 extraLabels: {}
+ # Enable or disable a service account role binding with the permissions required for
+ # Vault's Kubernetes service_registration config option.
+ # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
+ serviceDiscovery:
+ enabled: true
 # Settings for the statefulSet used to run Vault.
 statefulSet:
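Review bot: The new `serviceDiscovery` comment in the second values.yaml hunk describes the flag as controlling "a service account role binding", but the templates/server-discovery-role.yaml hunk earlier in this patch gates the Role itself on the same value, so the comment under-describes what is switched off; suggest `# Enable or disable the Role and RoleBinding that grant the permissions required for`. The `active`/`standby` comments in the first values.yaml hunk say those Services select pods that "have labelled themselves" with `vault-active`; if that label is written using the permissions this Role grants (the service_registration reference suggests so, though the hunk does not show it), then setting `serviceDiscovery.enabled: false` while leaving `active`/`standby` enabled yields two Services whose selectors never match, which deserves a one-line cross-reference under `serviceDiscovery` so operators tightening RBAC do not trip over it. The `extraLabels` entry in the values.schema.json hunk on this line is unrelated to the commit subject; fine to carry, but worth a mention in the description.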