diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 66bc3535e..3e6052b4e 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -301,10 +301,10 @@ Sets extra ui service annotations
 Create the name of the service account to use
 */}}
 {{- define "vault.serviceAccount.name" -}}
-{{- if .Values.server.serviceAccount.create -}}
- {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
+{{- if .Values.global.serviceAccount.create -}}
+ {{ default (include "vault.fullname" .) .Values.global.serviceAccount.name }}
 {{- else -}}
- {{ default "default" .Values.server.serviceAccount.name }}
+ {{ default "default" .Values.global.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 
@@ -312,13 +312,13 @@ Create the name of the service account to use
 Sets extra service account annotations
 */}}
 {{- define "vault.serviceAccount.annotations" -}}
- {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
+ {{- if and (ne .mode "dev") .Values.global.serviceAccount.annotations }}
 annotations:
- {{- $tp := typeOf .Values.server.serviceAccount.annotations }}
+ {{- $tp := typeOf .Values.global.serviceAccount.annotations }}
 {{- if eq $tp "string" }}
- {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }}
+ {{- tpl .Values.global.serviceAccount.annotations . | nindent 4 }}
 {{- else }}
- {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }}
+ {{- toYaml .Values.global.serviceAccount.annotations | nindent 4 }}
 {{- end }}
 {{- end }}
 {{- end -}}
diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml
index 1fcdc0a20..c3080ba2e 100644
--- a/templates/server-clusterrolebinding.yaml
+++ b/templates/server-clusterrolebinding.yaml
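Review bot: The helper now reads only `.Values.global.serviceAccount.*`, so any `server.serviceAccount.*` settings a user still carries in an existing values file are silently ignored on upgrade rather than rejected; an operator who had `server.serviceAccount.create=false` pointing at a pre-existing, deliberately scoped account will instead get a new `RELEASE-NAME-vault` account created, and the ClusterRoleBinding in this diff (which takes its subject from this helper) re-pointed at it. Helm has no key-rename mechanism, so the usual guard is to fail loudly on the old key at the top of the define, e.g. `{{- if .Values.server.serviceAccount }}{{ fail "server.serviceAccount has moved to global.serviceAccount" }}{{ end }}`, and to call the move out in the chart's upgrade notes. The `vault.serviceAccount.annotations` define in the next hunk has the identical silent fallback and would be covered by the same guard.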
@@ -1,5 +1,4 @@
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@@ -19,4 +18,3 @@ subjects:
 name: {{ template "vault.serviceAccount.name" . }}
 namespace: {{ .Release.Namespace }}
 {{ end }}
-{{ end }}
diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml
index f92dbb246..e63e9246a 100644
--- a/templates/server-serviceaccount.yaml
+++ b/templates/server-serviceaccount.yaml
@@ -1,7 +1,6 @@
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
-{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
+{{- if (eq (.Values.global.serviceAccount.create | toString) "true" ) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -15,4 +14,3 @@ metadata:
 {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
 {{ end }}
-{{ end }}
diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats
index d0d2acf8a..bf0a4d858 100755
--- a/test/unit/server-clusterrolebinding.bats
+++ b/test/unit/server-clusterrolebinding.bats
@@ -61,12 +61,12 @@ load _helpers
 [ "${actual}" = "false" ]
 }
 
-@test "server/ClusterRoleBinding: disable with injector.externalVaultAddr" {
+@test "server/ClusterRoleBinding: also deploy with injector.externalVaultAddr" {
 cd `chart_dir`
 local actual=$( (helm template \
 --show-only templates/server-clusterrolebinding.yaml \
 --set 'injector.externalVaultAddr=http://vault-outside' \
 . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "false" ]
+ [ "${actual}" = "true" ]
 }
diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats
index 29e18b56f..1d2c4bb37 100755
--- a/test/unit/server-serviceaccount.bats
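Review bot: Removing the `ne .mode "external"` guard means a release rendered with `injector.externalVaultAddr` now creates a cluster-scoped binding (presumably to `system:auth-delegator`, given the `server.authDelegator.enabled` switch) for an account that, in that mode, no pod from this chart appears to run under, so `server.authDelegator.enabled` becomes the only opt-out and the grant is worth making explicit. A template comment above the remaining `if`, such as `{{/* Also rendered in external mode so an external Vault can use this account's token for TokenReview; disable via server.authDelegator.enabled */}}`, would preserve the intent the deleted guard used to carry. The bats change in this diff only asserts that something renders; a companion case with `--set 'injector.externalVaultAddr=http://vault-outside' --set 'server.authDelegator.enabled=false'` asserting `false` would pin that opt-out. The context line still uses `rbac.authorization.k8s.io/v1beta1`, which is pre-existing but removed in Kubernetes 1.22 and cheap to move to `v1` while this file is being touched.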
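Review bot: With the `ne .mode "external"` guard gone, the ServiceAccount is rendered whenever `global.serviceAccount.create` is true, including in external mode where (per the new values.yaml comment in this diff) its token exists only to be handed to an external Vault for token validation; nothing in the two remaining conditions tells a reader that. A one-line comment above the `if`, `{{/* Also created in external mode: the account's token is used by an external Vault to validate Kubernetes tokens */}}`, would document that, and if the token is only ever exported it may also be worth confirming whether `automountServiceAccountToken` should be set on this account, since no pod needs it mounted in that mode. The `metadata:` block this hunk opens continues past the hunk.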
+++ b/test/unit/server-serviceaccount.bats
@@ -8,7 +8,7 @@ load _helpers
 local actual=$( (helm template \
 --show-only templates/server-serviceaccount.yaml \
 --set 'server.dev.enabled=true' \
- --set 'server.serviceAccount.create=false' \
+ --set 'global.serviceAccount.create=false' \
 . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
@@ -16,7 +16,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-serviceaccount.yaml \
 --set 'server.dev.enabled=true' \
- --set 'server.serviceAccount.name=user-defined-ksa' \
+ --set 'global.serviceAccount.name=user-defined-ksa' \
 . | tee /dev/stderr |
 yq -r '.metadata.name' | tee /dev/stderr)
 [ "${actual}" = "user-defined-ksa" ]
@@ -35,7 +35,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-serviceaccount.yaml \
 --set 'server.dev.enabled=true' \
- --set 'server.serviceAccount.annotations=foo: bar' \
+ --set 'global.serviceAccount.annotations=foo: bar' \
 . | tee /dev/stderr |
 yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
 [ "${actual}" = "null" ]
@@ -43,7 +43,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-serviceaccount.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.serviceAccount.annotations=foo: bar' \
+ --set 'global.serviceAccount.annotations=foo: bar' \
 . | tee /dev/stderr |
 yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
 [ "${actual}" = "bar" ]
@@ -51,7 +51,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-serviceaccount.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.serviceAccount.annotations.foo=bar' \
+ --set 'global.serviceAccount.annotations.foo=bar' \
 . | tee /dev/stderr |
 yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
 [ "${actual}" = "bar" ]
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 0b9f243a5..f1af30aed 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -1407,16 +1407,16 @@ load _helpers
 
 local actual=$(helm template \
 --show-only templates/server-statefulset.yaml \
- --set 'server.serviceAccount.create=false' \
- --set 'server.serviceAccount.name=user-defined-ksa' \
+ --set 'global.serviceAccount.create=false' \
+ --set 'global.serviceAccount.name=user-defined-ksa' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
 [ "${actual}" = "user-defined-ksa" ]
 
 local actual=$(helm template \
 --show-only templates/server-statefulset.yaml \
- --set 'server.serviceAccount.create=true' \
- --set 'server.serviceAccount.name=user-defined-ksa' \
+ --set 'global.serviceAccount.create=true' \
+ --set 'global.serviceAccount.name=user-defined-ksa' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
 [ "${actual}" = "user-defined-ksa" ]
@@ -1427,14 +1427,14 @@ load _helpers
 
 local actual=$(helm template \
 --show-only templates/server-statefulset.yaml \
- --set 'server.serviceAccount.create=false' \
+ --set 'global.serviceAccount.create=false' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
 [ "${actual}" = "default" ]
 
 local actual=$(helm template \
 --show-only templates/server-statefulset.yaml \
- --set 'server.serviceAccount.create=true' \
+ --set 'global.serviceAccount.create=true' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
 [ "${actual}" = "RELEASE-NAME-vault" ]
diff --git a/values.yaml b/values.yaml
index a9570520e..c2d56f5ef 100644
--- a/values.yaml
+++ b/values.yaml
@@ -22,6 +22,19 @@ global:
 apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
 seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
 apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+ # Definition of the serviceAccount used to run Vault.
+ # These options are also used when using an external Vault server to validate
+ # Kubernetes tokens.
+ serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+ # Extra annotations for the serviceAccount definition. This can either be
+ # YAML or a YAML-formatted multi-line templated string map of the
+ # annotations to apply to the serviceAccount.
+ annotations: {}
 
 injector:
 # True if you want to enable vault agent injection.
@@ -526,17 +539,6 @@ server:
 # replicas. If you'd like a custom value, you can specify an override here.
 maxUnavailable: null
 
- # Definition of the serviceAccount used to run Vault.
- serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
- # Extra annotations for the serviceAccount definition. This can either be
- # YAML or a YAML-formatted multi-line templated string map of the
- # annotations to apply to the serviceAccount.
- annotations: {}
 
 # Settings for the statefulSet used to run Vault.
 statefulSet:
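Review bot: The new comment block says the account is used by an external Vault to validate Kubernetes tokens, but not that the chart (per the template changes in this diff) now also renders the `server.authDelegator` ClusterRoleBinding for this account when `injector.externalVaultAddr` is set, which is the privilege a reader of `values.yaml` most needs to know about and the only remaining switch for it. Adding `# When injector.externalVaultAddr is set, the server.authDelegator ClusterRoleBinding is still created for this account; set server.authDelegator.enabled=false if the external Vault does not need it.` under the existing two lines would make that grant discoverable from the values file. It would also help to note here that the keys moved from `server.serviceAccount` and that the old location is no longer read, since Helm will not warn about stale values.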