diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644
index 000000000..e1bce111f
--- /dev/null
+++ b/.circleci/config.yml
@@ -0,0 +1,106 @@
+version: 2.1
+orbs:
+ slack: circleci/slack@3.4.2
+
+jobs:
+ bats-unit-test:
+ docker:
+ # This image is built from test/docker/Test.dockerfile
+ - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
+ steps:
+ - checkout
+ - run: bats ./test/unit -t
+
+ chart-verifier:
+ docker:
+ - image: docker.mirror.hashicorp.services/cimg/go:1.16
+ environment:
+ BATS_VERSION: "1.3.0"
+ CHART_VERIFIER_VERSION: "1.0.0"
+ steps:
+ - checkout
+ - run:
+ name: install chart-verifier
+ command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
+ - run:
+ name: install bats
+ command: |
+ curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz
+ tar -zxf /tmp/bats.tgz -C /tmp
+ sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local
+ - run:
+ name: run chart-verifier tests
+ command: bats ./test/chart -t
+
+ acceptance:
+ docker:
+ # This image is build from test/docker/Test.dockerfile
+ - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
+
+ steps:
+ - checkout
+ - run:
+ name: terraform init & apply
+ command: |
+ echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json
+ export GOOGLE_CREDENTIALS=vault-helm-test.json
+ make provision-cluster
+ - run:
+ name: Run acceptance tests
+ command: bats ./test/acceptance -t
+
+ - run:
+ name: terraform destroy
+ command: |
+ export GOOGLE_CREDENTIALS=vault-helm-test.json
+ make destroy-cluster
+ when: always
+ update-helm-charts-index:
+ docker:
+ - image: docker.mirror.hashicorp.services/circleci/golang:1.15.3
+ steps:
+ - checkout
+ - run:
+ name: verify Chart version matches tag version
+ command: |
+ GO111MODULE=on go get github.com/mikefarah/yq/v2
+ git_tag=$(echo "${CIRCLE_TAG#v}")
+ chart_tag=$(yq r Chart.yaml version)
+ if [ "${git_tag}" != "${chart_tag}" ]; then
+ echo "chart version (${chart_tag}) did not match git version (${git_tag})"
+ exit 1
+ fi
+ - run:
+ name: update helm-charts index
+ command: |
+ curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
+ -X POST \
+ -H 'Content-Type: application/json' \
+ -H 'Accept: application/json' \
+ -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
+ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
+ - slack/status:
+ fail_only: true
+ failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}"
+
+workflows:
+ version: 2
+ build_and_test:
+ jobs:
+ - bats-unit-test
+ - chart-verifier
+ - acceptance:
+ requires:
+ - bats-unit-test
+ filters:
+ branches:
+ only: master
+ update-helm-charts-index:
+ jobs:
+ - update-helm-charts-index:
+ context: helm-charts-trigger-vault
+ filters:
+ tags:
+ only: /^v.*/
+ branches:
+ ignore: /.*/
diff --git a/README.md b/README.md
index 9b33e2e25..2cffb757d 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@ Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the [Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + ## Customizations This Helm chart has been customized in the following ways:
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 4cd9df3c3..ce477e91c 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -131,6 +131,8 @@ template logic.
 {{- $_ := set . "mode" "external" -}}
 {{- else if not .serverEnabled -}}
 {{- $_ := set . "mode" "external" -}}
+ {{- else if ne (.Values.server.enabled | toString) "true" -}}
+ {{- $_ := set . "mode" "external" -}}
 {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
 {{- $_ := set . "mode" "dev" -}}
 {{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
index aa6edc46c..043630f58 100644
--- a/test/acceptance/csi.bats
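Review bot: The `install bats` and `verify Chart version matches tag version` steps pull build tooling without integrity pinning: `GO111MODULE=on go get github.com/mikefarah/yq/v2` resolves to whatever the newest v2.x is at run time, and the bats tarball is fetched by version tag but handed to `sudo /bin/bash .../install.sh` with no checksum, so a moved tag or a tampered release silently changes what runs in the release pipeline. Pin yq to an exact version (`GO111MODULE=on go get github.com/mikefarah/yq/v2@<PINNED_YQ_VERSION>`, placeholder) and verify the archive before extracting, e.g. `echo "<EXPECTED_SHA256>  /tmp/bats.tgz" | sha256sum -c -` (placeholder digest). The acceptance job decodes the GCP credential into the checkout directory with `echo -e`, which interprets backslash escapes; `printf '%s' "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json` is the safer form, and an `rm -f vault-helm-test.json` at the end of the `terraform destroy` step would keep the key from lingering in the workspace after the job. The comment above the acceptance image also has a typo: "This image is build from" should read "This image is built from".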
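Review bot: The new `else if ne (.Values.server.enabled | toString) "true"` branch has exactly the same body as the `not .serverEnabled` branch directly above it, and nothing in the hunk says how the two conditions differ, so a reader cannot tell whether this guards a distinct input or is redundant. Add a comment above the new branch naming the case it covers, e.g. `{{/* server.enabled=false forces external mode regardless of the dev/ha flags below */}}`, and confirm that an unset `server.enabled` (which presumably does not stringify to "true") is meant to land in external mode rather than fall through to the dev/ha checks. If the two conditions are intended to be equivalent, folding them into one `or (not .serverEnabled) (ne (.Values.server.enabled | toString) "true")` branch would remove the duplicated body. The enclosing template definition starts and ends outside the hunk.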
+++ b/test/acceptance/csi.bats
@@ -4,7 +4,6 @@ load _helpers
 @test "csi: testing deployment" {
 cd `chart_dir`
- kubectl delete namespace acceptance --ignore-not-found=true
 kubectl create namespace acceptance
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 7723a1565..3a66eac45 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -963,7 +963,6 @@ EOF
 local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr)
 [ "${value}" = "64Mi" ]
-
 }
 @test "injector/deployment: can set agent default resources" {
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 67cde811b..851410ac9 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -1857,3 +1857,59 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.port' | tee /dev/stderr)
 [ "${actual}" = "8200" ]
 }
+
+#--------------------------------------------------------------------
+# enterprise license autoload support
+@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enterpriseLicense.secretName=foo' \
+ --set 'server.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr)
+ [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ]
+}
+
+@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enterpriseLicense.secretName=foo' \
+ --set 'server.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr)
+ [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ]
+}
+
+@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enterpriseLicense.secretName=foo' \
+ --set 'server.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+ [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ]
+}
+
+@test "server/StatefulSet: blank secretName does not set env var" {
+ cd `chart_dir`
+
+ # setting secretName=null
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enterpriseLicense.secretName=null' \
+ --set 'server.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+ [ "${actual}" = '' ]
+
+ # omitting secretName
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+ [ "${actual}" = '' ]
+}
diff --git a/values.yaml b/values.yaml
index 8955c887e..8bbe4972f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -214,6 +215,15 @@ injector:
 # matchLabels:
 # sidecar-injector: enabled
 namespaceSelector: {}
+ # objectSelector is the selector for restricting the webhook to only
+ # specific labels.
+ # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
+ # for more details.
+ # Example:
+ # objectSelector:
+ # matchLabels:
+ # vault-sidecar-injector: enabled
+ objectSelector: {}
 # Deprecated: please use 'webhook.objectSelector' instead
 # objectSelector is the selector for restricting the webhook to only
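Review bot: The negative test `blank secretName does not set env var` only asserts that VAULT_LICENSE_PATH is absent; it does not check that the `vault-license` volume and volumeMount are also omitted, which is the case that matters at deploy time, since a secret volume referencing a Secret that does not exist keeps the pod from starting. Add the same two lookups to that test with an empty expected value, e.g. `yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")'` and `yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")'`, each compared with `''`. The literal `"defaultMode":288` in the first test is opaque; a comment such as `# 288 == 0440: license file readable only by owner and group` would document why that mode is asserted. The `helm template` invocation is repeated verbatim in all four tests, so a small helper in _helpers would reduce drift. The first three lines of the hunk belong to the preceding test, which starts outside the hunk.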