Merge pull request #13 from SolaceDev/DATAGO-30302/upgrading-vault-to…

…-1.8.11 Datago 30302/upgrading vault to 1.8.11
SolaceDev · Jul 15, 2022 · 3eca6fb · 3eca6fb
2 parents c4ab664 + b3cadd7
commit 3eca6fb
Show file tree

Hide file tree

Showing 46 changed files with 1,166 additions and 253 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -16,7 +16,7 @@ jobs:
       - image: docker.mirror.hashicorp.services/cimg/go:1.16
     environment:
       BATS_VERSION: "1.3.0"
-      CHART_VERIFIER_VERSION: "1.0.0"
+      CHART_VERIFIER_VERSION: "1.2.1"
     steps:
       - checkout
       - run:
@@ -94,7 +94,7 @@ workflows:
             - bats-unit-test
           filters:
             branches:
-              only: master
+              only: main
   update-helm-charts-index:
     jobs:
       - update-helm-charts-index:

diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,4 @@ vaul-helm-dev-creds.json
 ./test/unit/vaul-helm-dev-creds.json
 ./test/acceptance/values.yaml
 ./test/acceptance/values.yml
+.idea
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,61 @@
 ## Unreleased
 
+## 0.17.1 (October 25th, 2021)
+
+Improvements:
+  * Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634)
+
+## 0.17.0 (October 21st, 2021)
+
+KNOWN ISSUES:
+* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set
+
+CHANGES:
+* Vault image default 1.8.4
+* Vault K8s image default 0.14.0
+
+Improvements:
+* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590)
+* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626)
+* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630)
+
+Bugs:
+* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628)
+
+## 0.16.1 (September 29th, 2021)
+
+CHANGES:
+* Vault image default 1.8.3
+* Vault K8s image default 0.13.1
+
+## 0.16.0 (September 16th, 2021)
+
+CHANGES:
+* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`.
+
+Improvements:
+ * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603)
+ * Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607)
+
+## 0.15.0 (August 23rd, 2021)
+
+Improvements:
+* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572)
+* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584)
+
+## 0.14.0 (July 28th, 2021)
+
+Features:
+* Added templateConfig.exitOnRetryFailure annotation for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560)
+
+Improvements:
+* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565)
+* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
+* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
+* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
+* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
+* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576)
+
 ## 0.13.0 (June 17th, 2021)
 
 Improvements:

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -26,7 +26,7 @@ quickly merge or address your contributions.
 
 * Make sure you test against the latest released version. It is possible
   we already fixed the bug you're experiencing. Even better is if you can test
-  against `master`, as bugs are fixed regularly but new versions are only
+  against `main`, as bugs are fixed regularly but new versions are only
   released every few months.
 
 * Provide steps to reproduce the issue, and if possible include the expected
@@ -121,7 +121,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
 start from a clean slate.
 
 **Note:** There is a Terraform configuration in the
-[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/master/test/terraform) directory
+[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory
 that can be used to quickly bring up a GKE cluster and configure
 `kubectl` and `helm` locally. This can be used to quickly spin up a test
 cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes

diff --git a/Chart.yaml b/Chart.yaml
@@ -1,9 +1,10 @@
 apiVersion: v2
 name: vault
-version: 0.13.0
-appVersion: 1.7.3
+version: 0.17.1
+appVersion: 1.8.4
 kubeVersion: ">= 1.14.0-0"
-description: Official HashiCorp Vault Chart
+description: Install and configure Vault on Kubernetes.
+
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
 keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]

diff --git a/Makefile b/Makefile
@@ -4,6 +4,19 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
 ACCEPTANCE_TESTS?=acceptance
 
+
+# filter bats unit tests to run.
+UNIT_TESTS_FILTER?='.*'
+
+# set to 'true' to run acceptance tests locally in a kind cluster
+LOCAL_ACCEPTANCE_TESTS?=false
+
+# kind cluster name
+KIND_CLUSTER_NAME?=vault-helm
+
+# kind k8s version
+KIND_K8S_VERSION?=v1.20.2
+
 # Generate json schema for chart values. See test/README.md for more details.
 values-schema:
 	helm schema-gen values.yaml > values.schema.json
@@ -12,7 +25,7 @@ test-image:
 	@docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
 
 test-unit:
-	@docker run -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats /helm-test/test/unit
+	@docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit
 
 test-bats: test-unit test-acceptance
 
@@ -21,14 +34,19 @@ test: test-image test-bats
 # run acceptance tests on GKE
 # set google project/credential vars above
 test-acceptance:
+ifeq ($(LOCAL_ACCEPTANCE_TESTS),true)
+	make setup-kind acceptance
+else
 	@docker run -it -v ${PWD}:/helm-test \
 	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
 	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
 	-e KUBECONFIG=/helm-test/.kube/config \
+	-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
 	-w /helm-test \
 	$(TEST_IMAGE) \
 	make acceptance
-
+endif
+
 # destroy GKE cluster using terraform
 test-destroy:
 	@docker run -it -v ${PWD}:/helm-test \
@@ -51,7 +69,9 @@ test-provision:
 # this target is for running the acceptance tests
 # it is run in the docker container above when the test-acceptance target is invoked
 acceptance:
+ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
 	gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
+endif
 	bats test/${ACCEPTANCE_TESTS}
 
 # this target is for provisioning the GKE cluster
@@ -66,4 +86,17 @@ provision-cluster:
 destroy-cluster:
 	terraform destroy -auto-approve
 
+# create a kind cluster for running the acceptance tests locally
+setup-kind:
+	kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \
+	kind create cluster \
+	--image kindest/node:${KIND_K8S_VERSION} \
+	--name ${KIND_CLUSTER_NAME}  \
+	--config $(CURDIR)/test/kind/config.yaml
+	kubectl config use-context kind-${KIND_CLUSTER_NAME}
+
+# delete the kind cluster
+delete-kind:
+	kind delete cluster --name ${KIND_CLUSTER_NAME} || :
+
 .PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster
diff --git a/README.md b/README.md
@@ -43,10 +43,9 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
 $ helm install vault hashicorp/vault
 ```
 
-Please see the many options supported in the `values.yaml` file. These are also
-fully documented directly on the [Vault
-website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more
-detailed installation instructions.
+Please see the many options supported in the `values.yaml`
+file. These are also fully documented directly on the
+[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html).
 
 
 ## Customizations

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -232,7 +232,12 @@ Set's the affinity for pod placement when running in standalone and HA modes.
 {{- define "vault.affinity" -}}
   {{- if and (ne .mode "dev") .Values.server.affinity }}
       affinity:
-        {{ tpl .Values.server.affinity . | nindent 8 | trim }}
+        {{ $tp := typeOf .Values.server.affinity }}
+        {{- if eq $tp "string" }}
+          {{- tpl .Values.server.affinity . | nindent 8 | trim }}
+        {{- else }}
+          {{- toYaml .Values.server.affinity | nindent 8 }}
+        {{- end }}
   {{ end }}
 {{- end -}}
 
@@ -242,17 +247,27 @@ Sets the injector affinity for pod placement
 {{- define "injector.affinity" -}}
   {{- if .Values.injector.affinity }}
       affinity:
-        {{ tpl .Values.injector.affinity . | nindent 8 | trim }}
+        {{ $tp := typeOf .Values.injector.affinity }}
+        {{- if eq $tp "string" }}
+          {{- tpl .Values.injector.affinity . | nindent 8 | trim }}
+        {{- else }}
+          {{- toYaml .Values.injector.affinity | nindent 8 }}
+        {{- end }}
   {{ end }}
 {{- end -}}
 
 {{/*
-Set's the toleration for pod placement when running in standalone and HA modes.
+Sets the toleration for pod placement when running in standalone and HA modes.
 */}}
 {{- define "vault.tolerations" -}}
   {{- if and (ne .mode "dev") .Values.server.tolerations }}
       tolerations:
+      {{- $tp := typeOf .Values.server.tolerations }}
+      {{- if eq $tp "string" }}
         {{ tpl .Values.server.tolerations . | nindent 8 | trim }}
+      {{- else }}
+        {{- toYaml .Values.server.tolerations | nindent 8 }}
+      {{- end }}
   {{- end }}
 {{- end -}}
 
@@ -262,7 +277,12 @@ Sets the injector toleration for pod placement
 {{- define "injector.tolerations" -}}
   {{- if .Values.injector.tolerations }}
       tolerations:
+      {{- $tp := typeOf .Values.injector.tolerations }}
+      {{- if eq $tp "string" }}
         {{ tpl .Values.injector.tolerations . | nindent 8 | trim }}
+      {{- else }}
+        {{- toYaml .Values.injector.tolerations | nindent 8 }}
+      {{- end }}
   {{- end }}
 {{- end -}}
 
@@ -272,7 +292,12 @@ Set's the node selector for pod placement when running in standalone and HA mode
 {{- define "vault.nodeselector" -}}
   {{- if and (ne .mode "dev") .Values.server.nodeSelector }}
       nodeSelector:
-        {{ tpl .Values.server.nodeSelector . | indent 8 | trim }}
+      {{- $tp := typeOf .Values.server.nodeSelector }}
+      {{- if eq $tp "string" }}
+        {{ tpl .Values.server.nodeSelector . | nindent 8 | trim }}
+      {{- else }}
+        {{- toYaml .Values.server.nodeSelector | nindent 8 }}
+      {{- end }}
   {{- end }}
 {{- end -}}
 
@@ -282,7 +307,12 @@ Sets the injector node selector for pod placement
 {{- define "injector.nodeselector" -}}
   {{- if .Values.injector.nodeSelector }}
       nodeSelector:
-        {{ tpl .Values.injector.nodeSelector . | indent 8 | trim }}
+      {{- $tp := typeOf .Values.injector.nodeSelector }}
+      {{- if eq $tp "string" }}
+        {{ tpl .Values.injector.nodeSelector . | nindent 8 | trim }}
+      {{- else }}
+        {{- toYaml .Values.injector.nodeSelector | nindent 8 }}
+      {{- end }}
   {{- end }}
 {{- end -}}
 
@@ -331,6 +361,21 @@ Sets extra injector service annotations
   {{- end }}
 {{- end -}}
 
+{{/*
+Sets extra injector webhook annotations
+*/}}
+{{- define "injector.webhookAnnotations" -}}
+  {{- if .Values.injector.webhookAnnotations }}
+  annotations:
+    {{- $tp := typeOf .Values.injector.webhookAnnotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Sets extra ui service annotations
 */}}
@@ -527,7 +572,12 @@ Sets the injector toleration for pod placement
 {{- define "csi.pod.tolerations" -}}
   {{- if .Values.csi.pod.tolerations }}
       tolerations:
+      {{- $tp := typeOf .Values.csi.pod.tolerations }}
+      {{- if eq $tp "string" }}
         {{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }}
+      {{- else }}
+        {{- toYaml .Values.csi.pod.tolerations | nindent 8 }}
+      {{- end }}
   {{- end }}
 {{- end -}}
 
@@ -596,3 +646,55 @@ Inject extra environment populated by secrets, if populated
 {{ "https" }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+imagePullSecrets generates pull secrets from either string or map values.
+A map value must be indexable by the key 'name'.
+*/}}
+{{- define "imagePullSecrets" -}}
+{{- with .Values.global.imagePullSecrets -}}
+imagePullSecrets:
+{{- range . -}}
+{{- if typeIs "string" . }}
+  - name: {{ . }}
+{{- else if index . "name" }}
+  - name: {{ .name }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+externalTrafficPolicy sets a Service's externalTrafficPolicy if applicable.
+Supported inputs are Values.server.service and Values.ui
+*/}}
+{{- define "service.externalTrafficPolicy" -}}
+{{- $type := "" -}}
+{{- if .serviceType -}}
+{{- $type = .serviceType -}}
+{{- else if .type -}}
+{{- $type = .type -}}
+{{- end -}}
+{{- if and .externalTrafficPolicy (or (eq $type "LoadBalancer") (eq $type "NodePort")) }}
+  externalTrafficPolicy: {{ .externalTrafficPolicy }}
+{{- else }}
+{{- end }}
+{{- end -}}
+
+{{/*
+loadBalancer configuration for the the UI service.
+Supported inputs are Values.ui
+*/}}
+{{- define "service.loadBalancer" -}}
+{{- if  eq (.serviceType | toString) "LoadBalancer" }}
+{{- if .loadBalancerIP }}
+  loadBalancerIP: {{ .loadBalancerIP }}
+{{- end }}
+{{- with .loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{- range . }}
+  - {{ . }}
+{{- end }}
+{{- end -}}
+{{- end }}
+{{- end -}}