From 690ee410efac3aae6f46600aca4bd567b7d42a77 Mon Sep 17 00:00:00 2001
From: guru1306
Date: Sat, 20 Feb 2021 09:32:04 +0530
Subject: [PATCH 001/115] Add objectSelector to webhookconfiguration (#456)
---
 templates/injector-mutating-webhook.yaml | 4 ++++
 test/unit/injector-mutating-webhook.bats | 23 +++++++++++++++++++++++
 values.yaml | 9 +++++++++
 3 files changed, 36 insertions(+)
diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index df28dc81a..abe23aabc 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -32,6 +32,10 @@ webhooks:
 namespaceSelector:
 {{ toYaml .Values.injector.namespaceSelector | indent 6}}
 {{ end }}
+{{- if .Values.injector.objectSelector }}
+ objectSelector:
+{{ toYaml .Values.injector.objectSelector | indent 6}}
+{{ end }}
 {{- with .Values.injector.failurePolicy }}
 failurePolicy: {{.}}
 {{ end }}
diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats
index bb307f857..65f505bcf 100755
--- a/test/unit/injector-mutating-webhook.bats
+++ b/test/unit/injector-mutating-webhook.bats
@@ -76,6 +76,29 @@ load _helpers
 [ "${actual}" = "true" ]
 }
+@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
+ --set 'injector.enabled=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq '.webhooks[0].objectSelector' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+}
+
+@test "injector/MutatingWebhookConfiguration: can set objectSelector" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
+ --set 'injector.enabled=true' \
+ --set 'injector.objectSelector.matchLabels.injector=true' \
+ . | tee /dev/stderr |
+ yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr)
+
+ [ "${actual}" = "true" ]
+}
+
 @test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" {
 cd `chart_dir`
 local actual=$(helm template \
diff --git a/values.yaml b/values.yaml
index 2aa0e3bbc..49836b73c 100644
--- a/values.yaml
+++ b/values.yaml
@@ -80,6 +80,15 @@ injector:
 # matchLabels:
 # sidecar-injector: enabled
 namespaceSelector: {}
+ # objectSelector is the selector for restricting the webhook to only
+ # specific labels.
+ # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
+ # for more details.
+ # Example:
+ # objectSelector:
+ # matchLabels:
+ # vault-sidecar-injector: enabled
+ objectSelector: {}
 # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the
 # API Version of the WebHook.
From ff735774c43cc94a64bf58c2f7d0de44f057dbd6 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Fri, 19 Feb 2021 23:03:15 -0500
Subject: [PATCH 002/115] changelog++
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 67e53fce8..7206d1c7e 100644
--- a/CHANGELOG.md
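Review bot: The new values.yaml comment describes objectSelector as "restricting the webhook to only specific labels", which is imprecise: the selector is evaluated against the labels of the object being admitted (here the pod under creation), so `# objectSelector restricts the webhook to objects whose labels match the selector` says what it does and what it does not do (it does not filter on namespace labels, which is namespaceSelector's job). The template renders the value with the same `toYaml ... | indent 6` pattern as namespaceSelector, so matchExpressions works as well as the matchLabels example given, and the comment could say so.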
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
+Improvements:
+* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456)
+
 ## 0.9.1 (February 2nd, 2021)
 Bugs:
From 4c1d79f46ec6557140756ba713a2e79ec0579fbc Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Fri, 19 Mar 2021 14:14:38 +0000
Subject: [PATCH 003/115] Add CSI secrets store provider (#461)
---
 templates/_helpers.tpl | 55 +++
 templates/csi-clusterrole.yaml | 17 +
 templates/csi-clusterrolebinding.yaml | 18 +
 templates/csi-daemonset.yaml | 89 ++++
 templates/csi-serviceaccount.yaml | 12 +
 test/acceptance/csi-test/nginx.yaml | 26 ++
 .../vault-kv-secretproviderclass.yaml | 15 +
 test/acceptance/csi-test/vault-policy.hcl | 7 +
 test/acceptance/csi.bats | 59 +++
 test/unit/csi-clusterrole.bats | 22 +
 test/unit/csi-clusterrolebinding.bats | 22 +
 test/unit/csi-daemonset.bats | 380 ++++++++++++++++++
 test/unit/csi-serviceaccount.bats | 48 +++
 values.yaml | 77 ++++
 14 files changed, 847 insertions(+)
 create mode 100644 templates/csi-clusterrole.yaml
 create mode 100644 templates/csi-clusterrolebinding.yaml
 create mode 100644 templates/csi-daemonset.yaml
 create mode 100644 templates/csi-serviceaccount.yaml
 create mode 100644 test/acceptance/csi-test/nginx.yaml
 create mode 100644 test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
 create mode 100644 test/acceptance/csi-test/vault-policy.hcl
 create mode 100644 test/acceptance/csi.bats
 create mode 100644 test/unit/csi-clusterrole.bats
 create mode 100644 test/unit/csi-clusterrolebinding.bats
 create mode 100644 test/unit/csi-daemonset.bats
 create mode 100644 test/unit/csi-serviceaccount.bats
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 512bb32f3..bee8f81d2 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -475,6 +475,61 @@ Sets the container resources if the user has set any.
 {{ end }}
 {{- end -}}
+{{/*
+Sets the container resources if the user has set any.
+*/}}
+{{- define "csi.resources" -}}
+ {{- if .Values.csi.resources -}}
+ resources:
+{{ toYaml .Values.csi.resources | indent 12}}
+ {{ end }}
+{{- end -}}
+
+{{/*
+Sets extra CSI daemonset annotations
+*/}}
+{{- define "csi.daemonSet.annotations" -}}
+ {{- if .Values.csi.daemonSet.annotations }}
+ annotations:
+ {{- $tp := typeOf .Values.csi.daemonSet.annotations }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }}
+ {{- else }}
+ {{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra CSI provider pod annotations
+*/}}
+{{- define "csi.pod.annotations" -}}
+ {{- if .Values.csi.pod.annotations }}
+ annotations:
+ {{- $tp := typeOf .Values.csi.pod.annotations }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.csi.pod.annotations . | nindent 8 }}
+ {{- else }}
+ {{- toYaml .Values.csi.pod.annotations | nindent 8 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra CSI service account annotations
+*/}}
+{{- define "csi.serviceAccount.annotations" -}}
+ {{- if .Values.csi.serviceAccount.annotations }}
+ annotations:
+ {{- $tp := typeOf .Values.csi.serviceAccount.annotations }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }}
+ {{- else }}
+ {{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
 {{/*
 Inject extra environment vars in the format key:value, if populated
 */}}
diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml
new file mode 100644
index 000000000..35625a493
--- /dev/null
+++ b/templates/csi-clusterrole.yaml
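Review bot: The doc comment on the new `csi.resources` helper is a verbatim copy of the preceding helper's, `Sets the container resources if the user has set any.`, so the two definitions read identically when searched; `Sets the CSI provider container resources if the user has set any.` distinguishes them. The three annotation helpers pass a string-typed value through `tpl`, which renders it as a template with the full chart context; that follows the chart's existing annotation helpers, but a short line in each header comment, such as `A string value is rendered with tpl and may reference .Values and .Release.`, would tell operators what a string annotation value can expand to.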
@@ -0,0 +1,17 @@
+{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "vault.name" . }}-csi-provider-clusterrole
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+{{- end }}
diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml
new file mode 100644
index 000000000..63d69c7b1
--- /dev/null
+++ b/templates/csi-clusterrolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: {{ template "vault.fullname" . }}-csi-provider
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
new file mode 100644
index 000000000..b7a762213
--- /dev/null
+++ b/templates/csi-daemonset.yaml
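Review bot: The ClusterRole is named `{{ include "vault.name" . }}-csi-provider-clusterrole`, but the ClusterRoleBinding in the next hunk points its roleRef at `{{ template "vault.fullname" . }}-csi-provider-clusterrole`, and the same split recurs between the ServiceAccount (`vault.fullname`) and the DaemonSet's `serviceAccountName` (`vault.name`) in the csi-serviceaccount.yaml and csi-daemonset.yaml hunks. Both helpers are defined outside this patch, but a fullname helper normally prefixes the release name, in which case the binding references a ClusterRole that does not exist and the provider pods reference a missing ServiceAccount; the acceptance test installs the release as `vault`, which presumably makes the two names coincide, so it would not surface this. Use one helper for all four resources, e.g. `name: {{ template "vault.fullname" . }}-csi-provider-clusterrole` here and `serviceAccountName: {{ template "vault.fullname" . }}-csi-provider` in the DaemonSet. The rule itself grants `create` on `serviceaccounts/token` for every service account in the cluster, with no `resourceNames` restriction; a comment above `rules:` such as `# TokenRequest on workload service accounts; a ClusterRole because the provider serves pods in any namespace` would let an operator reviewing the RBAC see that the scope is intentional.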
@@ -0,0 +1,89 @@
+{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{ template "csi.daemonSet.annotations" . }}
+spec:
+ updateStrategy:
+ type: {{ .Values.csi.daemonSet.updateStrategy.type }}
+ {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{ template "csi.pod.annotations" . }}
+ spec:
+ serviceAccountName: {{ include "vault.name" . }}-csi-provider
+ containers:
+ - name: {{ include "vault.name" . }}-csi-provider
+ {{ template "csi.resources" . }}
+ image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
+ imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
+ args:
+ - --endpoint=/provider/vault.sock
+ - --debug={{ .Values.csi.debug }}
+ volumeMounts:
+ - name: providervol
+ mountPath: "/provider"
+ - name: mountpoint-dir
+ mountPath: /var/lib/kubelet/pods
+ mountPropagation: HostToContainer
+ {{- range .Values.csi.extraVolumes }}
+ - name: userconfig-{{ .name }}
+ mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
+ readOnly: true
+ {{- end }}
+ {{- if .Values.csi.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /health/ready
+ port: 8080
+ failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
+ initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
+ successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
+ timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
+ {{- end }}
+ {{- if .Values.csi.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /health/ready
+ port: 8080
+ failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
+ initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
+ successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
+ timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
+ {{- end }}
+ volumes:
+ - name: providervol
+ hostPath:
+ path: "/etc/kubernetes/secrets-store-csi-providers"
+ - name: mountpoint-dir
+ hostPath:
+ path: /var/lib/kubelet/pods
+ {{- range .Values.csi.extraVolumes }}
+ - name: userconfig-{{ .name }}
+ {{ .type }}:
+ {{- if (eq .type "configMap") }}
+ name: {{ .name }}
+ {{- else if (eq .type "secret") }}
+ secretName: {{ .name }}
+ {{- end }}
+ defaultMode: {{ .defaultMode | default 420 }}
+ {{- end }}
+{{- end }}
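Review bot: The provider container is given two host-path mounts, `/var/lib/kubelet/pods` with `mountPropagation: HostToContainer` and `/etc/kubernetes/secrets-store-csi-providers`, neither declared `readOnly`, while the pod template sets no `securityContext` at all and values.yaml offers no way to set one; nothing in the template or the values says why host access is needed, which is the first thing a cluster operator auditing a DaemonSet will ask. A comment above `volumes:` such as `# hostPath mounts: providervol is where the secrets-store CSI driver looks for the provider socket; mountpoint-dir exposes the kubelet's per-pod volume directories (confirm whether write access is required before marking it readOnly)` would record the intent without asserting more than this patch shows. Both probes hit `/health/ready`; if the liveness probe is deliberately reusing the readiness endpoint, a one-line comment on `livenessProbe:` should say so. In the extraVolumes loop, `{{ .type }}:` with a type other than `configMap` or `secret` renders an empty mapping that only fails at apply time; an `{{- else }}{{ fail "csi.extraVolumes type must be configMap or secret" }}` branch would surface the mistake at template time.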
diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml
new file mode 100644
index 000000000..ee127481b
--- /dev/null
+++ b/templates/csi-serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{ template "csi.serviceAccount.annotations" . }}
+{{- end }}
diff --git a/test/acceptance/csi-test/nginx.yaml b/test/acceptance/csi-test/nginx.yaml
new file mode 100644
index 000000000..882202ac1
--- /dev/null
+++ b/test/acceptance/csi-test/nginx.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nginx
+---
+kind: Pod
+apiVersion: v1
+metadata:
+ name: nginx
+spec:
+ terminationGracePeriodSeconds: 0
+ containers:
+ - image: docker.mirror.hashicorp.services/nginx
+ name: nginx
+ volumeMounts:
+ - name: secrets-store-inline
+ mountPath: "/mnt/secrets-store"
+ readOnly: true
+ volumes:
+ - name: secrets-store-inline
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "vault-kv"
diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
new file mode 100644
index 000000000..9d89fa8e6
--- /dev/null
+++ b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
@@ -0,0 +1,15 @@
+# The "Hello World" Vault SecretProviderClass
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+ name: vault-kv
+spec:
+ provider: vault
+ parameters:
+ roleName: "kv-role"
+ vaultAddress: http://vault:8200
+ objects: |
+ array:
+ - |
+ objectName: "bar1"
+ objectPath: "v1/secret/kv1"
diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/vault-policy.hcl
new file mode 100644
index 000000000..0590d898e
--- /dev/null
+++ b/test/acceptance/csi-test/vault-policy.hcl
@@ -0,0 +1,7 @@
+path "sys/mounts" {
+ capabilities = ["read"]
+}
+
+path "secret/*" {
+ capabilities = ["read"]
+}
\ No newline at end of file
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
new file mode 100644
index 000000000..93149596c
--- /dev/null
+++ b/test/acceptance/csi.bats
@@ -0,0 +1,59 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi: testing deployment" { + cd `chart_dir` + + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + + # Install Secrets Store CSI driver + helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.19.tgz?raw=true \ + --wait --timeout=5m \ + --namespace=acceptance \ + --set linux.image.pullPolicy="IfNotPresent" \ + --set grpcSupportedProviders="azure;gcp;vault" + # Install Vault and Vault provider + helm install vault \ + --wait --timeout=5m \ + --namespace=acceptance \ + --set="server.dev.enabled=true" \ + --set="csi.enabled=true" \ + --set="injector.enabled=false" . + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider + + # Set up k8s auth and a kv secret. 
+ cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy - + kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes + kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ + token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ + kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \ + kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' + kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ + bound_service_account_names=vault-csi-provider \ + bound_service_account_namespaces=acceptance \ + policies=kv-policy \ + ttl=20m + kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1 + + kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml + kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx + + result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar1) + [[ "$result" == "hello1" ]] +} + +# Clean up +teardown() { + if [[ ${CLEANUP:-true} == "true" ]] + then + echo "helm/pvc teardown" + helm --namespace=acceptance delete vault + helm --namespace=acceptance delete secrets-store-csi-driver + kubectl delete --all pvc + kubectl delete namespace acceptance + fi +} diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats new file mode 100644 index 000000000..0fa626e0f --- /dev/null +++ b/test/unit/csi-clusterrole.bats 
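Review bot: `kubectl delete --all pvc` in `teardown` is the only command in this file without `--namespace=acceptance`, so it removes every PersistentVolumeClaim in whatever namespace the developer's kubeconfig currently points at, not the test namespace; it should read `kubectl --namespace=acceptance delete --all pvc`, or be dropped, since the `kubectl delete namespace acceptance` that follows removes the claims in that namespace anyway. The driver install fetches `secrets-store-csi-driver-0.0.19.tgz` from a `blob/master/...?raw=true` GitHub URL, which fixes a file name but not its contents, and the download is not checked against anything; installing from the project's published chart repository with `--version 0.0.19` would make the dependency both pinned and reproducible. The Kubernetes auth config reuses `vault-0`'s own service-account token as `token_reviewer_jwt`; a comment above that `vault write` saying it is a shortcut for the throwaway test namespace would keep it from being copied as a reference configuration.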
@@ -0,0 +1,22 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/ClusterRole: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-clusterrole.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/ClusterRole: enabled with csi.enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrole.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats new file mode 100644 index 000000000..ba37fb4c7 --- /dev/null +++ b/test/unit/csi-clusterrolebinding.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/ClusterRoleBinding: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + . || echo "---")| tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/ClusterRoleBinding: enabled with csi.enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats new file mode 100644 index 000000000..79f748c9f --- /dev/null +++ b/test/unit/csi-daemonset.bats 
@@ -0,0 +1,380 @@ +#!/usr/bin/env bats + +load _helpers + +#-------------------------------------------------------------------- +# Daemonset + +# Enabled +@test "csi/daemonset: created only when enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-daemonset.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$( (helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "global.enabled=false" \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +# Image +@test "csi/daemonset: image is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.image.repository=SomeOtherImage" \ + --set "csi.image.tag=0.0.1" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "SomeOtherImage:0.0.1" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.image.pullPolicy=SomePullPolicy" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "SomePullPolicy" ] +} + +# Debug arg +@test "csi/daemonset: debug arg is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[1]' | tee /dev/stderr) + [ "${actual}" = "--debug=false" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.debug=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[1]' | tee /dev/stderr) + [ "${actual}" = "--debug=true" ] +} + +# updateStrategy +@test "csi/daemonset: updateStrategy is configurable" { + cd `chart_dir` + # Default + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.updateStrategy.type' | tee /dev/stderr) + [ "${actual}" = "RollingUpdate" ] + + # OnDelete + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.daemonSet.updateStrategy.type=OnDelete" \ + . | tee /dev/stderr | + yq -r '.spec.updateStrategy.type' | tee /dev/stderr) + [ "${actual}" = "OnDelete" ] + + # Max unavailable + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.daemonSet.updateStrategy.maxUnavailable=25%" \ + . | tee /dev/stderr | + yq -r '.spec.updateStrategy.rollingUpdate.maxUnavailable' | tee /dev/stderr) + [ "${actual}" = "25%" ] +} + +#-------------------------------------------------------------------- +# Extra annotations +@test "csi/daemonset: default csi.daemonSet.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: specify csi.daemonSet.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.annotations.foo=bar' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.daemonSet.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.annotations=foo: bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: default csi.pod.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: specify csi.pod.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.annotations.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.pod.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.annotations=foo: bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +#-------------------------------------------------------------------- +# extraVolumes + +@test "csi/daemonset: csi.extraVolumes adds extra volume" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.extraVolumes[0].type=configMap' \ + --set 'csi.extraVolumes[0].name=foo' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.configMap.name' | tee /dev/stderr) + [ "${actual}" = "foo" ] + + local actual=$(echo $object | + yq -r '.configMap.secretName' | tee /dev/stderr) + [ "${actual}" = "null" ] + + # Test that it mounts it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.extraVolumes[0].type=configMap' \ + --set 'csi.extraVolumes[0].name=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.readOnly' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/vault/userconfig/foo" ] +} + +@test "csi/daemonset: csi.extraVolumes adds extra secret volume" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.extraVolumes[0].type=secret' \ + --set 'csi.extraVolumes[0].name=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.secret.name' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(echo $object | + yq -r '.secret.secretName' | tee /dev/stderr) + [ "${actual}" = "foo" ] + + # Test that it mounts it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.extraVolumes[0].type=configMap' \ + --set 'csi.extraVolumes[0].name=foo' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.readOnly' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/vault/userconfig/foo" ] +} + +#-------------------------------------------------------------------- +# Readiness/liveness probes + +@test "csi/daemonset: csi.livenessProbe and csi.readinessProbe default to disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: csi.livenessProbe is configurable" { + cd `chart_dir` + + # Test the defaults + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.livenessProbe.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "3" ] + + # Test it is configurable + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.livenessProbe.enabled=true' \ + --set 'csi.livenessProbe.failureThreshold=10' \ + --set 'csi.livenessProbe.initialDelaySeconds=11' \ + --set 'csi.livenessProbe.periodSeconds=12' \ + --set 'csi.livenessProbe.successThreshold=13' \ + --set 'csi.livenessProbe.timeoutSeconds=14' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "10" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "11" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "12" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "13" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "14" ] +} + +@test "csi/daemonset: csi.readinessProbe is configurable" { + cd `chart_dir` + + # Test the defaults + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.readinessProbe.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "3" ] + + # Test it is configurable + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.readinessProbe.enabled=true' \ + --set 'csi.readinessProbe.failureThreshold=10' \ + --set 'csi.readinessProbe.initialDelaySeconds=11' \ + --set 'csi.readinessProbe.periodSeconds=12' \ + --set 'csi.readinessProbe.successThreshold=13' \ + --set 'csi.readinessProbe.timeoutSeconds=14' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "10" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "11" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "12" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "13" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "14" ] +} diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats new file mode 100644 index 000000000..63ead313a --- /dev/null +++ b/test/unit/csi-serviceaccount.bats 
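Review bot: In `csi/daemonset: csi.extraVolumes adds extra secret volume`, the second `helm template` call (the "Test that it mounts it" half) passes `--set 'csi.extraVolumes[0].type=configMap'`, so the mount assertions for the secret case are run against a configMap volume; that line should be `--set 'csi.extraVolumes[0].type=secret' \`. The test still passes because the volumeMounts block in csi-daemonset.yaml does not branch on `.type`, which is also why the copy-paste went unnoticed. The test function is entirely within this hunk.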
@@ -0,0 +1,48 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/ServiceAccount: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-serviceaccount.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/ServiceAccount: enable with csi.enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/serviceAccount: specify annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.serviceAccount.annotations=foo: bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + --set 'server.serviceAccount.annotations.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 49836b73c..c661192ec 100644 --- a/values.yaml +++ b/values.yaml 
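Review bot: `csi/serviceAccount: specify annotations` renders `templates/server-serviceaccount.yaml` in all three `helm template` calls, so it never exercises `templates/csi-serviceaccount.yaml` or the `csi.serviceAccount.annotations` helper this commit adds; the second call even asserts that `csi.serviceAccount.annotations=foo: bar` yields `null`, which only holds because the wrong template is being rendered. Change the three `--show-only` lines to `--show-only templates/csi-serviceaccount.yaml \`, expect `bar` in the second case, and replace the third call's `--set 'server.serviceAccount.annotations.foo=bar'` with `--set 'csi.serviceAccount.annotations.foo=bar'` so the YAML-map form is covered as well as the string form.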
@@ -638,3 +638,80 @@ ui: # This can either be YAML or a YAML-formatted multi-line templated string map # of the annotations to apply to the ui service annotations: {} + +# secrets-store-csi-driver-provider-vault +csi: + # True if you want to install a secrets-store-csi-driver-provider-vault daemonset. + # + # Requires installing the secrets-store-csi-driver separately, see: + # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver + # + # With the driver and provider installed, you can mount Vault secrets into volumes + # similar to the Vault Agent injector, and you can also sync those secrets into + # Kubernetes secrets. + enabled: false + + image: + repository: "hashicorp/secrets-store-csi-driver-provider-vault" + tag: "0.0.7" + pullPolicy: IfNotPresent + + # extraVolumes is a list of extra volumes to mount. These will be exposed + # to Vault in the path `/vault/userconfig//`. The value below is + # an array of objects, examples are shown below. + extraVolumes: [] + # - type: secret (or "configMap") + # name: my-secret + # path: null # default is `/vault/userconfig` + + resources: {} + # resources: + # requests: + # cpu: 50m + # memory: 128Mi + # limits: + # cpu: 50m + # memory: 128Mi + + # Settings for the daemonSet used to run the provider. + daemonSet: + updateStrategy: + type: RollingUpdate + maxUnavailable: "" + # Extra annotations for the daemonSet. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the daemonSet. + annotations: {} + pod: + # Extra annotations for the provider pods. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the pod. + annotations: {} + + serviceAccount: + # Extra annotations for the serviceAccount definition. This can either be + # YAML or a YAML-formatted multi-line templated string map of the + # annotations to apply to the serviceAccount. 
+ annotations: {} + + # Used to configure readinessProbe for the pods. + readinessProbe: + # Vault CSI provider does not support a readiness probe in versions <= 0.7.0 + enabled: false + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + # Used to configure livenessProbe for the pods. + livenessProbe: + # Vault CSI provider does not support a liveness probe in versions <= 0.7.0 + enabled: false + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + + # Enables debug logging. + debug: false \ No newline at end of file From 3e36bb70d558fa96bc74b8490ad2e8191a99fd60 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 24 Mar 2021 06:20:06 -0700 Subject: [PATCH 004/115] updating acceptance tests to k8s 1.17 on gke (#473) --- test/terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/terraform/main.tf b/test/terraform/main.tf index 1c3f035c1..3556c6fd8 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -8,7 +8,7 @@ resource "random_id" "suffix" { data "google_container_engine_versions" "main" { location = "${var.zone}" - version_prefix = "1.15." + version_prefix = "1.17." } data "google_service_account" "gcpapi" { From 2ddac08c51ce4636909ffa886d135d9a43cc0fba Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 24 Mar 2021 14:03:21 +0000 Subject: [PATCH 005/115] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7206d1c7e..4d6e6a7cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Features: +* Add support for Vault CSI provider [GH-461](https://github.com/hashicorp/vault-helm/pull/461) + Improvements: * `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456) From 102f9e49e2a9e0db6f64fe88427082ef3c3de404 Mon Sep 17 00:00:00 2001 
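Review bot: The comments on `readinessProbe.enabled` and `livenessProbe.enabled` say the provider lacks probes "in versions <= 0.7.0", but the image pinned a few lines above is `tag: "0.0.7"`, so a reader cannot tell which release line the caveat refers to; align the comment with the tag (`# Vault CSI provider does not support a readiness probe in versions <= 0.0.7` if that is what is meant). The `extraVolumes` comment reads `/vault/userconfig//`, which presumably lost the volume-name placeholder between the slashes and should read `/vault/userconfig/<name>/`. The file also ends without a trailing newline after `debug: false`.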
From: Tom Proctor Date: Thu, 25 Mar 2021 13:02:36 +0000 Subject: [PATCH 006/115] Target vault-csi-provider release 0.1.0 (#475) --- templates/csi-daemonset.yaml | 4 ---- test/acceptance/csi-test/nginx.yaml | 1 + .../vault-kv-secretproviderclass.yaml | 7 +++---- test/acceptance/csi-test/vault-policy.hcl | 6 +----- test/acceptance/csi.bats | 12 +++++------ test/unit/csi-daemonset.bats | 21 ------------------- values.yaml | 8 ++----- 7 files changed, 13 insertions(+), 46 deletions(-) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index b7a762213..4a1c17d2c 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -47,7 +47,6 @@ spec: mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} readOnly: true {{- end }} - {{- if .Values.csi.livenessProbe.enabled }} livenessProbe: httpGet: path: /health/ready @@ -57,8 +56,6 @@ spec: periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} - {{- end }} - {{- if .Values.csi.readinessProbe.enabled }} readinessProbe: httpGet: path: /health/ready @@ -68,7 +65,6 @@ spec: periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} - {{- end }} volumes: - name: providervol hostPath: diff --git a/test/acceptance/csi-test/nginx.yaml b/test/acceptance/csi-test/nginx.yaml index 882202ac1..fed1137f7 100644 --- a/test/acceptance/csi-test/nginx.yaml +++ b/test/acceptance/csi-test/nginx.yaml @@ -10,6 +10,7 @@ metadata: name: nginx spec: terminationGracePeriodSeconds: 0 + serviceAccountName: nginx containers: - image: docker.mirror.hashicorp.services/nginx name: nginx 
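Review bot: With the `enabled` guards removed in all three csi-daemonset.yaml hunks, the livenessProbe is rendered unconditionally and, per the context lines, it targets the same `/health/ready` path as the readinessProbe, so a provider that is temporarily not ready will now be restarted by kubelet rather than merely taken out of service. If the provider exposes a separate liveness endpoint, point the livenessProbe at it; otherwise a comment such as `# liveness and readiness deliberately share /health/ready` in the template would stop the next reader from "fixing" it. Dropping `csi.livenessProbe.enabled` and `csi.readinessProbe.enabled` also means values files that still set them are silently ignored; the values.yaml hunk of this commit could carry a one-line note that the keys were removed in 0.1.0.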
diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml index 9d89fa8e6..e793bde64 100644 --- a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml @@ -9,7 +9,6 @@ spec: roleName: "kv-role" vaultAddress: http://vault:8200 objects: | - array: - - | - objectName: "bar1" - objectPath: "v1/secret/kv1" + - objectName: "bar" + secretPath: "secret/data/kv1" + secretKey: "bar1" diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/vault-policy.hcl index 0590d898e..48b670ea7 100644 --- a/test/acceptance/csi-test/vault-policy.hcl +++ b/test/acceptance/csi-test/vault-policy.hcl @@ -1,7 +1,3 @@ -path "sys/mounts" { - capabilities = ["read"] -} - -path "secret/*" { +path "secret/data/kv1" { capabilities = ["read"] } \ No newline at end of file diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index 93149596c..67be09d6d 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -9,11 +9,10 @@ load _helpers kubectl create namespace acceptance # Install Secrets Store CSI driver - helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.19.tgz?raw=true \ + helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.20.tgz?raw=true \ --wait --timeout=5m \ --namespace=acceptance \ - --set linux.image.pullPolicy="IfNotPresent" \ - --set grpcSupportedProviders="azure;gcp;vault" + --set linux.image.pullPolicy="IfNotPresent" # Install Vault and Vault provider helm install vault \ --wait --timeout=5m \ 
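Review bot: The `helm install secrets-store-csi-driver` line fetches the chart archive from a `blob/master/...?raw=true` URL, so the bytes behind the version-named file can change on the upstream branch without this test noticing, and nothing verifies the archive's integrity. Pinning to a tagged ref or installing from the project's Helm repository with a fixed `--version` would make the acceptance input reproducible. The accompanying vault-policy.hcl hunk, which narrows the policy from `secret/*` to `secret/data/kv1` and drops the `sys/mounts` read, is a welcome least-privilege tightening.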
@@ -30,9 +29,10 @@ load _helpers kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' + kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + disable_iss_validation=true' kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ - bound_service_account_names=vault-csi-provider \ + bound_service_account_names=nginx \ bound_service_account_namespaces=acceptance \ policies=kv-policy \ ttl=20m @@ -42,7 +42,7 @@ load _helpers kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx - result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar1) + result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) [[ "$result" == "hello1" ]] } diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 79f748c9f..dec29c940 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
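Review bot: The `vault write auth/kubernetes/config` call now passes `disable_iss_validation=true` with no explanation; this turns off the issuer check on service-account JWTs, a deliberate weakening of the auth method that is acceptable for a throwaway acceptance cluster but easy to copy into real configs. Add a comment above the line naming the actual reason, e.g. `# disable_iss_validation is set only because the test cluster's token issuer is not known here; do not carry this into production configs`. Narrowing `bound_service_account_names` to `nginx` in the same hunk is the right direction for the role binding.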
@@ -248,23 +248,6 @@ load _helpers #-------------------------------------------------------------------- # Readiness/liveness probes -@test "csi/daemonset: csi.livenessProbe and csi.readinessProbe default to disabled" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) - [ "${actual}" = "null" ] - - local actual=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - @test "csi/daemonset: csi.livenessProbe is configurable" { cd `chart_dir` @@ -272,7 +255,6 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.livenessProbe.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) @@ -296,7 +278,6 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.livenessProbe.enabled=true' \ --set 'csi.livenessProbe.failureThreshold=10' \ --set 'csi.livenessProbe.initialDelaySeconds=11' \ --set 'csi.livenessProbe.periodSeconds=12' \ @@ -329,7 +310,6 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.readinessProbe.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) @@ -353,7 +333,6 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.readinessProbe.enabled=true' \ --set 'csi.readinessProbe.failureThreshold=10' \ --set 'csi.readinessProbe.initialDelaySeconds=11' \ --set 'csi.readinessProbe.periodSeconds=12' \ 
diff --git a/values.yaml b/values.yaml index c661192ec..c64d3af7e 100644 --- a/values.yaml +++ b/values.yaml @@ -652,8 +652,8 @@ csi: enabled: false image: - repository: "hashicorp/secrets-store-csi-driver-provider-vault" - tag: "0.0.7" + repository: "hashicorp/vault-csi-provider" + tag: "0.1.0" pullPolicy: IfNotPresent # extraVolumes is a list of extra volumes to mount. These will be exposed @@ -696,8 +696,6 @@ csi: # Used to configure readinessProbe for the pods. readinessProbe: - # Vault CSI provider does not support a readiness probe in versions <= 0.7.0 - enabled: false failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 5 @@ -705,8 +703,6 @@ csi: timeoutSeconds: 3 # Used to configure livenessProbe for the pods. livenessProbe: - # Vault CSI provider does not support a liveness probe in versions <= 0.7.0 - enabled: false failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 5 From f75b19f068a39f428024e8ce7f9c5983ad7d1082 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 25 Mar 2021 10:19:31 -0400 Subject: [PATCH 007/115] Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog --- CHANGELOG.md | 4 ++-- Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 2 +- test/acceptance/server-ha-enterprise-perf.bats | 2 +- values.yaml | 18 ++++++++++++++---- 5 files changed, 20 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d6e6a7cf..4e9008658 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ -## Unreleased +## 0.10.0 (March 25th, 2021) Features: -* Add support for Vault CSI provider [GH-461](https://github.com/hashicorp/vault-helm/pull/461) +* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461) Improvements: * `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456) 
diff --git a/Chart.yaml b/Chart.yaml index 3456fa48f..04370699d 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.9.1 -appVersion: 1.6.2 +version: 0.10.0 +appVersion: 1.7.0 description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 3698f08c4..5b04d2c01 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.0_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 5fcfbcef2..5c9b0c547 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-east-0" diff --git a/values.yaml b/values.yaml index c64d3af7e..fe4f6d1f6 100644 --- a/values.yaml +++ b/values.yaml @@ -49,7 +49,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.8.0" + tag: "0.9.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent 
@@ -57,7 +57,7 @@ injector: # required. agentImage: repository: "vault" - tag: "1.6.2" + tag: "1.7.0" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" @@ -180,7 +180,7 @@ server: image: repository: "vault" - tag: "1.6.2" + tag: "1.7.0" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -696,18 +696,28 @@ csi: # Used to configure readinessProbe for the pods. readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 + # Number of seconds after the container has started before probe initiates initialDelaySeconds: 5 + # How often (in seconds) to perform the probe periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed successThreshold: 1 + # Number of seconds after which the probe times out. timeoutSeconds: 3 # Used to configure livenessProbe for the pods. livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 + # Number of seconds after the container has started before probe initiates initialDelaySeconds: 5 + # How often (in seconds) to perform the probe periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed successThreshold: 1 + # Number of seconds after which the probe times out. timeoutSeconds: 3 # Enables debug logging. - debug: false \ No newline at end of file + debug: false From 7fd6959cdc0b4da3ec09be4f52fd90f985ba6e51 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 25 Mar 2021 10:21:21 -0400 Subject: [PATCH 008/115] Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example --- templates/csi-daemonset.yaml | 19 +++------- test/unit/csi-daemonset.bats | 68 +++++++++--------------------------- values.yaml | 23 ++++++++---- 3 files changed, 38 insertions(+), 72 deletions(-) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 4a1c17d2c..10a0d6340 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -42,10 +42,8 @@ spec: - name: mountpoint-dir mountPath: /var/lib/kubelet/pods mountPropagation: HostToContainer - {{- range .Values.csi.extraVolumes }} - - name: userconfig-{{ .name }} - mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} - readOnly: true + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12}} {{- end }} livenessProbe: httpGet: @@ -72,14 +70,7 @@ spec: - name: mountpoint-dir hostPath: path: /var/lib/kubelet/pods - {{- range .Values.csi.extraVolumes }} - - name: userconfig-{{ .name }} - {{ .type }}: - {{- if (eq .type "configMap") }} - name: {{ .name }} - {{- else if (eq .type "secret") }} - secretName: {{ .name }} - {{- end }} - defaultMode: {{ .defaultMode | default 420 }} - {{- end }} + {{- if .Values.csi.volumes }} + {{- toYaml .Values.csi.volumes | nindent 8}} + {{- end }} {{- end }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index dec29c940..31540fbfa 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
@@ -167,82 +167,48 @@ load _helpers } #-------------------------------------------------------------------- -# extraVolumes +# volumes -@test "csi/daemonset: csi.extraVolumes adds extra volume" { +@test "csi/daemonset: csi.volumes adds volume" { cd `chart_dir` # Test that it defines it local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.extraVolumes[0].type=configMap' \ - --set 'csi.extraVolumes[0].name=foo' \ + --set 'csi.volumes[0].name=plugins' \ + --set 'csi.volumes[0].emptyDir=\{\}' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + yq -r '.spec.template.spec.volumes[] | select(.name == "plugins")' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.configMap.name' | tee /dev/stderr) - [ "${actual}" = "foo" ] - - local actual=$(echo $object | - yq -r '.configMap.secretName' | tee /dev/stderr) - [ "${actual}" = "null" ] - - # Test that it mounts it - local object=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - --set 'csi.extraVolumes[0].type=configMap' \ - --set 'csi.extraVolumes[0].name=foo' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.readOnly' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + yq -r '.emptyDir' | tee /dev/stderr) + [ "${actual}" = "{}" ] } -@test "csi/daemonset: csi.extraVolumes adds extra secret volume" { +#-------------------------------------------------------------------- +# volumeMounts + +@test "csi/daemonset: csi.volumeMounts adds volume mounts" { cd `chart_dir` # Test that it defines it local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.extraVolumes[0].type=secret' \ - --set 'csi.extraVolumes[0].name=foo' \ + --set 'csi.volumeMounts[0].name=plugins' \ + --set 'csi.volumeMounts[0].mountPath=/usr/local/libexec/vault' \ + --set 'csi.volumeMounts[0].readOnly=true' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "plugins")' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.secret.name' | tee /dev/stderr) - [ "${actual}" = "null" ] - - local actual=$(echo $object | - yq -r '.secret.secretName' | tee /dev/stderr) - [ "${actual}" = "foo" ] - - # Test that it mounts it - local object=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - --set 'csi.extraVolumes[0].type=configMap' \ - --set 'csi.extraVolumes[0].name=foo' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/usr/local/libexec/vault" ] local actual=$(echo $object | yq -r '.readOnly' | tee /dev/stderr) [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] } #-------------------------------------------------------------------- diff --git a/values.yaml b/values.yaml index fe4f6d1f6..80c78051a 100644 --- a/values.yaml +++ b/values.yaml @@ -320,6 +320,7 @@ server: # secretName: vault # secretKey: AWS_SECRET_ACCESS_KEY + # Deprecated: please use 'volumes' instead. # extraVolumes is a list of extra volumes to mount. These will be exposed # to Vault in the path `/vault/userconfig//`. The value below is # an array of objects, examples are shown below. @@ -656,13 +657,21 @@ csi: tag: "0.1.0" pullPolicy: IfNotPresent - # extraVolumes is a list of extra volumes to mount. These will be exposed - # to Vault in the path `/vault/userconfig//`. The value below is - # an array of objects, examples are shown below. - extraVolumes: [] - # - type: secret (or "configMap") - # name: my-secret - # path: null # default is `/vault/userconfig` + # volumes is a list of volumes made available to all containers. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumes: null + # - name: tls + # secret: + # secretName: vault-tls + + # volumeMounts is a list of volumeMounts for the main server container. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumeMounts: null + # - name: tls + # mountPath: "/vault/tls" + # readOnly: true resources: {} # resources: 
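Review bot: The new `csi.volumeMounts` comment says the mounts are for "the main server container", and both new comments describe rendering "rather than pre-processed like the extraVolumes value", but under `csi:` the container is the provider and `csi.extraVolumes` is deleted in the same hunk, so the text appears carried over from the `server:` section. Suggest `# volumeMounts is a list of volumeMounts for the CSI provider container.` and `# volumes is a list of volumes made available to the CSI provider pod.`, dropping the extraVolumes comparison or pointing it at `server.extraVolumes`.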
From 703ba50d4776c7d7fbce673544cd6b1a573768be Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 25 Mar 2021 10:56:59 -0400 Subject: [PATCH 009/115] changelog++ --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e9008658..3dde192e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,5 @@ +## Unreleased + ## 0.10.0 (March 25th, 2021) Features: From a6856646aa48f661ca323cc7ceecd11ce7a5475f Mon Sep 17 00:00:00 2001 From: Paul Date: Tue, 30 Mar 2021 03:12:09 +0200 Subject: [PATCH 010/115] Remove extra word in readme (#482) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 29db84819..25cc872be 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ use Vault with Kubernetes, please see the ## Prerequisites To use the charts here, [Helm](https://helm.sh/) must be configured for your -Kubernetes cluster. Setting up Kubernetes and Helm and is outside the scope of +Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of this README. Please refer to the Kubernetes and Helm documentation. The versions required are: From 7a71c0fec489759ad7293869e816ae6ca34c403a Mon Sep 17 00:00:00 2001 
From: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Date: Tue, 6 Apr 2021 16:56:11 +0300 Subject: [PATCH 011/115] fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests --- templates/_helpers.tpl | 2 ++ templates/csi-clusterrole.yaml | 2 +- templates/csi-daemonset.yaml | 2 +- test/unit/csi-clusterrole.bats | 11 +++++++++ test/unit/csi-clusterrolebinding.bats | 22 +++++++++++++++++ test/unit/csi-daemonset.bats | 11 +++++++++ test/unit/csi-serviceaccount.bats | 11 +++++++++ test/unit/server-statefulset.bats | 35 +++++++++++++++++++++++++++ values.yaml | 3 +++ 9 files changed, 97 insertions(+), 2 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index bee8f81d2..ca57fa167 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -53,6 +53,8 @@ template logic. {{- define "vault.mode" -}} {{- if .Values.injector.externalVaultAddr -}} {{- $_ := set . "mode" "external" -}} + {{- else if ne (.Values.server.enabled | toString) "true" -}} + {{- $_ := set . "mode" "external" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- $_ := set . "mode" "dev" -}} {{- else if eq (.Values.server.ha.enabled | toString) "true" -}} diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml index 35625a493..a19e520f5 100644 --- a/templates/csi-clusterrole.yaml +++ b/templates/csi-clusterrole.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "vault.name" . }}-csi-provider-clusterrole + name: {{ template "vault.fullname" . }}-csi-provider-clusterrole labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 10a0d6340..5f80ed174 100644 
--- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -27,7 +27,7 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} {{ template "csi.pod.annotations" . }} spec: - serviceAccountName: {{ include "vault.name" . }}-csi-provider + serviceAccountName: {{ template "vault.fullname" . }}-csi-provider containers: - name: {{ include "vault.name" . }}-csi-provider {{ template "csi.resources" . }} diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats index 0fa626e0f..68ea7ce78 100644 --- a/test/unit/csi-clusterrole.bats +++ b/test/unit/csi-clusterrole.bats @@ -20,3 +20,14 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +# ClusterRole name +@test "csi/ClusterRole: name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrole.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] +} \ No newline at end of file diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index ba37fb4c7..cff3a3699 100644 --- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats 
@@ -20,3 +20,25 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +# ClusterRoleBinding cluster role ref name +@test "csi/ClusterRoleBinding: cluster role ref name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.roleRef.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] +} + +# ClusterRoleBinding service account name +@test "csi/ClusterRoleBinding: service account name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.subjects[0].name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] +} \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 31540fbfa..127ac54e9 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -30,6 +30,17 @@ load _helpers [ "${actual}" = "false" ] } +# serviceAccountName reference name +@test "csi/daemonset: serviceAccountName reference name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] +} + # Image @test "csi/daemonset: image is configurable" { cd `chart_dir` diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 63ead313a..22ba06df2 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats 
@@ -21,6 +21,17 @@ load _helpers [ "${actual}" = "true" ] } +# serviceAccountName reference name +@test "csi/daemonset: serviceAccountName name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] +} + @test "csi/serviceAccount: specify annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 7a0533cd9..b34636262 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -2,6 +2,41 @@ load _helpers +#-------------------------------------------------------------------- +# disable / enable server deployment + +@test "server/StatefulSet: disabled server.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/StatefulSet: disabled server.enabled random string" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.enabled=blabla' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/StatefulSet: enabled server.enabled explicit true" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- + @test "server/standalone-StatefulSet: default server.standalone.enabled" { cd `chart_dir` local actual=$(helm template \ 
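Review bot: The new test is named `csi/daemonset: serviceAccountName name` and its comment says "serviceAccountName reference name", but it lives in csi-serviceaccount.bats and asserts `.metadata.name` of the ServiceAccount, so a failure would point at the wrong resource. Rename it to `@test "csi/ServiceAccount: name"` with the comment `# ServiceAccount name`, matching the `csi/ClusterRole: name` test added in the same commit.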
diff --git a/values.yaml b/values.yaml index 80c78051a..4f84d928e 100644 --- a/values.yaml +++ b/values.yaml @@ -174,6 +174,9 @@ injector: annotations: {} server: + # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details + enabled: true + # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. # By default no direct resource request is made. From b24457323b6c98df4a885a93faba14974b4de2a1 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 7 Apr 2021 14:24:00 +0100 Subject: [PATCH 012/115] changelog++ --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3dde192e9..7b5a66845 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ ## Unreleased +Features: +* Set `server.enabled=false` to skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) + +Bugs: +* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) + ## 0.10.0 (March 25th, 2021) Features: From a2a07b2a02d1e1abddf314af5f08e106f7876092 Mon Sep 17 00:00:00 2001 From: Paul Witt Date: Thu, 8 Apr 2021 10:03:56 -0400 Subject: [PATCH 013/115] add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests --- templates/injector-deployment.yaml | 1 + test/unit/injector-deployment.bats | 22 ++++++++++++++++++++++ values.yaml | 4 ++++ 3 files changed, 27 insertions(+) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index f5d8fc2ef..594575f24 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
@@ -36,6 +36,7 @@ spec: {{- end }} serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" {{- if not .Values.global.openshift }} + hostNetwork: {{ .Values.injector.hostNetwork }} securityContext: runAsNonRoot: true runAsGroup: {{ .Values.injector.gid | default 1000 }} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index a1174808b..133e27993 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -543,3 +543,25 @@ load _helpers yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +#-------------------------------------------------------------------- +# hostNetwork + +@test "injector/deployment: injector.hostNetwork not set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/deployment: injector.hostNetwork is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.hostNetwork=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/values.yaml b/values.yaml index 4f84d928e..277630afc 100644 --- a/values.yaml +++ b/values.yaml @@ -168,6 +168,10 @@ injector: # This should be a YAML map of the labels to apply to the injector extraLabels: {} + # Should the injector pods run on the host network (useful when using + # an alternate CNI in EKS) + hostNetwork: false + # Injector service specific config service: # Extra annotations to attach to the injector service From 6e46bcf529290f4cc57517a1d26fb38e5926a24e Mon Sep 17 00:00:00 2001 
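Review bot: The new `hostNetwork:` line in templates/injector-deployment.yaml is placed inside the `{{- if not .Values.global.openshift }}` block that guards the pod securityContext, so `injector.hostNetwork=true` is silently ignored on OpenShift installs with no render error and no test covering that combination. Moving the line one step up, directly after `serviceAccountName` and before the conditional (`hostNetwork: {{ .Values.injector.hostNetwork }}`), keeps the toggle independent of the platform switch. A pod on the host network shares the node's network namespace and the injector listener is then bound on the node itself, which restricted pod security profiles typically deny; the values.yaml comment should say so, e.g. `# NOTE: hostNetwork pods share the node's network namespace and bind the injector port on the node; restricted pod security policies usually reject this.` The pod spec continues outside the hunk.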
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 10:05:47 -0400 Subject: [PATCH 014/115] changelog++ --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b5a66845..4cd11a5eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,8 @@ ## Unreleased Features: -* Set `server.enabled=false` to skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) +* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) +* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) Bugs: * CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) From bfbeba256af05d21afd266f3ef9d24cd0a2daa22 Mon Sep 17 00:00:00 2001 From: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Date: Fri, 9 Apr 2021 00:09:19 +1000 Subject: [PATCH 015/115] feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 --- templates/server-ingress.yaml | 4 ++++ test/unit/server-ingress.bats | 37 +++++++++++++++++++++++++++++++++++ values.yaml | 7 ++++++- 3 files changed, 47 insertions(+), 1 deletion(-) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 7c19f5fea..5faac60f4 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml 
@@ -2,6 +2,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .Values.server.ingress.enabled -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} {{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} @@ -41,6 +42,9 @@ spec: - host: {{ .host | quote }} http: paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} {{- range (.paths | default (list "/")) }} - path: {{ . }} backend: diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 5af493847..bf191c3a2 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats 
@@ -57,6 +57,43 @@ load _helpers } +@test "server/ingress: extra paths prepend host configuration" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.hosts[0].host=test.com' \ + --set 'server.ingress.hosts[0].paths[0]=/' \ + --set 'server.ingress.extraPaths[0].path=/annotation-service' \ + --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + [ "${actual}" = 'ssl-redirect' ] + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.hosts[0].host=test.com' \ + --set 'server.ingress.hosts[0].paths[0]=/' \ + --set 'server.ingress.extraPaths[0].path=/annotation-service' \ + --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].path' | tee /dev/stderr) + [ "${actual}" = '/annotation-service' ] + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.hosts[0].host=test.com' \ + --set 'server.ingress.hosts[0].paths[0]=/' \ + --set 'server.ingress.extraPaths[0].path=/annotation-service' \ + --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[1].path' | tee /dev/stderr) + [ "${actual}" = '/' ] +} + @test "server/ingress: labels gets added to object" { cd `chart_dir` diff --git a/values.yaml b/values.yaml index 277630afc..c08e9acf2 100644 --- a/values.yaml +++ b/values.yaml 
@@ -222,7 +222,12 @@ server: hosts: - host: chart-example.local paths: [] - + ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation tls: [] # - secretName: chart-example-tls # hosts: From ccebde9dae6cdca00dc0dfe9285a4e2f01b9d8a2 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 10:10:01 -0400 Subject: [PATCH 016/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4cd11a5eb..e1c01a224 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Features: * Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) * Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) +* Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) Bugs: * CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) From ec67b5dd45c60346f709630e0d9acbd6f538ac69 Mon Sep 17 00:00:00 2001 
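Review bot: The `extraPaths` comment in values.yaml says the paths are prepended to "the host configuration", but in the template `$extraPaths` appears to be rendered inside the per-host loop (the `- host: {{ .host | quote }}` context line), so the same entries are emitted under every entry of `hosts`, ahead of that host's own `paths`. Suggest making that explicit: `## Extra paths prepended to the paths of every host listed above. They are rendered verbatim via toYaml, so they must already match the Ingress API version in use; useful for annotation-driven backends such as an ALB ssl-redirect.` Because the entries are copied into the Ingress without validation, a malformed one only surfaces when the API server rejects the object.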
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 11:18:16 -0400 Subject: [PATCH 017/115] Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor --- templates/server-statefulset.yaml | 8 ++ test/unit/server-dev-statefulset.bats | 50 ++++------- test/unit/server-ha-statefulset.bats | 115 +++++++++----------------- test/unit/server-statefulset.bats | 96 ++++++++++++++------- values.yaml | 11 ++- 5 files changed, 144 insertions(+), 136 deletions(-) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 62296af5e..69232ede8 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -117,6 +117,14 @@ spec: {{- end }} - name: HOME value: "/home/vault" + {{- if .Values.server.logLevel }} + - name: VAULT_LOG_LEVEL + value: "{{ .Values.server.logLevel }}" + {{- end }} + {{- if .Values.server.logFormat }} + - name: VAULT_LOG_FORMAT + value: "{{ .Values.server.logFormat }}" + {{- end }} {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 4e47fea69..3c5f9d8fb 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats 
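Review bot: The two new env entries in templates/server-statefulset.yaml interpolate `.Values.server.logLevel` and `.Values.server.logFormat` inside hand-written double quotes (`value: "{{ .Values.server.logLevel }}"`), so a value containing a `"` or a backslash renders invalid YAML instead of an escaped string. Using the template quoting function, `value: {{ .Values.server.logLevel | quote }}` and `value: {{ .Values.server.logFormat | quote }}`, yields a correctly escaped scalar for any input. Nothing here checks the value against the supported set listed in values.yaml (trace/debug/info/warn/error, standard/json); an unsupported string is passed straight to Vault and presumably only fails at process start, whereas a `fail` in the template would surface it at render time. The container env list continues outside the hunk.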
@@ -246,13 +246,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_DEV_ROOT_TOKEN_ID" ] - - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "root" ] + local name=$(echo $object | + yq -r 'map(select(.name=="VAULT_DEV_ROOT_TOKEN_ID")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "root" ] } @test "server/dev-StatefulSet: set custom devRootToken" { @@ -264,13 +260,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_DEV_ROOT_TOKEN_ID" ] - - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "customtoken" ] + local name=$(echo $object | + yq -r 'map(select(.name=="VAULT_DEV_ROOT_TOKEN_ID")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "customtoken" ] } #-------------------------------------------------------------------- 
@@ -340,27 +332,21 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_0" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_0" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_1" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_1" ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 6df4dfe30..43e1acef2 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -70,14 +70,11 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[4].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[4].value' | tee /dev/stderr) - [ "${actual}" = "http://127.0.0.1:8200" ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://127.0.0.1:8200" ] } + @test "server/ha-StatefulSet: tls enabled" { cd `chart_dir` local object=$(helm template \ @@ -86,13 +83,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[4].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[4].value' | tee /dev/stderr) - [ "${actual}" = "https://127.0.0.1:8200" ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "https://127.0.0.1:8200" ] } #-------------------------------------------------------------------- 
@@ -348,21 +341,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "bar" ] - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] - - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] - - local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "foobar" ] } #-------------------------------------------------------------------- 
@@ -382,25 +367,21 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_0" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_1" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_1" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_0" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_1" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_1" ] } #-------------------------------------------------------------------- 
@@ -414,16 +395,12 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_API_ADDR" ] - - local actual=$(echo $object | - yq -r '.[5].value' | tee /dev/stderr) - [ "${actual}" = 'http://$(POD_IP):8200' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'http://$(POD_IP):8200' ] } -@test "server/ha-StatefulSet: api addr can be overriden" { +@test "server/ha-StatefulSet: api addr is configurable" { cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -432,13 +409,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_API_ADDR" ] - - local actual=$(echo $object | - yq -r '.[5].value' | tee /dev/stderr) - [ "${actual}" = 'https://example.com:8200' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "https://example.com:8200" ] } #-------------------------------------------------------------------- @@ -453,13 +426,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[9].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_CLUSTER_ADDR" ] - - local actual=$(echo $object | - yq -r '.[9].value' | tee /dev/stderr) - [ "${actual}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] } #-------------------------------------------------------------------- 
@@ -475,13 +444,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_RAFT_NODE_ID" ] - - local actual=$(echo $object | - yq -r '.[10].valueFrom.fieldRef.fieldPath' | tee /dev/stderr) - [ "${actual}" = 'metadata.name' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr) + [ "${value}" = "metadata.name" ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index b34636262..0c674d6c9 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -448,6 +448,62 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# log level + +@test "server/standalone-StatefulSet: default log level to empty" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .name' | tee /dev/stderr) + [ "${value}" = "" ] +} + +@test "server/standalone-StatefulSet: log level can be changed" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set='server.logLevel=debug' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "debug" ] +} + +#-------------------------------------------------------------------- +# log format + +@test "server/standalone-StatefulSet: default log format to empty" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .name' | tee /dev/stderr) + [ "${value}" = "" ] +} + +@test "server/standalone-StatefulSet: can set log format" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set='server.logFormat=json' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] +} + #-------------------------------------------------------------------- # extraEnvironmentVars @@ -461,21 +517,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] - - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] - - local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] local object=$(helm template \ --show-only templates/server-statefulset.yaml \ 
@@ -484,21 +532,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] - - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] - - local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] } #-------------------------------------------------------------------- diff --git a/values.yaml b/values.yaml index c08e9acf2..89d713cf8 100644 --- a/values.yaml +++ b/values.yaml @@ -62,7 +62,8 @@ injector: # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" - # Configures the log verbosity of the injector. Supported log levels: Trace, Debug, Error, Warn, Info + # Configures the log verbosity of the injector. + # Supported log levels include: trace, debug, info, warn, error logLevel: "info" # Configures the log format of the injector. Supported log formats: "standard", "json". @@ -195,6 +196,14 @@ server: # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies updateStrategyType: "OnDelete" + # Configure the logging verbosity for the Vault server. + # Supported log levels include: trace, debug, info, warn, error + logLevel: "" + + # Configure the logging format for the Vault server. + # Supported log formats include: standard, json + logFormat: "" + resources: {} # resources: # requests: From dc696bb1f31d75c97a6906be2e4ecdbce2f341f6 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 11:21:25 -0400 Subject: [PATCH 018/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1c01a224..870e631f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Features: * Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) * Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) * Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) +* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) Bugs: * CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) From d8c2d2058cc25d601c66e3edd880bf7c5d618f30 Mon Sep 17 00:00:00 2001 From: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Date: Mon, 12 Apr 2021 22:59:38 +0200 Subject: [PATCH 019/115] Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> --- templates/injector-deployment.yaml | 6 ++--- templates/injector-service.yaml | 2 +- test/unit/injector-deployment.bats | 36 ++++++++++++++++++++++++++++++ test/unit/injector-service.bats | 19 ++++++++++++++++ values.yaml | 3 +++ 5 files changed, 62 insertions(+), 4 deletions(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 594575f24..ba606a941 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
@@ -53,7 +53,7 @@ spec: {{- end }} env: - name: AGENT_INJECT_LISTEN - value: ":8080" + value: {{ printf ":%v" .Values.injector.port }} - name: AGENT_INJECT_LOG_LEVEL value: {{ .Values.injector.logLevel | default "info" }} - name: AGENT_INJECT_VAULT_ADDR @@ -104,7 +104,7 @@ spec: livenessProbe: httpGet: path: /health/ready - port: 8080 + port: {{ .Values.injector.port }} scheme: HTTPS failureThreshold: 2 initialDelaySeconds: 5 @@ -114,7 +114,7 @@ spec: readinessProbe: httpGet: path: /health/ready - port: 8080 + port: {{ .Values.injector.port }} scheme: HTTPS failureThreshold: 2 initialDelaySeconds: 5 diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 0e5172743..73c517580 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -12,7 +12,7 @@ metadata: spec: ports: - port: 443 - targetPort: 8080 + targetPort: {{ .Values.injector.port }} selector: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 133e27993..895bec124 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
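Review bot: `value: {{ printf ":%v" .Values.injector.port }}` in templates/injector-deployment.yaml emits an unquoted plain scalar that starts with a colon; it happens to parse as the string `:8080` in the tests, but `value: {{ printf ":%v" .Values.injector.port | quote }}` removes the dependence on YAML scalar rules and matches the quoted form used for the neighbouring env values. The probes and the Service `targetPort` are kept in step with the same value, which is good; since `injector.hostNetwork` can now put this listener on the node's network namespace, the `port:` comment in values.yaml is worth extending with `# When injector.hostNetwork is true this port is bound on the node and must not collide with other host listeners.` The container spec continues outside the hunk.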
@@ -422,6 +422,42 @@ load _helpers [ "${actual}" = "bar" ] } +#-------------------------------------------------------------------- +# agent port + +@test "injector/deployment: default agentPort" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LISTEN" ] + + local actual=$(echo $object | + yq -r '.[0].value' | tee /dev/stderr) + [ "${actual}" = ":8080" ] +} + +@test "injector/deployment: custom agentPort" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.port=8443' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LISTEN" ] + + local actual=$(echo $object | + yq -r '.[0].value' | tee /dev/stderr) + [ "${actual}" = ":8443" ] +} + #-------------------------------------------------------------------- # affinity diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index f9d872256..ad4800991 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats 
@@ -18,6 +18,25 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/Service: service with default port" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "8080" ] +} + +@test "injector/Service: service with custom port" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --set 'injector.port=8443' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "8443" ] +} + @test "injector/Service: disable with global.enabled false" { cd `chart_dir` local actual=$( (helm template \ diff --git a/values.yaml b/values.yaml index 89d713cf8..0d78e3910 100644 --- a/values.yaml +++ b/values.yaml @@ -29,6 +29,9 @@ injector: replicas: 1 + # Configures the port the injector should listen on + port: 8080 + # If multiple replicas are specified, by default a leader-elector side-car # will be created so that only one injector attempts to create TLS certificates. leaderElector: From b838d4b843b7f1a78535beaed33b474ddee997a7 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 12 Apr 2021 17:00:51 -0400 Subject: [PATCH 020/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 870e631f9..d1a392c50 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,7 @@ Features: * Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) * Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) +* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489) * Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) * Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) From bf5783ef6b3aaec6680b63079fca5a68d0fe14ea Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 12 Apr 2021 17:01:14 -0400 Subject: [PATCH 021/115] Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran --- templates/injector-deployment.yaml | 10 ++ test/unit/injector-deployment.bats | 245 +++++++++++++++-------------- values.yaml | 13 ++ 3 files changed, 154 insertions(+), 114 deletions(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index ba606a941..5dd3553e9 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
@@ -97,6 +97,16 @@ spec: fieldRef: fieldPath: metadata.namespace {{- end }} + - name: AGENT_INJECT_CPU_REQUEST + value: "{{ .Values.injector.agentDefaults.cpuRequest }}" + - name: AGENT_INJECT_CPU_LIMIT + value: "{{ .Values.injector.agentDefaults.cpuLimit }}" + - name: AGENT_INJECT_MEM_REQUEST + value: "{{ .Values.injector.agentDefaults.memRequest }}" + - name: AGENT_INJECT_MEM_LIMIT + value: "{{ .Values.injector.agentDefaults.memLimit }}" + - name: AGENT_INJECT_DEFAULT_TEMPLATE + value: "{{ .Values.injector.agentDefaults.template }}" {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} args: - agent-inject diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 895bec124..dbeb1d9ec 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -133,21 +133,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_CERT_FILE" ] - - local actual=$(echo $object | - yq -r '.[5].value' | tee /dev/stderr) - [ "${actual}" = "/etc/webhook/certs/test.crt" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_CERT_FILE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "/etc/webhook/certs/test.crt" ] - local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_KEY_FILE" ] - - local actual=$(echo $object | - yq -r '.[6].value' | tee /dev/stderr) - [ "${actual}" = "/etc/webhook/certs/test.key" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_KEY_FILE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "/etc/webhook/certs/test.key" ] } @test "injector/deployment: auto TLS by default" { 
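Review bot: The five new `AGENT_INJECT_*` env entries wrap the values in literal double quotes (`value: "{{ .Values.injector.agentDefaults.cpuRequest }}"`), so a `template` string containing a `"` or a backslash breaks the rendered YAML; `value: {{ .Values.injector.agentDefaults.template | quote }}` (and the same for the four resource values) escapes correctly. The values.yaml block defining `injector.agentDefaults` is not in this chunk, so whether unset keys render as an empty string and how the injector treats an empty `AGENT_INJECT_DEFAULT_TEMPLATE` cannot be confirmed here; the defaults and the accepted template names should be documented alongside those keys. The env list continues outside the hunk.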
@@ -163,13 +155,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_AUTO" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ] - local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.default,RELEASE-NAME-vault-agent-injector-svc.default.svc" ] } @test "injector/deployment: with externalVaultAddr" { @@ -180,13 +172,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[2].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[2].value' | tee /dev/stderr) - [ "${actual}" = "http://vault-outside" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://vault-outside" ] } @test "injector/deployment: without externalVaultAddr" { 
@@ -198,13 +186,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[2].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[2].value' | tee /dev/stderr) - [ "${actual}" = "http://not-external-test-vault.default.svc:8200" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://not-external-test-vault.default.svc:8200" ] } @test "injector/deployment: default authPath" { @@ -214,13 +198,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[3].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ] - - local actual=$(echo $object | - yq -r '.[3].value' | tee /dev/stderr) - [ "${actual}" = "auth/kubernetes" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_AUTH_PATH")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "auth/kubernetes" ] } @test "injector/deployment: custom authPath" { @@ -231,13 +211,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[3].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ] - - local actual=$(echo $object | - yq -r '.[3].value' | tee /dev/stderr) - [ "${actual}" = "auth/k8s" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_AUTH_PATH")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "auth/k8s" ] } @test "injector/deployment: default logLevel" { 
@@ -247,13 +223,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[1].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ] - - local actual=$(echo $object | - yq -r '.[1].value' | tee /dev/stderr) - [ "${actual}" = "info" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "info" ] } @test "injector/deployment: custom logLevel" { @@ -264,13 +236,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[1].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ] - - local actual=$(echo $object | - yq -r '.[1].value' | tee /dev/stderr) - [ "${actual}" = "foo" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "foo" ] } @test "injector/deployment: default logFormat" { @@ -280,13 +248,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ] - - local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) - [ "${actual}" = "standard" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "standard" ] } @test "injector/deployment: custom logFormat" { 
@@ -297,13 +261,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ] - - local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) - [ "${actual}" = "json" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] } @test "injector/deployment: default revoke on shutdown" { @@ -313,13 +273,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] - - local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) - [ "${actual}" = "false" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_REVOKE_ON_SHUTDOWN")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "false" ] } @test "injector/deployment: custom revoke on shutdown" { @@ -330,13 +286,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] - - local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) - [ "${actual}" = "true" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_REVOKE_ON_SHUTDOWN")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "true" ] } @test "injector/deployment: disable security context when openshift enabled" { 
@@ -347,9 +299,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[9].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_SET_SECURITY_CONTEXT" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_SET_SECURITY_CONTEXT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "false" ] } #-------------------------------------------------------------------- @@ -365,29 +317,17 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[9].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "bar" ] - local actual=$(echo $object | - yq -r '.[9].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "foobar" ] - local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] - - local actual=$(echo $object | - yq -r '.[10].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] - - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "LOWER_CASE" ] - - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "sanitized" ] + local value=$(echo $object | + yq -r 'map(select(.name=="LOWER_CASE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "sanitized" ] } #-------------------------------------------------------------------- 
@@ -601,3 +541,80 @@ load _helpers yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/deployment: agent default resources" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "500m" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "250m" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "128Mi" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "64Mi" ] +} + +@test "injector/deployment: can set agent default resources" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.agentDefaults.cpuLimit=cpuLimit' \ + --set 'injector.agentDefaults.cpuRequest=cpuRequest' \ + --set 'injector.agentDefaults.memLimit=memLimit' \ + --set 'injector.agentDefaults.memRequest=memRequest' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "cpuLimit" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "cpuRequest" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "memLimit" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "memRequest" ] +} + +@test "injector/deployment: agent default template" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_DEFAULT_TEMPLATE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "map" ] +} + +@test "injector/deployment: can set agent default template" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set='injector.agentDefaults.template=json' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_DEFAULT_TEMPLATE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] +} diff --git a/values.yaml b/values.yaml index 0d78e3910..b08b1312a 100644 --- a/values.yaml +++ b/values.yaml 
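Review bot: `--set='injector.agentDefaults.template=json'` in the last new test uses the `--set=` form while every other test in the file, including the three added here, writes `--set 'key=value'`; `--set 'injector.agentDefaults.template=json'` keeps the style uniform. Purely a point of style, the assertions themselves are sound.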
@@ -62,6 +62,19 @@ injector: repository: "vault" tag: "1.7.0" + # The default values for the injected Vault Agent containers. + agentDefaults: + # For more information on configuring resources, see the K8s documentation: + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + cpuLimit: "500m" + cpuRequest: "250m" + memLimit: "128Mi" + memRequest: "64Mi" + + # Default template type for secrets when no custom template is specified. + # Possible values include: "json" and "map". + template: "map" + # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" From 366cf23a7566b438d3955ae8f60616561837e7c7 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 12 Apr 2021 17:02:16 -0400 Subject: [PATCH 022/115] changelog++ --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1a392c50..4b8fda9fa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,8 +4,10 @@ Features: * Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) * Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) * Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489) +* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493) * Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) * Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) +* Bugs: * CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) From 088ce89dc18e05a2b7995167ad6c377db7928fff Mon Sep 17 00:00:00 2001 
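Review bot: The `agentDefaults` comment does not say how these values reach the injector or that the chart does not validate them; the template hunk in this commit exports them verbatim as `AGENT_INJECT_CPU_REQUEST`, `AGENT_INJECT_CPU_LIMIT`, `AGENT_INJECT_MEM_REQUEST`, `AGENT_INJECT_MEM_LIMIT` and `AGENT_INJECT_DEFAULT_TEMPLATE`. A line such as `# Passed unvalidated to the injector as AGENT_INJECT_* environment variables; use Kubernetes quantity syntax (e.g. "500m", "128Mi").` would make a misconfiguration easier to spot. For `template`, `Possible values include: "json" and "map".` reads as an open list; if those are the only two accepted, `Possible values: "json" or "map".` is clearer.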
From: Javier Criado Marcos Date: Tue, 13 Apr 2021 17:20:31 +0200 Subject: [PATCH 023/115] [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https --- templates/injector-service.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 73c517580..3138b7a5b 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -11,7 +11,8 @@ metadata: {{ template "injector.service.annotations" . }} spec: ports: - - port: 443 + - name: https + port: 443 targetPort: {{ .Values.injector.port }} selector: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector From f2e3d57a653de749c00b104bad743f263b7508ef Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 13 Apr 2021 11:21:08 -0400 Subject: [PATCH 024/115] changelog++ --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b8fda9fa..d9549805e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,9 @@ Features: * Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493) * Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) * Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) -* + +Improvements: +* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495) Bugs: * CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) From 5f2e1d470fc1f04972232f90c43883873bae0485 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Wed, 14 Apr 2021 08:23:50 -0400 Subject: [PATCH 025/115] Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI --- test/unit/injector-deployment.bats | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index dbeb1d9ec..3b6efbc38 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -159,9 +159,13 @@ load _helpers yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ] + # helm template does uses current context namespace and ignores namespace flags, so + # discover the targeted namespace so we can check the rendered value correctly. + local namespace=$(kubectl config view --minify --output 'jsonpath={..namespace}') + local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.default,RELEASE-NAME-vault-agent-injector-svc.default.svc" ] + [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] } @test "injector/deployment: with externalVaultAddr" { From be1721fc8461ea4a73f8ae54cc33384ec070eec4 Mon Sep 17 00:00:00 2001 
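Review bot: `local namespace=$(kubectl config view ...)` masks kubectl's exit status, so a missing binary or unreadable kubeconfig silently falls through to the `${namespace:-default}` fallback; if that fallback is the intent, say so in the comment, otherwise `local namespace; namespace=$(kubectl ...)` lets the failure surface. The unit test now depends on kubectl and on the developer's current context, whereas the objectSelector test earlier in this series passes `--namespace` to `helm template`; if the Helm version in CI honors that flag for `.Release.Namespace`, pinning `--namespace default` here would keep the test hermetic, which the new comment asserts is not possible — worth confirming against the Helm version in use. The comment also has a typo: `does uses` should read `uses`.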
From: Tom Proctor Date: Wed, 14 Apr 2021 14:53:52 +0100 Subject: [PATCH 026/115] Remove redundant logic (#434) --- templates/injector-network-policy.yaml | 2 +- templates/injector-psp-role.yaml | 2 +- templates/injector-psp-rolebinding.yaml | 2 +- templates/injector-psp.yaml | 2 +- templates/server-clusterrolebinding.yaml | 2 +- templates/server-disruptionbudget.yaml | 2 +- templates/server-ha-active-service.yaml | 2 +- templates/server-ha-standby-service.yaml | 4 ++-- templates/server-ingress.yaml | 2 +- templates/server-psp-role.yaml | 2 +- templates/server-psp-rolebinding.yaml | 2 +- templates/server-psp.yaml | 2 +- 12 files changed, 13 insertions(+), 13 deletions(-) diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml index f2dfd511e..7a399a538 100644 --- a/templates/injector-network-policy.yaml +++ b/templates/injector-network-policy.yaml @@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 5fd264923..20c87bb2a 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml @@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index f7ae7fe6d..d6d0d5e24 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml index 5871eb91d..c024ac107 100644 --- a/templates/injector-psp.yaml +++ b/templates/injector-psp.yaml @@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index ecf6a705e..e5e0f5fec 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} 
diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 6d7f8240a..3c45cc04e 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" -}} -{{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. apiVersion: policy/v1beta1 diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index b6366b022..74fca41d7 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Service for active Vault pod apiVersion: v1 kind: Service diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 473de5517..9213b7452 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
@@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -38,4 +38,4 @@ spec: component: server vault-active: "false" {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 5faac60f4..deaa0dd55 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -4,7 +4,7 @@ {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index b4bea0602..fd12e1eb3 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index 923102733..b2a43c834 100644 
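Review bot: The second hunk of server-ha-standby-service.yaml rewrites the final `{{- end }}` only to drop the file's trailing newline (`\ No newline at end of file`), which is unrelated to flattening the nested `and` and will produce a noisy diff the next time the file is touched; restore the newline so the hunk disappears. The flattening itself is safe because Go template `and` is variadic, though a sentence saying so in the commit message would save the next reader the check.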
--- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index 32c152634..2d9426819 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: From 27338595e81d0f54810665b6c5d653fd8ad6b5f8 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Wed, 14 Apr 2021 10:26:33 -0400 Subject: [PATCH 027/115] Update to v0.11.0 (#497) --- CHANGELOG.md | 2 ++ Chart.yaml | 3 ++- values.yaml | 4 ++-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9549805e..2ed15ac47 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.11.0 (April 14th, 2021) + Features: * Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) * Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) diff --git a/Chart.yaml b/Chart.yaml index 04370699d..562323859 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: vault -version: 0.10.0 +version: 0.11.0 appVersion: 1.7.0 description: Official HashiCorp Vault Chart home: https://www.vaultproject.io @@ -10,3 +10,4 @@ sources: - https://github.com/hashicorp/vault - https://github.com/hashicorp/vault-helm - https://github.com/hashicorp/vault-k8s + - https://github.com/hashicorp/vault-csi-provider diff --git a/values.yaml b/values.yaml index b08b1312a..f31d13209 100644 --- a/values.yaml +++ b/values.yaml @@ -52,7 +52,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.9.0" + tag: "0.10.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -691,7 +691,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.1.0" + tag: "0.2.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From dcb4b102835d1c9911cfc9a47fb9bfc2084ffdbf Mon Sep 17 00:00:00 2001 From: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Date: Wed, 14 Apr 2021 20:05:38 +0300 Subject: [PATCH 028/115] Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> --- CONTRIBUTING.md | 21 ++++++++++++++++++--- test/docker/Test.dockerfile | 2 +- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 431dfa897..642226278 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -62,8 +62,23 @@ The unit tests don't require any active Kubernetes cluster and complete very quickly. These should be used for fast feedback during development. The acceptance tests require a Kubernetes cluster with a configured `kubectl`. -### Prequisites -* [Bats](https://github.com/bats-core/bats-core) +### Test Using Docker Container + +The following are the instructions for running bats tests using a Docker container. + +#### Prerequisites + +* Docker installed +* `vault-helm` checked out locally + +#### Test + +**Note:** the following commands should be run from the `vault-helm` directory. + +First, build the Docker image for running the tests: + +```shell +docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test ```bash brew install bats-core ``` @@ -76,7 +91,7 @@ The acceptance tests require a Kubernetes cluster with a configured `kubectl`. brew install kubernetes-helm ``` -### Running The Tests +#### Test To run the unit tests: diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile index 4b1c37579..98afeace2 100644 --- a/test/docker/Test.dockerfile +++ b/test/docker/Test.dockerfile @@ -9,7 +9,7 @@ FROM docker.mirror.hashicorp.services/alpine:latest WORKDIR /root -ENV BATS_VERSION "1.1.0" +ENV BATS_VERSION "1.3.0" ENV TERRAFORM_VERSION "0.12.10" # base packages From b59cbf6dc63b6f6c74ffa4f61b42150ad93ddb04 Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Mon, 10 May 2021 16:56:31 -0700 Subject: [PATCH 029/115] Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. --- .circleci/config.yml | 24 +++++++++++++ Chart.yaml | 1 + README.md | 4 +-- test/chart/_helpers.bash | 18 ++++++++++ test/chart/verifier.bats | 77 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 122 insertions(+), 2 deletions(-) create mode 100644 test/chart/_helpers.bash create mode 100644 test/chart/verifier.bats diff --git a/.circleci/config.yml b/.circleci/config.yml index 4e0f623be..0b0c91543 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -10,6 +10,29 @@ jobs: steps: - checkout - run: bats ./test/unit -t + + chart-verifier: + docker: + - image: docker.mirror.hashicorp.services/cimg/go:1.16 + environment: + BATS_VERSION: "1.3.0" + # Note: the commit SHA is used here since the repo doesn't use release tags + CHART_VERIFIER_VERSION: "190d532246a5936dc6a7125e2da917d04e38a672" + steps: + - checkout + - run: + name: install chart-verifier + command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} + - run: + name: install bats + command: | + curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz + tar -zxf /tmp/bats.tgz -C /tmp + sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local + - run: + name: run chart-verifier tests + command: bats ./test/chart -t + acceptance: docker: # This image is build from test/docker/Test.dockerfile @@ -66,6 +89,7 @@ workflows: build_and_test: jobs: - bats-unit-test + - chart-verifier - acceptance: requires: - bats-unit-test diff --git a/Chart.yaml b/Chart.yaml index 562323859..6a0daf403 100644 --- a/Chart.yaml +++ b/Chart.yaml 
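Review bot: The `install bats` step fetches the tarball with `curl -sSL` and then runs `install.sh` from it under sudo with no integrity check, so a tampered or truncated download is executed as root on the CI runner; add `-f` so HTTP errors fail the step, and verify the archive before extracting, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  /tmp/bats.tgz" | sha256sum -c -` with the hash of the pinned v1.3.0 release recorded next to `BATS_VERSION`. chart-verifier is pinned to a commit SHA, which is good; a one-line comment that `BATS_VERSION` should be bumped together with the one in test/docker/Test.dockerfile would keep the two in sync.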
@@ -2,6 +2,7 @@ apiVersion: v2 name: vault version: 0.11.0 appVersion: 1.7.0 +kubeVersion: ">= 1.14" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/README.md b/README.md index 25cc872be..f95b26fc3 100644 --- a/README.md +++ b/README.md @@ -22,9 +22,9 @@ The versions required are: * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible it works with earlier versions but this chart is untested for those versions. - * **Kubernetes 1.9+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is - untested. Other versions verified are Kubernetes 1.10, 1.11. + untested. ## Usage diff --git a/test/chart/_helpers.bash b/test/chart/_helpers.bash new file mode 100644 index 000000000..fb9db31da --- /dev/null +++ b/test/chart/_helpers.bash @@ -0,0 +1,18 @@ +# chart_dir returns the directory for the chart +chart_dir() { + echo ${BATS_TEST_DIRNAME}/../.. +} + +# check_result checks if the specified test passed +# results schema example: +# { +# "check": "has-minkubeversion", +# "type": "Mandatory", +# "outcome": "PASS", +# "reason": "Minimum Kubernetes version specified" +# } +check_result() { + local -r var="$1" + local check=$(cat $VERIFY_OUTPUT | jq -r ".results[] | select(.check==\"${var}\").outcome") + [ "$check" = "PASS" ] +} diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats new file mode 100644 index 000000000..a4df5cfdb --- /dev/null +++ b/test/chart/verifier.bats 
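Review bot: `check_result` builds the jq program by interpolating `${var}` into the filter string, so a check name containing a quote or backslash changes the program rather than the comparison; `jq -r --arg c "$var" '.results[] | select(.check==$c).outcome' "$VERIFY_OUTPUT"` passes it as data and drops the `cat` pipe. The `local check=$(...)` assignment also hides jq's exit status, so a missing or non-JSON `$VERIFY_OUTPUT` shows up only as a comparison against an empty string; a preceding `[ -s "$VERIFY_OUTPUT" ]` gives a clearer failure.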
@@ -0,0 +1,77 @@ +#!/usr/bin/env bats + +load _helpers + +setup_file() { + cd `chart_dir` + export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" + export CHART_VOLUME=vault-helm-chart-src + # Note: currently `latest` is the only tag available in the chart-verifier repo. + local IMAGE="quay.io/redhat-certification/chart-verifier:latest" + + local run_cmd="chart-verifier" + local chart_src="." + + if [ ! -e $USE_DOCKER ]; then + chart_src="/chart" + # Create a dummy container which will hold a volume with chart source + docker create -v $chart_src --name $CHART_VOLUME alpine:3 /bin/true + # Copy the chart source into this volume + docker cp . $CHART_VOLUME:$chart_src + # Make sure we have the latest version of chart-verifier + docker pull $IMAGE + # Start chart-verifier using this volume + run_cmd="docker run --rm --volumes-from $CHART_VOLUME $IMAGE" + fi + + $run_cmd verify --output json $chart_src 2>&1 | tee $VERIFY_OUTPUT +} + +teardown_file() { + if [ ! -e $USE_DOCKER ]; then + docker rm $CHART_VOLUME + fi +} + +@test "has-minkubeversion" { + check_result has-minkubeversion +} + +@test "is-helm-v3" { + check_result is-helm-v3 +} + +@test "not-contains-crds" { + check_result not-contains-crds +} + +@test "helm-lint" { + check_result helm-lint +} + +@test "not-contain-csi-objects" { + check_result not-contain-csi-objects +} + +@test "has-readme" { + check_result has-readme +} + +@test "contains-values" { + check_result contains-values +} + +@test "images-are-certified" { + skip "Skipping until this has been addressed" + check_result images-are-certified +} + +@test "contains-test" { + skip "Skipping until this has been addressed" + check_result contains-test +} + +@test "contains-values-schema" { + skip "Skipping until this has been addressed" + check_result contains-values-schema +} From 794a86a28b9abda62958947a45d1b08710e21158 Mon Sep 17 00:00:00 2001 
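Review bot: `if [ ! -e $USE_DOCKER ]` in setup_file (repeated in teardown_file) is a file-existence test rather than a flag check: with USE_DOCKER unset it degrades to `[ ! -e ]`, which is false, and `USE_DOCKER=true` only selects the docker path because no file named `true` happens to exist in the chart directory, so `USE_DOCKER=false` would select it too. Replace both with `if [ -n "${USE_DOCKER:-}" ]; then`. The run line `$run_cmd verify --output json $chart_src 2>&1 | tee $VERIFY_OUTPUT` also merges stderr into the file that `check_result` later parses as JSON and hides the verifier's exit status behind `tee`; drop `2>&1` (or send stderr to a separate log) so a stray warning cannot corrupt the results. The leading slash in `VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json"` looks like a typo, and pulling `chart-verifier:latest` makes the job non-reproducible — the comment already admits no other tag exists, so record a digest once one is available.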
From: Theron Voran Date: Mon, 10 May 2021 16:58:25 -0700 Subject: [PATCH 030/115] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ed15ac47..a9a895095 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Improvements: +* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) + ## 0.11.0 (April 14th, 2021) Features: From 6e8ef40840a9949c3ed4a5894251625cace9dae5 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 11 May 2021 08:25:50 -0700 Subject: [PATCH 031/115] match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 6a0daf403..f048aee9c 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: vault version: 0.11.0 appVersion: 1.7.0 -kubeVersion: ">= 1.14" +kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png From 92aed2cbee07466872b6b7807b11c1f7ac4c5714 Mon Sep 17 00:00:00 2001 From: mehmetsalgar Date: Wed, 12 May 2021 13:06:54 +0200 Subject: [PATCH 032/115] Add ImagePullSecrets to CSI daemonset (#519) --- templates/csi-daemonset.yaml | 4 ++++ test/unit/csi-daemonset.bats | 29 +++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 5f80ed174..94b765d34 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml 
@@ -73,4 +73,8 @@ spec: {{- if .Values.csi.volumes }} {{- toYaml .Values.csi.volumes | nindent 8}} {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} + {{- end }} {{- end }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 127ac54e9..992d1cf48 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -62,6 +62,35 @@ load _helpers [ "${actual}" = "SomePullPolicy" ] } +@test "csi/daemonset: Custom imagePullSecrets" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set 'global.imagePullSecrets[0].name=foo' \ + --set 'global.imagePullSecrets[1].name=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "foo" ] + + local actual=$(echo $object | + yq -r '.[1].name' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: default imagePullSecrets" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + # Debug arg @test "csi/daemonset: debug arg is configurable" { cd `chart_dir` From f84fc7e30bdaf1301b1332732d529fc8c87e1075 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 12 May 2021 12:11:15 +0100 Subject: [PATCH 033/115] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a9a895095..2567b0539 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,9 @@ Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) +Bugs: +* CSI: global.imagePullSecrets are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) + ## 0.11.0 (April 14th, 2021) Features: From 1505e7754bfab98ec8e8b0d34ffe57e8b27d44ca Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 12 May 2021 12:11:42 +0100 Subject: [PATCH 034/115] changelog++ --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2567b0539..790f52fea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) Bugs: -* CSI: global.imagePullSecrets are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) +* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) ## 0.11.0 (April 14th, 2021) From 2a70a9f50d1a22aa479a7dcf51eadaa1ae51ca74 Mon Sep 17 00:00:00 2001 From: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Date: Wed, 12 May 2021 17:44:11 +0300 Subject: [PATCH 035/115] fix CONTRIBUTING.md (#501) --- CONTRIBUTING.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 642226278..f83d56747 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -79,6 +79,21 @@ First, build the Docker image for running the tests: ```shell docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test +``` +Next, execute the tests with the following commands: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit +``` +It's possible to only run specific bats tests using regular expressions. +For example, the following will run only tests with "injector" in the name: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector" +``` + +### Test Manually +The following are the instructions for running bats tests on your workstation. +#### Prerequisites +* [Bats](https://github.com/bats-core/bats-core) ```bash brew install bats-core ``` From f226051e53227521beded82442baf97ea28d666f Mon Sep 17 00:00:00 2001 From: Sarah Thompson Date: Thu, 13 May 2021 11:56:01 +0100 Subject: [PATCH 036/115] updating to use new dedicated context and token (#515) --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 0b0c91543..2f86aad37 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -99,7 +99,7 @@ workflows: update-helm-charts-index: jobs: - update-helm-charts-index: - context: helm-charts-trigger + context: helm-charts-trigger-vault filters: tags: only: /^v.*/ From ed38f6d3a6ca5b6207c61a3ebe89ce5d29676787 Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Fri, 14 May 2021 08:59:36 -0700 Subject: [PATCH 037/115] added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> --- Makefile | 6 +- test/README.md | 28 +- test/chart/verifier.bats | 9 +- values.schema.json | 687 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 722 insertions(+), 8 deletions(-) create mode 100644 values.schema.json diff --git a/Makefile b/Makefile index 96bb17ebe..1b3020c59 100644 --- a/Makefile +++ b/Makefile @@ -4,6 +4,10 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats ACCEPTANCE_TESTS?=acceptance +# Generate json schema for chart values. See test/README.md for more details. +values-schema: + helm schema-gen values.yaml > values.schema.json + test-image: @docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) @@ -62,4 +66,4 @@ provision-cluster: destroy-cluster: terraform destroy -auto-approve -.PHONY: test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster +.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster diff --git a/test/README.md b/test/README.md index e4ce89144..722bc4034 100644 --- a/test/README.md +++ b/test/README.md @@ -1,4 +1,6 @@ -# Running Vault Helm Acceptance tests +# Vault Helm Tests + +## Running Vault Helm Acceptance tests The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance. 
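Review bot: The new `values-schema` target redirects `helm schema-gen` straight over values.schema.json, but the test/README.md hunk in this same patch says the generated file then needs manual editing because several properties accept more than one type, so re-running `make values-schema` silently throws those edits away. Generate to a scratch file and leave the merge to the developer, e.g. `helm schema-gen values.yaml > values.schema.json.generated`, and say so in the Makefile comment: `# Writes a fresh schema next to values.schema.json; re-apply the manual type widenings from test/README.md before replacing it.`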
@@ -7,4 +9,26 @@ The Makefile at the top level of this repo contains a few target that should hel * Run `make test-provision` to provision the GKE cluster using terraform. * Run `make test-acceptance` to run the acceptance tests in this already provisioned cluster. * You can choose to only run certain tests by setting the ACCEPTANCE_TESTS variable and re-running the above target. -* Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster. \ No newline at end of file +* Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster. + +## Running chart verification tests + +If [chart-verifier](https://github.com/redhat-certification/chart-verifier) is built and available in your PATH, run: + + bats test/chart/verifier.bats + +Or if you'd rather use the latest chart-verifier docker container, set +USE_DOCKER: + + USE_DOCKER=true bats test/chart/verifier.bats + +## Generating the values json schema + +There is a make target for generating values.schema.json: + + make values-schema + +It relies on the helm [schema-gen plugin][schema-gen]. Note that some manual +editing will be required, since several properties accept multiple data types. + +[schema-gen]: https://github.com/karuppiah7890/helm-schema-gen diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index a4df5cfdb..eab216dcf 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -61,6 +61,10 @@ teardown_file() { check_result contains-values } +@test "contains-values-schema" { + check_result contains-values-schema +} + @test "images-are-certified" { skip "Skipping until this has been addressed" check_result images-are-certified @@ -70,8 +74,3 @@ teardown_file() { skip "Skipping until this has been addressed" check_result contains-test } - -@test "contains-values-schema" { - skip "Skipping until this has been addressed" - check_result contains-values-schema -} 
diff --git a/values.schema.json b/values.schema.json
new file mode 100644
index 000000000..95c2fd733
--- /dev/null
+++ b/values.schema.json
@@ -0,0 +1,687 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "csi": { + "type": "object", + "properties": { + "daemonSet": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "updateStrategy": { + "type": "object", + "properties": { + "maxUnavailable": { + "type": "string" + }, + "type": { + "type": "string" + } + } + } + } + }, + "debug": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "pod": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + } + } + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + } + } + }, + "volumeMounts": { + "type": ["null", "array"] + }, + "volumes": { + "type": ["null", "array"] + } + } + }, + "global": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "imagePullSecrets": { + "type": "array" + }, + "openshift": { + "type": "boolean" + }, + "psp": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "enable": { + "type": 
"boolean" + } + } + }, + "tlsDisable": { + "type": "boolean" + } + } + }, + "injector": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + }, + "agentDefaults": { + "type": "object", + "properties": { + "cpuLimit": { + "type": "string" + }, + "cpuRequest": { + "type": "string" + }, + "memLimit": { + "type": "string" + }, + "memRequest": { + "type": "string" + }, + "template": { + "type": "string" + } + } + }, + "agentImage": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "annotations": { + "type": ["object", "string"] + }, + "authPath": { + "type": "string" + }, + "certs": { + "type": "object", + "properties": { + "caBundle": { + "type": "string" + }, + "certName": { + "type": "string" + }, + "keyName": { + "type": "string" + }, + "secretName": { + "type": ["null", "string"] + } + } + }, + "enabled": { + "type": "boolean" + }, + "externalVaultAddr": { + "type": "string" + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraLabels": { + "type": "object" + }, + "failurePolicy": { + "type": "string" + }, + "hostNetwork": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "leaderElector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ttl": { + "type": "string" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "namespaceSelector": { + "type": "object" + }, + "nodeSelector": { + "type": ["null", "string"] + }, + "objectSelector": { + "type": "object" + }, + "port": { + "type": "integer" + 
}, + "priorityClassName": { + "type": "string" + }, + "replicas": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "revokeOnShutdown": { + "type": "boolean" + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + } + } + }, + "tolerations": { + "type": ["null", "string"] + } + } + }, + "server": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + }, + "annotations": { + "type": ["object", "string"] + }, + "auditStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": ["boolean", "string"] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": ["null", "string"] + } + } + }, + "authDelegator": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "dataStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": ["boolean", "string"] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": ["null", "string"] + } + } + }, + "dev": { + "type": "object", + "properties": { + "devRootToken": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + } + }, + "enabled": { + "type": "boolean" + }, + "extraArgs": { + "type": "string" + }, + "extraContainers": { + "type": ["null", "array"] + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraInitContainers": { + "type": ["null", "array"] + }, + "extraLabels": { + "type": "object" + }, + "extraSecretEnvironmentVars": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "ha": { + "type": "object", + "properties": { + "apiAddr": { + "type": ["null", "string"] + }, + "config": { + "type": "string" + }, + "disruptionBudget": { + 
"type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxUnavailable": { + "type": "null" + } + } + }, + "enabled": { + "type": "boolean" + }, + "raft": { + "type": "object", + "properties": { + "config": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "setNodeId": { + "type": "boolean" + } + } + }, + "replicas": { + "type": "integer" + } + } + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ingress": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": "boolean" + }, + "extraPaths": { + "type": "array" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array" + } + } + } + }, + "labels": { + "type": "object" + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "networkPolicy": { + "type": "object", + "properties": { + "egress": { + "type": "array" + }, + "enabled": { + "type": "boolean" + } + } + }, + "nodeSelector": { + "type": ["null", "string"] + }, + "postStart": { + "type": "array" + }, + "preStopSleepSeconds": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + 
"type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "route": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": "boolean" + }, + "host": { + "type": "string" + }, + "labels": { + "type": "object" + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": "boolean" + }, + "port": { + "type": "integer" + }, + "targetPort": { + "type": "integer" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "shareProcessNamespace": { + "type": "boolean" + }, + "standalone": { + "type": "object", + "properties": { + "config": { + "type": "string" + }, + "enabled": { + "type": ["string", "boolean"] + } + } + }, + "statefulSet": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + } + } + }, + "tolerations": { + "type": ["null", "string"] + }, + "updateStrategyType": { + "type": "string" + }, + "volumeMounts": { + "type": ["null", "array"] + }, + "volumes": { + "type": ["null", "array"] + } + } + }, + "ui": { + "type": "object", + "properties": { + "activeVaultPodOnly": { + "type": "boolean" + }, + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": "boolean" + }, + "externalPort": { + "type": "integer" + }, + "publishNotReadyAddresses": { + "type": "boolean" + }, + "serviceNodePort": { + "type": "null" + }, + "serviceType": { + "type": "string" + } + } + } + } +} From e817b1d254e04a63987f8c39d8458dd9ece11226 Mon Sep 17 00:00:00 2001 
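Review bot: `ui.serviceNodePort` and `server.ha.disruptionBudget.maxUnavailable` are declared `"type": "null"`, which admits only the default and rejects any real value: once this schema ships, `--set ui.serviceNodePort=30000` fails `helm template` with an invalid-type error even though the ui-service template (patch 044 later on this page) renders `nodePort:` from exactly that value. Widen them to `"type": ["null", "integer"]` (`maxUnavailable` presumably also needs `"string"`, since Kubernetes accepts a percentage there — confirm against the PDB template). `csi.daemonSet.updateStrategy.maxUnavailable` is typed `string` only, so the integer form of that intOrString field would likewise be rejected. The schema never sets `additionalProperties: false`, so a misspelled key such as `global.tlsDisabled` is still accepted silently; that is a larger follow-up, but it is where a schema earns most of its keep for security-relevant toggles.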
From: Theron Voran Date: Fri, 14 May 2021 10:49:37 -0700 Subject: [PATCH 038/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 790f52fea..8478374fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) +* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) Bugs: * CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) From 0ab15dfb844b1b88377ef1167acc3d45fee1baa4 Mon Sep 17 00:00:00 2001 From: mehmetsalgar Date: Tue, 18 May 2021 02:14:19 +0200 Subject: [PATCH 039/115] [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran --- templates/_helpers.tpl | 10 ++++++++++ templates/csi-daemonset.yaml | 1 + test/unit/csi-daemonset.bats | 21 +++++++++++++++++++++ values.yaml | 6 ++++++ 4 files changed, 38 insertions(+) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index ca57fa167..505275b91 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -502,6 +502,16 @@ Sets extra CSI daemonset annotations {{- end }} {{- end -}} +{{/* +Sets the injector toleration for pod placement +*/}} +{{- define "csi.pod.tolerations" -}} + {{- if .Values.csi.pod.tolerations }} + tolerations: + {{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }} + {{- end }} +{{- end -}} + {{/* Sets extra CSI provider pod annotations */}} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 94b765d34..b505d14bb 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml 
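Review bot: The comment above the new `csi.pod.tolerations` define reads `Sets the injector toleration for pod placement`, copied from the injector helper; it should say `Sets the CSI provider pod tolerations for pod placement`. Because the value goes through `tpl`, the comment (and the matching values.yaml text) should also say that Go-template expressions inside `csi.pod.tolerations` are rendered with the chart context, which is easy to trip over when pasting tolerations that contain `{{`.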
@@ -28,6 +28,7 @@ spec: {{ template "csi.pod.annotations" . }} spec: serviceAccountName: {{ template "vault.fullname" . }}-csi-provider + {{- template "csi.pod.tolerations" . }} containers: - name: {{ include "vault.name" . }}-csi-provider {{ template "csi.resources" . }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 992d1cf48..d2156ee63 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -206,6 +206,27 @@ load _helpers [ "${actual}" = "bar" ] } +@test "csi/daemonset: tolerations not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: tolerations can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.tolerations=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.tolerations == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # volumes diff --git a/values.yaml b/values.yaml index f31d13209..32975bc15 100644 --- a/values.yaml +++ b/values.yaml @@ -728,12 +728,18 @@ csi: # YAML-formatted multi-line templated string map of the annotations to apply # to the daemonSet. annotations: {} + pod: # Extra annotations for the provider pods. This can either be YAML or a # YAML-formatted multi-line templated string map of the annotations to apply # to the pod. annotations: {} + # Toleration Settings for provider pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + tolerations: null + serviceAccount: # Extra annotations for the serviceAccount definition. This can either be # YAML or a YAML-formatted multi-line templated string map of the 
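Review bot: `csi.pod.tolerations` is wired into values.yaml and the daemonset template here but not into values.schema.json, whose `csi.pod` object (added in patch 037 earlier on this page) lists only `annotations`; the schema is permissive today so rendering is unaffected, but the new key is undocumented there and would be rejected by any later `additionalProperties: false`. Add `"tolerations": {"type": ["null", "string"]}` under `csi.pod.properties`. The `tolerations can be set` test asserts that the literal string `foobar` is emitted, which encodes that the value is a pre-rendered YAML string rather than a list — a one-line comment in that test saying so would stop someone "fixing" it into a list later.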
From dbd99b10c06dbdcb4d9e56c45fb4b5dc5e8eb303 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 17 May 2021 17:16:34 -0700 Subject: [PATCH 040/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8478374fe..dc4c4534d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) * Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) +* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521) Bugs: * CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) From 030d3cd89db0e6d99ba5038bd12e2d0153112586 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Fri, 21 May 2021 12:48:21 +0100 Subject: [PATCH 041/115] Add extraArgs value for CSI (#526) --- templates/csi-daemonset.yaml | 3 +++ test/unit/csi-daemonset.bats | 30 ++++++++++++++++++++++++++++++ values.schema.json | 3 +++ values.yaml | 3 +++ 4 files changed, 39 insertions(+) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index b505d14bb..75bde9a32 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -37,6 +37,9 @@ spec: args: - --endpoint=/provider/vault.sock - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.extraArgs }} + {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- end }} volumeMounts: - name: providervol mountPath: "/provider" diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index d2156ee63..f0a62c2b2 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
@@ -110,6 +110,36 @@ load _helpers [ "${actual}" = "--debug=true" ] } +# Extra args +@test "csi/daemonset: extra args can be passed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args | length' | tee /dev/stderr) + [ "${actual}" = "2" ] + + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.extraArgs={--foo=bar,--bar baz,first}" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0]') + local actual=$(echo $object | + yq -r '.args | length' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.args[2]' | tee /dev/stderr) + [ "${actual}" = "--foo=bar" ] + local actual=$(echo $object | + yq -r '.args[3]' | tee /dev/stderr) + [ "${actual}" = "--bar baz" ] + local actual=$(echo $object | + yq -r '.args[4]' | tee /dev/stderr) + [ "${actual}" = "first" ] +} + # updateStrategy @test "csi/daemonset: updateStrategy is configurable" { cd `chart_dir` diff --git a/values.schema.json b/values.schema.json index 95c2fd733..c3999654b 100644 --- a/values.schema.json +++ b/values.schema.json @@ -30,6 +30,9 @@ "enabled": { "type": "boolean" }, + "extraArgs": { + "type": "array" + }, "image": { "type": "object", "properties": { diff --git a/values.yaml b/values.yaml index 32975bc15..f6b513e80 100644 --- a/values.yaml +++ b/values.yaml @@ -773,3 +773,6 @@ csi: # Enables debug logging. debug: false + + # Pass arbitrary additional arguments to vault-csi-provider. + extraArgs: [] From 23ff8a1d83ba03935d5b6bb4f90ad926591febd3 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Fri, 21 May 2021 12:50:44 +0100 Subject: [PATCH 042/115] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc4c4534d..d5655308f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
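Review bot: `csi.extraArgs` is typed only as `array` in the values.schema.json hunk, so a list of non-strings (for example `--set csi.extraArgs[0]=1`, which helm parses as an integer) passes validation and `toYaml` emits a bare number into `args:`, leaving the API server to reject the DaemonSet with a far less helpful error. Constrain the items: `"extraArgs": {"type": "array", "items": {"type": "string"}}`. The values.yaml comment could also say that these are appended after the chart's own `--endpoint` and `--debug` flags, so which value wins for a repeated flag depends on vault-csi-provider's flag parser.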
@@ -1,5 +1,8 @@ ## Unreleased +Features: +* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526) + Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) * Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) From e206fadd9ed248a0316fee0bea98bcaa8f6ba9d0 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 25 May 2021 07:16:29 -0700 Subject: [PATCH 043/115] add schema unit tests (#530) --- test/unit/schema.bats | 46 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 test/unit/schema.bats diff --git a/test/unit/schema.bats b/test/unit/schema.bats new file mode 100644 index 000000000..a42614bf6 --- /dev/null +++ b/test/unit/schema.bats 
@@ -0,0 +1,46 @@ +#!/usr/bin/env bats + +load _helpers + +# These tests are just to verify there is a schema file used in the chart. Since +# .enabled is defined as a boolean type for each of the top-level blocks in the +# schema, setting it as a string fails 'helm template'. +@test "schema: csi enabled datatype" { + cd `chart_dir` + run helm template . --set csi.enabled="nope" + [ "$status" -eq 1 ] + [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ] + + run helm template . --set csi.enabled=true + [ "$status" -eq 0 ] +} + +@test "schema: injector enabled datatype" { + cd `chart_dir` + run helm template . --set injector.enabled="nope" + [ "$status" -eq 1 ] + [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ] + + run helm template . --set injector.enabled=true + [ "$status" -eq 0 ] +} + +@test "schema: server enabled datatype" { + cd `chart_dir` + run helm template . --set server.enabled="nope" + [ "$status" -eq 1 ] + [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ] + + run helm template . --set server.enabled=true + [ "$status" -eq 0 ] +} + +@test "schema: ui enabled datatype" { + cd `chart_dir` + run helm template . --set ui.enabled="nope" + [ "$status" -eq 1 ] + [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ] + + run helm template . --set ui.enabled=true + [ "$status" -eq 0 ] +} From 4c71c268b98baf1efa6c178edbace969502c104c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Horcajo?= Date: Tue, 25 May 2021 16:20:23 +0200 Subject: [PATCH 044/115] Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 --- templates/ui-service.yaml | 2 +- values.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index a1498d5fd..9e90af4bb 100644 
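Review bot: Each assertion on `${lines[2]}` ties the test to the exact line position of helm's schema error, so any extra line helm prints before it (a warning or deprecation notice, for instance) shifts the index and fails every case here without a schema regression. Matching the message anywhere in the captured output is more robust, e.g. `[[ "$output" == *"csi.enabled: Invalid type. Expected: boolean, given: string"* ]]`. The same change applies to the injector, server and ui cases in this file.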
--- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -25,7 +25,7 @@ spec: ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.ui.externalPort }} - targetPort: 8200 + targetPort: {{ .Values.ui.targetPort }} {{- if .Values.ui.serviceNodePort }} nodePort: {{ .Values.ui.serviceNodePort }} {{- end }} diff --git a/values.yaml b/values.yaml index f6b513e80..5fe4290d5 100644 --- a/values.yaml +++ b/values.yaml @@ -665,6 +665,7 @@ ui: serviceType: "ClusterIP" serviceNodePort: null externalPort: 8200 + targetPort: 8200 # loadBalancerSourceRanges: # - 10.0.0.0/16 From d53b011ae97a8c46f333210f3219af571a59728c Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 25 May 2021 10:21:01 -0400 Subject: [PATCH 045/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d5655308f..4385a7420 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) * Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) * Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521) +* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437) Bugs: * CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) From b21b37b07a439e8c0ae6ddd133aca71c719a01ca Mon Sep 17 00:00:00 2001 
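Review bot: `ui.targetPort` is rendered unquoted into the Service and the commit adds no matching entry to values.schema.json, so a mistyped value is not rejected at `helm template` time the way the boolean `enabled` keys are. Adding `"targetPort": { "type": "integer" }` under `ui` in the schema (or `["integer", "string"]` if named ports are intended) keeps the schema in step with the new values.yaml default. Whether unknown keys are currently tolerated depends on `additionalProperties` in the schema, which is not visible here.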
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 25 May 2021 13:46:48 -0400 Subject: [PATCH 046/115] Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo --- CHANGELOG.md | 2 + Chart.yaml | 4 +- test/acceptance/server-ha-enterprise-dr.bats | 4 +- .../acceptance/server-ha-enterprise-perf.bats | 4 +- values.schema.json | 161 ++++++++++++++---- values.yaml | 6 +- 6 files changed, 141 insertions(+), 40 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4385a7420..5b9459835 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.12.0 (May 25th, 2021) + Features: * Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526) diff --git a/Chart.yaml b/Chart.yaml index f048aee9c..4bd306fdc 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.11.0 -appVersion: 1.7.0 +version: 0.12.0 +appVersion: 1.7.2 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 5b04d2c01..55182441e 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.0_ent' \ + --set='server.image.tag=1.7.2_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . 
@@ -76,7 +76,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-west-0" diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 5c9b0c547..7497dbc3e 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.0_ent' \ + --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-east-0" @@ -76,7 +76,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-west-0" diff --git a/values.schema.json b/values.schema.json index c3999654b..87130e998 100644 --- a/values.schema.json +++ b/values.schema.json @@ -9,7 +9,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "updateStrategy": { "type": "object", @@ -71,7 +74,13 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] + }, + "tolerations": { + "type": ["null", "string"] } } }, 
@@ -102,15 +111,24 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] } } }, "volumeMounts": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] }, "volumes": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] } } }, @@ -130,7 +148,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enable": { "type": "boolean" @@ -180,7 +201,10 @@ } }, "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "authPath": { "type": "string" @@ -198,7 +222,10 @@ "type": "string" }, "secretName": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] } } }, @@ -298,12 +325,18 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] } } }, "tolerations": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] } } }, @@ -314,7 +347,10 @@ "type": "string" }, "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "auditStorage": { "type": "object", @@ -323,10 +359,16 @@ "type": "string" }, "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { - "type": ["boolean", "string"] + "type": [ + "boolean", + "string" + ] }, "mountPath": { "type": "string" @@ -335,7 +377,10 @@ "type": "string" }, "storageClass": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] } } }, @@ -354,10 +399,16 @@ "type": "string" }, "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { - "type": ["boolean", "string"] + "type": [ + "boolean", + "string" + ] }, "mountPath": { "type": "string" @@ -366,7 +417,10 @@ "type": "string" }, "storageClass": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] } } }, 
@@ -388,13 +442,19 @@ "type": "string" }, "extraContainers": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] }, "extraEnvironmentVars": { "type": "object" }, "extraInitContainers": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] }, "extraLabels": { "type": "object" @@ -409,7 +469,10 @@ "type": "object", "properties": { "apiAddr": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] }, "config": { "type": "string" @@ -465,7 +528,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { "type": "boolean" @@ -539,7 +605,10 @@ } }, "nodeSelector": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] }, "postStart": { "type": "array" @@ -580,7 +649,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { "type": "boolean" @@ -597,7 +669,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { "type": "boolean" @@ -614,7 +689,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "create": { "type": "boolean" @@ -634,7 +712,10 @@ "type": "string" }, "enabled": { - "type": ["string", "boolean"] + "type": [ + "string", + "boolean" + ] } } }, @@ -642,21 +723,33 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] } } }, "tolerations": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] }, "updateStrategyType": { "type": "string" }, "volumeMounts": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] }, "volumes": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] } } }, 
@@ -667,7 +760,10 @@ "type": "boolean" }, "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { "type": "boolean" @@ -683,6 +779,9 @@ }, "serviceType": { "type": "string" + }, + "targetPort": { + "type": "integer" } } } diff --git a/values.yaml b/values.yaml index 5fe4290d5..acab97a3b 100644 --- a/values.yaml +++ b/values.yaml @@ -52,7 +52,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.10.0" + tag: "0.10.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -60,7 +60,7 @@ injector: # required. agentImage: repository: "vault" - tag: "1.7.0" + tag: "1.7.2" # The default values for the injected Vault Agent containers. agentDefaults: @@ -204,7 +204,7 @@ server: image: repository: "vault" - tag: "1.7.0" + tag: "1.7.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 35937391604baaea86d1fcd2adaef12e4d2a9877 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 27 May 2021 17:09:50 -0700 Subject: [PATCH 047/115] Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. --- .circleci/config.yml | 2 +- templates/tests/server-test.yaml | 39 ++++++++++++++++++++++++++++++++ test/README.md | 7 ++++++ test/acceptance/helm-test.bats | 27 ++++++++++++++++++++++ test/chart/verifier.bats | 28 +++++++++++++++-------- 5 files changed, 93 insertions(+), 10 deletions(-) create mode 100644 templates/tests/server-test.yaml create mode 100644 test/acceptance/helm-test.bats diff --git a/.circleci/config.yml b/.circleci/config.yml index 2f86aad37..c5673d792 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -17,7 +17,7 @@ jobs: environment: BATS_VERSION: "1.3.0" # Note: the commit SHA is used here since the repo doesn't use release tags - CHART_VERIFIER_VERSION: "190d532246a5936dc6a7125e2da917d04e38a672" + CHART_VERIFIER_VERSION: "e2c03bd1a4aea20deb0a4a03ebfde254b1672050" steps: - checkout - run: diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml new file mode 100644 index 000000000..37819de5c --- /dev/null +++ b/templates/tests/server-test.yaml @@ -0,0 +1,39 @@ +{{- if .Values.server.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ .Release.Name }}-server-test" + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: {{ .Release.Name }}-server-test + image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + env: + - name: VAULT_ADDR + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + command: + - /bin/sh + - -c + - | + echo "Checking for sealed info in 'vault status' output" + ATTEMPTS=10 + n=0 + until [ "$n" -ge $ATTEMPTS ] + do + echo "Attempt" $n... + vault status -format yaml | grep -E '^sealed: (true|false)' && break + n=$((n+1)) + sleep 5 + done + if [ $n -ge $ATTEMPTS ]; then + echo "timed out looking for sealed info in 'vault status' output" + exit 1 + fi + + exit 0 + + restartPolicy: Never +{{- end }} diff --git a/test/README.md b/test/README.md index 722bc4034..28431dbf9 100644 --- a/test/README.md +++ b/test/README.md 
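Review bot: The test pod sets `VAULT_ADDR` from `vault.scheme`, so with TLS enabled it talks https to the service, but no `VAULT_CACERT` or other trust configuration is set; unless the server certificate chains to a CA already in the image's trust store, every `vault status` attempt fails verification and the pod only reports "timed out" after ten tries, hiding the real cause. Consider mounting the CA from the TLS secret the server uses and setting `VAULT_CACERT` to it when TLS is on, so the hook exercises the same path a client would. The container also carries no `resources` or `securityContext`; adding at least `resources` keeps the hook pod bounded on a constrained cluster.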
@@ -32,3 +32,10 @@ It relies on the helm [schema-gen plugin][schema-gen]. Note that some manual editing will be required, since several properties accept multiple data types. [schema-gen]: https://github.com/karuppiah7890/helm-schema-gen + +## Helm test + +Vault Helm also contains a simple helm test under +[templates/tests/](../templates/tests/) that may be run against a helm release: + + helm test diff --git a/test/acceptance/helm-test.bats b/test/acceptance/helm-test.bats new file mode 100644 index 000000000..c5f9553df --- /dev/null +++ b/test/acceptance/helm-test.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats + +load _helpers + +@test "helm/test: running helm test" { + cd `chart_dir` + + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + kubectl config set-context --current --namespace=acceptance + + helm install "$(name_prefix)" . + wait_for_running $(name_prefix)-0 + + helm test "$(name_prefix)" +} + +# Clean up +teardown() { + if [[ ${CLEANUP:-true} == "true" ]] + then + echo "helm/pvc teardown" + helm delete vault + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi +} diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index eab216dcf..f8e298623 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -8,6 +8,9 @@ setup_file() { export CHART_VOLUME=vault-helm-chart-src # Note: currently `latest` is the only tag available in the chart-verifier repo. local IMAGE="quay.io/redhat-certification/chart-verifier:latest" + # chart-verifier requires an openshift version if a cluster isn't available + local OPENSHIFT_VERSION="4.7" + local DISABLED_TESTS="chart-testing" local run_cmd="chart-verifier" local chart_src="." 
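Review bot: `teardown()` runs `helm delete vault` while the test installs the release as `"$(name_prefix)"`, so whenever `name_prefix` resolves to anything but `vault` the release is never uninstalled and only the namespace deletion that follows removes it. Use the same expression in both places: `helm delete "$(name_prefix)"`. The `echo "helm/pvc teardown"` message also looks copied from another file and should name this test, e.g. `echo "helm/test teardown"`.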
@@ -23,8 +26,11 @@ setup_file() { # Start chart-verifier using this volume run_cmd="docker run --rm --volumes-from $CHART_VOLUME $IMAGE" fi - - $run_cmd verify --output json $chart_src 2>&1 | tee $VERIFY_OUTPUT + + $run_cmd verify $chart_src \ + --output json \ + --openshift-version $OPENSHIFT_VERSION \ + --disable $DISABLED_TESTS 2>&1 | tee $VERIFY_OUTPUT } teardown_file() { @@ -33,8 +39,8 @@ teardown_file() { fi } -@test "has-minkubeversion" { - check_result has-minkubeversion +@test "has-kubeversion" { + check_result has-kubeversion } @test "is-helm-v3" { @@ -65,12 +71,16 @@ teardown_file() { check_result contains-values-schema } -@test "images-are-certified" { - skip "Skipping until this has been addressed" - check_result images-are-certified +@test "contains-test" { + check_result contains-test } -@test "contains-test" { +@test "chart-testing" { + skip "Skipping since this test requires a kubernetes/openshift cluster" + check_result chart-testing +} + +@test "images-are-certified" { skip "Skipping until this has been addressed" - check_result contains-test + check_result images-are-certified } From 3afcb463f8672e55c5632312228a02422eeb7cc9 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 27 May 2021 17:11:17 -0700 Subject: [PATCH 048/115] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b9459835..c5a15319b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Improvements: +* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) + ## 0.12.0 (May 25th, 2021) Features: From af25981752b6850d343729053c104f0f82d9ab6d Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Tue, 1 Jun 2021 10:41:02 -0700 Subject: [PATCH 049/115] fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer --- test/unit/ui-service.bats | 23 +++++++++++++++++++++++ values.schema.json | 5 ++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 499f7326c..9dade3db3 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -300,3 +300,26 @@ load _helpers yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) [ "${actual}" = 'true' ] } + +@test "ui/Service: default is no nodePort" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "ui/Service: can set nodePort" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceNodePort=123' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "123" ] +} diff --git a/values.schema.json b/values.schema.json index 87130e998..2535c1d9e 100644 --- a/values.schema.json +++ b/values.schema.json @@ -775,7 +775,10 @@ "type": "boolean" }, "serviceNodePort": { - "type": "null" + "type": [ + "null", + "integer" + ] }, "serviceType": { "type": "string" From 828b31287b2ce6fab97db5ebde1abee34ce60c50 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 1 Jun 2021 10:42:21 -0700 Subject: [PATCH 050/115] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c5a15319b..0b097f908 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,9 @@ Improvements: * Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) +Bugs: +* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) + ## 0.12.0 (May 25th, 2021) Features: From 458876007a9b8aadb762ce84605f37ec8d115904 Mon Sep 17 00:00:00 2001 From: Rule88 Date: Tue, 1 Jun 2021 19:51:18 +0200 Subject: [PATCH 051/115] change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran --- test/unit/server-ha-disruptionbudget.bats | 12 ++++++++++++ values.schema.json | 5 ++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index f3c329ec6..6cf21f200 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -85,3 +85,15 @@ load _helpers yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] } + +@test "server/DisruptionBudget: correct maxUnavailable with custom value" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=3' \ + --set 'server.ha.disruptionBudget.maxUnavailable=2' \ + . | tee /dev/stderr | + yq '.spec.maxUnavailable' | tee /dev/stderr) + [ "${actual}" = "2" ] +} \ No newline at end of file diff --git a/values.schema.json b/values.schema.json index 2535c1d9e..e2d00454f 100644 --- a/values.schema.json +++ b/values.schema.json @@ -484,7 +484,10 @@ "type": "boolean" }, "maxUnavailable": { - "type": "null" + "type": [ + "null", + "integer" + ] } } }, From ad9a46ae66e66a9c099162b84520b17db783d54b Mon Sep 17 00:00:00 2001 
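Review bot: The new test in test/unit/server-ha-disruptionbudget.bats is added without a trailing newline (the hunk ends with `\ No newline at end of file`), which will show up as churn on the next edit; end the file with a newline after the closing `}`. Otherwise the case is a useful pin of the `maxUnavailable` override that the relaxed schema on this line now admits.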
From: Theron Voran Date: Tue, 1 Jun 2021 10:52:44 -0700 Subject: [PATCH 052/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0b097f908..9839420c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ Improvements: Bugs: * Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) +* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535) ## 0.12.0 (May 25th, 2021) From 637087fa70ad6da1b92f8aad772c5f7a71fa7196 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 2 Jun 2021 09:12:15 -0700 Subject: [PATCH 053/115] use vault-helm-test:0.2.0 (#543) --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c5673d792..cef29305b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -6,7 +6,7 @@ jobs: bats-unit-test: docker: # This image is built from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.1.0 + - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 steps: - checkout - run: bats ./test/unit -t @@ -36,7 +36,7 @@ jobs: acceptance: docker: # This image is build from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.1.0 + - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 steps: - checkout From d27121c223368fcc77f6eb2eaf29eee1500c1c9b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ricardo=20G=C3=A2ndara=20Pinto?= Date: Thu, 10 Jun 2021 23:32:22 +0100 Subject: [PATCH 054/115] Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount --- templates/injector-deployment.yaml | 10 ++++++---- test/unit/injector-deployment.bats | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 5dd3553e9..4756a253d 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -131,6 +131,12 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 +{{- if .Values.injector.certs.secretName }} + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true +{{- end }} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - name: leader-elector image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} @@ -161,10 +167,6 @@ spec: timeoutSeconds: 5 {{- end }} {{- if .Values.injector.certs.secretName }} - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true volumes: - name: webhook-certs secret: diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 3b6efbc38..cd6f1ddd3 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
@@ -168,6 +168,24 @@ load _helpers [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] } +@test "injector/deployment: manual TLS adds volume mount" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.certs.secretName=vault-tls' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "webhook-certs")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/etc/webhook/certs" ] + + local actual=$(echo $object | + yq -r '.readOnly' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/deployment: with externalVaultAddr" { cd `chart_dir` local object=$(helm template \ From bb63d73b5a0b1367c9a75c3d1352affb08ae366f Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 10 Jun 2021 15:34:49 -0700 Subject: [PATCH 055/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9839420c0..7d655e701 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ Improvements: Bugs: * Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) * Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535) +* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545) ## 0.12.0 (May 25th, 2021) From 4d23074cd3eeb9f129418a5b75dd0b605eb7ae88 Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Fri, 11 Jun 2021 13:29:30 -0700 Subject: [PATCH 056/115] Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. --- templates/_helpers.tpl | 11 ++++ templates/server-statefulset.yaml | 4 ++ test/acceptance/server-ha-enterprise-dr.bats | 7 ++- .../acceptance/server-ha-enterprise-perf.bats | 7 ++- test/unit/server-statefulset.bats | 56 +++++++++++++++++++ values.schema.json | 11 ++++ values.yaml | 12 ++++ 7 files changed, 104 insertions(+), 4 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 505275b91..63011d31e 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -103,6 +103,12 @@ extra volumes the user may have specified (such as a secret with TLS). {{- if .Values.server.volumes }} {{- toYaml .Values.server.volumes | nindent 8}} {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + secret: + secretName: {{ .Values.server.enterpriseLicense.secretName }} + defaultMode: 0440 + {{- end }} {{- end -}} {{/* @@ -166,6 +172,11 @@ based on the mode configured. {{- if .Values.server.volumeMounts }} {{- toYaml .Values.server.volumeMounts | nindent 12}} {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + mountPath: /vault/license + readOnly: true + {{- end }} {{- end -}} {{/* diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 69232ede8..718c9a03e 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml 
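Review bot: `secretName: {{ .Values.server.enterpriseLicense.secretName }}` is rendered unquoted in the `vault-license` volume, so a purely numeric or otherwise YAML-special name becomes a non-string scalar and the StatefulSet is rejected by the API server; render it as `secretName: {{ .Values.server.enterpriseLicense.secretName | quote }}`. The `defaultMode: 0440` on the volume plus `readOnly: true` on the mount are the right defaults for a license file. Both helpers guard on `secretName` and `secretKey` being set, so callers that only set `secretName` rely on a `secretKey` default in values.yaml, which is outside this chunk; it is worth confirming that default matches the `license` key the acceptance tests create.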
@@ -125,6 +125,10 @@ spec: - name: VAULT_LOG_FORMAT value: "{{ .Values.server.logFormat }}" {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: VAULT_LICENSE_PATH + value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }} + {{- end }} {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 55182441e..c7119d535 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -10,7 +10,8 @@ load _helpers --set='server.image.tag=1.7.2_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized @@ -78,7 +79,8 @@ load _helpers --set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized @@ -153,6 +155,7 @@ setup() { kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance + kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI } #cleanup diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 7497dbc3e..eb08b31a1 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats 
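Review bot: In the `setup()` hunk, `--from-literal license=$VAULT_LICENSE_CI` is unquoted and unchecked, so an unset variable silently creates an empty license secret and the run most likely fails later with an unrelated startup error, while a value containing whitespace is word-split into extra arguments. Guard and quote it: `: "${VAULT_LICENSE_CI:?VAULT_LICENSE_CI must be set}"` before the call and `--from-literal license="$VAULT_LICENSE_CI"`. The same lines appear in test/acceptance/server-ha-enterprise-perf.bats in the next hunk set. Passing the license on the command line also exposes it in the process list of the CI runner; `--from-file=license=/dev/stdin` fed from a pipe avoids that.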
@@ -10,7 +10,8 @@ load _helpers --set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized @@ -78,7 +79,8 @@ load _helpers --set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized @@ -151,6 +153,7 @@ setup() { kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance + kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI } #cleanup diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 0c674d6c9..d7edb969d 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -1566,3 +1566,59 @@ load _helpers } + +#-------------------------------------------------------------------- +# enterprise license autoload support +@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr) + [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ] +} + +@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr) + [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ] +} + +@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . 
| tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ] +} + +@test "server/StatefulSet: blank secretName does not set env var" { + cd `chart_dir` + + # setting secretName=null + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=null' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '' ] + + # omitting secretName + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '' ] +} diff --git a/values.schema.json b/values.schema.json index e2d00454f..db3b80679 100644 --- a/values.schema.json +++ b/values.schema.json @@ -438,6 +438,17 @@ "enabled": { "type": "boolean" }, + "enterpriseLicense": { + "type": "object", + "properties": { + "secretKey": { + "type": "string" + }, + "secretName": { + "type": "string" + } + } + }, "extraArgs": { "type": "string" }, diff --git a/values.yaml b/values.yaml index acab97a3b..a85514b3d 100644 --- a/values.yaml +++ b/values.yaml 
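Review bot: The `blank secretName does not set env var` test asserts only on the env entry; the `vault-license` volume and volumeMount that the three preceding tests show are rendered from the same values are not checked to be absent, so a regression that leaves a volume referencing a non-existent Secret (which keeps the pod from starting) would still pass. Add the same two `select(.name == "vault-license")` queries with an expected `''` to that test, and consider the mirror case of `secretName=foo` with an empty `secretKey`, since the template guards on both. The `defaultMode":288` assertion is the decimal form of mode 0440; a one-line comment saying so would stop someone "correcting" it later.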
@@ -198,6 +198,18 @@ server: # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details enabled: true + # [Enterprise Only] This value refers to a Kubernetes secret that you have + # created that contains your enterprise license. If you are not using an + # enterprise image or if you plan to introduce the license key via another + # route, then leave secretName blank ("") or set it to null. + # Requires Vault Enterprise 1.8 or later. + enterpriseLicense: + # The name of the Kubernetes secret that holds the enterprise license. The + # secret must be in the same namespace that Vault is installed into. + secretName: "" + # The key within the Kubernetes secret that holds the enterprise license. + secretKey: "license" + # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. # By default no direct resource request is made. From 3a6e097ae51646d1b98e3900a3dc7a713fc13146 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Fri, 11 Jun 2021 13:31:41 -0700 Subject: [PATCH 057/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d655e701..6eb008994 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ Improvements: * Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) +* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547) Bugs: * Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) From 0f832e01fc9019bef0425dbcae60bda59ab9e4a0 Mon Sep 17 00:00:00 2001 
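Review bot: The new comment states `Requires Vault Enterprise 1.8 or later`, yet the acceptance tests in this same commit enable `server.enterpriseLicense.secretName` against `server.image.tag=1.7.2_ent`; one of the two should be reconciled, or the comment should say what happens on an older image (the mount and env var are rendered regardless of version). It would also help to state that `secretKey` must match the key inside the Secret, since it becomes the last path element of `VAULT_LICENSE_PATH`, e.g. `# Must match the key name used in the Secret; it forms the file name under /vault/license.`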
From: Theron Voran Date: Wed, 16 Jun 2021 13:54:22 -0700 Subject: [PATCH 058/115] Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. --- .circleci/config.yml | 3 +-- test/chart/verifier.bats | 12 ++++++------ values.openshift.yaml | 18 ++++++++++++++++++ 3 files changed, 25 insertions(+), 8 deletions(-) create mode 100644 values.openshift.yaml diff --git a/.circleci/config.yml b/.circleci/config.yml index cef29305b..e1bce111f 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -16,8 +16,7 @@ jobs: - image: docker.mirror.hashicorp.services/cimg/go:1.16 environment: BATS_VERSION: "1.3.0" - # Note: the commit SHA is used here since the repo doesn't use release tags - CHART_VERIFIER_VERSION: "e2c03bd1a4aea20deb0a4a03ebfde254b1672050" + CHART_VERIFIER_VERSION: "1.0.0" steps: - checkout - run: diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index f8e298623..e7ab5aa72 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -30,7 +30,8 @@ setup_file() { $run_cmd verify $chart_src \ --output json \ --openshift-version $OPENSHIFT_VERSION \ - --disable $DISABLED_TESTS 2>&1 | tee $VERIFY_OUTPUT + --disable $DISABLED_TESTS \ + --chart-values values.openshift.yaml 2>&1 | tee $VERIFY_OUTPUT } teardown_file() { @@ -75,12 +76,11 @@ teardown_file() { check_result contains-test } +@test "images-are-certified" { + check_result images-are-certified +} + @test "chart-testing" { skip "Skipping since this test requires a kubernetes/openshift cluster" check_result chart-testing } - -@test "images-are-certified" { - skip "Skipping until this has been addressed" - check_result images-are-certified -} diff --git a/values.openshift.yaml b/values.openshift.yaml new file mode 100644 index 000000000..2e3ed77b8 --- /dev/null +++ b/values.openshift.yaml 
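Review bot: Replacing the commit-SHA pin with `CHART_VERIFIER_VERSION: "1.0.0"` weakens the supply-chain pin of the verifier tool: a tag can be moved or re-pushed, a SHA cannot, and the removed comment explaining why the SHA was used goes with it. How the variable is consumed is outside this hunk; if it selects source or a binary to download, keep the resolved commit next to the tag (`# 1.0.0 resolves to <commit-sha placeholder>`) and verify it, or a checksum of the artifact, in the install step.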
@@ -0,0 +1,18 @@ +# These overrides are appropriate defaults for deploying this chart on OpenShift + +global: + openshift: true + +injector: + image: + repository: "registry.connect.redhat.com/hashicorp/vault-k8s" + tag: "0.10.1-ubi" + + agentImage: + repository: "registry.connect.redhat.com/hashicorp/vault" + tag: "1.7.2-ubi" + +server: + image: + repository: "registry.connect.redhat.com/hashicorp/vault" + tag: "1.7.2-ubi" From 7509bc739d84f0a87881b8436b498a3a5ff8e47b Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 16 Jun 2021 13:57:16 -0700 Subject: [PATCH 059/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6eb008994..ee5ed3d52 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Improvements: * Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) * Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547) +* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549) Bugs: * Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) From f67b844d3027b981d12a56957f5fbcbf85ec5adc Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 17 Jun 2021 10:52:21 -0700 Subject: [PATCH 060/115] Update to v0.13.0 (#554) --- CHANGELOG.md | 2 ++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 8 ++++---- 6 files changed, 15 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee5ed3d52..5c58777ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.13.0 (June 17th, 2021) + Improvements: * Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) * Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547) 
diff --git a/Chart.yaml b/Chart.yaml index 4bd306fdc..045116268 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.12.0 -appVersion: 1.7.2 +version: 0.13.0 +appVersion: 1.7.3 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index c7119d535..1445ffb83 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index eb08b31a1..98fc3e6d6 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . 
@@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index 2e3ed77b8..96198fe9b 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.10.1-ubi" + tag: "0.10.2-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.7.2-ubi" + tag: "1.7.3-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.7.2-ubi" + tag: "1.7.3-ubi" diff --git a/values.yaml b/values.yaml index a85514b3d..4516e8777 100644 --- a/values.yaml +++ b/values.yaml @@ -52,7 +52,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.10.1" + tag: "0.10.2" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -60,7 +60,7 @@ injector: # required. agentImage: repository: "vault" - tag: "1.7.2" + tag: "1.7.3" # The default values for the injected Vault Agent containers. agentDefaults: @@ -216,7 +216,7 @@ server: image: repository: "vault" - tag: "1.7.2" + tag: "1.7.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -704,7 +704,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.2.0" + tag: "0.3.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From 14d1f97edda10c314849f8f073980a1156229226 Mon Sep 17 00:00:00 2001 
From: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> Date: Tue, 6 Jul 2021 09:49:48 -0700 Subject: [PATCH 061/115] injector: add templateConfig.exitOnRetryFailure annotation (#560) * injector: add templateConfig.exitOnRetryFailure annotation * update values.schema.json --- templates/injector-deployment.yaml | 2 ++ test/unit/injector-deployment.bats | 25 +++++++++++++++++++++++++ values.schema.json | 8 ++++++++ values.yaml | 4 ++++ 4 files changed, 39 insertions(+) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 4756a253d..c063a8705 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -107,6 +107,8 @@ spec: value: "{{ .Values.injector.agentDefaults.memLimit }}" - name: AGENT_INJECT_DEFAULT_TEMPLATE value: "{{ .Values.injector.agentDefaults.template }}" + - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE + value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} args: - agent-inject diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index cd6f1ddd3..edd5a0010 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
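Review bot: `value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}"` is rendered unconditionally, so a user who overrides `templateConfig` with `null` or `{}` gets either a render failure or a non-boolean string in the env var, depending on nil handling, rather than the documented default. Do not paper over this with `| default true`: Sprig's `default` treats `false` as empty and would silently flip an explicit `false` to `true`; guard with `{{- if hasKey .Values.injector.agentDefaults.templateConfig "exitOnRetryFailure" }}` and emit the entry only then. The enclosing container `env` list starts and ends outside this hunk.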
@@ -640,3 +640,28 @@ load _helpers yq -r 'map(select(.name=="AGENT_INJECT_DEFAULT_TEMPLATE")) | .[] .value' | tee /dev/stderr) [ "${value}" = "json" ] } + +@test "injector/deployment: agent default template_config.exit_on_retry_failure" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "true" ] +} + +@test "injector/deployment: can set agent template_config.exit_on_retry_failure" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set='injector.agentDefaults.templateConfig.exitOnRetryFailure=false' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "false" ] +} \ No newline at end of file diff --git a/values.schema.json b/values.schema.json index db3b80679..e8b3d2c81 100644 --- a/values.schema.json +++ b/values.schema.json @@ -186,6 +186,14 @@ }, "template": { "type": "string" + }, + "templateConfig": { + "type": "object", + "properties": { + "exitOnRetryFailure": { + "type": "boolean" + } + } } } }, diff --git a/values.yaml b/values.yaml index 4516e8777..2271f3048 100644 --- a/values.yaml +++ b/values.yaml @@ -75,6 +75,10 @@ injector: # Possible values include: "json" and "map". template: "map" + # Default values within Agent's template_config stanza. + templateConfig: + exitOnRetryFailure: true + # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" From 1e4709cc46831dce302c6418d0e253deeaed1591 Mon Sep 17 00:00:00 2001 
From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Wed, 7 Jul 2021 19:07:58 -0400 Subject: [PATCH 062/115] feature: Support configuring various properties as YAML directly. (#565) * feature: Support configuring various properties as YAML directly. Supported properties include: pod tolerations, pod affinity, and node selectors. --- .gitignore | 1 + Makefile | 5 +++- templates/_helpers.tpl | 45 ++++++++++++++++++++++++---- test/unit/csi-daemonset.bats | 13 +++++++- test/unit/injector-deployment.bats | 37 +++++++++++++++++++++-- test/unit/server-ha-statefulset.bats | 13 +++++++- test/unit/server-statefulset.bats | 37 +++++++++++++++++++++-- values.schema.json | 25 +++++++++++++--- values.yaml | 29 +++++++++--------- 9 files changed, 172 insertions(+), 33 deletions(-) diff --git a/.gitignore b/.gitignore index 6992d23f4..2e23aca27 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ vaul-helm-dev-creds.json ./test/unit/vaul-helm-dev-creds.json ./test/acceptance/values.yaml ./test/acceptance/values.yml +.idea diff --git a/Makefile b/Makefile index 1b3020c59..d72b0e86a 100644 --- a/Makefile +++ b/Makefile @@ -4,6 +4,9 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats ACCEPTANCE_TESTS?=acceptance +# filter bats unit tests to run. +UNIT_TESTS_FILTER?='.*' + # Generate json schema for chart values. See test/README.md for more details. values-schema: helm schema-gen values.yaml > values.schema.json @@ -12,7 +15,7 @@ test-image: @docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) test-unit: - @docker run -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats /helm-test/test/unit + @docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit test-bats: test-unit test-acceptance diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 63011d31e..72b0e6803 100644 --- a/templates/_helpers.tpl 
+++ b/templates/_helpers.tpl @@ -224,7 +224,12 @@ Set's the affinity for pod placement when running in standalone and HA modes. {{- define "vault.affinity" -}} {{- if and (ne .mode "dev") .Values.server.affinity }} affinity: - {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{ $tp := typeOf .Values.server.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.affinity | nindent 8 }} + {{- end }} {{ end }} {{- end -}} @@ -234,17 +239,27 @@ Sets the injector affinity for pod placement {{- define "injector.affinity" -}} {{- if .Values.injector.affinity }} affinity: - {{ tpl .Values.injector.affinity . | nindent 8 | trim }} + {{ $tp := typeOf .Values.injector.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.affinity | nindent 8 }} + {{- end }} {{ end }} {{- end -}} {{/* -Set's the toleration for pod placement when running in standalone and HA modes. +Sets the toleration for pod placement when running in standalone and HA modes. */}} {{- define "vault.tolerations" -}} {{- if and (ne .mode "dev") .Values.server.tolerations }} tolerations: + {{- $tp := typeOf .Values.server.tolerations }} + {{- if eq $tp "string" }} {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.tolerations | nindent 8 }} + {{- end }} {{- end }} {{- end -}} @@ -254,7 +269,12 @@ Sets the injector toleration for pod placement {{- define "injector.tolerations" -}} {{- if .Values.injector.tolerations }} tolerations: + {{- $tp := typeOf .Values.injector.tolerations }} + {{- if eq $tp "string" }} {{ tpl .Values.injector.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.tolerations | nindent 8 }} + {{- end }} {{- end }} {{- end -}} 
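Review bot: The new YAML branch in `vault.affinity` and the sibling helpers emits the value with `toYaml` only, while the string branch still goes through `tpl`, so template expressions inside a value supplied as YAML are not expanded and the two forms are not interchangeable. Either say so in each helper's header comment, e.g. `String values are rendered through tpl; YAML values are emitted verbatim.`, or render the YAML form as `tpl (toYaml .Values.server.affinity) .` as well. Separately, `vault.affinity` and `injector.affinity` open the type check with `{{ $tp := ... }}` whereas the tolerations and nodeSelector helpers use `{{- $tp := ... }}`; the dash-less form leaves a whitespace-only line in the rendered manifest. The same applies to the `vault.nodeselector`, `injector.nodeselector` and `csi.pod.tolerations` hunks that follow in this file.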
@@ -264,7 +284,12 @@ Set's the node selector for pod placement when running in standalone and HA mode {{- define "vault.nodeselector" -}} {{- if and (ne .mode "dev") .Values.server.nodeSelector }} nodeSelector: - {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- $tp := typeOf .Values.server.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.server.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.nodeSelector | nindent 8 }} + {{- end }} {{- end }} {{- end -}} @@ -274,7 +299,12 @@ Sets the injector node selector for pod placement {{- define "injector.nodeselector" -}} {{- if .Values.injector.nodeSelector }} nodeSelector: - {{ tpl .Values.injector.nodeSelector . | indent 8 | trim }} + {{- $tp := typeOf .Values.injector.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.nodeSelector | nindent 8 }} + {{- end }} {{- end }} {{- end -}} @@ -519,7 +549,12 @@ Sets the injector toleration for pod placement {{- define "csi.pod.tolerations" -}} {{- if .Values.csi.pod.tolerations }} tolerations: + {{- $tp := typeOf .Values.csi.pod.tolerations }} + {{- if eq $tp "string" }} {{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.tolerations | nindent 8 }} + {{- end }} {{- end }} {{- end -}} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index f0a62c2b2..d7152c61f 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -246,7 +246,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "csi/daemonset: tolerations can be set" { +@test "csi/daemonset: tolerations can be set as string" { cd `chart_dir` local actual=$(helm template \ --show-only templates/csi-daemonset.yaml \ 
@@ -257,6 +257,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "csi/daemonset: tolerations can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set "csi.pod.tolerations[0].foo=bar,csi.pod.tolerations[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.tolerations == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # volumes diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index edd5a0010..0f475dfca 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -432,7 +432,7 @@ load _helpers [ "${actual}" = "false" ] } -@test "injector/deployment: affinity can be set" { +@test "injector/deployment: affinity can be set as string" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-deployment.yaml \ @@ -442,6 +442,16 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/deployment: affinity can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.affinity.podAntiAffinity=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.affinity.podAntiAffinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # tolerations @@ -454,7 +464,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/deployment: tolerations can be set" { +@test "injector/deployment: tolerations can be set as string" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-deployment.yaml \ 
@@ -464,6 +474,16 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/deployment: tolerations can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.tolerations[0].foo=bar,injector.tolerations[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.tolerations == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # nodeSelector @@ -476,7 +496,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "injector/deployment: nodeSelector can be set" { +@test "injector/deployment: nodeSelector can be set as string" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-deployment.yaml \ @@ -486,6 +506,17 @@ load _helpers [ "${actual}" = "testing" ] } +@test "injector/deployment: nodeSelector can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.nodeSelector.beta\.kubernetes\.io/arch=amd64" \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector == {"beta.kubernetes.io/arch": "amd64"}' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + + #-------------------------------------------------------------------- # priorityClassName diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 43e1acef2..cc77e7e39 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -571,7 +571,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "server/ha-StatefulSet: specified nodeSelector" { +@test "server/ha-StatefulSet: specified nodeSelector as string" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ 
@@ -582,6 +582,17 @@ load _helpers [ "${actual}" = "testing" ] } +@test "server/ha-StatefulSet: nodeSelector can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set "server.nodeSelector.beta\.kubernetes\.io/arch=amd64" \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector == {"beta.kubernetes.io/arch": "amd64"}' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # Security Contexts @test "server/ha-StatefulSet: uid default" { diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index d7edb969d..62f252919 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -738,7 +738,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "server/standalone-StatefulSet: affinity can be set" { +@test "server/standalone-StatefulSet: affinity can be set as string" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -748,6 +748,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "server/standalone-StatefulSet: affinity can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.affinity.podAntiAffinity=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.affinity.podAntiAffinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + + @test "server/standalone-StatefulSet: tolerations not set by default" { cd `chart_dir` local actual=$(helm template \ @@ -757,7 +768,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "server/standalone-StatefulSet: tolerations can be set" { +@test "server/standalone-StatefulSet: tolerations can be set as string" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ 
@@ -767,6 +778,16 @@ load _helpers [ "${actual}" = "true" ] } +@test "server/standalone-StatefulSet: tolerations can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set "server.tolerations[0].foo=bar,server.tolerations[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.tolerations == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "server/standalone-StatefulSet: nodeSelector is not set by default" { cd `chart_dir` local actual=$(helm template \ @@ -776,7 +797,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "server/standalone-StatefulSet: specified nodeSelector" { +@test "server/standalone-StatefulSet: specified nodeSelector as string" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -786,6 +807,16 @@ load _helpers [ "${actual}" = "testing" ] } +@test "server/standalone-StatefulSet: nodeSelector can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set "server.nodeSelector.beta\.kubernetes\.io/arch=amd64" \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector == {"beta.kubernetes.io/arch": "amd64"}' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # extraInitContainers diff --git a/values.schema.json b/values.schema.json index e8b3d2c81..d9cbf926c 100644 --- a/values.schema.json +++ b/values.schema.json @@ -80,7 +80,11 @@ ] }, "tolerations": { - "type": ["null", "string"] + "type": [ + "null", + "array", + "string" + ] } } }, @@ -167,7 +171,10 @@ "type": "object", "properties": { "affinity": { - "type": "string" + "type": [ + "object", + "string" + ] }, "agentDefaults": { "type": "object", 
@@ -309,7 +316,11 @@ "type": "object" }, "nodeSelector": { - "type": ["null", "string"] + "type": [ + "null", + "object", + "string" + ] }, "objectSelector": { "type": "object" @@ -343,6 +354,7 @@ "tolerations": { "type": [ "null", + "array", "string" ] } @@ -352,7 +364,10 @@ "type": "object", "properties": { "affinity": { - "type": "string" + "type": [ + "object", + "string" + ] }, "annotations": { "type": [ @@ -629,6 +644,7 @@ "nodeSelector": { "type": [ "null", + "object", "string" ] }, @@ -755,6 +771,7 @@ "tolerations": { "type": [ "null", + "array", "string" ] }, diff --git a/values.yaml b/values.yaml index 2271f3048..4598c8d7d 100644 --- a/values.yaml +++ b/values.yaml @@ -151,8 +151,7 @@ injector: # KUBERNETES_SERVICE_HOST: kubernetes.default.svc # Affinity Settings for injector pods - # This should be a multi-line string matching the affinity section of a - # PodSpec. + # This can either be multi-line string or YAML matching the PodSpec's affinity field. # Commenting out or setting as empty the affinity variable, will allow # deployment of multiple replicas to single node services such as Minikube. affinity: | @@ -166,16 +165,16 @@ injector: topologyKey: kubernetes.io/hostname # Toleration Settings for injector pods - # This should be a multi-line string matching the Toleration array + # This should be either a multi-line string or YAML matching the Toleration array # in a PodSpec. - tolerations: null + tolerations: [] - # nodeSelector labels for injector pod assignment, formatted as a muli-line string. + # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector # Example: - # nodeSelector: | + # nodeSelector: # beta.kubernetes.io/arch: amd64 - nodeSelector: null + nodeSelector: {} # Priority class for injector pods priorityClassName: "" 
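Review bot: The rewritten comment under `injector:` now reads `# nodeSelector labels for server pod assignment`, but this block configures the injector; it should say `injector pod assignment` (the `server:` block in the following hunk has the matching wording for its own section). The comment also describes both the string and YAML forms without noting that only the string form is passed through `tpl` by the helpers in templates/_helpers.tpl; a line such as `# Only the string form is template-rendered (tpl); YAML values are used as-is.` on each of the affinity, tolerations and nodeSelector keys, for injector, server and csi alike, would save users a surprise.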
@@ -397,10 +396,10 @@ server: # name: plugins # readOnly: true - # Affinity Settings # Commenting out or setting as empty the affinity variable, will allow # deployment to single node services such as Minikube + # This should be either a multi-line string or YAML matching the PodSpec's affinity field. affinity: | podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -412,16 +411,16 @@ server: topologyKey: kubernetes.io/hostname # Toleration Settings for server pods - # This should be a multi-line string matching the Toleration array + # This should be either a multi-line string or YAML matching the Toleration array # in a PodSpec. - tolerations: null + tolerations: [] - # nodeSelector labels for server pod assignment, formatted as a muli-line string. + # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector # Example: - # nodeSelector: | + # nodeSelector: # beta.kubernetes.io/arch: amd64 - nodeSelector: null + nodeSelector: {} # Enables network policy for server pods networkPolicy: @@ -753,9 +752,9 @@ csi: annotations: {} # Toleration Settings for provider pods - # This should be a multi-line string matching the Toleration array + # This should be either a multi-line string or YAML matching the Toleration array # in a PodSpec. - tolerations: null + tolerations: [] serviceAccount: # Extra annotations for the serviceAccount definition. This can either be From f5ef752e9aec4a68d554585be888d0378676d73a Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Wed, 7 Jul 2021 19:32:02 -0400 Subject: [PATCH 063/115] ++changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5c58777ac..7366d1a12 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,11 @@ ## Unreleased +Features: +* Added templateConfig.exitOnRetryFailure annotation for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) + +Improvements: +* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565) + ## 0.13.0 (June 17th, 2021) Improvements: From 2d420856a4d546b49709f270e6571477cd0b45de Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Mon, 12 Jul 2021 13:00:12 -0400 Subject: [PATCH 064/115] Update the default vault agent image to come from the hashicorp docker organization. (#567) * Default to hashicorp/vault for vault agent image. * Add support for running acceptance tests against a kind cluster * make the injector-leader-elector a bit more reliable when run locally --- Makefile | 30 +++++++++++++++++++- test/README.md | 16 +++++++++-- test/acceptance/injector-leader-elector.bats | 15 ++++++++-- test/kind/config.yaml | 7 +++++ values.yaml | 4 +-- 5 files changed, 65 insertions(+), 7 deletions(-) create mode 100644 test/kind/config.yaml diff --git a/Makefile b/Makefile index d72b0e86a..e4e9df1ed 100644 --- a/Makefile +++ b/Makefile @@ -7,6 +7,15 @@ ACCEPTANCE_TESTS?=acceptance # filter bats unit tests to run. UNIT_TESTS_FILTER?='.*' +# set to 'true' to run acceptance tests locally in a kind cluster +LOCAL_ACCEPTANCE_TESTS?=false + +# kind cluster name +KIND_CLUSTER_NAME?=vault-helm + +# kind k8s version +KIND_K8S_VERSION?=v1.20.2 + # Generate json schema for chart values. See test/README.md for more details. values-schema: helm schema-gen values.yaml > values.schema.json 
@@ -24,6 +33,9 @@ test: test-image test-bats # run acceptance tests on GKE # set google project/credential vars above test-acceptance: +ifeq ($(LOCAL_ACCEPTANCE_TESTS),true) + make setup-kind acceptance +else @docker run -it -v ${PWD}:/helm-test \ -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ @@ -31,7 +43,8 @@ test-acceptance: -w /helm-test \ $(TEST_IMAGE) \ make acceptance - +endif + # destroy GKE cluster using terraform test-destroy: @docker run -it -v ${PWD}:/helm-test \ @@ -54,7 +67,9 @@ test-provision: # this target is for running the acceptance tests # it is run in the docker container above when the test-acceptance target is invoked acceptance: +ifneq ($(LOCAL_ACCEPTANCE_TESTS),true) gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} +endif bats test/${ACCEPTANCE_TESTS} # this target is for provisioning the GKE cluster @@ -69,4 +84,17 @@ provision-cluster: destroy-cluster: terraform destroy -auto-approve +# create a kind cluster for running the acceptance tests locally +setup-kind: + kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \ + kind create cluster \ + --image kindest/node:${KIND_K8S_VERSION} \ + --name ${KIND_CLUSTER_NAME} \ + --config $(CURDIR)/test/kind/config.yaml + kubectl config use-context kind-${KIND_CLUSTER_NAME} + +# delete the kind cluster +delete-kind: + kind delete cluster --name ${KIND_CLUSTER_NAME} || : + .PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster diff --git a/test/README.md b/test/README.md index 28431dbf9..fdd586fc9 100644 --- a/test/README.md +++ b/test/README.md 
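Review bot: The `.PHONY:` line left as context in the `@@ -69,4 +84,17 @@` hunk does not list the new `setup-kind` and `delete-kind` targets, so a file or directory with either name in the repo root would turn them into silent no-ops; append both names to that line. In the `test-acceptance` hunk, `make setup-kind acceptance` should be `$(MAKE) setup-kind acceptance` so the sub-make inherits the invoking make's flags and jobserver. `kubectl config use-context kind-${KIND_CLUSTER_NAME}` also rewrites the developer's default kubeconfig context and leaves it switched after the run; scoping the test run with an explicit `KUBECONFIG` (or `--kubeconfig`) would avoid later `kubectl` calls from an unrelated shell landing on the kind cluster, or the acceptance tests' `kubectl delete namespace acceptance` landing elsewhere if this target is skipped. Finally, `kindest/node:${KIND_K8S_VERSION}` is pinned by a mutable tag only; pinning the node image by digest would make the local acceptance environment reproducible.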
@@ -2,15 +2,27 @@ ## Running Vault Helm Acceptance tests -The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance. +The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster. -* Set the GOOGLE_CREDENTIALS and CLOUDSDK_CORE_PROJECT variables at the top of the file. GOOGLE_CREDENTIALS should contain the local path to your Google Cloud Platform account credentials in JSON format. CLOUDSDK_CORE_PROJECT should be set to the ID of your GCP project. +### Running in a GKE cluster + +* Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project. * Run `make test-image` to create the docker image (with dependencies installed) that will be re-used in the below steps. * Run `make test-provision` to provision the GKE cluster using terraform. * Run `make test-acceptance` to run the acceptance tests in this already provisioned cluster. * You can choose to only run certain tests by setting the ACCEPTANCE_TESTS variable and re-running the above target. * Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster. +### Running in a kind cluster + +* Run `make test-acceptance LOCAL_ACCEPTANCE_TESTS=true` +* You can choose to only run certain tests by setting the `ACCEPTANCE_TESTS` variable and re-running the above target. +* Run `make delete-kind` when you have finished testing and want to tear-down and remove the cluster. +* You can set an alternate kind cluster name by specifying the `KIND_CLUSTER_NAME` variable for any of the above targets. 
+* You can set an alternate K8S version by specifying the `KIND_K8S_VERSION` variable for any of the above targets. + +See [kind-quick-start](https://kind.sigs.k8s.io/docs/user/quick-start/) if you don't have kind installed on your system. + ## Running chart verification tests If [chart-verifier](https://github.com/redhat-certification/chart-verifier) is built and available in your PATH, run: diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats index 8cfde5bf7..04c1ae5fa 100644 --- a/test/acceptance/injector-leader-elector.bats +++ b/test/acceptance/injector-leader-elector.bats @@ -4,19 +4,30 @@ load _helpers @test "injector: testing leader elector" { cd `chart_dir` - + kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance helm install "$(name_prefix)" \ + --wait \ + --timeout=5m \ --set="injector.replicas=3" . kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name')) [ "${#pods[@]}" == 3 ] - leader="$(echo "$(kubectl exec ${pods[0]} -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)" + leader='' + tries=0 + until [ $tries -ge 60 ] + do + leader="$(echo "$(kubectl exec ${pods[0]} -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)" + [ -n "${leader}" ] && break + ((tries++)) + sleep .5 + done + # Check the leader name is valid - i.e. one of the 3 pods [[ " ${pods[@]} " =~ " ${leader} " ]] diff --git a/test/kind/config.yaml b/test/kind/config.yaml new file mode 100644 index 000000000..250966401 --- /dev/null +++ b/test/kind/config.yaml @@ -0,0 +1,7 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: +- role: control-plane +- role: worker +- role: worker +- role: worker 
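Review bot: In the retry loop added to the `@@ -4,19 +4,30 @@` hunk of injector-leader-elector.bats, `((tries++))` evaluates to 0 on the first pass (post-increment yields the old value), which gives the arithmetic command a non-zero exit status; because bats runs test bodies with errexit semantics (that is how the bare `[ … ]` assertions fail a test), the first unsuccessful poll aborts the test instead of retrying. Use `tries=$((tries + 1))` or `((++tries))` instead. Separately, `jq -r .name` prints the string `null` when the response parses but has no `name` field, and `[ -n "${leader}" ]` accepts that as success; `[ -n "${leader}" ] && [ "${leader}" != "null" ] && break` keeps polling until a real name arrives, so the final membership check fails with a clearer cause.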
diff --git a/values.yaml b/values.yaml index 4598c8d7d..1275f310d 100644 --- a/values.yaml +++ b/values.yaml @@ -59,7 +59,7 @@ injector: # containers. This should be set to the official Vault image. Vault 1.3.1+ is # required. agentImage: - repository: "vault" + repository: "hashicorp/vault" tag: "1.7.3" # The default values for the injected Vault Agent containers. @@ -218,7 +218,7 @@ server: # By default no direct resource request is made. image: - repository: "vault" + repository: "hashicorp/vault" tag: "1.7.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 4a4295da812551b4555fd965127fe254fa58a03e Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Mon, 12 Jul 2021 15:47:07 -0400 Subject: [PATCH 065/115] Update acceptance tests to use the new stable GKE version 1.18.x (#569) --- test/terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/terraform/main.tf b/test/terraform/main.tf index 3556c6fd8..c56f409b9 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -8,7 +8,7 @@ resource "random_id" "suffix" { data "google_container_engine_versions" "main" { location = "${var.zone}" - version_prefix = "1.17." + version_prefix = "1.18." } data "google_service_account" "gcpapi" { From a0d7b84ec2d620818f8e2ec0b5d576dc9c0f3129 Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Mon, 12 Jul 2021 17:33:03 -0400 Subject: [PATCH 066/115] ++changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7366d1a12..d2d15e64f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,8 @@ Features: Improvements: * Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565) +* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567) +* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567) ## 0.13.0 (June 17th, 2021) From 255cdc7d265289c3dd47a630442b331f9bf0a322 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 15 Jul 2021 14:15:46 -0400 Subject: [PATCH 067/115] Add ingress/route configurable to specify active/general service (#570) * Add ingress/route configurable to specify active/general service * Update test/unit/server-ingress.bats Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * values.schema.json Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- templates/server-ingress.yaml | 2 +- templates/server-route.yaml | 66 +++++++++++++++++------------------ test/unit/server-ingress.bats | 34 ++++++++++++++++-- test/unit/server-route.bats | 29 ++++++++++++++- values.schema.json | 6 ++++ values.yaml | 9 +++++ 6 files changed, 109 insertions(+), 37 deletions(-) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index deaa0dd55..9da020e1a 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml 
@@ -4,7 +4,7 @@ {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} diff --git a/templates/server-route.yaml b/templates/server-route.yaml index 2fccf0263..63055db39 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml 
@@ -1,33 +1,33 @@ -{{- if .Values.global.openshift }} -{{- if ne .mode "external" }} -{{- if .Values.server.route.enabled -}} -{{- $serviceName := include "vault.fullname" . -}} -{{- if eq .mode "ha" }} -{{- $serviceName = printf "%s-%s" $serviceName "active" -}} -{{- end }} -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: {{ template "vault.fullname" . }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- with .Values.server.route.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- template "vault.route.annotations" . }} -spec: - host: {{ .Values.server.route.host }} - to: - kind: Service - name: {{ $serviceName }} - weight: 100 - port: - targetPort: 8200 - tls: - termination: passthrough -{{- end }} -{{- end }} -{{- end }} +{{- if .Values.global.openshift }} +{{- if ne .mode "external" }} +{{- if .Values.server.route.enabled -}} +{{- $serviceName := include "vault.fullname" . -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }} +{{- $serviceName = printf "%s-%s" $serviceName "active" -}} +{{- end }} +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.server.route.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- template "vault.route.annotations" . }} +spec: + host: {{ .Values.server.route.host }} + to: + kind: Service + name: {{ $serviceName }} + weight: 100 + port: + targetPort: 8200 + tls: + termination: passthrough +{{- end }} +{{- end }} +{{- end }} 
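Review bot: Every line of server-route.yaml is shown as removed and re-added in the `@@ -1,33 +1,33 @@` hunk while the only textual change is the `$serviceName` condition, which suggests a line-ending or whitespace rewrite; landing that normalization as its own commit would keep the one-line semantic change reviewable. On the change itself, the new condition `{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}` checks neither `server.service.enabled` nor `global.enabled`, unlike the equivalent ingress condition in the previous file of this commit, so with the service disabled the route presumably still targets a `<fullname>-active` Service that is not rendered; aligning the two conditions would close that gap.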
diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index bf191c3a2..68183a51e 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -131,7 +131,7 @@ load _helpers [ "${actual}" = "nginx" ] } -@test "server/ingress: uses active service when ha - yaml" { +@test "server/ingress: uses active service when ha by default - yaml" { cd `chart_dir` local actual=$(helm template \ @@ -145,6 +145,21 @@ load _helpers [ "${actual}" = "RELEASE-NAME-vault-active" ] } +@test "server/ingress: uses regular service when configured with ha - yaml" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.activeService=false' \ + --set 'server.dev.enabled=false' \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault" ] +} + @test "server/ingress: uses regular service when not ha - yaml" { cd `chart_dir` @@ -157,4 +172,19 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] -} \ No newline at end of file +} + +@test "server/ingress: uses regular service when not ha and activeService is true - yaml" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.activeService=true' \ + --set 'server.dev.enabled=false' \ + --set 'server.ha.enabled=false' \ + --set 'server.service.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault" ] +} diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index f5830e6dd..d141fb635 100755 --- a/test/unit/server-route.bats 
+++ b/test/unit/server-route.bats @@ -102,7 +102,20 @@ load _helpers [ "${actual}" = "RELEASE-NAME-vault" ] } -@test "server/route: OpenShift - route points to active service by when HA" { +@test "server/route: OpenShift - route points to main service when not ha and activeService is true" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.activeService=true' \ + . | tee /dev/stderr | + yq -r '.spec.to.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault" ] +} + +@test "server/route: OpenShift - route points to active service by when HA by default" { cd `chart_dir` local actual=$(helm template \ @@ -114,3 +127,17 @@ load _helpers yq -r '.spec.to.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault-active" ] } + +@test "server/route: OpenShift - route points to general service by when HA when configured" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.activeService=false' \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.to.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault" ] +} diff --git a/values.schema.json b/values.schema.json index d9cbf926c..bd0713782 100644 --- a/values.schema.json +++ b/values.schema.json @@ -564,6 +564,9 @@ "ingress": { "type": "object", "properties": { + "activeService": { + "type": "boolean" + }, "annotations": { "type": [ "object", @@ -686,6 +689,9 @@ "route": { "type": "object", "properties": { + "activeService": { + "type": "boolean" + }, "annotations": { "type": [ "object", diff --git a/values.yaml b/values.yaml index 1275f310d..728769615 100644 --- a/values.yaml +++ b/values.yaml 
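Review bot: Two test names in the server-route.bats hunks contain a stray "by": `route points to active service by when HA by default` and `route points to general service by when HA when configured`; the first carries the wording of the test it renames, but the second is new. Suggest `@test "server/route: OpenShift - route points to active service when HA by default"` and `@test "server/route: OpenShift - route points to general service when HA and activeService is false"`, which also makes the second name say what is being configured.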
@@ -259,6 +259,10 @@ server: # or # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" + + # When HA mode is enabled and K8s service registration is being used, + # configure the ingress to point to the Vault active service. + activeService: true hosts: - host: chart-example.local paths: [] @@ -277,6 +281,11 @@ server: # The created route will be of type passthrough route: enabled: false + + # When HA mode is enabled and K8s service registration is being used, + # configure the route to point to the Vault active service. + activeService: true + labels: {} annotations: {} host: chart-example.local From 43656864c6802998d4dbbd0ebd804bcd88c4cdee Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 15 Jul 2021 14:18:08 -0400 Subject: [PATCH 068/115] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d2d15e64f..35e019747 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ Improvements: * Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565) * Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567) * Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567) +* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570) +* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570) + ## 0.13.0 (June 17th, 2021) From 64b4d88c727a1d7ad163e5449a79ca21dce7ceaa Mon Sep 17 00:00:00 2001 
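Review bot: The new `activeService` comment in the `@@ -259,6 +259,10 @@ server:` hunk says the ingress points at the active service when HA mode and service registration are used, but the ingress template in this same commit also requires `server.service.enabled` and `global.enabled` to be true, so a reader flipping only this flag may be surprised by the regular service being used; suggest adding `# Requires server.ha.enabled=true and server.service.enabled=true; otherwise the regular service is used.` under it. The route comment in the second hunk should state whatever precondition server-route.yaml actually enforces so the two stay aligned.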
From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Fri, 23 Jul 2021 12:05:24 -0400 Subject: [PATCH 069/115] feature: imagePullSecrets from string array. (#576) * allow configuring imagePullSecrets from an array of strings in addition to the already supported array of maps --- templates/_helpers.tpl | 17 +++++++++++++++++ templates/csi-daemonset.yaml | 5 +---- templates/injector-deployment.yaml | 5 +---- templates/server-statefulset.yaml | 5 +---- test/unit/csi-daemonset.bats | 27 +++++++++++++++++++++++++++ test/unit/server-statefulset.bats | 26 ++++++++++++++++++++++++++ values.yaml | 1 + 7 files changed, 74 insertions(+), 12 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 72b0e6803..29364aa33 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -623,3 +623,20 @@ Inject extra environment populated by secrets, if populated {{ "https" }} {{- end -}} {{- end -}} + +{{/* +imagePullSecrets generates pull secrets from either string or map values. +A map value must be indexable by the key 'name'. +*/}} +{{- define "imagePullSecrets" -}} +{{- with .Values.global.imagePullSecrets -}} +imagePullSecrets: +{{- range . -}} +{{- if typeIs "string" . }} + - name: {{ . }} +{{- else if index . "name" }} + - name: {{ .name }} +{{- end }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 75bde9a32..66fe055de 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -77,8 +77,5 @@ spec: {{- if .Values.csi.volumes }} {{- toYaml .Values.csi.volumes | nindent 8}} {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} - {{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} {{- end }} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index c063a8705..261be1c2a 100644 --- a/templates/injector-deployment.yaml 
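Review bot: The `imagePullSecrets` helper added in the `@@ -623,3 +623,20 @@` hunk of _helpers.tpl silently drops any entry that is neither a string nor a map with a `name` key, so a typo such as `- Name: regcred` renders no pull secret at all and the problem only surfaces later as an image pull error on the pod, or goes unnoticed if the registry also allows anonymous pulls. Failing at render time is cheaper to debug: replace the `{{- else if index . "name" }}` / `{{- end }}` pair with `{{- else }}` followed by `  - name: {{ required "imagePullSecrets entries must be a string or a map with a name key" .name }}`. An empty string entry likewise renders `- name:` with no value, which `required` on `.` in the string branch would catch. Minor style point: the helpers referenced elsewhere in this series are mostly namespaced (`vault.fullname`, `vault.route.annotations`); `vault.imagePullSecrets` would avoid colliding with a subchart that defines the same generic name.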
+++ b/templates/injector-deployment.yaml @@ -174,8 +174,5 @@ spec: secret: secretName: "{{ .Values.injector.certs.secretName }}" {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} - {{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 718c9a03e..031b17905 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -202,10 +202,7 @@ spec: {{- if .Values.server.extraContainers }} {{ toYaml .Values.server.extraContainers | nindent 8}} {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} - {{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} {{ template "vault.volumeclaims" . }} {{ end }} {{ end }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index d7152c61f..c546d0a5b 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
@@ -72,6 +72,33 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) + local actual=$(echo $object | + yq -r '. | length' | tee /dev/stderr) + [ "${actual}" = "2" ] + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "foo" ] + + local actual=$(echo $object | + yq -r '.[1].name' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: Custom imagePullSecrets - string array" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set 'global.imagePullSecrets[0]=foo' \ + --set 'global.imagePullSecrets[1]=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '. | length' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo $object | yq -r '.[0].name' | tee /dev/stderr) [ "${actual}" = "foo" ] diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 62f252919..b93905188 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
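Review bot: Both new string-array tests — this csi-daemonset.bats hunk and the matching server-statefulset.bats hunk that follows — exercise only the happy path; since the helper skips entries it cannot interpret, a test asserting what happens for a map entry without a `name` key (render error, or an empty list if that is the intended contract) would pin that behavior. A mixed list is also cheap to cover with `--set 'global.imagePullSecrets[0]=foo' --set 'global.imagePullSecrets[1].name=bar'` and the same length/name assertions.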
@@ -146,6 +146,32 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) + local actual=$(echo $object | + yq -r '. | length' | tee /dev/stderr) + [ "${actual}" = "2" ] + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "foo" ] + + local actual=$(echo $object | + yq -r '.[1].name' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "server/standalone-StatefulSet: Custom imagePullSecrets - string array" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.imagePullSecrets[0]=foo' \ + --set 'global.imagePullSecrets[1]=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '. | length' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo $object | yq -r '.[0].name' | tee /dev/stderr) [ "${actual}" = "foo" ] diff --git a/values.yaml b/values.yaml index 728769615..908e33213 100644 --- a/values.yaml +++ b/values.yaml @@ -5,6 +5,7 @@ global: # will enable or disable all the components within this chart by default. enabled: true # Image pull secret to use for registry authentication. + # Alternatively, the value may be specified as an array of strings. imagePullSecrets: [] # imagePullSecrets: # - name: image-pull-secret From 86ff773249927057646a0bbb700c93d95b407e74 Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Fri, 23 Jul 2021 13:00:50 -0400 Subject: [PATCH 070/115] ++changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 35e019747..f0517dac8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,6 +9,7 @@ Improvements: * Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567) * Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570) * Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570) +* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576) ## 0.13.0 (June 17th, 2021) From a5c85627b3585d0f418675a7ed9e7d21a434088b Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 28 Jul 2021 14:44:28 -0700 Subject: [PATCH 071/115] vault-helm 0.14.0 release (#578) --- CHANGELOG.md | 2 ++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 6 +++--- 6 files changed, 14 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f0517dac8..ee0624618 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.14.0 (July 28th, 2021) + Features: * Added templateConfig.exitOnRetryFailure annotation for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) diff --git a/Chart.yaml b/Chart.yaml index 045116268..a1f0cc49d 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.13.0 -appVersion: 1.7.3 +version: 0.14.0 +appVersion: 1.8.0 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 1445ffb83..bd114f7e0 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.3_ent' \ + --set='server.image.tag=1.8.0_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.3_ent' \ + --set='server.image.tag=1.8.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 98fc3e6d6..70977be09 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.3_ent' \ + --set='server.image.tag=1.8.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.3_ent' \ + --set='server.image.tag=1.8.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index 96198fe9b..168cf2b7e 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.10.2-ubi" + tag: "0.11.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.7.3-ubi" + tag: "1.8.0-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.7.3-ubi" + tag: "1.8.0-ubi" diff --git a/values.yaml b/values.yaml index 908e33213..4c358ced6 100644 --- a/values.yaml +++ b/values.yaml @@ -53,7 +53,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.10.2" + tag: "0.11.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -61,7 +61,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.7.3" + tag: "1.8.0" # The default values for the injected Vault Agent containers. agentDefaults: @@ -220,7 +220,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.7.3" + tag: "1.8.0" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From bfc01c1e5d108dd9c6a377e389593b1c24614f8c Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 29 Jul 2021 14:51:35 -0700 Subject: [PATCH 072/115] Update chart verifier (#579) The test names now have "v1.0/" prepended. chart-verifier docker images are now tagged too. --- .circleci/config.yml | 2 +- test/chart/verifier.bats | 29 ++++++++++++++--------------- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index e1bce111f..dd0dc63a7 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -16,7 +16,7 @@ jobs: - image: docker.mirror.hashicorp.services/cimg/go:1.16 environment: BATS_VERSION: "1.3.0" - CHART_VERIFIER_VERSION: "1.0.0" + CHART_VERIFIER_VERSION: "1.2.1" steps: - checkout - run: diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index e7ab5aa72..63c793951 100644 
--- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -6,10 +6,9 @@ setup_file() { cd `chart_dir` export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" export CHART_VOLUME=vault-helm-chart-src - # Note: currently `latest` is the only tag available in the chart-verifier repo. - local IMAGE="quay.io/redhat-certification/chart-verifier:latest" + local IMAGE="quay.io/redhat-certification/chart-verifier:1.2.1" # chart-verifier requires an openshift version if a cluster isn't available - local OPENSHIFT_VERSION="4.7" + local OPENSHIFT_VERSION="4.8" local DISABLED_TESTS="chart-testing" local run_cmd="chart-verifier" @@ -24,7 +23,7 @@ setup_file() { # Make sure we have the latest version of chart-verifier docker pull $IMAGE # Start chart-verifier using this volume - run_cmd="docker run --rm --volumes-from $CHART_VOLUME $IMAGE" + run_cmd="docker run --rm --volumes-from $CHART_VOLUME -w $chart_src $IMAGE" fi $run_cmd verify $chart_src \ 
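Review bot: The chart-verifier version now lives in two places — `CHART_VERIFIER_VERSION: "1.2.1"` in .circleci/config.yml and the literal `quay.io/redhat-certification/chart-verifier:1.2.1` in the first hunk of verifier.bats — so the next bump drifts unless both are edited; `local IMAGE="quay.io/redhat-certification/chart-verifier:${CHART_VERIFIER_VERSION:-1.2.1}"` keeps one source of truth while still working locally. The comment `# Make sure we have the latest version of chart-verifier` above `docker pull $IMAGE` in the second hunk is now stale because the pull fetches a fixed tag; `# Pull the pinned chart-verifier image` describes it. Since this tool runs against the chart source on a mounted volume, pinning the image by digest rather than a mutable tag would also make verification results reproducible.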
@@ -41,46 +40,46 @@ teardown_file() { } @test "has-kubeversion" { - check_result has-kubeversion + check_result v1.0/has-kubeversion } @test "is-helm-v3" { - check_result is-helm-v3 + check_result v1.0/is-helm-v3 } @test "not-contains-crds" { - check_result not-contains-crds + check_result v1.0/not-contains-crds } @test "helm-lint" { - check_result helm-lint + check_result v1.0/helm-lint } @test "not-contain-csi-objects" { - check_result not-contain-csi-objects + check_result v1.0/not-contain-csi-objects } @test "has-readme" { - check_result has-readme + check_result v1.0/has-readme } @test "contains-values" { - check_result contains-values + check_result v1.0/contains-values } @test "contains-values-schema" { - check_result contains-values-schema + check_result v1.0/contains-values-schema } @test "contains-test" { - check_result contains-test + check_result v1.0/contains-test } @test "images-are-certified" { - check_result images-are-certified + check_result v1.0/images-are-certified } @test "chart-testing" { skip "Skipping since this test requires a kubernetes/openshift cluster" - check_result chart-testing + check_result v1.0/chart-testing } From c9c23b1a9b73645804334c0414891f55f3db7647 Mon Sep 17 00:00:00 2001 From: Maxime Bruneau <39189697+shiinro@users.noreply.github.com> Date: Thu, 12 Aug 2021 02:01:58 +0200 Subject: [PATCH 073/115] Add imagePullSecrets on server test (#572) Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Theron Voran --- templates/tests/server-test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index 37819de5c..66aa178f5 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml 
@@ -7,6 +7,7 @@ metadata: annotations: "helm.sh/hook": test spec: + {{- include "imagePullSecrets" . | nindent 2 }} containers: - name: {{ .Release.Name }}-server-test image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} From 277317524a7744974d6929e424b7f3e7e49f1b7b Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 11 Aug 2021 17:03:26 -0700 Subject: [PATCH 074/115] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee0624618..d95aefdf8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Improvements: +* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572) + ## 0.14.0 (July 28th, 2021) Features: From f7ab37fd50e365735916ec71b0d5ef27e564c264 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 16 Aug 2021 13:49:26 -0700 Subject: [PATCH 075/115] Add injector.webhookAnnotations chart option (#584) --- templates/_helpers.tpl | 15 +++++++++++ templates/injector-mutating-webhook.yaml | 1 + test/unit/injector-mutating-webhook.bats | 32 ++++++++++++++++++++++++ values.schema.json | 6 +++++ values.yaml | 10 +++++--- 5 files changed, 61 insertions(+), 3 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 29364aa33..3e936f77e 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -353,6 +353,21 @@ Sets extra injector service annotations {{- end }} {{- end -}} +{{/* +Sets extra injector webhook annotations +*/}} +{{- define "injector.webhookAnnotations" -}} + {{- if .Values.injector.webhookAnnotations }} + annotations: + {{- $tp := typeOf .Values.injector.webhookAnnotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets extra ui service annotations */}} 
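Review bot: The new helper's header comment `Sets extra injector webhook annotations` does not say that a string value is passed through `tpl`, i.e. rendered as a Helm template with the chart values in scope, whereas a map is emitted as-is via `toYaml`; `Sets extra injector webhook annotations; accepts a map, or a YAML string that is rendered with tpl` would document the contract the `typeOf` branch implements. The same two accepted forms are declared in values.schema.json (`"object", "string"`) but the values.yaml comment added later in this commit (`# Extra annotations to attach to the webhook`) mentions neither, so a user reading only values.yaml cannot tell that a string is templated. This appears to mirror the existing injector annotation helper above it, so the behaviour itself is consistent with the file.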
diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index abe23aabc..de7dd5622 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -11,6 +11,7 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- template "injector.webhookAnnotations" . }} webhooks: - name: vault.hashicorp.com sideEffects: None diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 65f505bcf..1e6e150d0 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats @@ -121,3 +121,35 @@ load _helpers [ "${actual}" = "\"Fail\"" ] } + +#-------------------------------------------------------------------- +# annotations + +@test "injector/MutatingWebhookConfiguration: default annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: specify annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.webhookAnnotations.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.webhookAnnotations=foo: bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} diff --git a/values.schema.json b/values.schema.json index bd0713782..c159c0102 100644 --- a/values.schema.json 
+++ b/values.schema.json @@ -357,6 +357,12 @@ "array", "string" ] + }, + "webhookAnnotations": { + "type": [ + "object", + "string" + ] } } }, diff --git a/values.yaml b/values.yaml index 4c358ced6..26bb7e94d 100644 --- a/values.yaml +++ b/values.yaml @@ -119,6 +119,9 @@ injector: # failurePolicy: Ignore + # Extra annotations to attach to the webhook + webhookAnnotations: {} + certs: # secretName is the name of the secret that has the TLS certificate and # private key to serve the injector webhook. If this is null, then the @@ -126,9 +129,10 @@ injector: # a service account to the injector to generate its own certificates. secretName: null - # caBundle is a base64-encoded PEM-encoded certificate bundle for the - # CA that signed the TLS certificate that the webhook serves. This must - # be set if secretName is non-null. + # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA + # that signed the TLS certificate that the webhook serves. This must be set + # if secretName is non-null, unless an external service like cert-manager is + # keeping the caBundle updated. caBundle: "" # certName and keyName are the names of the files within the secret for From 22df6c0d9bdbfefecc7e53e9cdcabea7b2d2cb4c Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 16 Aug 2021 13:50:47 -0700 Subject: [PATCH 076/115] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d95aefdf8..87e9ce0fa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ Improvements: * Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572) +* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584) ## 0.14.0 (July 28th, 2021) From c820454dd5ac0d0e73968e24eddd053fb07b105f Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Mon, 23 Aug 2021 08:51:52 -0700 Subject: [PATCH 077/115] vault-helm 0.15.0 release (#598) --- CHANGELOG.md | 2 ++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 6 +++--- 6 files changed, 14 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 87e9ce0fa..364950880 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.15.0 (August 23rd, 2021) + Improvements: * Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572) * Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584) diff --git a/Chart.yaml b/Chart.yaml index a1f0cc49d..57ec8667a 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.14.0 -appVersion: 1.8.0 +version: 0.15.0 +appVersion: 1.8.1 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index bd114f7e0..f34e0a038 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.0_ent' \ + --set='server.image.tag=1.8.1_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
@@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.0_ent' \ + --set='server.image.tag=1.8.1_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 70977be09..a11d2e79b 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.0_ent' \ + --set='server.image.tag=1.8.1_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.0_ent' \ + --set='server.image.tag=1.8.1_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index 168cf2b7e..c724afb3f 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.11.0-ubi" + tag: "0.12.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.0-ubi" + tag: "1.8.1-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.0-ubi" + tag: "1.8.1-ubi" diff --git a/values.yaml b/values.yaml index 26bb7e94d..9969b2662 100644 --- a/values.yaml +++ b/values.yaml 
@@ -53,7 +53,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.11.0" + tag: "0.12.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -61,7 +61,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.8.0" + tag: "1.8.1" # The default values for the injected Vault Agent containers. agentDefaults: @@ -224,7 +224,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.8.0" + tag: "1.8.1" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From d31f942d3e75af96e4fa15c84edb27c21f90be0b Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 31 Aug 2021 15:16:06 -0700 Subject: [PATCH 078/115] Support vault-k8s internal leader election (#568) --- templates/injector-deployment.yaml | 33 +------ templates/injector-leader-endpoint.yaml | 12 --- templates/injector-role.yaml | 8 +- test/acceptance/injector-leader-elector.bats | 13 +-- test/unit/injector-leader-elector.bats | 98 +------------------- values.schema.json | 14 --- values.yaml | 8 +- 7 files changed, 18 insertions(+), 168 deletions(-) delete mode 100644 templates/injector-leader-endpoint.yaml diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 261be1c2a..e753c9c95 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -110,6 +110,10 @@ spec: - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name args: - agent-inject - 2>&1 
@@ -139,35 +143,6 @@ spec: mountPath: /etc/webhook/certs readOnly: true {{- end }} - {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - - name: leader-elector - image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} - args: - - --election={{ template "vault.fullname" . }}-agent-injector-leader - - --election-namespace={{ .Release.Namespace }} - - --http=0.0.0.0:4040 - - --ttl={{ .Values.injector.leaderElector.ttl }} - livenessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - {{- end }} {{- if .Values.injector.certs.secretName }} volumes: - name: webhook-certs diff --git a/templates/injector-leader-endpoint.yaml b/templates/injector-leader-endpoint.yaml deleted file mode 100644 index fc4ef1608..000000000 --- a/templates/injector-leader-endpoint.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} -# This is created here so it can be cleaned up easily, since if -# the endpoint is left around the leader won't expire for about a minute. -apiVersion: v1 -kind: Endpoints -metadata: - name: {{ template "vault.fullname" . }}-agent-injector-leader - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} \ No newline at end of file 
diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml
index e74524cea..88fe53f62 100644
--- a/templates/injector-role.yaml
+++ b/templates/injector-role.yaml
@@ -9,11 +9,17 @@ metadata:
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
 - apiGroups: [""]
- resources: ["endpoints", "secrets"]
+ resources: ["secrets", "configmaps"]
 verbs:
 - "create"
 - "get"
 - "watch"
 - "list"
 - "update"
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs:
+ - "get"
+ - "patch"
+ - "delete"
 {{- end }}
\ No newline at end of file
diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats
index 04c1ae5fa..4c7154cb2 100644
--- a/test/acceptance/injector-leader-elector.bats
+++ b/test/acceptance/injector-leader-elector.bats
@@ -22,21 +22,16 @@ load _helpers
 tries=0
 until [ $tries -ge 60 ]
 do
- leader="$(echo "$(kubectl exec ${pods[0]} -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)"
- [ -n "${leader}" ] && break
- ((tries++))
+ owner=$(kubectl get configmaps vault-k8s-leader -o json | jq -r .metadata.ownerReferences\[0\].name)
+ leader=$(kubectl get pods $owner -o json | jq -r .metadata.name)
+ [ -n "${leader}" ] && [ "${leader}" != "null" ] && break
+ let "tries=tries+1"
 sleep .5
 done
 # Check the leader name is valid - i.e. one of the 3 pods
 [[ " ${pods[@]} " =~ " ${leader} " ]]
- # Check every pod agrees on who the leader is
- for pod in "${pods[@]}"
- do
- pod_leader="$(echo "$(kubectl exec $pod -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)"
- [ "${pod_leader}" == "${leader}" ]
- done
 }
 setup() {
diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats
index 6c77d81da..a1b27a455 100644
--- a/test/unit/injector-leader-elector.bats
+++ b/test/unit/injector-leader-elector.bats 
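Review bot: The new rule grants `get`, `patch` and `delete` on every pod in the release namespace to the injector's service account, and nothing in the template records why; the acceptance test in the same commit only reads the leader ConfigMap's ownerReference, so the need for `delete` in particular cannot be confirmed from this diff. A comment above the rule such as `# pods: get/patch/delete used by vault-k8s internal leader election (owner reference on the leader ConfigMap)`, corrected to the actual reason, would let a reviewer check the grant against least privilege. If vault-k8s 0.13.0+ does not actually delete pods, dropping that verb narrows what a compromised injector pod could do to its neighbours in the namespace.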
@@ -5,7 +5,7 @@ load _helpers #-------------------------------------------------------------------- # Deployment -@test "injector/deployment: leader elector replica count" { +@test "injector/deployment: replica count" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-deployment.yaml \ @@ -15,42 +15,6 @@ load _helpers [ "${actual}" = "2" ] } -@test "injector/deployment: leader elector - sidecar is created only when enabled" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "1" ] - - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.enabled=false" \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "1" ] - - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "2" ] -} - -@test "injector/deployment: leader elector image name is configurable" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.image.repository=SomeOtherImage" \ - --set "injector.leaderElector.image.tag=SomeOtherTag" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].image' | tee /dev/stderr) - [ "${actual}" = "SomeOtherImage:SomeOtherTag" ] -} - @test "injector/deployment: leader elector configuration for sidecar-injector" { cd `chart_dir` local actual=$(helm template \ 
@@ -80,26 +44,6 @@ load _helpers [ "${actual}" = "metadata.namespace" ] } -@test "injector/deployment: leader elector TTL is configurable" { - cd `chart_dir` - # Default value 60s - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) - [ "${actual}" = "--ttl=60s" ] - - # Configured to 30s - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.ttl=30s" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) - [ "${actual}" = "--ttl=30s" ] -} - #-------------------------------------------------------------------- # Resource creation 
@@ -143,46 +87,6 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/leader-endpoint: created/skipped as appropriate" { - cd `chart_dir` - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "global.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - @test "injector/role: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ diff --git a/values.schema.json b/values.schema.json index c159c0102..c6d7d1039 100644 --- a/values.schema.json +++ b/values.schema.json @@ -281,20 +281,6 @@ "properties": { "enabled": { "type": "boolean" - }, - "image": { - "type": "object", - "properties": { - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "ttl": { - "type": "string" } } }, diff --git a/values.yaml b/values.yaml index 9969b2662..4e3f70c9d 100644 --- a/values.yaml +++ b/values.yaml 
@@ -33,14 +33,10 @@ injector: # Configures the port the injector should listen on port: 8080 - # If multiple replicas are specified, by default a leader-elector side-car - # will be created so that only one injector attempts to create TLS certificates. + # If multiple replicas are specified, by default a leader will be determined + # so that only one injector attempts to create TLS certificates. leaderElector: enabled: true - image: - repository: "gcr.io/google_containers/leader-elector" - tag: "0.4" - ttl: 60s # If true, will enable a node exporter metrics endpoint at /metrics. metrics: From 87a0a56ad9e983a25080c2eaaf84d633d3bce38f Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 31 Aug 2021 15:21:49 -0700 Subject: [PATCH 079/115] changelog++ --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 364950880..1ed19eea6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,9 +2,13 @@ ## 0.15.0 (August 23rd, 2021) +CHANGES: +* vault-helm 0.15.0 requires version 0.13.0+ of the vault-k8s injector when using multiple replicas and auto-tls, since the chart has dropped support for deploying leader-elector containers. + Improvements: * Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572) * Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584) +* Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) ## 0.14.0 (July 28th, 2021) From 8932c372b75be87540f30b194eac587c85b4a3d4 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 7 Sep 2021 18:09:30 -0700 Subject: [PATCH 080/115] Fix the CSI acceptance test (#608) The `master` branch was renamed to `main` for kubernetes-sigs/secrets-store-csi-driver * use a specific version in the URL * use csi driver 0.2.0 --- test/acceptance/csi.bats | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
index 67be09d6d..d222ca274 100644
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@@ -9,7 +9,8 @@ load _helpers
 kubectl create namespace acceptance
 # Install Secrets Store CSI driver
- helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.20.tgz?raw=true \
+ CSI_DRIVER_VERSION=0.2.0
+ helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/v${CSI_DRIVER_VERSION}/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
 --wait --timeout=5m \
 --namespace=acceptance \
 --set linux.image.pullPolicy="IfNotPresent"
From 23e034884292761badefa5bfe30c2bfe077989be Mon Sep 17 00:00:00 2001
From: Toni Tauro Date: Wed, 15 Sep 2021 20:12:24 +0200 Subject: [PATCH 081/115] feat(csi): make provider hostPaths configurable (#603) * add configurable values for providersDir and kubeletRootDir Signed-off-by: Toni Tauro Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- templates/csi-daemonset.yaml | 4 +-- test/unit/csi-daemonset.bats | 62 ++++++++++++++++++++++++++++++++++++ values.schema.json | 6 ++++ values.yaml | 4 +++ 4 files changed, 74 insertions(+), 2 deletions(-)
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
index 66fe055de..0ab521151 100644
--- a/templates/csi-daemonset.yaml
+++ b/templates/csi-daemonset.yaml
@@ -70,10 +70,10 @@ spec:
 volumes:
 - name: providervol
 hostPath:
- path: "/etc/kubernetes/secrets-store-csi-providers"
+ path: {{ .Values.csi.daemonSet.providersDir }}
 - name: mountpoint-dir
 hostPath:
- path: /var/lib/kubelet/pods
+ path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
 {{- if .Values.csi.volumes }}
 {{- toYaml .Values.csi.volumes | nindent 8}}
 {{- end }}
diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats
index c546d0a5b..5cfd8a7e8 100644 
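Review bot: `CSI_DRIVER_VERSION=0.2.0` is assigned without `local`, unlike the `local` variables used elsewhere in these bats files (for example `local IMAGE=` in test/chart/verifier.bats), so it leaks into the shell environment of every later test in the file; `local CSI_DRIVER_VERSION=0.2.0` keeps it scoped, assuming the line sits inside a function (the enclosing function starts outside the hunk). The chart tarball is still fetched from a GitHub `?raw=true` blob URL with nothing checking what was downloaded; pinning the version helps reproducibility but is not an integrity check, which would need a checksum of the archive or a provenance file.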
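Review bot: The rendered `path:` values are no longer quoted: the removed literal was `"/etc/kubernetes/secrets-store-csi-providers"` but the new line is `path: {{ .Values.csi.daemonSet.providersDir }}`, so a value containing YAML-significant characters (a `#`, a `: `, or a leading `*`) renders as invalid or unexpected YAML; `path: {{ .Values.csi.daemonSet.providersDir | quote }}` and `path: {{ printf "%s/pods" .Values.csi.daemonSet.kubeletRootDir | quote }}` keep the original quoting. Both entries are hostPath mounts that become user-configurable here, so the values.yaml comments added later in this commit (`# Provider host path ...`, `# Kubelet host path`) would benefit from saying that the directory is mounted from the node and should point only at the CSI provider and kubelet directories.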
--- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
@@ -315,6 +315,68 @@ load _helpers [ "${actual}" = "{}" ] } +@test "csi/daemonset: csi providersDir default" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.volumes[] | select(.name == "providervol")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.hostPath.path' | tee /dev/stderr) + [ "${actual}" = "/etc/kubernetes/secrets-store-csi-providers" ] +} + +@test "csi/daemonset: csi kubeletRootDir default" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.volumes[] | select(.name == "mountpoint-dir")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.hostPath.path' | tee /dev/stderr) + [ "${actual}" = "/var/lib/kubelet/pods" ] +} + +@test "csi/daemonset: csi providersDir override " { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.providersDir=/alt/csi-prov-dir' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.volumes[] | select(.name == "providervol")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.hostPath.path' | tee /dev/stderr) + [ "${actual}" = "/alt/csi-prov-dir" ] +} + +@test "csi/daemonset: csi kubeletRootDir override" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.kubeletRootDir=/alt/kubelet-root' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.volumes[] | select(.name == "mountpoint-dir")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.hostPath.path' | tee /dev/stderr) + [ "${actual}" = "/alt/kubelet-root/pods" ] +} + #-------------------------------------------------------------------- # volumeMounts diff --git a/values.schema.json b/values.schema.json index c6d7d1039..76ecb5933 100644 --- a/values.schema.json +++ b/values.schema.json @@ -24,6 +24,12 @@ "type": "string" } } + }, + "providersDir": { + "type": "string" + }, + "kubeletRootDir": { + "type": "string" } } }, diff --git a/values.yaml b/values.yaml index 4e3f70c9d..fe998f5a9 100644 --- a/values.yaml +++ b/values.yaml @@ -754,6 +754,10 @@ csi: # YAML-formatted multi-line templated string map of the annotations to apply # to the daemonSet. annotations: {} + # Provider host path (must match the CSI provider's path) + providersDir: "/etc/kubernetes/secrets-store-csi-providers" + # Kubelet host path + kubeletRootDir: "/var/lib/kubelet" pod: # Extra annotations for the provider pods. This can either be YAML or a From c267805dea623481ae7d7cbc1e99352bf12703ef Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Wed, 15 Sep 2021 14:22:02 -0400 Subject: [PATCH 082/115] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ed19eea6..a6b5ffa64 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Improvements: + * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603(https://github.com/hashicorp/vault-helm/pull/603) + ## 0.15.0 (August 23rd, 2021) CHANGES: From dd3b3f06e038782e619197608d66ec416da069e1 Mon Sep 17 00:00:00 2001 
From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Wed, 15 Sep 2021 14:22:35 -0400 Subject: [PATCH 083/115] changelog++ --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a6b5ffa64..efcde57f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ ## Unreleased Improvements: - * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603(https://github.com/hashicorp/vault-helm/pull/603) + * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603) ## 0.15.0 (August 23rd, 2021) From 5a864f7cbb59e9147c34484f50cd0a4168600d51 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 15 Sep 2021 18:43:04 -0700 Subject: [PATCH 084/115] Adding support for the old leader-elector (#607) Adds the leader-elector container support that was removed in PR #568. The new vault-k8s uses an internal mechanism for leader determination, so this is just for backwards compatibility, and can be removed in the near future. * mark the endpoint as deprecated * add a new useContainer option for leaderElector Default to not deploying the old leader-elector container, unless injector.leaderElector.useContainer is `true`. --- templates/injector-certs-secret.yaml | 2 +- templates/injector-deployment.yaml | 29 +++++ templates/injector-leader-endpoint.yaml | 14 +++ templates/injector-role.yaml | 4 +- templates/injector-rolebinding.yaml | 2 +- test/acceptance/injector-leader-elector.bats | 13 ++- test/unit/injector-leader-elector.bats | 107 ++++++++++++++++++- values.schema.json | 17 +++ values.yaml | 10 ++ 9 files changed, 190 insertions(+), 8 deletions(-) create mode 100644 templates/injector-leader-endpoint.yaml diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml index aec802140..78363be55 100644 
--- a/templates/injector-certs-secret.yaml
+++ b/templates/injector-certs-secret.yaml
@@ -7,4 +7,4 @@ metadata:
 app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index e753c9c95..f4a796bf0 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -137,6 +137,35 @@ spec:
 periodSeconds: 2
 successThreshold: 1
 timeoutSeconds: 5
+ {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }}
+ - name: leader-elector
+ image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
+ args:
+ - --election={{ template "vault.fullname" . }}-agent-injector-leader
+ - --election-namespace={{ .Release.Namespace }}
+ - --http=0.0.0.0:4040
+ - --ttl={{ .Values.injector.leaderElector.ttl }}
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 4040
+ scheme: HTTP
+ failureThreshold: 2
+ initialDelaySeconds: 5
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 4040
+ scheme: HTTP
+ failureThreshold: 2
+ initialDelaySeconds: 5
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 5
+ {{- end }}
 {{- if .Values.injector.certs.secretName }}
 volumeMounts:
 - name: webhook-certs
diff --git a/templates/injector-leader-endpoint.yaml b/templates/injector-leader-endpoint.yaml
new file mode 100644
index 000000000..42c4c0ae7
--- /dev/null
+++ b/templates/injector-leader-endpoint.yaml 
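Review bot: The three-part guard `{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }}` is repeated verbatim in templates/injector-leader-endpoint.yaml in the same commit, so the two can silently drift apart; a named helper in _helpers.tpl that evaluates the condition once, included from both templates, keeps the container and its Endpoints object enabled under exactly the same terms. Since the commit message calls this container deprecated, a comment above `- name: leader-elector` such as `# Deprecated: kept only for backwards compatibility with vault-k8s before 0.13.0; to be removed` records that intent where the next maintainer will look. The re-added container also carries no `resources` block; whether that matches the sidecar-injector container cannot be seen from this hunk.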
@@ -0,0 +1,14 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true")}}
+# This is created here so it can be cleaned up easily, since if
+# the endpoint is left around the leader won't expire for about a minute.
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: {{ template "vault.fullname" . }}-agent-injector-leader
+ annotations:
+ deprecated: "true"
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml
index 88fe53f62..446efaf59 100644
--- a/templates/injector-role.yaml
+++ b/templates/injector-role.yaml
@@ -9,7 +9,7 @@ metadata:
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
 - apiGroups: [""]
- resources: ["secrets", "configmaps"]
+ resources: ["secrets", "configmaps", "endpoints"]
 verbs:
 - "create"
 - "get"
@@ -22,4 +22,4 @@ rules:
 - "get"
 - "patch"
 - "delete"
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml
index e06d2425f..aa8179420 100644
--- a/templates/injector-rolebinding.yaml
+++ b/templates/injector-rolebinding.yaml
@@ -15,4 +15,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ template "vault.fullname" . }}-agent-injector
 namespace: {{ .Release.Namespace }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats
index 4c7154cb2..6f9f0b41f 100644
--- a/test/acceptance/injector-leader-elector.bats
+++ b/test/acceptance/injector-leader-elector.bats 
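Review bot: `endpoints` is added back to the Role's first resource list unconditionally, but the only consumer, the old leader-elector container and its Endpoints object, is rendered only when `injector.leaderElector.useContainer` is `true`, which the commit description says is not the default; every default installation therefore grants create/update/watch on Endpoints that nothing in the chart uses. Gating the entry on the same flag, e.g. `resources: ["secrets", "configmaps"{{ if eq (.Values.injector.leaderElector.useContainer | toString) "true" }}, "endpoints"{{ end }}]`, keeps the default grant at least privilege and lets the permission disappear with the deprecated container. Write access to Endpoints is worth keeping narrow because it determines where Service traffic in the namespace is delivered.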
@@ -12,7 +12,8 @@ load _helpers helm install "$(name_prefix)" \ --wait \ --timeout=5m \ - --set="injector.replicas=3" . + --set="injector.replicas=3" \ + --set="injector.leaderElector.useContainer=true" . kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name')) @@ -22,15 +23,21 @@ load _helpers tries=0 until [ $tries -ge 60 ] do + ## The new internal leader mechanism uses a ConfigMap owner=$(kubectl get configmaps vault-k8s-leader -o json | jq -r .metadata.ownerReferences\[0\].name) leader=$(kubectl get pods $owner -o json | jq -r .metadata.name) [ -n "${leader}" ] && [ "${leader}" != "null" ] && break - let "tries=tries+1" + + ## Also check the old leader-elector container + old_leader="$(echo "$(kubectl exec ${pods[0]} -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)" + [ -n "${old_leader}" ] && break + + ((++tries)) sleep .5 done # Check the leader name is valid - i.e. one of the 3 pods - [[ " ${pods[@]} " =~ " ${leader} " ]] + [[ " ${pods[@]} " =~ " ${leader} " || " ${pods[@]} " =~ " ${old_leader} " ]] } diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index a1b27a455..75ab2982c 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats 
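Review bot: The fallback check `[ -n "${old_leader}" ] && break` leaves the retry loop as soon as `jq -r .name` prints anything, including the literal `null` when the JSON has no `name`, whereas the ConfigMap path just above also requires `"${leader}" != "null"`; the final membership assertion would then fail after one attempt instead of retrying. Mirror the first check: `[ -n "${old_leader}" ] && [ "${old_leader}" != "null" ] && break`. It is also worth a comment that `kubectl exec` failing (before the leader-elector container is ready) yields an empty `old_leader` on purpose, e.g. `## exec/wget fails until the container is up; empty result means retry`, so the silent failure is not mistaken for a bug.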
@@ -165,4 +165,109 @@ load _helpers . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] -} \ No newline at end of file +} + +#-------------------------------------------------------------------- +# Old leader-elector container support +# Note: deprecated and will be removed soon + +@test "injector/deployment: leader elector - sidecar is created only when enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers | length' | tee /dev/stderr) + [ "${actual}" = "1" ] + + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.replicas=2" \ + --set "injector.leaderElector.enabled=false" \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers | length' | tee /dev/stderr) + [ "${actual}" = "1" ] + + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.replicas=2" \ + --set "injector.leaderElector.useContainer=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers | length' | tee /dev/stderr) + [ "${actual}" = "2" ] +} + +@test "injector/deployment: leader elector image name is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.replicas=2" \ + --set "injector.leaderElector.useContainer=true" \ + --set "injector.leaderElector.image.repository=SomeOtherImage" \ + --set "injector.leaderElector.image.tag=SomeOtherTag" \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].image' | tee /dev/stderr) + [ "${actual}" = "SomeOtherImage:SomeOtherTag" ] +} + +@test "injector/deployment: leader elector TTL is configurable" { + cd `chart_dir` + # Default value 60s + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.replicas=2" \ + --set "injector.leaderElector.useContainer=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) + [ "${actual}" = "--ttl=60s" ] + + # Configured to 30s + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.replicas=2" \ + --set "injector.leaderElector.useContainer=true" \ + --set "injector.leaderElector.ttl=30s" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) + [ "${actual}" = "--ttl=30s" ] +} + +@test "injector/leader-endpoint: created/skipped as appropriate" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-leader-endpoint.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/injector-leader-endpoint.yaml \ + --set "injector.replicas=2" \ + --set "global.enabled=false" \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/injector-leader-endpoint.yaml \ + --set "injector.replicas=2" \ + --set "injector.enabled=false" \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/injector-leader-endpoint.yaml \ + --set "injector.replicas=2" \ + --set "injector.leaderElector.enabled=false" \ + . 
|| echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/injector-leader-endpoint.yaml \ + --set "injector.replicas=2" \ + --set "injector.leaderElector.useContainer=true" \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/values.schema.json b/values.schema.json index 76ecb5933..4c0a00498 100644 --- a/values.schema.json +++ b/values.schema.json @@ -287,6 +287,23 @@ "properties": { "enabled": { "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ttl": { + "type": "string" + }, + "useContainer": { + "type": "boolean" } } }, diff --git a/values.yaml b/values.yaml index fe998f5a9..d71460abb 100644 --- a/values.yaml +++ b/values.yaml @@ -37,6 +37,16 @@ injector: # so that only one injector attempts to create TLS certificates. leaderElector: enabled: true + # Note: The deployment of the leader-elector container will soon be removed + # from this chart since vault-k8s now uses an internal mechanism to + # determine leadership. + # To enable the deployment of the leader-elector container for use with + # vault-k8s 0.12.0 and earlier, set `useContainer=true` + useContainer: false + image: + repository: "gcr.io/google_containers/leader-elector" + tag: "0.4" + ttl: 60s # If true, will enable a node exporter metrics endpoint at /metrics. metrics: From 78a355bffc64a94918cec2279636e14a1d388aeb Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 15 Sep 2021 18:59:34 -0700 Subject: [PATCH 085/115] changelog++ --- CHANGELOG.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index efcde57f7..77e40526e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
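Review bot: In `injector/deployment: leader elector - sidecar is created only when enabled`, the second case sets `injector.leaderElector.enabled=false` but leaves `useContainer` at its default `false`, so the container is suppressed by the default rather than by the flag under test, and the case would still pass if the `enabled` check were dropped from the template condition. Add `--set "injector.leaderElector.useContainer=true"` to that case. The `global.enabled=false`, `injector.enabled=false` and `injector.leaderElector.enabled=false` cases in `injector/leader-endpoint: created/skipped as appropriate` have the same gap and need `useContainer=true` to exercise the guards they are named for.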
@@ -1,17 +1,17 @@ ## Unreleased +CHANGES: +* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`. + Improvements: * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603) + * Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607) ## 0.15.0 (August 23rd, 2021) -CHANGES: -* vault-helm 0.15.0 requires version 0.13.0+ of the vault-k8s injector when using multiple replicas and auto-tls, since the chart has dropped support for deploying leader-elector containers. - Improvements: * Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572) * Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584) -* Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) ## 0.14.0 (July 28th, 2021) From cd2059147dbf2d0582083e314e86b380aa96d168 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 16 Sep 2021 09:39:59 -0700 Subject: [PATCH 086/115] vault 0.16.0 release (#612) --- CHANGELOG.md | 2 ++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 6 +++--- 6 files changed, 14 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 77e40526e..a71e8fc65 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,7 @@ ## Unreleased +## 0.16.0 (September 16th, 2021) + CHANGES: * Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`. diff --git a/Chart.yaml b/Chart.yaml index 57ec8667a..85075804c 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.15.0 -appVersion: 1.8.1 +version: 0.16.0 +appVersion: 1.8.2 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index f34e0a038..5954c3262 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.1_ent' \ + --set='server.image.tag=1.8.2_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.1_ent' \ + --set='server.image.tag=1.8.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index a11d2e79b..923fff7e3 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats 
@@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.1_ent' \ + --set='server.image.tag=1.8.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.1_ent' \ + --set='server.image.tag=1.8.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index c724afb3f..f02e9a93b 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.12.0-ubi" + tag: "0.13.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.1-ubi" + tag: "1.8.2-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.1-ubi" + tag: "1.8.2-ubi" diff --git a/values.yaml b/values.yaml index d71460abb..7d5d0469e 100644 --- a/values.yaml +++ b/values.yaml @@ -59,7 +59,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.12.0" + tag: "0.13.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -67,7 +67,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.8.1" + tag: "1.8.2" # The default values for the injected Vault Agent containers. agentDefaults: @@ -230,7 +230,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.8.1" + tag: "1.8.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent 
From b69e3d927641944a0f68c7def3bb71fa9f9bdb8c Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 27 Sep 2021 21:40:09 -0700 Subject: [PATCH 087/115] vault-helm default branch is now `main` (#618) Updated the circleci config to use the `main` branch, and also changed a couple mentions in the contributing guide. --- .circleci/config.yml | 4 ++-- CONTRIBUTING.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index dd0dc63a7..f4a0ba88a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -77,7 +77,7 @@ jobs: -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true @@ -94,7 +94,7 @@ workflows: - bats-unit-test filters: branches: - only: master + only: main update-helm-charts-index: jobs: - update-helm-charts-index: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f83d56747..f1c160000 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -26,7 +26,7 @@ quickly merge or address your contributions. * Make sure you test against the latest released version. It is possible we already fixed the bug you're experiencing. Even better is if you can test - against `master`, as bugs are fixed regularly but new versions are only + against `main`, as bugs are fixed regularly but new versions are only released every few months. * Provide steps to reproduce the issue, and if possible include the expected 
@@ -121,7 +121,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to start from a clean slate. **Note:** There is a Terraform configuration in the -[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/master/test/terraform) directory +[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory that can be used to quickly bring up a GKE cluster and configure `kubectl` and `helm` locally. This can be used to quickly spin up a test cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes From 5dfc3515c1712bba3239a3f0d781ecad5c939e99 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 29 Sep 2021 16:28:37 -0700 Subject: [PATCH 088/115] vault-helm 0.16.1 release (#619) --- CHANGELOG.md | 6 ++++++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 6 +++--- 6 files changed, 18 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a71e8fc65..5208330a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ ## Unreleased +## 0.16.1 (September 29th, 2021) + +CHANGES: +* Vault image default 1.8.3 +* Vault K8s image default 0.13.1 + ## 0.16.0 (September 16th, 2021) CHANGES: diff --git a/Chart.yaml b/Chart.yaml index 85075804c..80c87c85a 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.16.0 -appVersion: 1.8.2 +version: 0.16.1 +appVersion: 1.8.3 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 5954c3262..f50f87f72 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.2_ent' \ + --set='server.image.tag=1.8.3_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.2_ent' \ + --set='server.image.tag=1.8.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 923fff7e3..abb7bea1f 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.2_ent' \ + --set='server.image.tag=1.8.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.2_ent' \ + --set='server.image.tag=1.8.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index f02e9a93b..4739231d1 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.13.0-ubi" + tag: "0.13.1-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.2-ubi" + tag: "1.8.3-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.2-ubi" + tag: "1.8.3-ubi" diff --git a/values.yaml b/values.yaml index 7d5d0469e..5d894fafa 100644 --- a/values.yaml +++ b/values.yaml @@ -59,7 +59,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.13.0" + tag: "0.13.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -67,7 +67,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.8.2" + tag: "1.8.3" # The default values for the injected Vault Agent containers. agentDefaults: @@ -230,7 +230,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.8.2" + tag: "1.8.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 97586662620ff66f961a8f2a99cf713a6f6c72e6 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 29 Sep 2021 18:01:14 -0700 Subject: [PATCH 089/115] fix chart publish job (#620) The branch parameter isn't for this repo --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index f4a0ba88a..8de4c83c1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -77,7 +77,7 @@ jobs: -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true From 72c485dd2c1e87c1e9fc193c0983b046656420d5 Mon Sep 17 00:00:00 2001 From: Vladislav Rumjantsev <13906830+vrumjantsev@users.noreply.github.com> Date: Sat, 9 Oct 2021 03:13:21 +0300 Subject: [PATCH 090/115] ingress stable networking api (#590) * Moved ingress to stable networking api * lower versions support * ingress disabled by default * added tests for old k8s --- templates/server-ingress.yaml | 12 +++++++++++- test/unit/server-ingress.bats | 31 +++++++++++++++++++++++-------- values.yaml | 6 ++++-- 3 files changed, 38 insertions(+), 11 deletions(-) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 9da020e1a..cc4f66dac 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -8,7 +8,10 @@ {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} -{{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} +{{- $kubeVersion := .Capabilities.KubeVersion.Version }} +{{ if semverCompare ">= 1.19.0-0" $kubeVersion }} +apiVersion: networking.k8s.io/v1 +{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} apiVersion: networking.k8s.io/v1beta1 {{ else }} apiVersion: extensions/v1beta1 
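Review bot: The hunk restores `\"branch\": \"master\"` without recording why, and the previous commit changed it to `main` precisely because nothing at the call site says which repository the parameter belongs to. A YAML comment above the curl command, `# "branch" is the default branch of the ${CIRCLE_PROJECT} pipeline being triggered, not of this repo`, would stop the next branch rename from repeating the mistake. The start of the step is outside the hunk, so place the comment where the command begins.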
@@ -48,8 +51,15 @@ spec: {{- range (.paths | default (list "/")) }} - path: {{ . }} backend: + {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{ else }} serviceName: {{ $serviceName }} servicePort: {{ $servicePort }} + {{ end }} {{- end }} {{- end }} {{- end }} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 68183a51e..46794a429 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -52,7 +52,7 @@ load _helpers --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName | length > 0' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name | length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -66,9 +66,9 @@ load _helpers --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ --set 'server.ingress.extraPaths[0].path=/annotation-service' \ - --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + --set 'server.ingress.extraPaths[0].backend.service.name=ssl-redirect' \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = 'ssl-redirect' ] local actual=$(helm template \ @@ -77,7 +77,7 @@ load _helpers --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ --set 'server.ingress.extraPaths[0].path=/annotation-service' \ - --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + --set 'server.ingress.extraPaths[0].backend.service.name=ssl-redirect' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].path' | tee /dev/stderr) [ "${actual}" = '/annotation-service' ] 
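Review bot: The `networking.k8s.io/v1` branch emits `service.name`/`port.number`, but the path entry above it still carries no `pathType`, which the v1 Ingress API requires for every `paths[]` item, so 1.19+ apiservers reject the rendered object. Add `pathType: Prefix` (or a configurable value) under `- path: {{ . }}` inside the same `semverCompare` guard; the `range` over paths begins outside the hunk, so check the enclosing structure when placing it. `extraPaths` appear to be rendered separately (not visible here) and will need `pathType` from the user's values under v1 as well, which the `values.yaml` example should mention.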
@@ -88,7 +88,7 @@ load _helpers --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ --set 'server.ingress.extraPaths[0].path=/annotation-service' \ - --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + --set 'server.ingress.extraPaths[0].backend.service.name=ssl-redirect' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[1].path' | tee /dev/stderr) [ "${actual}" = '/' ] @@ -141,7 +141,7 @@ load _helpers --set 'server.ha.enabled=true' \ --set 'server.service.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault-active" ] } @@ -156,7 +156,7 @@ load _helpers --set 'server.ha.enabled=true' \ --set 'server.service.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } @@ -170,6 +170,21 @@ load _helpers --set 'server.ha.enabled=false' \ --set 'server.service.enabled=true' \ . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault" ] +} + +@test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.dev.enabled=false' \ + --set 'server.ha.enabled=false' \ + --set 'server.service.enabled=true' \ + --kube-version 1.18.3 \ + . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } 
@@ -185,6 +200,6 @@ load _helpers --set 'server.ha.enabled=false' \ --set 'server.service.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } diff --git a/values.yaml b/values.yaml index 5d894fafa..32c59c438 100644 --- a/values.yaml +++ b/values.yaml @@ -281,8 +281,10 @@ server: extraPaths: [] # - path: /* # backend: - # serviceName: ssl-redirect - # servicePort: use-annotation + # service: + # name: ssl-redirect + # port: + # number: use-annotation tls: [] # - secretName: chart-example-tls # hosts: From ffd50861575c1ec130a38b5030e1b2c43baef639 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 11 Oct 2021 02:28:37 -0700 Subject: [PATCH 091/115] changelog++ (#623) --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5208330a4..076aff0f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Improvements: +* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) + ## 0.16.1 (September 29th, 2021) CHANGES: From 96b8c98b3b7c6db1a7eb59acc85650fc6322cc3e Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 11 Oct 2021 14:12:55 -0700 Subject: [PATCH 092/115] Updating acceptance tests (#624) GKE's stable K8s version is now 1.19. Also adding VAULT_LICENSE_CI to the `make test-acceptance` target to make it easier to run the acceptance tests manually, and mentioned it in the test README. --- Makefile | 1 + test/README.md | 2 ++ test/terraform/main.tf | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index e4e9df1ed..0ac685013 100644 --- a/Makefile +++ b/Makefile 
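Review bot: The `extraPaths` example now shows only the `networking.k8s.io/v1` backend shape, but the template still renders `networking.k8s.io/v1beta1` or `extensions/v1beta1` on clusters below 1.19, where a `service:`/`port:` backend is invalid, and under v1 each entry additionally needs a `pathType`. Since `extraPaths` is presumably passed through as-is (its rendering is outside the hunk), a comment stating that entries must match the API version chosen for the cluster, keeping the old `serviceName`/`servicePort` form as a second example and adding `pathType: ImplementationSpecific` to the v1 one, would save users on either side a failed install.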
@@ -40,6 +40,7 @@ else -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ -e KUBECONFIG=/helm-test/.kube/config \ + -e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \ -w /helm-test \ $(TEST_IMAGE) \ make acceptance diff --git a/test/README.md b/test/README.md index fdd586fc9..951a0616e 100644 --- a/test/README.md +++ b/test/README.md @@ -4,6 +4,8 @@ The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster. +Note that for the Vault Enterprise tests to pass, a `VAULT_LICENSE_CI` environment variable needs to be set to the contents of a valid Vault Enterprise license. + ### Running in a GKE cluster * Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project. diff --git a/test/terraform/main.tf b/test/terraform/main.tf index c56f409b9..5c3570f27 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -8,7 +8,7 @@ resource "random_id" "suffix" { data "google_container_engine_versions" "main" { location = "${var.zone}" - version_prefix = "1.18." + version_prefix = "1.19." } data "google_service_account" "gcpapi" { From d96a4287faa7f490cbba012c7ef5bedabef4e121 Mon Sep 17 00:00:00 2001 
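Review bot: `-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI}` expands the license into the `docker run` command line, so unless this recipe line is silenced with `@` (the start of the recipe is outside the hunk) make echoes the license into the CI log, and it is visible in the host's process list for the lifetime of the command. Docker forwards a variable from the caller's environment when the value is omitted, so `-e VAULT_LICENSE_CI \` passes the same secret without placing it on the command line.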
From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Mon, 18 Oct 2021 09:45:52 -0400 Subject: [PATCH 093/115] Feat: add externalTrafficPolicy support (#626) - externalTrafficPolicy can be set for both the ui and server services. It is only supported for NodePort or LoadBalancer service types. --- templates/_helpers.tpl | 35 +++++++++++++++++ templates/server-ha-active-service.yaml | 1 + templates/server-ha-standby-service.yaml | 3 +- templates/server-service.yaml | 1 + templates/ui-service.yaml | 12 +----- test/unit/server-ha-active-service.bats | 40 +++++++++++++++++++ test/unit/server-ha-standby-service.bats | 40 +++++++++++++++++++ test/unit/server-service.bats | 40 +++++++++++++++++++ test/unit/ui-service.bats | 50 ++++++++++++++++++++++++ values.yaml | 14 ++++++- 10 files changed, 224 insertions(+), 12 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 3e936f77e..731119a91 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -655,3 +655,38 @@ imagePullSecrets: {{- end -}} {{- end -}} {{- end -}} + +{{/* +externalTrafficPolicy sets a Service's externalTrafficPolicy if applicable. +Supported inputs are Values.server.service and Values.ui +*/}} +{{- define "service.externalTrafficPolicy" -}} +{{- $type := "" -}} +{{- if .serviceType -}} +{{- $type = .serviceType -}} +{{- else if .type -}} +{{- $type = .type -}} +{{- end -}} +{{- if and .externalTrafficPolicy (or (eq $type "LoadBalancer") (eq $type "NodePort")) }} + externalTrafficPolicy: {{ .externalTrafficPolicy }} +{{- else }} +{{- end }} +{{- end -}} + +{{/* +loadBalancer configuration for the the UI service. +Supported inputs are Values.ui +*/}} +{{- define "service.loadBalancer" -}} +{{- if eq (.serviceType | toString) "LoadBalancer" }} +{{- if .loadBalancerIP }} + loadBalancerIP: {{ .loadBalancerIP }} +{{- end }} +{{- with .loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{- range . }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end }} +{{- end -}} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 74fca41d7..c2a4f0227 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -21,6 +21,7 @@ spec: {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} publishNotReadyAddresses: true ports: - name: {{ include "vault.scheme" . }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 9213b7452..fef92a1b2 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
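Review bot: `service.externalTrafficPolicy` ends with an empty `{{- else }}` branch that renders nothing and only obscures the control flow; drop it so the helper is a plain `{{- if ... }} externalTrafficPolicy: {{ .externalTrafficPolicy }} {{- end }}`. The helper also accepts any string, so an invalid value surfaces only as an API server rejection at install time; a `{{ fail }}` on anything other than `Cluster` or `Local` would report it at template time instead. The `service.loadBalancer` header comment reads `for the the UI service`.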
@@ -21,6 +21,7 @@ spec: {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} publishNotReadyAddresses: true ports: - name: {{ include "vault.scheme" . }} @@ -38,4 +39,4 @@ spec: component: server vault-active: "false" {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 6f82e3862..00996aa25 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -21,6 +21,7 @@ spec: {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. publishNotReadyAddresses: true diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index 9e90af4bb..ea27de282 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -30,16 +30,8 @@ spec: nodePort: {{ .Values.ui.serviceNodePort }} {{- end }} type: {{ .Values.ui.serviceType }} - {{- if and (eq (.Values.ui.serviceType | toString) "LoadBalancer") (.Values.ui.loadBalancerSourceRanges) }} - loadBalancerSourceRanges: - {{- range $cidr := .Values.ui.loadBalancerSourceRanges }} - - {{ $cidr }} - {{- end }} - {{- end }} - {{- if and (eq (.Values.ui.serviceType | toString) "LoadBalancer") (.Values.ui.loadBalancerIP) }} - loadBalancerIP: {{ .Values.ui.loadBalancerIP }} - {{- end }} + {{- include "service.externalTrafficPolicy" .Values.ui }} + {{- include "service.loadBalancer" .Values.ui }} {{- end -}} - {{- end }} {{- end }} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index be3060d64..a835c9d9c 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
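Review bot: Besides swapping the inline blocks for the helpers, the `ui-service.yaml` hunk removes one indented `{{- end }}` at the bottom of the template, which changes the if/end balance of the whole file; the opening conditionals are outside the hunk, so this is only correct if that `end` was previously unmatched or its `if` is removed elsewhere. Helm fails to parse an unbalanced template, so a render with `ui.enabled=true` and `ui.serviceType=LoadBalancer` should be confirmed, and a comment on each remaining `{{- end }}` naming the condition it closes would make future edits less error-prone.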
@@ -157,3 +157,43 @@ load _helpers yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) [ "${actual}" = "https" ] } + +# duplicated in server-service.bats +@test "server/ha-active-Service: NodePort assert externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Foo" ] +} + +# duplicated in server-service.bats +@test "server/ha-active-Service: NodePort assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +# duplicated in server-service.bats +@test "server/ha-active-Service: ClusterIP assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=ClusterIP' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index e164cde1c..7dfd5d7fd 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats 
@@ -168,3 +168,43 @@ load _helpers yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) [ "${actual}" = "https" ] } + +# duplicated in server-service.bats +@test "server/ha-standby-Service: NodePort assert externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Foo" ] +} + +# duplicated in server-service.bats +@test "server/ha-standby-Service: NodePort assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +# duplicated in server-service.bats +@test "server/ha-standby-Service: ClusterIP assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=ClusterIP' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 7922f0ff3..4695f2fff 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -384,3 +384,43 @@ load _helpers yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) [ "${actual}" = "https" ] } + +# duplicated in server-ha-active-service.bats +@test "server/Service: NodePort assert externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Foo" ] +} + +# duplicated in server-ha-active-service.bats +@test "server/ha-active-Service: NodePort assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +# duplicated in server-ha-active-service.bats +@test "server/Service: ClusterIP assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=ClusterIP' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 9dade3db3..0603303cd 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats 
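Review bot: The second test added to server-service.bats is named `server/ha-active-Service: NodePort assert no externalTrafficPolicy` although it renders `templates/server-service.yaml`; the name was carried over from the ha-active file and should read `server/Service: NodePort assert no externalTrafficPolicy`, matching its two siblings. As the comments say, the same three tests are duplicated across server-service.bats, server-ha-active-service.bats and server-ha-standby-service.bats; a single helper parameterised by template path would keep the names and assertions from drifting like this.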
@@ -135,6 +135,16 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.type' | tee /dev/stderr) [ "${actual}" = "LoadBalancer" ] + + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'ui.serviceType=LoadBalancer' \ + --set 'ui.externalTrafficPolicy=Local' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Local" ] } @test "ui/Service: LoadBalancerIP set if specified and serviceType == LoadBalancer" { @@ -183,6 +193,19 @@ load _helpers [ "${actual}" = "null" ] } +@test "ui/Service: ClusterIP assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'ui.serviceType=ClusterIP' \ + --set 'ui.externalTrafficPolicy=Foo' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + @test "ui/Service: specify annotations" { cd `chart_dir` local actual=$(helm template \ 
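Review bot: The assertion appended to the existing serviceType test (its `@test` line is above the hunk) duplicates the dedicated `ui/Service: LoadBalancer assert externalTrafficPolicy` test added at the end of this file in the same commit; keeping both means one regression fails two differently named tests. Drop the appended `local actual=…` block, or keep it and drop the later test, so each behaviour has exactly one named check.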
@@ -323,3 +346,30 @@ load _helpers yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) [ "${actual}" = "123" ] } + +@test "ui/Service: LoadBalancer assert externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'server.standalone.enabled=true' \ + --set 'ui.serviceType=LoadBalancer' \ + --set 'ui.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Foo" ] +} + +@test "ui/Service: LoadBalancer assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'server.standalone.enabled=true' \ + --set 'ui.serviceType=LoadBalancer' \ + --set 'ui.externalTrafficPolicy=' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] + +} diff --git a/values.yaml b/values.yaml index 32c59c438..48b413acf 100644 --- a/values.yaml +++ b/values.yaml @@ -483,6 +483,12 @@ server: # or NodePort. #type: ClusterIP + # The externalTrafficPolicy can be set to either Cluster or Local + # and is only valid for LoadBalancer and NodePort service types. + # The default value is Cluster. + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy + externalTrafficPolicy: Cluster + # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. #nodePort: 30000 
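Review bot: The new `externalTrafficPolicy` comment says `Cluster` is the default but not what the choice means for Vault: with `Cluster`, traffic may be forwarded to another node and source-NATed, so the remote address Vault records in its audit entries is a node IP; `Local` preserves the client source IP at the cost of only routing to nodes that run a Vault pod. Suggest adding `# Local preserves the client source IP (visible in Vault audit logs); Cluster may SNAT it.` under the existing `ref:` line. The same comment block is repeated for the `ui` service in the next hunk, where the same addition applies.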
@@ -704,7 +710,13 @@ ui: externalPort: 8200 targetPort: 8200 - # loadBalancerSourceRanges: + # The externalTrafficPolicy can be set to either Cluster or Local + # and is only valid for LoadBalancer and NodePort service types. + # The default value is Cluster. + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy + externalTrafficPolicy: Cluster + + #loadBalancerSourceRanges: # - 10.0.0.0/16 # - 1.78.23.3/32 From 6914c4d877c310894bc18a9825c28fd0e6dafe7d Mon Sep 17 00:00:00 2001 From: Toni Tauro Date: Tue, 19 Oct 2021 21:06:07 +0200 Subject: [PATCH 094/115] fix(csi-ds): mountpoint-dir same mountpath in pod (#628) * fix(csi-ds): mountpoint-dir same mountpath in pod Signed-off-by: Toni Tauro * Update Chart.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- templates/csi-daemonset.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 0ab521151..a6461fbd2 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -44,7 +44,7 @@ spec: - name: providervol mountPath: "/provider" - name: mountpoint-dir - mountPath: /var/lib/kubelet/pods + mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods mountPropagation: HostToContainer {{- if .Values.csi.volumeMounts }} {{- toYaml .Values.csi.volumeMounts | nindent 12}} From 4aa01e898652e939b2673a2de46046bfb6421727 Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Thu, 21 Oct 2021 12:14:31 -0400 Subject: [PATCH 095/115] Update changelog for #626 and #628 (#631) --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 076aff0f9..056be87aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
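Review bot: `{{ .Values.csi.daemonSet.kubeletRootDir }}/pods` is spliced in unnormalized, so a value supplied with a trailing slash renders as `…//pods`; since the commit's purpose is to keep this mountPath identical to the hostPath volume built from the same value (that definition is outside the hunk), both should normalize the same way, e.g. `mountPath: {{ .Values.csi.daemonSet.kubeletRootDir | trimSuffix "/" }}/pods`. This mount exposes the host's pod directories to the container with `mountPropagation: HostToContainer`, which the change does not alter, but it is why the two paths must agree exactly: a mismatch silently gives the driver a different view of the kubelet tree than the host has.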
@@ -2,6 +2,10 @@ Improvements: * Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) +* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626) + +Bugs: +* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628) ## 0.16.1 (September 29th, 2021) From 3b1bb783be1a4a9942355b3e337f41970becae64 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 21 Oct 2021 09:23:45 -0700 Subject: [PATCH 096/115] Add server.ingress.ingressClassName (#630) Co-authored-by: Joel Cressy --- CHANGELOG.md | 1 + templates/server-ingress.yaml | 3 +++ test/unit/server-ingress.bats | 23 +++++++++++++++++++++++ values.schema.json | 3 +++ values.yaml | 4 ++++ 5 files changed, 34 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 056be87aa..9b461dcf9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Improvements: * Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) * Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626) +* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630) Bugs: * Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index cc4f66dac..b814a6afe 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml 
@@ -39,6 +39,9 @@ spec: {{- end }} secretName: {{ .secretName }} {{- end }} +{{- end }} +{{- if .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} {{- end }} rules: {{- range .Values.server.ingress.hosts }} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 46794a429..56a3f9241 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -131,6 +131,29 @@ load _helpers [ "${actual}" = "nginx" ] } +@test "server/ingress: ingressClassName added to object spec - string" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set server.ingress.ingressClassName=nginx \ + . | tee /dev/stderr | + yq -r '.spec.ingressClassName' | tee /dev/stderr) + [ "${actual}" = "nginx" ] +} + +@test "server/ingress: ingressClassName is not added by default" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ingressClassName' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + @test "server/ingress: uses active service when ha by default - yaml" { cd `chart_dir` diff --git a/values.schema.json b/values.schema.json index 4c0a00498..4ddbedfaf 100644 --- a/values.schema.json +++ b/values.schema.json @@ -608,6 +608,9 @@ } } }, + "ingressClassName": { + "type": "string" + }, "labels": { "type": "object" }, diff --git a/values.yaml b/values.yaml index 48b413acf..735f15370 100644 --- a/values.yaml +++ b/values.yaml 
@@ -271,6 +271,10 @@ server: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" + # Optionally use ingressClassName instead of deprecated annotation. + # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation + ingressClassName: "" + # When HA mode is enabled and K8s service registration is being used, # configure the ingress to point to the Vault active service. activeService: true From 91ac2eedbcc384c7b3ffa7710fa0058a63cc1a41 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 21 Oct 2021 12:12:45 -0700 Subject: [PATCH 097/115] vault-helm 0.17.0 release (#632) --- CHANGELOG.md | 6 ++++++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 6 +++--- 6 files changed, 18 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b461dcf9..63adb75f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ ## Unreleased +## 0.17.0 (October 21st, 2021) + +CHANGES: +* Vault image default 1.8.4 +* Vault K8s image default 0.14.0 + Improvements: * Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) * Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626) diff --git a/Chart.yaml b/Chart.yaml index 80c87c85a..094ab89eb 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.16.1 -appVersion: 1.8.3 +version: 0.17.0 +appVersion: 1.8.4 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index f50f87f72..c9a5d1993 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.3_ent' \ + --set='server.image.tag=1.8.4_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.3_ent' \ + --set='server.image.tag=1.8.4_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index abb7bea1f..b42bb50d0 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.3_ent' \ + --set='server.image.tag=1.8.4_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.3_ent' \ + --set='server.image.tag=1.8.4_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index 4739231d1..4db41c2e2 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.13.1-ubi" + tag: "0.14.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.3-ubi" + tag: "1.8.4-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.3-ubi" + tag: "1.8.4-ubi" diff --git a/values.yaml b/values.yaml index 735f15370..6abc909f5 100644 --- a/values.yaml +++ b/values.yaml @@ -59,7 +59,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.13.1" + tag: "0.14.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -67,7 +67,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.8.3" + tag: "1.8.4" # The default values for the injected Vault Agent containers. agentDefaults: @@ -230,7 +230,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.8.3" + tag: "1.8.4" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From dc08ab6324a879ea2670f4b7ff47ec4dbee6b84c Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Fri, 22 Oct 2021 18:00:29 -0700 Subject: [PATCH 098/115] note a regression in 0.17.0 (#635) --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 63adb75f4..56ea96e43 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## 0.17.0 (October 21st, 2021) +KNOWN ISSUES: +* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set + CHANGES: * Vault image default 1.8.4 * Vault K8s image default 0.14.0 From c09c50f9d6ed7fed6a2fb8b8508a8b7fbc88b687 Mon Sep 17 00:00:00 2001 
From: Tim Collins <45351296+tico24@users.noreply.github.com> Date: Mon, 25 Oct 2021 16:30:06 +0100 Subject: [PATCH 099/115] Add option for Ingress pathType (#634) --- templates/server-ingress.yaml | 4 ++++ test/unit/server-ingress.bats | 39 +++++++++++++++++++++++++++++++++++ values.yaml | 4 ++++ 3 files changed, 47 insertions(+) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index b814a6afe..48c76a828 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -8,6 +8,7 @@ {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} +{{- $pathType := .Values.server.ingress.pathType -}} {{- $kubeVersion := .Capabilities.KubeVersion.Version }} {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} apiVersion: networking.k8s.io/v1 @@ -53,6 +54,9 @@ spec: {{- end }} {{- range (.paths | default (list "/")) }} - path: {{ . }} + {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} + pathType: {{ $pathType }} + {{ end }} backend: {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} service: diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 56a3f9241..4132c16a7 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats 
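Review bot: `pathType: {{ $pathType }}` renders an empty value when `server.ingress.pathType` is set to `""`, which the 1.19+ API rejects rather than defaulting; `pathType: {{ $pathType | default "Prefix" }}` keeps the values.yaml default authoritative. Unlike #630 just above, which added `ingressClassName` to `values.schema.json`, this commit does not touch the schema (three files in the diffstat); if the schema restricts the `ingress` object, `--set server.ingress.pathType=…` will be rejected, and either way an `enum` of `Exact`/`Prefix`/`ImplementationSpecific` there would catch typos before `helm install`. The untrimmed `{{ if semverCompare … }}`/`{{ end }}` pair matches the existing `backend:` block, so the extra blank lines it emits are a pre-existing style choice rather than a new one.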
@@ -226,3 +226,42 @@ load _helpers yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } + +@test "server/ingress: pathType is added to Kubernetes version == 1.19.0" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set server.ingress.pathType=ImplementationSpecific \ + --kube-version 1.19.0 \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) + [ "${actual}" = "ImplementationSpecific" ] +} + +@test "server/ingress: pathType is not added to Kubernetes versions < 1.19" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set server.ingress.pathType=ImplementationSpecific \ + --kube-version 1.18.3 \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ingress: pathType is added to Kubernetes versions > 1.19" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set server.ingress.pathType=Prefix \ + --kube-version 1.20.0 \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) + [ "${actual}" = "Prefix" ] +} diff --git a/values.yaml b/values.yaml index 6abc909f5..44869da78 100644 --- a/values.yaml +++ b/values.yaml 
@@ -275,6 +275,10 @@ server: # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation ingressClassName: "" + # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases. + # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values. + pathType: Prefix + # When HA mode is enabled and K8s service registration is being used, # configure the ingress to point to the Vault active service. activeService: true From a186036e7daf9f69b364c2ef11847d36906d5d16 Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Mon, 25 Oct 2021 13:58:15 -0700 Subject: [PATCH 100/115] changelog++ (#636) --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56ea96e43..a20c68bd4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ ## Unreleased +## 0.17.1 (October 25th, 2021) + +Improvements: + * Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634) + ## 0.17.0 (October 21st, 2021) KNOWN ISSUES: From 4db9e831ad735826fe3bd799fad8f8d2149c3836 Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Mon, 25 Oct 2021 15:31:07 -0700 Subject: [PATCH 101/115] v0.17.1 (#637) --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 094ab89eb..7a4e86f59 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: vault -version: 0.17.0 +version: 0.17.1 appVersion: 1.8.4 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart From 8582cb359c32918fcb9a4b6b479132d056db4904 Mon Sep 17 00:00:00 2001 From: Julian Setiawan Date: Thu, 2 Apr 2020 08:33:52 -0400 Subject: [PATCH 102/115] Explain this fork in the README --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index f95b26fc3..3b063ecd4 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,8 @@ +# MaaS Vault + +This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. +This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. + # Vault Helm Chart > :warning: **Please note**: We take Vault's security and our users' trust very seriously. If From 9ad36a1c69121d3160953618558f2c6de6c7b5ed Mon Sep 17 00:00:00 2001 From: marcboudreau Date: Thu, 9 Apr 2020 20:04:23 -0400 Subject: [PATCH 103/115] Adding support for LoadBalancerIP field in ServiceSpec --- README.md | 19 ++++++++++++++----- templates/server-service.yaml | 3 +++ values.yaml | 8 ++++++-- 3 files changed, 23 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 3b063ecd4..603b405d4 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. +This repository is used as a submodule in other repositories that install and setup Vault. # Vault Helm Chart 
@@ -43,7 +43,16 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm install vault hashicorp/vault ``` -Please see the many options supported in the `values.yaml` file. These are also -fully documented directly on the [Vault -website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more -detailed installation instructions. +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + +## Customizations + +This Helm chart has been customized in the following ways: + +### Support LoadBalancerIP Field + +The Service spec in the **server-service.yaml** file now allows setting a +specific IP address when the Service type is set to `LoadBalancer` and a +**maas.lbAddress** value has been provided. diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 00996aa25..2e44ddf06 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -22,6 +22,9 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} + {{- if and (.Values.maas.lbAddress) (eq (.Values.server.service.type | toString) "LoadBalancer") }} + loadBalancerIP: {{ .Values.maas.lbAddress }} + {{- end }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. publishNotReadyAddresses: true diff --git a/values.yaml b/values.yaml index 44869da78..3e66511e9 100644 --- a/values.yaml +++ b/values.yaml @@ -487,8 +487,8 @@ server: # load balancer. # clusterIP: None - # Configures the service type for the main Vault service. Can be ClusterIP - # or NodePort. + # Configures the service type for the main Vault service. Can be ClusterIP, + # NodePort, or LoadBalancer. #type: ClusterIP # The externalTrafficPolicy can be set to either Cluster or Local 
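Review bot: The template reads `.Values.maas.lbAddress`, but the values.yaml hunk in the same commit documents the feature as a commented-out `server.service.loadBalancerIP` and adds no `maas` key; unless `.Values.maas` is defined elsewhere in values.yaml, `.Values.maas.lbAddress` fails every render with Helm's nil-pointer error, not just installs that use a `LoadBalancer` service. Suggest using the documented key and the `service.loadBalancer` helper this fork already carries, `{{- include "service.loadBalancer" .Values.server.service }}`, which emits `loadBalancerIP` only for `LoadBalancer` — note that helper keys off `.serviceType`, so it needs the `.type` fallback that `service.externalTrafficPolicy` has before it works for `server.service`. If `maas.lbAddress` is intentional, guard it with `(hasKey .Values "maas")` or declare `maas: {}` in values.yaml, and make the README and values.yaml name the same key.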
@@ -501,6 +501,10 @@ server: # will be random if left blank. #nodePort: 30000 + # If type is set to "LoadBalancer", a specific IP address can be attached + # to the load balancer, will be random if left blank. + #loadBalancerIP: + # Port on which Vault server is listening port: 8200 # Target port to which the service should be mapped to From 6ee557e9bee8600432cada8f68e277ab52112582 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 104/115] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 6 ++++++ templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ values.yaml | 2 ++ 3 files changed, 28 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 731119a91..597f8496b 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -90,6 +90,11 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} + {{- if .Values.server.logrotate }} + - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + configMap: + name: {{ template "vault.fullname" . }}-logrotate-config + {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} {{ .type }}: @@ -216,6 +221,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml 
@@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 3e66511e9..66a3f88e3 100644 --- a/values.yaml +++ b/values.yaml @@ -705,6 +705,8 @@ server: # YAML-formatted multi-line templated string map of the annotations to apply # to the statefulSet. annotations: {} + # A boolean flag to setup logrotate as a side car continer + logrotate: null # Vault UI ui: From d5313bf2c1fe81112d5f01574cdca6c675fecc8b Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 105/115] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/_helpers.tpl | 9 ++++++--- templates/datadog-audit-configmap.yaml | 10 ++++++++++ templates/logrotate-config-configmap.yaml | 20 -------------------- templates/logrotate-configmap.yaml | 10 ++++++++++ 4 files changed, 26 insertions(+), 23 deletions(-) create mode 100644 templates/datadog-audit-configmap.yaml delete mode 100644 templates/logrotate-config-configmap.yaml create mode 100644 templates/logrotate-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 597f8496b..5b523c9db 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
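Review bot: `copytruncate` combined with a `postrotate` SIGHUP is the wrong pairing for a Vault file audit device: Vault reopens `/vault/audit/audit.log` on SIGHUP, so plain rename-style rotation is sufficient, and `copytruncate` adds a window in which audit entries written between the copy and the truncate are lost — completeness of that log is the property this file exists to protect. `rotate 1` with `size 5M` keeps a single 5 MB generation, which is very short retention for an audit trail unless the log is shipped elsewhere before rotation; if it is, a comment saying so belongs here. `pkill -HUP -f "vault server"` from a sidecar only reaches the Vault process with `shareProcessNamespace: true` and a matching UID (or `CAP_KILL`), neither of which appears in this commit's files, and the `-f` pattern matches any command line containing `vault server`. The status line is written into the audit directory itself (`/vault/audit/last-rotate-status`); a path outside the audit tree keeps that directory to audit data only.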
@@ -90,10 +90,13 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} - {{- if .Values.server.logrotate }} - - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + {{- if .Values.server.logrotate.enabled }} + - name: {{ template "vault.fullname" . }}-logrotate-config configMap: - name: {{ template "vault.fullname" . }}-logrotate-config + name: {{ template "vault.fullname" . }}-logrotate-configmap + - name: {{ template "vault.fullname" . }}-datadog-config + configMap: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} diff --git a/templates/datadog-audit-configmap.yaml b/templates/datadog-audit-configmap.yaml new file mode 100644 index 000000000..5190d7fb7 --- /dev/null +++ b/templates/datadog-audit-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap + namespace: {{ .Release.Namespace }} +data: + conf.yaml: |- +{{ .Values.server.logrotate.datadogsidecar.config | indent 6 }} +{{ end }} diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file 
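Review bot: The condition becomes `.Values.server.logrotate.enabled`, but this commit does not touch values.yaml (see the diffstat), where the previous patch left `logrotate: null`; with that default Helm fails to render with a nil-pointer error while evaluating `.enabled`, so the chart no longer installs with default values. The new ConfigMaps on this line and on L212 likewise read `.Values.server.logrotate.datadogsidecar.config` and `.Values.server.logrotate.config.logRotateConf` without any default being added. A values block of `logrotate:` / `  enabled: false` plus empty `config` and `datadogsidecar` maps, or a guard of `{{- if and .Values.server.logrotate .Values.server.logrotate.enabled }}`, fixes both. The Datadog volume is also gated on the logrotate flag alone, so it is mounted whenever rotation is on even if no Datadog config was supplied. If the Datadog sidecar config ever carries an API key or token, a ConfigMap is the wrong home for it and a Secret should be used instead.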
diff --git a/templates/logrotate-configmap.yaml b/templates/logrotate-configmap.yaml new file mode 100644 index 000000000..0e90cd293 --- /dev/null +++ b/templates/logrotate-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-configmap + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: |- +{{ .Values.server.logrotate.config.logRotateConf | indent 6 }} +{{ end }} From 7f03e7c0d64c85bff5d557d5f74882d56924aaf5 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 106/115] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - values.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 5b523c9db..e5ea9264d 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -224,7 +224,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* diff --git a/values.yaml b/values.yaml index 66a3f88e3..50fe6a37f 100644 --- a/values.yaml +++ b/values.yaml @@ -254,7 +254,6 @@ server: # limits: # memory: 256Mi # cpu: 250m - # Ingress allows ingress services to be created to allow external access # from Kubernetes to access Vault pods. # If deployment is on OpenShift, the following block is ignored. From 0e796d4cc388a214c9827892af55187fe78fb629 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 21 Feb 2020 14:50:42 -0500 Subject: [PATCH 107/115] Update to 0.4.0 --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 7a4e86f59..86a5beb6f 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -3,7 +3,7 @@ name: vault version: 0.17.1 appVersion: 1.8.4 kubeVersion: ">= 1.14.0-0" -description: Official HashiCorp Vault Chart +description: Install and configure Vault on Kubernetes. home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"] From a99988dc20e81edeee4302aeea838dd039c08d42 Mon Sep 17 00:00:00 2001 From: Julian Setiawan Date: Thu, 2 Apr 2020 08:33:52 -0400 Subject: [PATCH 108/115] Explain this fork in the README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 603b405d4..db4b88b15 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. +This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. # Vault Helm Chart From d7767ac3b6953b9f826efd3d9dcd93b660c73e4f Mon Sep 17 00:00:00 2001 From: marcboudreau Date: Thu, 9 Apr 2020 20:04:23 -0400 Subject: [PATCH 109/115] Adding support for LoadBalancerIP field in ServiceSpec --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index db4b88b15..603b405d4 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. +This repository is used as a submodule in other repositories that install and setup Vault. # Vault Helm Chart From f8fc3b413db12566212ca4de62db2f0f41df2a8e Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 110/115] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 1 + templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ values.yaml | 2 ++ 3 files changed, 23 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index e5ea9264d..5b523c9db 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -224,6 +224,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 50fe6a37f..845761a30 100644 --- a/values.yaml +++ b/values.yaml 
@@ -697,6 +697,8 @@ server: # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. annotations: {} + # A boolean flag to setup logrotate as a side car continer + logrotate: null # Settings for the statefulSet used to run Vault. statefulSet: From 8e98540db8d5fbd5e75066a18b0caacadc732e22 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 111/115] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/logrotate-config-configmap.yaml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file From 3562df65937dc705ff577d0366b331a92189b6b6 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 112/115] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 5b523c9db..e5ea9264d 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -224,7 +224,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* From d92becff3551dcdbe615aaa1bc3087035d92438b Mon Sep 17 00:00:00 2001 
From: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Date: Wed, 1 Jun 2022 11:54:46 -0400 Subject: [PATCH 113/115] feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default 
overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. 
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham --- README.md | 1 + templates/injector-deployment.yaml | 7 +++++++ templates/server-ha-standby-service.yaml | 2 +- test/unit/injector-deployment.bats | 2 +- 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 603b405d4..03afc2b3a 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,7 @@ Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the [Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + ## Customizations This Helm chart has been customized in the following ways: diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index f4a796bf0..c705f2a98 100644 --- a/templates/injector-deployment.yaml 
+++ b/templates/injector-deployment.yaml @@ -138,6 +138,13 @@ spec: successThreshold: 1 timeoutSeconds: 5 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }} +{{- if .Values.injector.certs.secretName }} + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true +{{- end }} + {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - name: leader-elector image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} args: diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index fef92a1b2..dbba9d653 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -39,4 +39,4 @@ spec: component: server vault-active: "false" {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 0f475dfca..9a634c301 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -695,4 +695,4 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr) [ "${value}" = "false" ] -} \ No newline at end of file +} From fa13d7d0cb97a4133eedccae36f067cb13292604 Mon Sep 17 00:00:00 2001 From: adhish2001 Date: Thu, 14 Jul 2022 10:58:01 -0400 Subject: [PATCH 114/115] fix: deploy_local.sh error with file --- templates/injector-deployment.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index c705f2a98..e1b6d7b57 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
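Review bot: In the injector-deployment.yaml hunk the added `{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}` opens a new conditional inside the existing leader-elector `if` with no matching `{{- end }}` — the diffstat shows 7 insertions and 0 deletions — so unless an unmatched `end` already exists further down, the template fails to parse; the inner condition is also a strict subset of the outer one and adds nothing. The `webhook-certs` volumeMounts block is likewise emitted under the leader-elector condition, so the certificate mount would only appear when a leader-elector container is configured, which does not look intended given that the squashed message above says the mount was moved to the injector container. PATCH 115 (L221) deletes exactly these seven lines again, so the rest of the series confirms the block should not land as is. The containers list this hunk edits starts and ends outside the hunk.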
@@ -185,5 +185,8 @@ spec: secret: secretName: "{{ .Values.injector.certs.secretName }}" {{- end }} - {{- include "imagePullSecrets" . | nindent 6 }} + {{- if .Values.global.imagePullSecrets }} {{- include "imagePullSecrets" . | nindent 6 }} + imagePullSecrets: + {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} + {{- end } {{ end }} From e4b72082f188cd3cfaf025b9b4441c5cd1a1b9ef Mon Sep 17 00:00:00 2001 From: adhish2001 Date: Thu, 14 Jul 2022 12:39:30 -0400 Subject: [PATCH 115/115] minor changes --- templates/injector-deployment.yaml | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index e1b6d7b57..0d3c89158 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -138,13 +138,6 @@ spec: successThreshold: 1 timeoutSeconds: 5 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }} -{{- if .Values.injector.certs.secretName }} - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true -{{- end }} - {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - name: leader-elector image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} args: @@ -185,8 +178,5 @@ spec: secret: secretName: "{{ .Values.injector.certs.secretName }}" {{- end }} - {{- if .Values.global.imagePullSecrets }} {{- include "imagePullSecrets" . | nindent 6 }} - imagePullSecrets: - {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} - {{- end } -{{ end }} + {{- include "imagePullSecrets" . | nindent 6 }} +{{ end }} \ No newline at end of file
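Review bot: `{{- end }` in the PATCH 114 hunk is missing its closing brace, so the template no longer parses; the `if` and the `include` are also squeezed onto one line, and the added `imagePullSecrets:` block renders `.Values.global.imagePullSecrets` next to the `imagePullSecrets` include, which — if that helper already emits the same key from the same value — yields a duplicate `imagePullSecrets` key in the pod spec. PATCH 115 on this same line reverts the block to the single include, which is the right outcome, but leaves the file without a trailing newline. If a guard is wanted, `{{- if .Values.global.imagePullSecrets }}` on its own line around the include, closed with `{{- end }}`, is enough.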