Skip to content

Commit

Permalink
feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16)
Browse files Browse the repository at this point in the history
* add staticSecretRenderInterval to injector (hashicorp#621)

* make staticSecretRenderInterval default to empty string

* update values schema to add staticSecretRenderInterval

* add test for default value

* adding changelog entry

Co-authored-by: Theron Voran <[email protected]>

* Update jira action (hashicorp#644)

* No longer check for Vault team membership
* Tweak jira states and search parameters

* remove support for the leader-elector container (hashicorp#649)

* vault-helm 0.18.0 release (hashicorp#650)

* Run CI tests in github workflows  (hashicorp#657)

Ports the bats unit, chart-verifier, and bats acceptance tests to use
github workflows and actions. The acceptance tests run using kind, and
run for multiple k8s versions, on pushes to the main branch.

Adds a SKIP_CSI env check in the CSI acceptance test, set in the
workflow if K8s version is less than 1.16.

Adds kubeAdmConfigPatches to the kind config to allow testing the CSI
provider on K8s versions prior to 1.21.

Updates the Secrets Store CSI driver to 1.0.0 in tests.

Makes the HA Vault tests more robust by waiting for all consul client
pods to be Ready, and waits with a timeout for Vault to start
responding as sealed (since the tests on GitHub runners were often
failing at that point).

Co-authored-by: Tom Proctor <[email protected]>

* Configurable PodDisruptionBudget for Injector (hashicorp#653)

* Fix spelling error in server disruptionbudget test (hashicorp#654)

* Make terminationGracePeriodSeconds configurable (hashicorp#659)

Make terminationGracePeriodSeconds configurable for server pod

* injector: ability to set deployment update strategy (continued) (hashicorp#661)

Co-authored-by: Jason Hancock <[email protected]>

* csi: ability to set priorityClassName for csi daemonset pods (hashicorp#670)

* Fixed a small typo (hashicorp#672)

* Disable unit and acceptance tests in CircleCI (hashicorp#675)

* update CONTRIBUTING.md (hashicorp#677)

Link to the discuss forum instead of the old google group and irc
channel. Add info about the CLA.

* add namespace support for openshift route (hashicorp#679)

* Add volumes and env vars to helm hook test pod (hashicorp#673)

* Fix test typo

* Add basic server-test Pod tests

 - This covers all existing functionality that matches what's
   present in server-statefulset.bats

* Fix server-test helm hook Pod rendering

 - Properly adhere to the global.enabled flag and the presence of
   the injector.externalVaultAddr setting, the same way that
   the servers StatefulSet behaves

* Add volumes and env vars to helm hook test pod

 - Uses the same extraEnvironmentVars, volumes and volumeMounts set on
   the server statefulset to configure the Vault server test pod used by
   the helm test hook
 - This is necessary in situations where TLS is configured, but the
   certificates are not affiliated with the k8s CA / part of k8s PKI

 - Fixes hashicorpGH-665

* allow injection of TLS config for OpenShift routes (hashicorp#686)

* Add some tests on top of hashicorp#396

* convert server-route.yaml to unix newlines

* changelog

Co-authored-by: André Becker <[email protected]>
Co-authored-by: Theron Voran <[email protected]>

* Release 0.19.0 (hashicorp#687)

* Add extraLabels for CSI DaemonSet (hashicorp#690)

* Updated hashicorp/vault-csi-provider image to v1.0.0 (hashicorp#689)

* Fix unit test assertions (hashicorp#693)

* vault: bump image to 1.9.3 (hashicorp#695)


Signed-off-by: Lionel H <[email protected]>

* changelog++ (hashicorp#699)

* change helm trigger branch from master to main (hashicorp#700)

* Add namespace to injector-leader-elector role, rolebinding and secret (hashicorp#683)

* allow to configure publishNotReadyAddresses on server services (hashicorp#694)

* Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (hashicorp#692)

* Prepare default values for MutatingWebhookConfiguration hashicorp#691
* Add values.yaml values to injector-mutating-webhook.yaml hashicorp#691
* Duplicate and deprecate top-level webhook settings and put them in a webhook object
* Made the new values default with the fallback to the old values.yaml
* Fix _helpers.tpl to support both old and new webhook annotations
* Add new tests and deprecate old ones for injector webhook configuration
* Old tests now work with old values.yaml
* Add all new fields showing that they have priority over old ones
* Add deprecation note to injector.failurePolicy hashicorp#691

* VAULT-571 Matching documented behavior and consul (hashicorp#703)

VAULT-571 Matching documented behavior and consul

Consul's helm template defaults most of the enabled to the special value
`"-"`, which means to inherit from global. This is what is implied
should happen in Vault as well according to the documentation for the
helm chart:

> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.

(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)

We also simplified the chart logic using a few template helpers.

Co-authored-by: Theron Voran <[email protected]>

* Update k8s versions (hashicorp#706)

* tests: updating the four most recent k8s versions

* bump oldest version to 1.16

* docs, Chart.yaml, and changelog for 1.14 -> 1.16

* Fix values schema to support config in YAML (hashicorp#684)

* Support policy/v1 disruptionbudget beyond kube 1.21 (hashicorp#710)

Issue hashicorp#667, adding updates to the disruptionbudget to support new
non beta spec beyond kube 1.21

* Remove unncessary template calls (hashicorp#712)

- As part of VAULT-571 / hashicorp#703 in 7109159, a new vault.serverEnabled
   template was added (and included in vault.mode)

   Various templates were updated accordingly, but those that were
   already calling vault.mode had an additonal call to
   vault.serverEnabled made which was unnecessary

   Remove those

* Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (hashicorp#709)

* Issue hashicorp#629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it

* Issue-hashicorp#629 removing extra whitespace I added accidently.

* Issue-hashicorp#629 fixing extra whitespace added.

* Update values.yaml

Co-authored-by: Joaco Muleiro Beltran <[email protected]>

* Issue hashicorp#629 adding changelog

Co-authored-by: Joaco Muleiro Beltran <[email protected]>

* VAULT-5838 Update CSI provider to 1.1.0 (hashicorp#721)

* VAULT-5838 Update CSI provider to 1.1.0

* Update test/acceptance/csi.bats

Co-authored-by: Theron Voran <[email protected]>

Co-authored-by: Theron Voran <[email protected]>

* VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (hashicorp#722)

1.0.1+ seems to only support Kubernetes 1.19+, so we break support for
1.16 if we upgrade

* Implement support for Topology Spread Constraints (hashicorp#652)

* Implemented support for topology spread constraints

* Update values.yaml

Co-authored-by: Ben Ash <[email protected]>

* Update values.yaml

Co-authored-by: Ben Ash <[email protected]>

* Add topologySpreadConstraints to values schema

* Implement injector deployment topology spread UTs

* also remove string from the relevant schema types

* Implement injector statefulset topology spread UTs

* Implement injector HA statefulset topology UTs

* Allow topologySpreadConstraints to be a string

Co-authored-by: Ellis Tarn <[email protected]>
Co-authored-by: Ben Ash <[email protected]>
Co-authored-by: Christopher Swenson <[email protected]>

* Update the changelog with changes from 614 and 652 (hashicorp#723)

* Update the changelog with changes from 614 and 652

* Update CHANGELOG.md

Co-authored-by: Theron Voran <[email protected]>

Co-authored-by: Theron Voran <[email protected]>

* Prepare v0.20.0 release (hashicorp#727)

---------

Signed-off-by: Lionel H <[email protected]>
Co-authored-by: Kaito Ii <[email protected]>
Co-authored-by: Theron Voran <[email protected]>
Co-authored-by: Tom Proctor <[email protected]>
Co-authored-by: Eric Miller <[email protected]>
Co-authored-by: Takumi Sue <[email protected]>
Co-authored-by: Jason Hancock <[email protected]>
Co-authored-by: Vadim Grek <[email protected]>
Co-authored-by: nikstur <[email protected]>
Co-authored-by: Jacob Mammoliti <[email protected]>
Co-authored-by: Ethan J. Brown <[email protected]>
Co-authored-by: Michele Baldessari <[email protected]>
Co-authored-by: André Becker <[email protected]>
Co-authored-by: Michael Schuett <[email protected]>
Co-authored-by: Troy Fluegge <[email protected]>
Co-authored-by: lion24 <[email protected]>
Co-authored-by: Alvin Huang <[email protected]>
Co-authored-by: Christian <[email protected]>
Co-authored-by: Viacheslav Vasilyev <[email protected]>
Co-authored-by: Remco Buddelmeijer <[email protected]>
Co-authored-by: Christopher Swenson <[email protected]>
Co-authored-by: gw0 <[email protected]>
Co-authored-by: Stephen Herd <[email protected]>
Co-authored-by: Joaco Muleiro Beltran <[email protected]>
Co-authored-by: Ellis Tarn <[email protected]>
Co-authored-by: Ben Ash <[email protected]>
  • Loading branch information
1 parent 7f26aa5 commit c575574
Show file tree
Hide file tree
Showing 72 changed files with 1,046 additions and 196 deletions.
2 changes: 1 addition & 1 deletion .circleci/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ jobs:
-X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
-d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
"${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
- slack/status:
fail_only: true
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/acceptance.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
strategy:
fail-fast: false
matrix:
kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4]
kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
Expand Down
20 changes: 20 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,25 @@
## Unreleased

## 0.20.0 (May 16th, 2022)

CHANGES:
* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Vault default image to 1.10.3
* CSI provider default image to 1.1.0
* Vault K8s default image to 0.16.0
* Earliest Kubernetes version tested is now 1.16
* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)

Improvements:
* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)

## 0.19.0 (January 20th, 2022)

CHANGES:
Expand Down
8 changes: 4 additions & 4 deletions Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
apiVersion: v2
name: vault
version: 0.19.0
appVersion: 1.9.2
kubeVersion: ">= 1.14.0-0"
description: Install and configure Vault on Kubernetes.
version: 0.20.0
appVersion: 1.10.3
kubeVersion: ">= 1.16.0-0"
description: Official HashiCorp Vault Chart
home: https://www.vaultproject.io
icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ The versions required are:

* **Helm 3.0+** - This is the earliest version of Helm tested. It is possible
it works with earlier versions but this chart is untested for those versions.
* **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested.
* **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested.
It is possible that this chart works with earlier versions but it is
untested.

Expand Down
86 changes: 81 additions & 5 deletions templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,50 @@ Expand the name of the chart.
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Compute if the csi driver is enabled.
*/}}
{{- define "vault.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}

{{/*
Compute if the injector is enabled.
*/}}
{{- define "vault.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}

{{/*
Compute if the server is enabled.
*/}}
{{- define "vault.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}

{{/*
Compute if the server service is enabled.
*/}}
{{- define "vault.serverServiceEnabled" -}}
{{- template "vault.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}}

{{/*
Compute if the ui is enabled.
*/}}
{{- define "vault.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}

{{/*
Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster.
Expand All @@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify
template logic.
*/}}
{{- define "vault.mode" -}}
{{- template "vault.serverEnabled" . -}}
{{- if .Values.injector.externalVaultAddr -}}
{{- $_ := set . "mode" "external" -}}
{{- else if ne (.Values.server.enabled | toString) "true" -}}
{{- else if not .serverEnabled -}}
{{- $_ := set . "mode" "external" -}}
{{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
{{- $_ := set . "mode" "dev" -}}
Expand Down Expand Up @@ -256,6 +301,37 @@ Sets the injector affinity for pod placement
{{ end }}
{{- end -}}
{{/*
Sets the topologySpreadConstraints when running in standalone and HA modes.
*/}}
{{- define "vault.topologySpreadConstraints" -}}
{{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
topologySpreadConstraints:
{{ $tp := typeOf .Values.server.topologySpreadConstraints }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the injector topologySpreadConstraints for pod placement
*/}}
{{- define "injector.topologySpreadConstraints" -}}
{{- if .Values.injector.topologySpreadConstraints }}
topologySpreadConstraints:
{{ $tp := typeOf .Values.injector.topologySpreadConstraints }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the toleration for pod placement when running in standalone and HA modes.
*/}}
Expand Down Expand Up @@ -380,13 +456,13 @@ Sets extra injector service annotations
Sets extra injector webhook annotations
*/}}
{{- define "injector.webhookAnnotations" -}}
{{- if .Values.injector.webhookAnnotations }}
{{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }}
annotations:
{{- $tp := typeOf .Values.injector.webhookAnnotations }}
{{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
{{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }}
{{- else }}
{{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
{{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
Expand Down
3 changes: 2 additions & 1 deletion templates/csi-clusterrole.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand Down
3 changes: 2 additions & 1 deletion templates/csi-clusterrolebinding.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
Expand Down
9 changes: 8 additions & 1 deletion templates/csi-daemonset.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
Expand All @@ -8,6 +9,9 @@ metadata:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}}
{{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.daemonSet.annotations" . }}
spec:
updateStrategy:
Expand All @@ -25,6 +29,9 @@ spec:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "csi.pod.annotations" . }}
spec:
{{- if .Values.csi.priorityClassName }}
Expand Down
6 changes: 5 additions & 1 deletion templates/csi-serviceaccount.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
Expand All @@ -8,5 +9,8 @@ metadata:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.serviceAccount.extraLabels -}}
{{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.serviceAccount.annotations" . }}
{{- end }}
6 changes: 5 additions & 1 deletion templates/injector-certs-secret.yaml
Original file line number Diff line number Diff line change
@@ -1,10 +1,14 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1
kind: Secret
metadata:
name: vault-injector-certs
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}
5 changes: 3 additions & 2 deletions templates/injector-clusterrole.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -10,7 +11,7 @@ metadata:
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs:
verbs:
- "get"
- "list"
- "watch"
Expand Down
3 changes: 2 additions & 1 deletion templates/injector-clusterrolebinding.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
Expand Down
39 changes: 3 additions & 36 deletions templates/injector-deployment.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
Expand Down Expand Up @@ -30,6 +31,7 @@ spec:
{{ template "injector.annotations" . }}
spec:
{{ template "injector.affinity" . }}
{{ template "injector.topologySpreadConstraints" . }}
{{ template "injector.tolerations" . }}
{{ template "injector.nodeselector" . }}
{{- if .Values.injector.priorityClassName }}
Expand Down Expand Up @@ -142,41 +144,6 @@ spec:
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
{{- if .Values.injector.certs.secretName }}
volumeMounts:
- name: webhook-certs
mountPath: /etc/webhook/certs
readOnly: true
{{- end }}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- name: leader-elector
image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
args:
- --election={{ template "vault.fullname" . }}-agent-injector-leader
- --election-namespace={{ .Release.Namespace }}
- --http=0.0.0.0:4040
- --ttl={{ .Values.injector.leaderElector.ttl }}
livenessProbe:
httpGet:
path: /
port: 4040
scheme: HTTP
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /
port: 4040
scheme: HTTP
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
{{- end }}
{{- if .Values.injector.certs.secretName }}
volumes:
- name: webhook-certs
Expand Down
2 changes: 1 addition & 1 deletion templates/injector-disruptionbudget.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{{- if .Values.injector.podDisruptionBudget }}
apiVersion: policy/v1beta1
apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
Expand Down
21 changes: 10 additions & 11 deletions templates/injector-mutating-webhook.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
Expand All @@ -14,10 +15,11 @@ metadata:
{{- template "injector.webhookAnnotations" . }}
webhooks:
- name: vault.hashicorp.com
failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
sideEffects: None
admissionReviewVersions:
- "v1beta1"
- "v1"
timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: {{ template "vault.fullname" . }}-agent-injector-svc
Expand All @@ -29,15 +31,12 @@ webhooks:
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
{{- if .Values.injector.namespaceSelector }}
{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
namespaceSelector:
{{ toYaml .Values.injector.namespaceSelector | indent 6}}
{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
{{ end }}
{{- if .Values.injector.objectSelector }}
{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }}
objectSelector:
{{ toYaml .Values.injector.objectSelector | indent 6}}
{{ end }}
{{- with .Values.injector.failurePolicy }}
failurePolicy: {{.}}
{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}}
{{ end }}
{{ end }}
Loading

0 comments on commit c575574

Please sign in to comment.