From c575574628584f315389dca1535e8d70a83f16d9 Mon Sep 17 00:00:00 2001
From: xiaocongji <85846543+xiaocongji@users.noreply.github.com>
Date: Tue, 21 Mar 2023 09:47:22 -0400
Subject: [PATCH] feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* add staticSecretRenderInterval to injector (#621)
* make staticSecretRenderInterval default to empty string
* update values schema to add staticSecretRenderInterval
* add test for default value
* adding changelog entry

Co-authored-by: Theron Voran

* Update jira action (#644)
* No longer check for Vault team membership
* Tweak jira states and search parameters
* remove support for the leader-elector container (#649)
* vault-helm 0.18.0 release (#650)
* Run CI tests in github workflows (#657)

Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch.

Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16.

Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21.

Updates the Secrets Store CSI driver to 1.0.0 in tests.

Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point).

Co-authored-by: Tom Proctor

* Configurable PodDisruptionBudget for Injector (#653)
* Fix spelling error in server disruptionbudget test (#654)
* Make terminationGracePeriodSeconds configurable (#659)

Make terminationGracePeriodSeconds configurable for server pod

* injector: ability to set deployment update strategy (continued) (#661)

Co-authored-by: Jason Hancock

* csi: ability to set priorityClassName for csi daemonset pods (#670)
* Fixed a small typo (#672)
* Disable unit and acceptance tests in CircleCI (#675)
* update CONTRIBUTING.md (#677)

Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA.

* add namespace support for openshift route (#679)
* Add volumes and env vars to helm hook test pod (#673)
* Fix test typo
* Add basic server-test Pod tests

- This covers all existing functionality that matches what's present in server-statefulset.bats

* Fix server-test helm hook Pod rendering

- Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves

* Add volumes and env vars to helm hook test pod

- Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook
- This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI
- Fixes GH-665

* allow injection of TLS config for OpenShift routes (#686)
* Add some tests on top of #396
* convert server-route.yaml to unix newlines
* changelog

Co-authored-by: André Becker
Co-authored-by: Theron Voran

* Release 0.19.0 (#687)
* Add extraLabels for CSI DaemonSet (#690)
* Updated hashicorp/vault-csi-provider image to v1.0.0 (#689)
* Fix unit test assertions (#693)
* vault: bump image to 1.9.3 (#695)

Signed-off-by: Lionel H

* changelog++ (#699)
* change helm trigger branch from master to main (#700)
* Add namespace to injector-leader-elector role, rolebinding and secret (#683)
* allow to configure publishNotReadyAddresses on server services (#694)
* Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692)
* Prepare default values for MutatingWebhookConfiguration #691
* Add values.yaml values to injector-mutating-webhook.yaml #691
* Duplicate and deprecate top-level webhook settings and put them in a webhook object
* Made the new values default with the fallback to the old values.yaml
* Fix _helpers.tpl to support both old and new webhook annotations
* Add new tests and deprecate old ones for injector webhook configuration
* Old tests now work with old values.yaml
* Add all new fields showing that they have priority over old ones
* Add deprecation note to injector.failurePolicy #691
* VAULT-571 Matching documented behavior and consul (#703)

VAULT-571 Matching documented behavior and consul

Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart:

> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.

(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)

We also simplified the chart logic using a few template helpers.

Co-authored-by: Theron Voran

* Update k8s versions (#706)
* tests: updating the four most recent k8s versions
* bump oldest version to 1.16
* docs, Chart.yaml, and changelog for 1.14 -> 1.16
* Fix values schema to support config in YAML (#684)
* Support policy/v1 disruptionbudget beyond kube 1.21 (#710)

Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21

* Remove unnecessary template calls (#712)

- As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode)

Various templates were updated accordingly, but those that were already calling vault.mode had an additional call to vault.serverEnabled made which was unnecessary

Remove those

* Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709)
* Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it
* Issue-#629 removing extra whitespace I added accidentally.
* Issue-#629 fixing extra whitespace added.
* Update values.yaml

Co-authored-by: Joaco Muleiro Beltran

* Issue #629 adding changelog

Co-authored-by: Joaco Muleiro Beltran

* VAULT-5838 Update CSI provider to 1.1.0 (#721)
* VAULT-5838 Update CSI provider to 1.1.0
* Update test/acceptance/csi.bats

Co-authored-by: Theron Voran
Co-authored-by: Theron Voran

* VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722)

1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade

* Implement support for Topology Spread Constraints (#652)
* Implemented support for topology spread constraints
* Update values.yaml

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Update values.yaml

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Add topologySpreadConstraints to values schema
* Implement injector deployment topology spread UTs
* also remove string from the relevant schema types
* Implement injector statefulset topology spread UTs
* Implement injector HA statefulset topology UTs
* Allow topologySpreadConstraints to be a string

Co-authored-by: Ellis Tarn
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Christopher Swenson

* Update the changelog with changes from 614 and 652 (#723)
* Update the changelog with changes from 614 and 652
* Update CHANGELOG.md

Co-authored-by: Theron Voran
Co-authored-by: Theron Voran

* Prepare v0.20.0 release (#727)

---------
Signed-off-by: Lionel H
Co-authored-by: Kaito Ii
Co-authored-by: Theron Voran
Co-authored-by: Tom Proctor
Co-authored-by: Eric Miller
Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com>
Co-authored-by: Jason Hancock
Co-authored-by: Vadim Grek
Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com>
Co-authored-by: Jacob Mammoliti
Co-authored-by: Ethan J. Brown
Co-authored-by: Michele Baldessari
Co-authored-by: André Becker
Co-authored-by: Michael Schuett
Co-authored-by: Troy Fluegge
Co-authored-by: lion24
Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
Co-authored-by: Christian
Co-authored-by: Viacheslav Vasilyev
Co-authored-by: Remco Buddelmeijer
Co-authored-by: Christopher Swenson
Co-authored-by: gw0
Co-authored-by: Stephen Herd
Co-authored-by: Joaco Muleiro Beltran
Co-authored-by: Ellis Tarn
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
---
 .circleci/config.yml                          |   2 +-
 .github/workflows/acceptance.yaml             |   2 +-
 CHANGELOG.md                                  |  20 ++
 Chart.yaml                                    |   8 +-
 README.md                                     |   2 +-
 templates/_helpers.tpl                        |  86 ++++++-
 templates/csi-clusterrole.yaml                |   3 +-
 templates/csi-clusterrolebinding.yaml         |   3 +-
 templates/csi-daemonset.yaml                  |   9 +-
 templates/csi-serviceaccount.yaml             |   6 +-
 templates/injector-certs-secret.yaml          |   6 +-
 templates/injector-clusterrole.yaml           |   5 +-
 templates/injector-clusterrolebinding.yaml    |   3 +-
 templates/injector-deployment.yaml            |  39 +--
 templates/injector-disruptionbudget.yaml      |   2 +-
 templates/injector-mutating-webhook.yaml      |  21 +-
 templates/injector-network-policy.yaml        |   5 +-
 templates/injector-psp-role.yaml              |   5 +-
 templates/injector-psp-rolebinding.yaml       |   5 +-
 templates/injector-psp.yaml                   |   5 +-
 templates/injector-role.yaml                  |   6 +-
 templates/injector-rolebinding.yaml           |   6 +-
 templates/injector-service.yaml               |   3 +-
 templates/injector-serviceaccount.yaml        |   3 +-
 templates/server-clusterrolebinding.yaml      |   4 +-
 templates/server-config-configmap.yaml        |   4 +-
 templates/server-discovery-role.yaml          |   4 +-
 templates/server-discovery-rolebinding.yaml   |   4 +-
 templates/server-disruptionbudget.yaml        |   6 +-
 templates/server-ha-active-service.yaml       |   7 +-
 templates/server-ha-standby-service.yaml      |   7 +-
 templates/server-headless-service.yaml        |   5 +-
 templates/server-ingress.yaml                 |   5 +-
 templates/server-psp-role.yaml                |   4 +-
 templates/server-psp-rolebinding.yaml         |   4 +-
 templates/server-psp.yaml                     |   4 +-
 templates/server-service.yaml                 |   5 +-
 templates/server-serviceaccount.yaml          |   2 +-
 templates/server-statefulset.yaml             |   9 +-
 templates/tests/server-test.yaml              |   2 +-
 templates/ui-service.yaml                     |   6 +-
 test/acceptance/csi.bats                      |   3 +-
 test/acceptance/server-ha-enterprise-dr.bats  |   4 +-
 .../acceptance/server-ha-enterprise-perf.bats |   4 +-
 test/unit/csi-clusterrole.bats                |   2 +-
 test/unit/csi-clusterrolebinding.bats         |   4 +-
 test/unit/csi-daemonset.bats                  |  53 ++++-
 test/unit/csi-serviceaccount.bats             |  19 +-
 test/unit/injector-deployment.bats            |  37 ++-
 test/unit/injector-disruptionbudget.bats      |  27 ++-
 test/unit/injector-leader-elector.bats        |  33 +++
 test/unit/injector-mutating-webhook.bats      | 223 ++++++++++++++++--
 test/unit/injector-psp-role.bats              |   4 +-
 test/unit/injector-psp-rolebinding.bats       |   4 +-
 test/unit/injector-psp.bats                   |   4 +-
 test/unit/injector-service.bats               |   2 +-
 test/unit/schema.bats                         |  16 +-
 test/unit/server-ha-active-service.bats       |  17 ++
 test/unit/server-ha-disruptionbudget.bats     |  24 ++
 test/unit/server-ha-standby-service.bats      |  17 ++
 test/unit/server-ha-statefulset.bats          |  75 +++++-
 test/unit/server-headless-service.bats        |  19 ++
 test/unit/server-ingress.bats                 |  10 +-
 test/unit/server-route.bats                   |  46 +++-
 test/unit/server-service.bats                 |   7 +
 test/unit/server-serviceaccount.bats          |   2 +-
 test/unit/server-statefulset.bats             |  25 +-
 test/unit/server-test.bats                    |  13 +-
 test/unit/ui-service.bats                     |  12 +
 values.openshift.yaml                         |   6 +-
 values.schema.json                            |  80 ++++++-
 values.yaml                                   | 113 +++++++--
 72 files changed, 1046 insertions(+), 196 deletions(-)
 create mode 100644
test/unit/server-headless-service.bats diff --git a/.circleci/config.yml b/.circleci/config.yml index 70c2453fb..7582bdc21 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -77,7 +77,7 @@ jobs: -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 644875e26..2261ea63a 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -11,7 +11,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4] + kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 diff --git a/CHANGELOG.md b/CHANGELOG.md index bfb3af04f..7b7783a94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,25 @@ ## Unreleased +## 0.20.0 (May 16th, 2022) + +CHANGES: +* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Vault default image to 1.10.3 +* CSI provider default image to 1.1.0 +* Vault K8s default image to 0.16.0 +* Earliest Kubernetes version tested is now 1.16 +* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652) +* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692) + +Improvements: +* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) +* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) +* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) +* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) +* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694) +* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684) + ## 0.19.0 (January 20th, 2022) CHANGES: diff --git a/Chart.yaml b/Chart.yaml index 9f1440436..fc5527d10 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -1,9 +1,9 @@ apiVersion: v2 name: vault -version: 0.19.0 -appVersion: 1.9.2 -kubeVersion: ">= 1.14.0-0" -description: Install and configure Vault on Kubernetes. +version: 0.20.0 +appVersion: 1.10.3 +kubeVersion: ">= 1.16.0-0" +description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"] diff --git a/README.md b/README.md index 03afc2b3a..49ded6e8b 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ The versions required are: * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible it works with earlier versions but this chart is untested for those versions. - * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index dd53fd5a6..a50fed899 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -31,6 +31,50 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Compute if the csi driver is enabled. +*/}} +{{- define "vault.csiEnabled" -}} +{{- $_ := set . "csiEnabled" (or + (eq (.Values.csi.enabled | toString) "true") + (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the injector is enabled. +*/}} +{{- define "vault.injectorEnabled" -}} +{{- $_ := set . "injectorEnabled" (or + (eq (.Values.injector.enabled | toString) "true") + (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server is enabled. +*/}} +{{- define "vault.serverEnabled" -}} +{{- $_ := set . "serverEnabled" (or + (eq (.Values.server.enabled | toString) "true") + (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server service is enabled. +*/}} +{{- define "vault.serverServiceEnabled" -}} +{{- template "vault.serverEnabled" . -}} +{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} +{{- end -}} + +{{/* +Compute if the ui is enabled. +*/}} +{{- define "vault.uiEnabled" -}} +{{- $_ := set . "uiEnabled" (or + (eq (.Values.ui.enabled | toString) "true") + (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + {{/* Compute the maximum number of unavailable replicas for the PodDisruptionBudget. This defaults to (n/2)-1 where n is the number of members of the server cluster. 
@@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify template logic. */}} {{- define "vault.mode" -}} + {{- template "vault.serverEnabled" . -}} {{- if .Values.injector.externalVaultAddr -}} {{- $_ := set . "mode" "external" -}} - {{- else if ne (.Values.server.enabled | toString) "true" -}} + {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- $_ := set . "mode" "dev" -}} @@ -256,6 +301,37 @@ Sets the injector affinity for pod placement {{ end }} {{- end -}} +{{/* +Sets the topologySpreadConstraints when running in standalone and HA modes. +*/}} +{{- define "vault.topologySpreadConstraints" -}} + {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.server.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + + +{{/* +Sets the injector topologySpreadConstraints for pod placement +*/}} +{{- define "injector.topologySpreadConstraints" -}} + {{- if .Values.injector.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.injector.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + {{/* Sets the toleration for pod placement when running in standalone and HA modes. */}} 
@@ -380,13 +456,13 @@ Sets extra injector service annotations Sets extra injector webhook annotations */}} {{- define "injector.webhookAnnotations" -}} - {{- if .Values.injector.webhookAnnotations }} + {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }} annotations: - {{- $tp := typeOf .Values.injector.webhookAnnotations }} + {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }} {{- if eq $tp "string" }} - {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }} + {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }} {{- else }} - {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }} + {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }} {{- end }} {{- end }} {{- end -}} diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml index a19e520f5..ec6a3d2b9 100644 --- a/templates/csi-clusterrole.yaml +++ b/templates/csi-clusterrole.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml index 63d69c7b1..d5b62a5f0 100644 --- a/templates/csi-clusterrolebinding.yaml +++ b/templates/csi-clusterrolebinding.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index f0bf639f3..5c21752d6 100644 --- a/templates/csi-daemonset.yaml 
+++ b/templates/csi-daemonset.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: apps/v1 kind: DaemonSet metadata: @@ -8,6 +9,9 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.daemonSet.extraLabels -}} + {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} + {{- end -}} {{ template "csi.daemonSet.annotations" . }} spec: updateStrategy: @@ -25,6 +29,9 @@ spec: labels: app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.csi.pod.extraLabels -}} + {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} + {{- end -}} {{ template "csi.pod.annotations" . }} spec: {{- if .Values.csi.priorityClassName }} diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml index ee127481b..8d6fa5329 100644 --- a/templates/csi-serviceaccount.yaml +++ b/templates/csi-serviceaccount.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: @@ -8,5 +9,8 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.serviceAccount.extraLabels -}} + {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} {{ template "csi.serviceAccount.annotations" . }} {{- end }} diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml index 78363be55..e88685b5e 100644 --- a/templates/injector-certs-secret.yaml 
+++ b/templates/injector-certs-secret.yaml @@ -1,10 +1,14 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: v1 kind: Secret metadata: name: vault-injector-certs + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml index 4ff25abe5..6a0d6be1a 100644 --- a/templates/injector-clusterrole.yaml +++ b/templates/injector-clusterrole.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -10,7 +11,7 @@ metadata: rules: - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] - verbs: + verbs: - "get" - "list" - "watch" diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml index 35d30b393..4c193f8a2 100644 --- a/templates/injector-clusterrolebinding.yaml +++ b/templates/injector-clusterrolebinding.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index d58fc03fa..588efe400 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} # Deployment for the injector apiVersion: apps/v1 kind: Deployment @@ -30,6 +31,7 @@ spec: {{ template "injector.annotations" . }} spec: {{ template "injector.affinity" . }} + {{ template "injector.topologySpreadConstraints" . }} {{ template "injector.tolerations" . }} {{ template "injector.nodeselector" . }} {{- if .Values.injector.priorityClassName }} @@ -142,41 +144,6 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 -{{- if .Values.injector.certs.secretName }} - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true -{{- end }} - {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - - name: leader-elector - image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} - args: - - --election={{ template "vault.fullname" . }}-agent-injector-leader - - --election-namespace={{ .Release.Namespace }} - - --http=0.0.0.0:4040 - - --ttl={{ .Values.injector.leaderElector.ttl }} - livenessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - {{- end }} {{- if .Values.injector.certs.secretName }} volumes: - name: webhook-certs 
diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml index 59c998551..b44fd7300 100644 --- a/templates/injector-disruptionbudget.yaml +++ b/templates/injector-disruptionbudget.yaml @@ -1,5 +1,5 @@ {{- if .Values.injector.podDisruptionBudget }} -apiVersion: policy/v1beta1 +apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }}-agent-injector diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index de7dd5622..f873f61c9 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} apiVersion: admissionregistration.k8s.io/v1 {{- else }} @@ -14,10 +15,11 @@ metadata: {{- template "injector.webhookAnnotations" . }} webhooks: - name: vault.hashicorp.com + failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }} + matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }} sideEffects: None - admissionReviewVersions: - - "v1beta1" - - "v1" + timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }} + admissionReviewVersions: ["v1", "v1beta1"] clientConfig: service: name: {{ template "vault.fullname" . }}-agent-injector-svc 
@@ -29,15 +31,12 @@ webhooks: apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] -{{- if .Values.injector.namespaceSelector }} +{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }} namespaceSelector: -{{ toYaml .Values.injector.namespaceSelector | indent 6}} +{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}} {{ end }} -{{- if .Values.injector.objectSelector }} +{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }} objectSelector: -{{ toYaml .Values.injector.objectSelector | indent 6}} -{{ end }} -{{- with .Values.injector.failurePolicy }} - failurePolicy: {{.}} +{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}} {{ end }} {{ end }} diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml index 7a399a538..68892d23b 100644 --- a/templates/injector-network-policy.yaml +++ b/templates/injector-network-policy.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.openshift | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -19,3 +21,4 @@ spec: - port: 8080 protocol: TCP {{ end }} +{{ end }} diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 20c87bb2a..5d23c7556 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml 
@@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -15,3 +17,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index d6d0d5e24..4f6b0a851 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -16,3 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml index c024ac107..1eee2fcd0 100644 --- a/templates/injector-psp.yaml +++ b/templates/injector-psp.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -41,3 +43,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} \ No newline at end of file 
diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index e7e383d16..08c8264cc 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -1,8 +1,11 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} @@ -23,3 +26,4 @@ rules: - "patch" - "delete" {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index aa8179420..ea0db11b9 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -1,8 +1,11 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} 
@@ -16,3 +19,4 @@ subjects: name: {{ template "vault.fullname" . }}-agent-injector namespace: {{ .Release.Namespace }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 3138b7a5b..5e747d6f1 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: Service metadata: diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index a28d38fab..ebc57b56f 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index e5e0f5fec..e045b9ec3 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -22,3 +23,4 @@ subjects: name: {{ template "vault.serviceAccount.name" . }} namespace: {{ .Release.Namespace }} {{ end }} +{{ end }} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index b8093ad03..f40c69608 100644 
--- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}} +{{- if .serverEnabled -}} +{{- if ne .mode "dev" -}} {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} apiVersion: v1 kind: ConfigMap @@ -36,3 +37,4 @@ data: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 4a39cec21..9ca23dd4c 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -17,3 +18,4 @@ rules: verbs: ["get", "watch", "list", "update", "patch"] {{ end }} {{ end }} +{{ end }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 47526650b..6e22e4c2b 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -25,3 +26,4 @@ subjects: namespace: {{ .Release.Namespace }} {{ end }} {{ end }} +{{ end }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 3c45cc04e..d940fa4da 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml 
@@ -1,9 +1,10 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" -}} -{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +{{- if .serverEnabled -}} +{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. -apiVersion: policy/v1beta1 +apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} @@ -22,3 +23,4 @@ spec: component: server {{- end -}} {{- end -}} +{{- end -}} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index c2a4f0227..90761a468 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} # Service for active Vault pod apiVersion: v1 kind: Service @@ -22,7 +24,7 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} @@ -40,3 +42,4 @@ spec: vault-active: "true" {{- end }} {{- end }} +{{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index dbba9d653..03260ffaf 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
@@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -22,7 +24,7 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} @@ -39,4 +41,5 @@ spec: component: server vault-active: "false" {{- end }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index a37c63957..fffaaacbb 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service @@ -16,7 +17,7 @@ metadata: {{ template "vault.service.annotations" .}} spec: clusterIP: None - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: "{{ include "vault.scheme" . }}" port: {{ .Values.server.service.port }} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 48c76a828..c81e5f5ce 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml 
@@ -4,7 +4,9 @@ {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} @@ -72,3 +74,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index fd12e1eb3..b8eb897e5 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -16,3 +17,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }} {{- end }} +{{- end }} diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index b2a43c834..fded9fbc6 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -17,3 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }} {{- end }} +{{- end }} diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index 2d9426819..d210af351 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -45,3 +46,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 2e44ddf06..68207a2db 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service @@ -27,7 +28,7 @@ spec: {{- end }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 925b166bb..2d1a104bf 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml 
@@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} {{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} apiVersion: v1 kind: ServiceAccount diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index cbcda967d..518a19336 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if ne .mode "" }} +{{- if .serverEnabled -}} # StatefulSet to run the actual vault server cluster. apiVersion: apps/v1 kind: StatefulSet @@ -36,6 +37,7 @@ spec: {{ template "vault.annotations" . }} spec: {{ template "vault.affinity" . }} + {{ template "vault.topologySpreadConstraints" . }} {{ template "vault.tolerations" . }} {{ template "vault.nodeselector" . }} {{- if .Values.server.priorityClassName }} @@ -108,7 +110,11 @@ spec: fieldRef: fieldPath: metadata.name - name: VAULT_CLUSTER_ADDR + {{- if .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr }} + {{- else }} value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + {{- end }} {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} - name: VAULT_RAFT_NODE_ID valueFrom: @@ -206,3 +212,4 @@ spec: {{ template "vault.volumeclaims" . }} {{ end }} {{ end }} +{{ end }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index d983b9df6..56dbee78c 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} apiVersion: v1 kind: Pod metadata: 
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index ea27de282..d45afdda4 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -1,7 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} -{{- if eq (.Values.ui.enabled | toString) "true" }} +{{- template "vault.uiEnabled" . -}} +{{- if .uiEnabled -}} + apiVersion: v1 kind: Service metadata: @@ -34,4 +35,3 @@ spec: {{- include "service.loadBalancer" .Values.ui }} {{- end -}} {{- end }} -{{- end }} diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index c7c6549e2..bf6f85b5e 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -18,7 +18,8 @@ check_skip_csi() { # Install Secrets Store CSI driver CSI_DRIVER_VERSION=1.0.0 - helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ + helm install secrets-store-csi-driver secrets-store-csi-driver --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ + --version="${CSI_DRIVER_VERSION}" --wait --timeout=5m \ --namespace=acceptance \ --set linux.image.pullPolicy="IfNotPresent" \ diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 54a310f3a..5cc1a9b06 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
@@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 5ba78c9fe..6deec78f9 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats index 68ea7ce78..2bed54136 100644 --- a/test/unit/csi-clusterrole.bats +++ b/test/unit/csi-clusterrole.bats @@ -29,5 +29,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] } \ No newline at end of file diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index cff3a3699..ccd98c55a 100644 
--- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.roleRef.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] } # ClusterRoleBinding service account name @@ -40,5 +40,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.subjects[0].name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index dd88d829a..6893b06ac 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -27,7 +27,30 @@ load _helpers --set "global.enabled=false" \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] +} + +# priorityClassName + +@test "csi/daemonset: priorityClassName not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: priorityClassName can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.priorityClassName=armaggeddon' \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) + [ "${actual}" = "true" ] } # priorityClassName 
@@ -61,7 +84,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } # Image @@ -318,6 +341,32 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# Extra Labels + +@test "csi/daemonset: specify csi.daemonSet.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.pod.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + + #-------------------------------------------------------------------- # volumes diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 22ba06df2..41c17349f 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } @test "csi/serviceAccount: specify annotations" { 
@@ -56,4 +56,19 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} + +# serviceAccount extraLabels + +@test "csi/serviceAccount: specify csi.serviceAccount.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.serviceAccount.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + + diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 6443ca495..f69a585b0 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -26,12 +26,22 @@ load _helpers local actual=$( (helm template \ --show-only templates/injector-deployment.yaml \ --set 'global.enabled=false' \ - --set 'injector.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } +@test "injector/deployment: enable with injector.enabled true and global.enabled false" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'global.enabled=false' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/deployment: image defaults to injector.image" { cd `chart_dir` local actual=$(helm template \ @@ -157,7 +167,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ] + [ "${value}" = "release-name-vault-agent-injector-cfg" ] # helm template does uses current context namespace and ignores namespace flags, so # discover the targeted namespace so we can check the rendered value correctly. 
@@ -165,7 +175,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] + [ "${value}" = "release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.${namespace:-default},release-name-vault-agent-injector-svc.${namespace:-default}.svc" ] } @test "injector/deployment: manual TLS adds volume mount" { @@ -452,6 +462,27 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "injector/deployment: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "injector/deployment: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.topologySpreadConstraints[0].foo=bar,injector.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # tolerations diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index a0cee27d7..4373d839f 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats 
@@ -11,6 +11,16 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + . | tee /dev/stderr | + yq '.spec.minAvailable == 2' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" { cd `chart_dir` local actual=$(helm template \ @@ -21,12 +31,25 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + +@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ --set 'injector.podDisruptionBudget.minAvailable=2' \ + --kube-version 1.19.5 \ . | tee /dev/stderr | - yq '.spec.minAvailable == 2' | tee /dev/stderr) + yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --kube-version 1.22.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1"' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index b6fa4ae62..bbd482985 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats 
@@ -87,6 +87,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/certs-secret: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-certs-secret.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} + @test "injector/role: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ @@ -127,6 +138,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/role: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-role.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} + @test "injector/rolebinding: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ @@ -166,3 +188,14 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/rolebinding: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-rolebinding.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 1e6e150d0..ef9bf8321 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats 
@@ -53,103 +53,274 @@ load _helpers [ "${actual}" = "\"\"" ] } -@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default" { +@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --namespace foo \ . | tee /dev/stderr | - yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) - [ "${actual}" = "null" ] + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + [ "${actual}" = "\"Ignore\"" ] } -@test "injector/MutatingWebhookConfiguration: can set namespaceSelector" { +@test "injector/MutatingWebhookConfiguration: can set failurePolicy (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.namespaceSelector.matchLabels.injector=true' \ + --set 'injector.webhook=null' \ + --set 'injector.failurePolicy=Fail' \ . | tee /dev/stderr | - yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "true" ] + [ "${actual}" = "\"Fail\"" ] } -@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" { +@test "injector/MutatingWebhookConfiguration: webhook.failurePolicy 'Ignore' by default" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --namespace foo \ + --set 'injector.failurePolicy=Invalid' \ . 
| tee /dev/stderr | - yq '.webhooks[0].objectSelector' | tee /dev/stderr) - [ "${actual}" = "null" ] + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Ignore\"" ] } -@test "injector/MutatingWebhookConfiguration: can set objectSelector" { +@test "injector/MutatingWebhookConfiguration: can set webhook.failurePolicy" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.objectSelector.matchLabels.injector=true' \ + --set 'injector.webhook.failurePolicy=Fail' \ + --set 'injector.failurePolicy=Invalid' \ . | tee /dev/stderr | - yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "true" ] + [ "${actual}" = "\"Fail\"" ] } -@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" { +@test "injector/MutatingWebhookConfiguration: webhook.matchPolicy 'Exact' by default" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --namespace foo \ . | tee /dev/stderr | - yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "\"Ignore\"" ] + yq '.webhooks[0].matchPolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Exact\"" ] } -@test "injector/MutatingWebhookConfiguration: can set failurePolicy" { +@test "injector/MutatingWebhookConfiguration: can set webhook.matchPolicy" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.failurePolicy=Fail' \ + --set 'injector.webhook.matchPolicy=Equivalent' \ . 
| tee /dev/stderr | - yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + yq '.webhooks[0].matchPolicy' | tee /dev/stderr) - [ "${actual}" = "\"Fail\"" ] + [ "${actual}" = "\"Equivalent\"" ] +} + +@test "injector/MutatingWebhookConfiguration: timeoutSeconds by default 30" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + . | tee /dev/stderr | + yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr) + + [ "${actual}" = "30" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.timeoutSeconds" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.timeoutSeconds=50' \ + . | tee /dev/stderr | + yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr) + + [ "${actual}" = "50" ] } #-------------------------------------------------------------------- # annotations -@test "injector/MutatingWebhookConfiguration: default annotations" { +@test "injector/MutatingWebhookConfiguration: default webhookAnnotations (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ . | tee /dev/stderr | yq -r '.metadata.annotations' | tee /dev/stderr) [ "${actual}" = "null" ] } -@test "injector/MutatingWebhookConfiguration: specify annotations yaml" { +@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --set 'injector.webhookAnnotations.foo=bar' \ . 
| tee /dev/stderr | yq -r '.metadata.annotations.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } -@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" { +@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml string (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --set 'injector.webhookAnnotations=foo: bar' \ . | tee /dev/stderr | yq -r '.metadata.annotations.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +@test "injector/MutatingWebhookConfiguration: default webhook.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.annotations.foo=bar' \ + --set 'injector.webhookAnnotations.invalid=invalid' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.annotations=foo: bar' \ + --set 'injector.webhookAnnotations=invalid: invalid' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +#-------------------------------------------------------------------- +# namespaceSelector + +@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set namespaceSelector (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.namespaceSelector.matchLabels.injector=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.namespaceSelector empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set set webhook.namespaceSelector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.namespaceSelector.matchLabels.injector=true' \ + --set 'injector.namespaceSelector.matchLabels.injector=false' \ + . 
| tee /dev/stderr | + yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# objectSelector + +@test "injector/MutatingWebhookConfiguration: objectSelector empty by default (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set objectSelector (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --set 'injector.objectSelector.matchLabels.injector=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.objectSelector empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.objectSelector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.objectSelector.matchLabels.injector=true' \ + --set 'injector.objectSelector.matchLabels.injector=false' \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} \ No newline at end of file 
diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats index c6dc522af..8e7acd7d5 100644 --- a/test/unit/injector-psp-role.bats +++ b/test/unit/injector-psp-role.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy-Role: disable with global.enabled" { +@test "injector/PodSecurityPolicy-Role: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp-role.yaml \ @@ -31,5 +31,5 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats index f8a8255fb..88bfe7900 100644 --- a/test/unit/injector-psp-rolebinding.bats +++ b/test/unit/injector-psp-rolebinding.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" { +@test "injector/PodSecurityPolicy-RoleBinding: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp-rolebinding.yaml \ @@ -31,5 +31,5 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } diff --git a/test/unit/injector-psp.bats b/test/unit/injector-psp.bats index fa14b0f1e..a415358b2 100644 --- a/test/unit/injector-psp.bats +++ b/test/unit/injector-psp.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy: disable with global.enabled" { +@test "injector/PodSecurityPolicy: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp.yaml \ 
@@ -31,7 +31,7 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "injector/PodSecurityPolicy: annotations are templated correctly by default" { diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index ad4800991..027eaa080 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats @@ -52,7 +52,7 @@ load _helpers --set 'injector.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "injector/Service: generic annotations" { diff --git a/test/unit/schema.bats b/test/unit/schema.bats index a42614bf6..9a61d7d5a 100644 --- a/test/unit/schema.bats +++ b/test/unit/schema.bats @@ -7,9 +7,9 @@ load _helpers # schema, setting it as a string fails 'helm template'. @test "schema: csi enabled datatype" { cd `chart_dir` - run helm template . --set csi.enabled="nope" + run helm template . --set csi.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set csi.enabled=true [ "$status" -eq 0 ] @@ -17,9 +17,9 @@ load _helpers @test "schema: injector enabled datatype" { cd `chart_dir` - run helm template . --set injector.enabled="nope" + run helm template . --set injector.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set injector.enabled=true [ "$status" -eq 0 ] 
@@ -27,9 +27,9 @@ load _helpers @test "schema: server enabled datatype" { cd `chart_dir` - run helm template . --set server.enabled="nope" + run helm template . --set server.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set server.enabled=true [ "$status" -eq 0 ] @@ -37,9 +37,9 @@ load _helpers @test "schema: ui enabled datatype" { cd `chart_dir` - run helm template . --set ui.enabled="nope" + run helm template . --set ui.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set ui.enabled=true [ "$status" -eq 0 ] diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index a835c9d9c..80e26dd4e 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats @@ -197,3 +197,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/ha-active-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 9271c019f..bd71ca241 100755 --- a/test/unit/server-ha-disruptionbudget.bats 
+++ b/test/unit/server-ha-disruptionbudget.bats @@ -97,3 +97,27 @@ load _helpers yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] } + +@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=1' \ + --kube-version 1.19.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=1' \ + --kube-version 1.22.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 7dfd5d7fd..df0f9071e 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -208,3 +208,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/ha-standby-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} 
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index cc77e7e39..342fa433d 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -417,7 +417,7 @@ load _helpers #-------------------------------------------------------------------- # VAULT_CLUSTER_ADDR renders -@test "server/ha-StatefulSet: cluster addr renders" { +@test "server/ha-StatefulSet: clusterAddr not set" { cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ 
@@ -428,7 +428,52 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] + [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to null" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=null' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to custom url" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=https://test.example.com:8201' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://test.example.com:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to custom url with environment variable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] } #-------------------------------------------------------------------- @@ -540,6 +585,32 @@ load _helpers [ "${actual}" = "1" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "server/ha-StatefulSet: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "server/ha-StatefulSet: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set "server.topologySpreadConstraints[0].foo=bar,server.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# tolerations + @test "server/ha-StatefulSet: tolerations not set by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats new file mode 100644 index 000000000..4e2d13537 --- /dev/null +++ b/test/unit/server-headless-service.bats 
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/headless-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 4132c16a7..aade5d57c 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -165,7 +165,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-active" ] + [ "${actual}" = "release-name-vault-active" ] } @test "server/ingress: uses regular service when configured with ha - yaml" { @@ -180,7 +180,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: uses regular service when not ha - yaml" { @@ -194,7 +194,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" { 
@@ -209,7 +209,7 @@ load _helpers --kube-version 1.18.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: uses regular service when not ha and activeService is true - yaml" { @@ -224,7 +224,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: pathType is added to Kubernetes version == 1.19.0" { diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index 53e1e619b..1daea2684 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats @@ -99,7 +99,7 @@ load _helpers --set 'server.route.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route points to main service when not ha and activeService is true" { @@ -112,7 +112,7 @@ load _helpers --set 'server.route.activeService=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route points to active service by when HA by default" { @@ -125,7 +125,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-active" ] + [ "${actual}" = "release-name-vault-active" ] } @test "server/route: OpenShift - route points to general service by when HA when configured" { 
@@ -139,7 +139,45 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] +} + +@test "server/route: OpenShift - route termination mode set to default passthrough" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "passthrough" ] +} + +@test "server/route: OpenShift - route termination mode set to edge" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.termination=edge' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "edge" ] +} + +@test "server/route: OpenShift - route custom tls entry" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \ + . | tee /dev/stderr | + yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr) + [ "${actual}" = "Redirect" ] } @test "server/route: OpenShift - route termination mode set to default passthrough" { diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 4695f2fff..5208f6e30 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -175,6 +175,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] } @test "server/Service: type empty by default" { diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 29e18b56f..fbc2b94bf 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -26,7 +26,7 @@ load _helpers --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 0a83ec6a1..a240e3dad 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -784,6 +784,29 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "server/standalone-StatefulSet: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "server/standalone-StatefulSet: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set "server.topologySpreadConstraints[0].foo=bar,server.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# tolerations @test "server/standalone-StatefulSet: tolerations not set by default" { cd `chart_dir` @@ -1640,7 +1663,7 @@ load _helpers --set 'server.serviceAccount.create=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index 5fd65d561..de82f84c3 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats 
@@ -66,14 +66,25 @@ load _helpers [ "${actual}" = "true" ] } -@test "server/standalone-server-test-Pod: disable with global.enabled" { +@test "server/standalone-server-test-Pod: not disabled with global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/tests/server-test.yaml \ --set 'global.enabled=false' \ + --set 'server.enabled=true' \ --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-server-test-Pod: disable with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'global.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index f439aecfb..f73bbce3f 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -53,6 +53,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "ui/Service: 'disable with global, enable with ui.enabled'" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'global.enabled=false' \ + --set 'server.enabled=true' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "ui/Service: disable with injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ diff --git a/values.openshift.yaml b/values.openshift.yaml index d24ac6e21..e59bb8677 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.14.2-ubi" + tag: "0.16.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.10.3-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.10.3-ubi" diff --git a/values.schema.json b/values.schema.json index 15440431a..87a02f803 100644 --- a/values.schema.json +++ b/values.schema.json @@ -14,6 +14,9 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "kubeletRootDir": { "type": "string" }, @@ -40,7 +43,10 @@ "type": "boolean" }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "extraArgs": { "type": "array" @@ -88,6 +94,9 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "tolerations": { "type": [ "null", @@ -128,6 +137,9 @@ "object", "string" ] + }, + "extraLabels": { + "type": "object" } } }, @@ -257,7 +269,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalVaultAddr": { "type": "string" @@ -365,6 +380,39 @@ "string" ] }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, + "webhook": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "failurePolicy": { + "type": "string" + }, + "matchPolicy": { + "type": "string" + }, + "namespaceSelector": { + "type": "object" + }, + "objectSelector": { + "type": "object" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, "webhookAnnotations": { "type": [ "object", @@ -472,7 +520,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "enterpriseLicense": { "type": "object", @@ -522,7 +573,10 @@ ] }, "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "disruptionBudget": { "type": "object", 
@@ -545,7 +599,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": "boolean" @@ -740,6 +797,9 @@ "enabled": { "type": "boolean" }, + "publishNotReadyAddresses": { + "type": "boolean" + }, "externalTrafficPolicy": { "type": "string" }, @@ -775,7 +835,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": [ @@ -836,7 +899,10 @@ ] }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalPort": { "type": "integer" diff --git a/values.yaml b/values.yaml index 027a90053..fcb1be9f2 100644 --- a/values.yaml +++ b/values.yaml @@ -26,7 +26,8 @@ global: injector: # True if you want to enable vault agent injection. - enabled: true + # @default: global.enabled + enabled: "-" replicas: 1 @@ -49,7 +50,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.14.2" + tag: "0.16.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -57,7 +58,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.9.6" + tag: "1.10.3" # The default values for the injected Vault Agent containers. agentDefaults: 
@@ -90,6 +91,61 @@ injector: # Configures all Vault Agent sidecars to revoke their token when shutting down revokeOnShutdown: false + webhook: + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # matchPolicy specifies the approach to accepting changes based on the rules of + # the MutatingWebhookConfiguration. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy + # for more details. + # + matchPolicy: Exact + + # timeoutSeconds is the amount of seconds before the webhook request will be ignored + # or fails. + # If it is ignored or fails depends on the failurePolicy + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts + # for more details. + # + timeoutSeconds: 30 + + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. 
+ # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} + + # Extra annotations to attach to the webhook + annotations: {} + + # Deprecated: please use 'webhook.failurePolicy' instead + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # Deprecated: please use 'webhook.namespaceSelector' instead # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -99,6 +155,8 @@ injector: # matchLabels: # sidecar-injector: enabled namespaceSelector: {} + + # Deprecated: please use 'webhook.objectSelector' instead # objectSelector is the selector for restricting the webhook to only # specific labels. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector @@ -109,13 +167,7 @@ injector: # vault-sidecar-injector: enabled objectSelector: {} - # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the - # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy - # - failurePolicy: Ignore - + # Deprecated: please use 'webhook.annotations' instead # Extra annotations to attach to the webhook webhookAnnotations: {} 
@@ -166,6 +218,12 @@ injector: component: webhook topologyKey: kubernetes.io/hostname + # Topology settings for injector pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + # Toleration Settings for injector pods # This should be either a multi-line string or YAML matching the Toleration array # in a PodSpec. @@ -215,8 +273,9 @@ injector: # type: RollingUpdate server: - # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details - enabled: true + # If true, or "-" with global.enabled true, Vault server will be installed. + # See vault.mode in _helpers.tpl for implementation details. + enabled: "-" # [Enterprise Only] This value refers to a Kubernetes secret that you have # created that contains your enterprise license. If you are not using an @@ -236,7 +295,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.9.6" + tag: "1.10.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -454,6 +513,12 @@ server: component: server topologyKey: kubernetes.io/hostname + # Topology settings for server pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + # Toleration Settings for server pods # This should be either a multi-line string or YAML matching the Toleration array # in a PodSpec. @@ -505,6 +570,9 @@ server: # NodePort, or LoadBalancer. #type: ClusterIP + # Do not wait for pods to be ready + publishNotReadyAddresses: true + # The externalTrafficPolicy can be set to either Cluster or Local # and is only valid for LoadBalancer and NodePort service types. # The default value is Cluster. 
@@ -627,6 +695,11 @@ server: # If set to null, this will be set to the Pod IP Address apiAddr: null + # Set the cluster_addr confuguration for Vault HA + # See https://www.vaultproject.io/docs/configuration#cluster_addr + # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 + clusterAddr: null + # Enables Vault's integrated Raft storage. Unlike the typical HA modes where # Vault's persistence is external (such as Consul), enabling Raft mode will create # persistent volumes for Vault to store data according to the configuration under server.dataStorage. @@ -771,7 +844,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.4.0" + tag: "1.1.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered @@ -812,6 +885,9 @@ csi: providersDir: "/etc/kubernetes/secrets-store-csi-providers" # Kubelet host path kubeletRootDir: "/var/lib/kubelet" + # Extra labels to attach to the vault-csi-provider daemonSet + # This should be a YAML map of the labels to apply to the csi provider daemonSet + extraLabels: {} pod: # Extra annotations for the provider pods. This can either be YAML or a @@ -824,6 +900,11 @@ csi: # in a PodSpec. tolerations: [] + # Extra labels to attach to the vault-csi-provider pod + # This should be a YAML map of the labels to apply to the csi provider pod + extraLabels: {} + + # Priority class for csi pods priorityClassName: "" @@ -833,6 +914,10 @@ csi: # annotations to apply to the serviceAccount. annotations: {} + # Extra labels to attach to the vault-csi-provider serviceAccount + # This should be a YAML map of the labels to apply to the csi provider serviceAccount + extraLabels: {} + # Used to configure readinessProbe for the pods. readinessProbe: # When a probe fails, Kubernetes will try failureThreshold times before giving up
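Review bot: the schema and the new defaults may disagree on `enabled`. values.yaml now ships `enabled: "-"` for both `injector` (`@@ -26,7 +26,8 @@`) and `server` (`@@ -215,8 +273,9 @@`), but in values.schema.json only the `@@ -836,7 +899,10 @@` hunk widens `enabled` to `["boolean", "string"]`, while the `enabled` in the `@@ -545,7 +599,10 @@` hunk stays `"type": "boolean"` (the hunk does not show which section that is). Please confirm every section whose default becomes `"-"` has its schema type widened the same way, otherwise Helm's schema validation rejects the chart's own defaults. Also confirm that `webhook`, `topologySpreadConstraints`, `clusterAddr` and the three `extraLabels` maps have schema entries; of the keys added here only `publishNotReadyAddresses` appears in the visible schema hunks.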
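Review bot: precedence between the new and the deprecated webhook keys is undocumented in the `@@ -90,6 +91,61 @@` hunk. It adds `webhook.failurePolicy`, `webhook.namespaceSelector`, `webhook.objectSelector` and `webhook.annotations` while keeping `failurePolicy`, `namespaceSelector`, `objectSelector` and `webhookAnnotations` as deprecated, but neither set of comments says which value wins when both are set. This matters most for `failurePolicy`, which decides whether pods are created without injection or blocked while the webhook is unreachable: an operator who had set `injector.failurePolicy: Fail` needs to know whether the new `webhook.failurePolicy: Ignore` default overrides it. State the precedence in both places, e.g. `# Ignored when webhook.failurePolicy is set`. Also, in the `timeoutSeconds` comment, `If it is ignored or fails depends on the failurePolicy` should read `Whether it is ignored or fails depends on the failurePolicy`.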
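Review bot: `publishNotReadyAddresses: true` in the `@@ -505,6 +570,9 @@` hunk changes the default behaviour of the server Service, and the only explanation is `# Do not wait for pods to be ready`. On a Kubernetes Service this field publishes endpoints for pods that are not Ready, so clients of the Service can be routed to a Vault pod that is not yet serving (a sealed or not-yet-initialised pod, if the readiness probe reports it as not ready) and will get errors until it is unsealed. Expand the comment to say why the chart turns this on by default and record the change in the changelog, since a `true` default alters routing for existing installs that never set the key.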
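Review bot: typo in the `@@ -627,6 +695,11 @@` hunk: `# Set the cluster_addr confuguration for Vault HA` should read `configuration`. The same comment could also say that an overridden `clusterAddr` must be the address the other Vault nodes use to reach this one on the cluster port, since the default `...-internal:8201` only holds for the chart's own headless service.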
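Review bot: the image bumps beyond the Vault server are not documented. The commit subject only names the 1.10.x server upgrade, but the patch also moves `hashicorp/vault-k8s` from `0.14.2` to `0.16.0` (`@@ -49,7 +50,7 @@`), the agent image from `1.9.6` to `1.10.3` (`@@ -57,7 +58,7 @@`) and `hashicorp/vault-csi-provider` from `0.4.0` to `1.1.0` (`@@ -771,7 +844,7 @@`), the last being a major-version jump. Please list all four in the changelog and commit description, and confirm the CSI acceptance test was run against the `1.1.0` provider.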
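Review bot: style nit in the `@@ -824,6 +900,11 @@` hunk: two consecutive blank lines are added between the pod `extraLabels: {}` and `# Priority class for csi pods`; drop one to match the single-blank-line spacing used between keys elsewhere in values.yaml.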