From 690ee410efac3aae6f46600aca4bd567b7d42a77 Mon Sep 17 00:00:00 2001
From: guru1306
Date: Sat, 20 Feb 2021 09:32:04 +0530
Subject: [PATCH 01/70] Add objectSelector to webhookconfiguration (#456)
---
 templates/injector-mutating-webhook.yaml | 4 ++++
 test/unit/injector-mutating-webhook.bats | 23 +++++++++++++++++++++++
 values.yaml | 9 +++++++++
 3 files changed, 36 insertions(+)
diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index df28dc81a..abe23aabc 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -32,6 +32,10 @@ webhooks:
 namespaceSelector:
 {{ toYaml .Values.injector.namespaceSelector | indent 6}}
 {{ end }}
+{{- if .Values.injector.objectSelector }}
+ objectSelector:
+{{ toYaml .Values.injector.objectSelector | indent 6}}
+{{ end }}
 {{- with .Values.injector.failurePolicy }}
 failurePolicy: {{.}}
 {{ end }}
diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats
index bb307f857..65f505bcf 100755
--- a/test/unit/injector-mutating-webhook.bats
+++ b/test/unit/injector-mutating-webhook.bats
@@ -76,6 +76,29 @@ load _helpers
 [ "${actual}" = "true" ]
 }
+@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
+ --set 'injector.enabled=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq '.webhooks[0].objectSelector' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+}
+
+@test "injector/MutatingWebhookConfiguration: can set objectSelector" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
+ --set 'injector.enabled=true' \
+ --set 'injector.objectSelector.matchLabels.injector=true' \
+ . | tee /dev/stderr |
+ yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr)
+
+ [ "${actual}" = "true" ]
+}
+
 @test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" {
 cd `chart_dir`
 local actual=$(helm template \
diff --git a/values.yaml b/values.yaml
index 2aa0e3bbc..49836b73c 100644
--- a/values.yaml
+++ b/values.yaml
@@ -80,6 +80,15 @@ injector:
 # matchLabels:
 # sidecar-injector: enabled
 namespaceSelector: {}
+ # objectSelector is the selector for restricting the webhook to only
+ # specific labels.
+ # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
+ # for more details.
+ # Example:
+ # objectSelector:
+ # matchLabels:
+ # vault-sidecar-injector: enabled
+ objectSelector: {}
 # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the
 # API Version of the WebHook.
From ff735774c43cc94a64bf58c2f7d0de44f057dbd6 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Fri, 19 Feb 2021 23:03:15 -0500
Subject: [PATCH 02/70] changelog++
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 67e53fce8..7206d1c7e 100644
--- a/CHANGELOG.md
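Review bot: The comment added for `objectSelector` says it restricts the webhook "to only specific labels", but an objectSelector is evaluated against the labels of the Pod object being admitted, so the label must be present on the pod template rather than on the owning Deployment, and pods without it are never sent to the injector at all. Suggest replacing the first two comment lines with `# objectSelector restricts the webhook to pods whose labels match the selector;` and `# pods that do not match are never sent to the injector, which also narrows the scope of failurePolicy.` The linked Kubernetes page already says this, but the values file is what most operators read.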
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
+Improvements:
+* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456)
+
 ## 0.9.1 (February 2nd, 2021)
 Bugs:
From 4c1d79f46ec6557140756ba713a2e79ec0579fbc Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Fri, 19 Mar 2021 14:14:38 +0000
Subject: [PATCH 03/70] Add CSI secrets store provider (#461)
---
 templates/_helpers.tpl | 55 +++
 templates/csi-clusterrole.yaml | 17 +
 templates/csi-clusterrolebinding.yaml | 18 +
 templates/csi-daemonset.yaml | 89 ++++
 templates/csi-serviceaccount.yaml | 12 +
 test/acceptance/csi-test/nginx.yaml | 26 ++
 .../vault-kv-secretproviderclass.yaml | 15 +
 test/acceptance/csi-test/vault-policy.hcl | 7 +
 test/acceptance/csi.bats | 59 +++
 test/unit/csi-clusterrole.bats | 22 +
 test/unit/csi-clusterrolebinding.bats | 22 +
 test/unit/csi-daemonset.bats | 380 ++++++++++++++++++
 test/unit/csi-serviceaccount.bats | 48 +++
 values.yaml | 77 ++++
 14 files changed, 847 insertions(+)
 create mode 100644 templates/csi-clusterrole.yaml
 create mode 100644 templates/csi-clusterrolebinding.yaml
 create mode 100644 templates/csi-daemonset.yaml
 create mode 100644 templates/csi-serviceaccount.yaml
 create mode 100644 test/acceptance/csi-test/nginx.yaml
 create mode 100644 test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
 create mode 100644 test/acceptance/csi-test/vault-policy.hcl
 create mode 100644 test/acceptance/csi.bats
 create mode 100644 test/unit/csi-clusterrole.bats
 create mode 100644 test/unit/csi-clusterrolebinding.bats
 create mode 100644 test/unit/csi-daemonset.bats
 create mode 100644 test/unit/csi-serviceaccount.bats
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 512bb32f3..bee8f81d2 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -475,6 +475,61 @@ Sets the container resources if the user has set any.
 {{ end }}
 {{- end -}}
+{{/*
+Sets the container resources if the user has set any.
+*/}}
+{{- define "csi.resources" -}}
+ {{- if .Values.csi.resources -}}
+ resources:
+{{ toYaml .Values.csi.resources | indent 12}}
+ {{ end }}
+{{- end -}}
+
+{{/*
+Sets extra CSI daemonset annotations
+*/}}
+{{- define "csi.daemonSet.annotations" -}}
+ {{- if .Values.csi.daemonSet.annotations }}
+ annotations:
+ {{- $tp := typeOf .Values.csi.daemonSet.annotations }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }}
+ {{- else }}
+ {{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra CSI provider pod annotations
+*/}}
+{{- define "csi.pod.annotations" -}}
+ {{- if .Values.csi.pod.annotations }}
+ annotations:
+ {{- $tp := typeOf .Values.csi.pod.annotations }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.csi.pod.annotations . | nindent 8 }}
+ {{- else }}
+ {{- toYaml .Values.csi.pod.annotations | nindent 8 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra CSI service account annotations
+*/}}
+{{- define "csi.serviceAccount.annotations" -}}
+ {{- if .Values.csi.serviceAccount.annotations }}
+ annotations:
+ {{- $tp := typeOf .Values.csi.serviceAccount.annotations }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }}
+ {{- else }}
+ {{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
 {{/*
 Inject extra environment vars in the format key:value, if populated
 */}}
diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml
new file mode 100644
index 000000000..35625a493
--- /dev/null
+++ b/templates/csi-clusterrole.yaml
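Review bot: The header comment on `csi.resources` is a verbatim copy of the injector helper's comment visible in the hunk context (`Sets the container resources if the user has set any.`), so the two defines are indistinguishable when grepping the file; suggest `Sets the CSI provider container resources if the user has set any.` The three annotation helpers pass operator-supplied strings through `tpl`, which renders them as templates with the full chart context; that matches how the values are documented (`YAML-formatted multi-line templated string`), and a one-line comment on each define such as `String values are rendered with tpl and may reference .Values and .Release.` would make that explicit to whoever next edits them.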
@@ -0,0 +1,17 @@
+{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "vault.name" . }}-csi-provider-clusterrole
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+{{- end }}
diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml
new file mode 100644
index 000000000..63d69c7b1
--- /dev/null
+++ b/templates/csi-clusterrolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: {{ template "vault.fullname" . }}-csi-provider
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
new file mode 100644
index 000000000..b7a762213
--- /dev/null
+++ b/templates/csi-daemonset.yaml
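Review bot: The ClusterRole is named `{{ include "vault.name" . }}-csi-provider-clusterrole`, while the ClusterRoleBinding hunk on this same line points its roleRef at `{{ template "vault.fullname" . }}-csi-provider-clusterrole`; whenever `vault.fullname` renders differently from `vault.name` (the helper is not on this page, and the new unit tests only assert `length > 0`) the binding references a ClusterRole that does not exist and the provider ends up with no permissions. Change the ClusterRole's name to `name: {{ template "vault.fullname" . }}-csi-provider-clusterrole`; a release-unique name also avoids two releases in one cluster fighting over a cluster-scoped object. Separately, `create` on `serviceaccounts/token` granted through a ClusterRole is not bounded by namespace, so the provider's service account can request tokens for any service account in any namespace; that looks like what the provider needs to authenticate workloads to Vault, but it belongs in the `csi.enabled` comment in values.yaml so operators understand what enabling the daemonset grants.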
@@ -0,0 +1,89 @@
+{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{ template "csi.daemonSet.annotations" . }}
+spec:
+ updateStrategy:
+ type: {{ .Values.csi.daemonSet.updateStrategy.type }}
+ {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{ template "csi.pod.annotations" . }}
+ spec:
+ serviceAccountName: {{ include "vault.name" . }}-csi-provider
+ containers:
+ - name: {{ include "vault.name" . }}-csi-provider
+ {{ template "csi.resources" . 
}}
+ image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
+ imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
+ args:
+ - --endpoint=/provider/vault.sock
+ - --debug={{ .Values.csi.debug }}
+ volumeMounts:
+ - name: providervol
+ mountPath: "/provider"
+ - name: mountpoint-dir
+ mountPath: /var/lib/kubelet/pods
+ mountPropagation: HostToContainer
+ {{- range .Values.csi.extraVolumes }}
+ - name: userconfig-{{ .name }}
+ mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
+ readOnly: true
+ {{- end }}
+ {{- if .Values.csi.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /health/ready
+ port: 8080
+ failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
+ initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
+ successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
+ timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
+ {{- end }}
+ {{- if .Values.csi.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /health/ready
+ port: 8080
+ failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
+ initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
+ successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
+ timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
+ {{- end }}
+ volumes:
+ - name: providervol
+ hostPath:
+ path: "/etc/kubernetes/secrets-store-csi-providers"
+ - name: mountpoint-dir
+ hostPath:
+ path: /var/lib/kubelet/pods
+ {{- range .Values.csi.extraVolumes }}
+ - name: userconfig-{{ .name }}
+ {{ .type }}:
+ {{- if (eq .type "configMap") }}
+ name: {{ .name }}
+ {{- else if (eq .type "secret") }}
+ secretName: {{ .name }}
+ {{- end }}
+ defaultMode: {{ .defaultMode | default 420 }}
+ {{- end }}
+{{- end }}
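Review bot: `serviceAccountName: {{ include "vault.name" . }}-csi-provider` does not match the ServiceAccount the chart creates, which is named with `vault.fullname` (csi-serviceaccount.yaml) and is also the subject of the ClusterRoleBinding; for any release where `vault.fullname` and `vault.name` render differently (the helper is not on this page) the pods reference a service account that does not exist. Use `serviceAccountName: {{ template "vault.fullname" . }}-csi-provider`. The pod also mounts two hostPath volumes, `/etc/kubernetes/secrets-store-csi-providers` and `/var/lib/kubelet/pods` with `mountPropagation: HostToContainer`, with no `securityContext` and no `readOnly` on the kubelet mount; this appears inherent to how the provider plugs into the driver, but the node filesystem access should be stated in the `csi.enabled` comment in values.yaml so operators can account for it in pod admission policy. The `{{ template "csi.resources" . }}` line is split across two lines on this page; presumably it is a single line in the file.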
diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml
new file mode 100644
index 000000000..ee127481b
--- /dev/null
+++ b/templates/csi-serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{ template "csi.serviceAccount.annotations" . }}
+{{- end }}
diff --git a/test/acceptance/csi-test/nginx.yaml b/test/acceptance/csi-test/nginx.yaml
new file mode 100644
index 000000000..882202ac1
--- /dev/null
+++ b/test/acceptance/csi-test/nginx.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nginx
+---
+kind: Pod
+apiVersion: v1
+metadata:
+ name: nginx
+spec:
+ terminationGracePeriodSeconds: 0
+ containers:
+ - image: docker.mirror.hashicorp.services/nginx
+ name: nginx
+ volumeMounts:
+ - name: secrets-store-inline
+ mountPath: "/mnt/secrets-store"
+ readOnly: true
+ volumes:
+ - name: secrets-store-inline
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "vault-kv"
diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
new file mode 100644
index 000000000..9d89fa8e6
--- /dev/null
+++ b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
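Review bot: The nginx fixture creates a ServiceAccount `nginx` but the Pod in the same file never sets `serviceAccountName`, so nginx runs under the namespace's `default` account and the ServiceAccount is dead weight. Either add `serviceAccountName: nginx` under `spec:` or drop the ServiceAccount; as written a reader may assume this account is what the Vault role is bound to, whereas csi.bats binds `kv-role` to `vault-csi-provider`. A one-line comment above the Pod stating which identity the provider actually authenticates with would prevent that confusion.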
@@ -0,0 +1,15 @@
+# The "Hello World" Vault SecretProviderClass
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+ name: vault-kv
+spec:
+ provider: vault
+ parameters:
+ roleName: "kv-role"
+ vaultAddress: http://vault:8200
+ objects: |
+ array:
+ - |
+ objectName: "bar1"
+ objectPath: "v1/secret/kv1"
diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/vault-policy.hcl
new file mode 100644
index 000000000..0590d898e
--- /dev/null
+++ b/test/acceptance/csi-test/vault-policy.hcl
@@ -0,0 +1,7 @@
+path "sys/mounts" {
+ capabilities = ["read"]
+}
+
+path "secret/*" {
+ capabilities = ["read"]
+}
\ No newline at end of file
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
new file mode 100644
index 000000000..93149596c
--- /dev/null
+++ b/test/acceptance/csi.bats
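Review bot: `vaultAddress: http://vault:8200` carries the provider's Kubernetes-auth login and every secret read over plaintext; that is tolerable here only because csi.bats installs the server with `server.dev.enabled=true`, and nothing in this file says so. Add `# Plain HTTP is used only because this acceptance test runs Vault in dev mode.` above `vaultAddress` so the fixture is not copied unchanged into a real SecretProviderClass. The companion vault-policy.hcl on this line grants `read` on `secret/*`, wider than the single `secret/kv1` path the test reads; a comment noting the policy is deliberately broad for the fixture would be worth adding there as well.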
@@ -0,0 +1,59 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "csi: testing deployment" {
+ cd `chart_dir`
+
+ kubectl delete namespace acceptance --ignore-not-found=true
+ kubectl create namespace acceptance
+
+ # Install Secrets Store CSI driver
+ helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.19.tgz?raw=true \
+ --wait --timeout=5m \
+ --namespace=acceptance \
+ --set linux.image.pullPolicy="IfNotPresent" \
+ --set grpcSupportedProviders="azure;gcp;vault"
+ # Install Vault and Vault provider
+ helm install vault \
+ --wait --timeout=5m \
+ --namespace=acceptance \
+ --set="server.dev.enabled=true" \
+ --set="csi.enabled=true" \
+ --set="injector.enabled=false" .
+ kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
+ kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider
+
+ # Set up k8s auth and a kv secret. 
+ cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy -
+ kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes
+ kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
+ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
+ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+ kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
+ bound_service_account_names=vault-csi-provider \
+ bound_service_account_namespaces=acceptance \
+ policies=kv-policy \
+ ttl=20m
+ kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1
+
+ kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
+ kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
+ kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
+
+ result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar1)
+ [[ "$result" == "hello1" ]]
+}
+
+# Clean up
+teardown() {
+ if [[ ${CLEANUP:-true} == "true" ]]
+ then
+ echo "helm/pvc teardown"
+ helm --namespace=acceptance delete vault
+ helm --namespace=acceptance delete secrets-store-csi-driver
+ kubectl delete --all pvc
+ kubectl delete namespace acceptance
+ fi
+}
diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats
new file mode 100644
index 000000000..0fa626e0f
--- /dev/null
+++ b/test/unit/csi-clusterrole.bats
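Review bot: In `teardown`, `kubectl delete --all pvc` is the one kubectl call in this file without `--namespace=acceptance`, so it deletes every PVC in whatever namespace the current kubeconfig context defaults to rather than in the test namespace; write it as `kubectl --namespace=acceptance delete --all pvc`. The driver chart is installed from `.../blob/master/charts/secrets-store-csi-driver-0.0.19.tgz?raw=true`; the filename names a version but the ref is `master`, so the artifact can change or vanish underneath the test, and pinning the URL to a tag or commit would keep the acceptance run reproducible. The Kubernetes auth role is bound to `vault-csi-provider` in namespace `acceptance`, which only lines up with the chart's service account because the release is named `vault` here; a comment to that effect next to `bound_service_account_names` would save the next person a debugging session.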
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "csi/ClusterRole: disabled by default" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/csi-clusterrole.yaml \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "csi/ClusterRole: enabled with csi.enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-clusterrole.yaml \
+ --set 'csi.enabled=true' \
+ . | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats
new file mode 100644
index 000000000..ba37fb4c7
--- /dev/null
+++ b/test/unit/csi-clusterrolebinding.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "csi/ClusterRoleBinding: disabled by default" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/csi-clusterrolebinding.yaml \
+ . || echo "---")| tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "csi/ClusterRoleBinding: enabled with csi.enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-clusterrolebinding.yaml \
+ --set 'csi.enabled=true' \
+ . | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats
new file mode 100644
index 000000000..79f748c9f
--- /dev/null
+++ b/test/unit/csi-daemonset.bats
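Review bot: Both new RBAC test files only assert `length > 0`, so they cannot catch the naming mismatch between csi-clusterrole.yaml (`vault.name`) and the roleRef in csi-clusterrolebinding.yaml (`vault.fullname`); if `vault.fullname` incorporates the release name (its definition is not on this page), the two would already differ under `helm template`'s default release name. A test that renders both templates and compares the ClusterRole's `.metadata.name` with the binding's `.roleRef.name` pins that contract, and the same shape can check the binding's subject against the ServiceAccount's `.metadata.name`. The second file's `|| echo "---")| tee` also lacks the space the first file has; harmless, but worth aligning.

```bash
@test "csi/ClusterRoleBinding: roleRef matches the rendered ClusterRole name" {
  cd `chart_dir`
  local role=$(helm template \
      --show-only templates/csi-clusterrole.yaml \
      --set 'csi.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.metadata.name' | tee /dev/stderr)
  local ref=$(helm template \
      --show-only templates/csi-clusterrolebinding.yaml \
      --set 'csi.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.roleRef.name' | tee /dev/stderr)
  [ "${ref}" = "${role}" ]
}
```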
@@ -0,0 +1,380 @@ +#!/usr/bin/env bats + +load _helpers + +#-------------------------------------------------------------------- +# Daemonset + +# Enabled +@test "csi/daemonset: created only when enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-daemonset.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$( (helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "global.enabled=false" \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +# Image +@test "csi/daemonset: image is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.image.repository=SomeOtherImage" \ + --set "csi.image.tag=0.0.1" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "SomeOtherImage:0.0.1" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.image.pullPolicy=SomePullPolicy" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "SomePullPolicy" ] +} + +# Debug arg +@test "csi/daemonset: debug arg is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[1]' | tee /dev/stderr) + [ "${actual}" = "--debug=false" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.debug=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[1]' | tee /dev/stderr) + [ "${actual}" = "--debug=true" ] +} + +# updateStrategy +@test "csi/daemonset: updateStrategy is configurable" { + cd `chart_dir` + # Default + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.updateStrategy.type' | tee /dev/stderr) + [ "${actual}" = "RollingUpdate" ] + + # OnDelete + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.daemonSet.updateStrategy.type=OnDelete" \ + . | tee /dev/stderr | + yq -r '.spec.updateStrategy.type' | tee /dev/stderr) + [ "${actual}" = "OnDelete" ] + + # Max unavailable + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.daemonSet.updateStrategy.maxUnavailable=25%" \ + . | tee /dev/stderr | + yq -r '.spec.updateStrategy.rollingUpdate.maxUnavailable' | tee /dev/stderr) + [ "${actual}" = "25%" ] +} + +#-------------------------------------------------------------------- +# Extra annotations +@test "csi/daemonset: default csi.daemonSet.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: specify csi.daemonSet.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.annotations.foo=bar' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.daemonSet.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.annotations=foo: bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: default csi.pod.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: specify csi.pod.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.annotations.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.pod.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.annotations=foo: bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +#-------------------------------------------------------------------- +# extraVolumes + +@test "csi/daemonset: csi.extraVolumes adds extra volume" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.extraVolumes[0].type=configMap' \ + --set 'csi.extraVolumes[0].name=foo' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.configMap.name' | tee /dev/stderr) + [ "${actual}" = "foo" ] + + local actual=$(echo $object | + yq -r '.configMap.secretName' | tee /dev/stderr) + [ "${actual}" = "null" ] + + # Test that it mounts it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.extraVolumes[0].type=configMap' \ + --set 'csi.extraVolumes[0].name=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.readOnly' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/vault/userconfig/foo" ] +} + +@test "csi/daemonset: csi.extraVolumes adds extra secret volume" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.extraVolumes[0].type=secret' \ + --set 'csi.extraVolumes[0].name=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.secret.name' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(echo $object | + yq -r '.secret.secretName' | tee /dev/stderr) + [ "${actual}" = "foo" ] + + # Test that it mounts it + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.extraVolumes[0].type=configMap' \ + --set 'csi.extraVolumes[0].name=foo' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.readOnly' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/vault/userconfig/foo" ] +} + +#-------------------------------------------------------------------- +# Readiness/liveness probes + +@test "csi/daemonset: csi.livenessProbe and csi.readinessProbe default to disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: csi.livenessProbe is configurable" { + cd `chart_dir` + + # Test the defaults + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.livenessProbe.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "3" ] + + # Test it is configurable + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.livenessProbe.enabled=true' \ + --set 'csi.livenessProbe.failureThreshold=10' \ + --set 'csi.livenessProbe.initialDelaySeconds=11' \ + --set 'csi.livenessProbe.periodSeconds=12' \ + --set 'csi.livenessProbe.successThreshold=13' \ + --set 'csi.livenessProbe.timeoutSeconds=14' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "10" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "11" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "12" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "13" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "14" ] +} + +@test "csi/daemonset: csi.readinessProbe is configurable" { + cd `chart_dir` + + # Test the defaults + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.readinessProbe.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "3" ] + + # Test it is configurable + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.readinessProbe.enabled=true' \ + --set 'csi.readinessProbe.failureThreshold=10' \ + --set 'csi.readinessProbe.initialDelaySeconds=11' \ + --set 'csi.readinessProbe.periodSeconds=12' \ + --set 'csi.readinessProbe.successThreshold=13' \ + --set 'csi.readinessProbe.timeoutSeconds=14' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "10" ] + local actual=$(echo $object | + yq -r '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "11" ] + local actual=$(echo $object | + yq -r '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "12" ] + local actual=$(echo $object | + yq -r '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "13" ] + local actual=$(echo $object | + yq -r '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "14" ] +} diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats new file mode 100644 index 000000000..63ead313a --- /dev/null +++ b/test/unit/csi-serviceaccount.bats 
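Review bot: In the `csi.extraVolumes adds extra secret volume` test, the second render (`# Test that it mounts it`) sets `csi.extraVolumes[0].type=configMap` again instead of `secret`, so the mount assertions are a copy of the configMap test and never exercise the secret branch; change that line to `--set 'csi.extraVolumes[0].type=secret' \`. Neither probe test reads `.httpGet.path` or `.httpGet.port`, only the numeric fields, so a change to the endpoint in csi-daemonset.yaml would go unnoticed; an extra `yq -r '.httpGet.path'` assertion on each `$object` would close that gap. This hunk begins several lines earlier on the page.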
@@ -0,0 +1,48 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/ServiceAccount: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-serviceaccount.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/ServiceAccount: enable with csi.enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/serviceAccount: specify annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.serviceAccount.annotations=foo: bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + --set 'server.serviceAccount.annotations.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 49836b73c..c661192ec 100644 --- a/values.yaml +++ b/values.yaml 
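Review bot: The `csi/serviceAccount: specify annotations` test renders `templates/server-serviceaccount.yaml` and sets `server.serviceAccount.annotations.foo=bar`, so the new `csi.serviceAccount.annotations` value and its helper are never exercised; the middle assertion, which expects `null` after setting `csi.serviceAccount.annotations=foo: bar`, only passes because the wrong template is rendered. All three `--show-only` arguments should point at `templates/csi-serviceaccount.yaml`, the middle block should expect `bar`, and the `server.serviceAccount.annotations` case belongs in the server tests rather than here. The rewritten middle block is below; the surrounding default-case block needs only the `--show-only` path changed.

```bash
  # … unchanged: default case, rendering templates/csi-serviceaccount.yaml …
  local actual=$(helm template \
      --show-only templates/csi-serviceaccount.yaml \
      --set 'csi.enabled=true' \
      --set 'csi.serviceAccount.annotations=foo: bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
  # … dropped: the server.serviceAccount.annotations case …
```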
@@ -638,3 +638,80 @@ ui: # This can either be YAML or a YAML-formatted multi-line templated string map # of the annotations to apply to the ui service annotations: {} + +# secrets-store-csi-driver-provider-vault +csi: + # True if you want to install a secrets-store-csi-driver-provider-vault daemonset. + # + # Requires installing the secrets-store-csi-driver separately, see: + # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver + # + # With the driver and provider installed, you can mount Vault secrets into volumes + # similar to the Vault Agent injector, and you can also sync those secrets into + # Kubernetes secrets. + enabled: false + + image: + repository: "hashicorp/secrets-store-csi-driver-provider-vault" + tag: "0.0.7" + pullPolicy: IfNotPresent + + # extraVolumes is a list of extra volumes to mount. These will be exposed + # to Vault in the path `/vault/userconfig//`. The value below is + # an array of objects, examples are shown below. + extraVolumes: [] + # - type: secret (or "configMap") + # name: my-secret + # path: null # default is `/vault/userconfig` + + resources: {} + # resources: + # requests: + # cpu: 50m + # memory: 128Mi + # limits: + # cpu: 50m + # memory: 128Mi + + # Settings for the daemonSet used to run the provider. + daemonSet: + updateStrategy: + type: RollingUpdate + maxUnavailable: "" + # Extra annotations for the daemonSet. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the daemonSet. + annotations: {} + pod: + # Extra annotations for the provider pods. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the pod. + annotations: {} + + serviceAccount: + # Extra annotations for the serviceAccount definition. This can either be + # YAML or a YAML-formatted multi-line templated string map of the + # annotations to apply to the serviceAccount. 
+ annotations: {} + + # Used to configure readinessProbe for the pods. + readinessProbe: + # Vault CSI provider does not support a readiness probe in versions <= 0.7.0 + enabled: false + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + # Used to configure livenessProbe for the pods. + livenessProbe: + # Vault CSI provider does not support a liveness probe in versions <= 0.7.0 + enabled: false + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + + # Enables debug logging. + debug: false \ No newline at end of file From 3e36bb70d558fa96bc74b8490ad2e8191a99fd60 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 24 Mar 2021 06:20:06 -0700 Subject: [PATCH 04/70] updating acceptance tests to k8s 1.17 on gke (#473) --- test/terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/terraform/main.tf b/test/terraform/main.tf index 1c3f035c1..3556c6fd8 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -8,7 +8,7 @@ resource "random_id" "suffix" { data "google_container_engine_versions" "main" { location = "${var.zone}" - version_prefix = "1.15." + version_prefix = "1.17." } data "google_service_account" "gcpapi" { From 2ddac08c51ce4636909ffa886d135d9a43cc0fba Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 24 Mar 2021 14:03:21 +0000 Subject: [PATCH 05/70] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7206d1c7e..4d6e6a7cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Features: +* Add support for Vault CSI provider [GH-461](https://github.com/hashicorp/vault-helm/pull/461) + Improvements: * `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456) From 102f9e49e2a9e0db6f64fe88427082ef3c3de404 Mon Sep 17 00:00:00 2001 
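Review bot: The probe comments say the provider "does not support a readiness probe in versions <= 0.7.0" while the image pinned a few lines above is tag `0.0.7`; one of the two version strings is wrong and a reader cannot tell which release actually gains probe support. Separately, the `csi.enabled` comment should say what enabling it deploys: the DaemonSet template (`templates/csi-daemonset.yaml`, visible later in this series) mounts `hostPath` volumes including `/var/lib/kubelet/pods` into the provider container, which is a node-level privilege. Suggested addition under `enabled`: `# NOTE: the provider runs as a DaemonSet with hostPath mounts of the kubelet pod directory; only enable it where that level of node access is acceptable.`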
From: Tom Proctor Date: Thu, 25 Mar 2021 13:02:36 +0000 Subject: [PATCH 06/70] Target vault-csi-provider release 0.1.0 (#475) --- templates/csi-daemonset.yaml | 4 ---- test/acceptance/csi-test/nginx.yaml | 1 + .../vault-kv-secretproviderclass.yaml | 7 +++---- test/acceptance/csi-test/vault-policy.hcl | 6 +----- test/acceptance/csi.bats | 12 +++++------ test/unit/csi-daemonset.bats | 21 ------------------- values.yaml | 8 ++----- 7 files changed, 13 insertions(+), 46 deletions(-) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index b7a762213..4a1c17d2c 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -47,7 +47,6 @@ spec: mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} readOnly: true {{- end }} - {{- if .Values.csi.livenessProbe.enabled }} livenessProbe: httpGet: path: /health/ready @@ -57,8 +56,6 @@ spec: periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} - {{- end }} - {{- if .Values.csi.readinessProbe.enabled }} readinessProbe: httpGet: path: /health/ready @@ -68,7 +65,6 @@ spec: periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} - {{- end }} volumes: - name: providervol hostPath: diff --git a/test/acceptance/csi-test/nginx.yaml b/test/acceptance/csi-test/nginx.yaml index 882202ac1..fed1137f7 100644 --- a/test/acceptance/csi-test/nginx.yaml +++ b/test/acceptance/csi-test/nginx.yaml @@ -10,6 +10,7 @@ metadata: name: nginx spec: terminationGracePeriodSeconds: 0 + serviceAccountName: nginx containers: - image: docker.mirror.hashicorp.services/nginx name: nginx 
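Review bot: Both probes now point at `path: /health/ready`, and with the `enabled` gates removed there is no longer any way to switch the liveness probe off. If that endpoint reports readiness to serve (for example, dependent on reaching Vault) rather than process liveness, a transient upstream outage will get the provider restarted by the kubelet on every node instead of merely marked unready; please confirm the provider exposes a separate liveness endpoint, or add a template comment above `livenessProbe:` stating that `/health/ready` is the only health endpoint and is shared deliberately. The `nginx.yaml` change in the same commit (`serviceAccountName: nginx`) is consistent with the role rebinding in `csi.bats` and needs no change.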
diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml index 9d89fa8e6..e793bde64 100644 --- a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml @@ -9,7 +9,6 @@ spec: roleName: "kv-role" vaultAddress: http://vault:8200 objects: | - array: - - | - objectName: "bar1" - objectPath: "v1/secret/kv1" + - objectName: "bar" + secretPath: "secret/data/kv1" + secretKey: "bar1" diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/vault-policy.hcl index 0590d898e..48b670ea7 100644 --- a/test/acceptance/csi-test/vault-policy.hcl +++ b/test/acceptance/csi-test/vault-policy.hcl @@ -1,7 +1,3 @@ -path "sys/mounts" { - capabilities = ["read"] -} - -path "secret/*" { +path "secret/data/kv1" { capabilities = ["read"] } \ No newline at end of file diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index 93149596c..67be09d6d 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -9,11 +9,10 @@ load _helpers kubectl create namespace acceptance # Install Secrets Store CSI driver - helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.19.tgz?raw=true \ + helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.20.tgz?raw=true \ --wait --timeout=5m \ --namespace=acceptance \ - --set linux.image.pullPolicy="IfNotPresent" \ - --set grpcSupportedProviders="azure;gcp;vault" + --set linux.image.pullPolicy="IfNotPresent" # Install Vault and Vault provider helm install vault \ --wait --timeout=5m \ 
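Review bot: The `helm install secrets-store-csi-driver` line fetches the chart tarball from a `master`-branch blob URL with `?raw=true`; the version lives only in the file name, so the bytes behind it can change without the test noticing and nothing checks integrity. Prefer installing from the project's chart repository with an explicit `--version 0.0.20`, or pin the URL to a commit SHA instead of `master`, so the acceptance run is reproducible and the dependency is immutable. The narrowing of `vault-policy.hcl` from `secret/*` plus `sys/mounts` to `secret/data/kv1` in the same commit is a good least-privilege change and needs nothing further.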
@@ -30,9 +29,10 @@ load _helpers kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' + kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + disable_iss_validation=true' kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ - bound_service_account_names=vault-csi-provider \ + bound_service_account_names=nginx \ bound_service_account_namespaces=acceptance \ policies=kv-policy \ ttl=20m @@ -42,7 +42,7 @@ load _helpers kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx - result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar1) + result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) [[ "$result" == "hello1" ]] } diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 79f748c9f..dec29c940 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
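Review bot: `disable_iss_validation=true` added to the `auth/kubernetes/config` write turns off issuer checking of service-account JWTs, which is a deliberate weakening of the auth method; it is tolerable for a throwaway acceptance cluster, but the line should say so, because test scripts tend to be copied as setup recipes. Add a comment above the write such as `# Issuer validation is disabled only for this disposable test cluster; do not copy into a real config.` and, if known, why this cluster's token issuer does not match. The change to `bound_service_account_names=nginx` binds the Vault role to the consuming pod's service account rather than the provider's, which matches the nginx pod now declaring `serviceAccountName: nginx`.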
@@ -248,23 +248,6 @@ load _helpers #-------------------------------------------------------------------- # Readiness/liveness probes -@test "csi/daemonset: csi.livenessProbe and csi.readinessProbe default to disabled" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) - [ "${actual}" = "null" ] - - local actual=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - @test "csi/daemonset: csi.livenessProbe is configurable" { cd `chart_dir` @@ -272,7 +255,6 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.livenessProbe.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) @@ -296,7 +278,6 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.livenessProbe.enabled=true' \ --set 'csi.livenessProbe.failureThreshold=10' \ --set 'csi.livenessProbe.initialDelaySeconds=11' \ --set 'csi.livenessProbe.periodSeconds=12' \ @@ -329,7 +310,6 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.readinessProbe.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) @@ -353,7 +333,6 @@ load _helpers local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.readinessProbe.enabled=true' \ --set 'csi.readinessProbe.failureThreshold=10' \ --set 'csi.readinessProbe.initialDelaySeconds=11' \ --set 'csi.readinessProbe.periodSeconds=12' \ 
diff --git a/values.yaml b/values.yaml index c661192ec..c64d3af7e 100644 --- a/values.yaml +++ b/values.yaml @@ -652,8 +652,8 @@ csi: enabled: false image: - repository: "hashicorp/secrets-store-csi-driver-provider-vault" - tag: "0.0.7" + repository: "hashicorp/vault-csi-provider" + tag: "0.1.0" pullPolicy: IfNotPresent # extraVolumes is a list of extra volumes to mount. These will be exposed @@ -696,8 +696,6 @@ csi: # Used to configure readinessProbe for the pods. readinessProbe: - # Vault CSI provider does not support a readiness probe in versions <= 0.7.0 - enabled: false failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 5 @@ -705,8 +703,6 @@ csi: timeoutSeconds: 3 # Used to configure livenessProbe for the pods. livenessProbe: - # Vault CSI provider does not support a liveness probe in versions <= 0.7.0 - enabled: false failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 5 From f75b19f068a39f428024e8ce7f9c5983ad7d1082 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 25 Mar 2021 10:19:31 -0400 Subject: [PATCH 07/70] Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog --- CHANGELOG.md | 4 ++-- Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 2 +- test/acceptance/server-ha-enterprise-perf.bats | 2 +- values.yaml | 18 ++++++++++++++---- 5 files changed, 20 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d6e6a7cf..4e9008658 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ -## Unreleased +## 0.10.0 (March 25th, 2021) Features: -* Add support for Vault CSI provider [GH-461](https://github.com/hashicorp/vault-helm/pull/461) +* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461) Improvements: * `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456) 
diff --git a/Chart.yaml b/Chart.yaml index 3456fa48f..04370699d 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.9.1 -appVersion: 1.6.2 +version: 0.10.0 +appVersion: 1.7.0 description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 3698f08c4..5b04d2c01 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.0_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 5fcfbcef2..5c9b0c547 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-east-0" diff --git a/values.yaml b/values.yaml index c64d3af7e..fe4f6d1f6 100644 --- a/values.yaml +++ b/values.yaml @@ -49,7 +49,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.8.0" + tag: "0.9.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent 
@@ -57,7 +57,7 @@ injector: # required. agentImage: repository: "vault" - tag: "1.6.2" + tag: "1.7.0" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" @@ -180,7 +180,7 @@ server: image: repository: "vault" - tag: "1.6.2" + tag: "1.7.0" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -696,18 +696,28 @@ csi: # Used to configure readinessProbe for the pods. readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 + # Number of seconds after the container has started before probe initiates initialDelaySeconds: 5 + # How often (in seconds) to perform the probe periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed successThreshold: 1 + # Number of seconds after which the probe times out. timeoutSeconds: 3 # Used to configure livenessProbe for the pods. livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 + # Number of seconds after the container has started before probe initiates initialDelaySeconds: 5 + # How often (in seconds) to perform the probe periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed successThreshold: 1 + # Number of seconds after which the probe times out. timeoutSeconds: 3 # Enables debug logging. - debug: false \ No newline at end of file + debug: false From 7fd6959cdc0b4da3ec09be4f52fd90f985ba6e51 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 25 Mar 2021 10:21:21 -0400 Subject: [PATCH 08/70] Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example --- templates/csi-daemonset.yaml | 19 +++------- test/unit/csi-daemonset.bats | 68 +++++++++--------------------------- values.yaml | 23 ++++++++---- 3 files changed, 38 insertions(+), 72 deletions(-) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 4a1c17d2c..10a0d6340 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -42,10 +42,8 @@ spec: - name: mountpoint-dir mountPath: /var/lib/kubelet/pods mountPropagation: HostToContainer - {{- range .Values.csi.extraVolumes }} - - name: userconfig-{{ .name }} - mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} - readOnly: true + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12}} {{- end }} livenessProbe: httpGet: @@ -72,14 +70,7 @@ spec: - name: mountpoint-dir hostPath: path: /var/lib/kubelet/pods - {{- range .Values.csi.extraVolumes }} - - name: userconfig-{{ .name }} - {{ .type }}: - {{- if (eq .type "configMap") }} - name: {{ .name }} - {{- else if (eq .type "secret") }} - secretName: {{ .name }} - {{- end }} - defaultMode: {{ .defaultMode | default 420 }} - {{- end }} + {{- if .Values.csi.volumes }} + {{- toYaml .Values.csi.volumes | nindent 8}} + {{- end }} {{- end }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index dec29c940..31540fbfa 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
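Review bot: The new `toYaml .Values.csi.volumes` / `.Values.csi.volumeMounts` passthrough drops two defaults the removed `extraVolumes` code enforced — `readOnly: true` on every mount and `defaultMode: 420` on every secret/configMap volume — and renders whatever the user supplies, including `hostPath`, into a DaemonSet that runs on every node. That is a reasonable trade for flexibility, but it should be visible at the point of use; a template comment such as `{{- /* Rendered verbatim: readOnly and defaultMode are the caller's responsibility */ -}}` above each `{{- if .Values.csi.volumes }}` / `{{- if .Values.csi.volumeMounts }}` block would make it explicit. The enclosing `volumes:` list and container spec continue outside the hunk.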
@@ -167,82 +167,48 @@ load _helpers } #-------------------------------------------------------------------- -# extraVolumes +# volumes -@test "csi/daemonset: csi.extraVolumes adds extra volume" { +@test "csi/daemonset: csi.volumes adds volume" { cd `chart_dir` # Test that it defines it local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.extraVolumes[0].type=configMap' \ - --set 'csi.extraVolumes[0].name=foo' \ + --set 'csi.volumes[0].name=plugins' \ + --set 'csi.volumes[0].emptyDir=\{\}' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + yq -r '.spec.template.spec.volumes[] | select(.name == "plugins")' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.configMap.name' | tee /dev/stderr) - [ "${actual}" = "foo" ] - - local actual=$(echo $object | - yq -r '.configMap.secretName' | tee /dev/stderr) - [ "${actual}" = "null" ] - - # Test that it mounts it - local object=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - --set 'csi.extraVolumes[0].type=configMap' \ - --set 'csi.extraVolumes[0].name=foo' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.readOnly' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + yq -r '.emptyDir' | tee /dev/stderr) + [ "${actual}" = "{}" ] } -@test "csi/daemonset: csi.extraVolumes adds extra secret volume" { +#-------------------------------------------------------------------- +# volumeMounts + +@test "csi/daemonset: csi.volumeMounts adds volume mounts" { cd `chart_dir` # Test that it defines it local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ --set 'csi.enabled=true' \ - --set 'csi.extraVolumes[0].type=secret' \ - --set 'csi.extraVolumes[0].name=foo' \ + --set 'csi.volumeMounts[0].name=plugins' \ + --set 'csi.volumeMounts[0].mountPath=/usr/local/libexec/vault' \ + --set 'csi.volumeMounts[0].readOnly=true' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "plugins")' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.secret.name' | tee /dev/stderr) - [ "${actual}" = "null" ] - - local actual=$(echo $object | - yq -r '.secret.secretName' | tee /dev/stderr) - [ "${actual}" = "foo" ] - - # Test that it mounts it - local object=$(helm template \ - --show-only templates/csi-daemonset.yaml \ - --set 'csi.enabled=true' \ - --set 'csi.extraVolumes[0].type=configMap' \ - --set 'csi.extraVolumes[0].name=foo' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr) + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/usr/local/libexec/vault" ] local actual=$(echo $object | yq -r '.readOnly' | tee /dev/stderr) [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] } #-------------------------------------------------------------------- diff --git a/values.yaml b/values.yaml index fe4f6d1f6..80c78051a 100644 --- a/values.yaml +++ b/values.yaml @@ -320,6 +320,7 @@ server: # secretName: vault # secretKey: AWS_SECRET_ACCESS_KEY + # Deprecated: please use 'volumes' instead. # extraVolumes is a list of extra volumes to mount. These will be exposed # to Vault in the path `/vault/userconfig//`. The value below is # an array of objects, examples are shown below. @@ -656,13 +657,21 @@ csi: tag: "0.1.0" pullPolicy: IfNotPresent - # extraVolumes is a list of extra volumes to mount. These will be exposed - # to Vault in the path `/vault/userconfig//`. The value below is - # an array of objects, examples are shown below. - extraVolumes: [] - # - type: secret (or "configMap") - # name: my-secret - # path: null # default is `/vault/userconfig` + # volumes is a list of volumes made available to all containers. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumes: null + # - name: tls + # secret: + # secretName: vault-tls + + # volumeMounts is a list of volumeMounts for the main server container. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumeMounts: null + # - name: tls + # mountPath: "/vault/tls" + # readOnly: true resources: {} # resources: 
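Review bot: The new `csi.volumeMounts` comment says the mounts are "for the main server container", which is copied from the server section; in this chart they are mounted into the CSI provider container (see `templates/csi-daemonset.yaml`). Suggested wording: `# volumeMounts is a list of volumeMounts for the vault-csi-provider container.` and, for symmetry, `# volumes is a list of volumes made available to the vault-csi-provider pod.`; the clause "rather than pre-processed like the extraVolumes value" can go, since `csi.extraVolumes` is removed in this same commit. Consider also adding `# Rendered verbatim with toYaml: set readOnly: true on secret mounts yourself.` so the dropped read-only default is documented where users will look for it.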
From 703ba50d4776c7d7fbce673544cd6b1a573768be Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 25 Mar 2021 10:56:59 -0400 Subject: [PATCH 09/70] changelog++ --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e9008658..3dde192e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,5 @@ +## Unreleased + ## 0.10.0 (March 25th, 2021) Features: From a6856646aa48f661ca323cc7ceecd11ce7a5475f Mon Sep 17 00:00:00 2001 From: Paul Date: Tue, 30 Mar 2021 03:12:09 +0200 Subject: [PATCH 10/70] Remove extra word in readme (#482) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 29db84819..25cc872be 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ use Vault with Kubernetes, please see the ## Prerequisites To use the charts here, [Helm](https://helm.sh/) must be configured for your -Kubernetes cluster. Setting up Kubernetes and Helm and is outside the scope of +Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of this README. Please refer to the Kubernetes and Helm documentation. The versions required are: From 7a71c0fec489759ad7293869e816ae6ca34c403a Mon Sep 17 00:00:00 2001 
From: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Date: Tue, 6 Apr 2021 16:56:11 +0300 Subject: [PATCH 11/70] fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests --- templates/_helpers.tpl | 2 ++ templates/csi-clusterrole.yaml | 2 +- templates/csi-daemonset.yaml | 2 +- test/unit/csi-clusterrole.bats | 11 +++++++++ test/unit/csi-clusterrolebinding.bats | 22 +++++++++++++++++ test/unit/csi-daemonset.bats | 11 +++++++++ test/unit/csi-serviceaccount.bats | 11 +++++++++ test/unit/server-statefulset.bats | 35 +++++++++++++++++++++++++++ values.yaml | 3 +++ 9 files changed, 97 insertions(+), 2 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index bee8f81d2..ca57fa167 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -53,6 +53,8 @@ template logic. {{- define "vault.mode" -}} {{- if .Values.injector.externalVaultAddr -}} {{- $_ := set . "mode" "external" -}} + {{- else if ne (.Values.server.enabled | toString) "true" -}} + {{- $_ := set . "mode" "external" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- $_ := set . "mode" "dev" -}} {{- else if eq (.Values.server.ha.enabled | toString) "true" -}} diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml index 35625a493..a19e520f5 100644 --- a/templates/csi-clusterrole.yaml +++ b/templates/csi-clusterrole.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "vault.name" . }}-csi-provider-clusterrole + name: {{ template "vault.fullname" . }}-csi-provider-clusterrole labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 10a0d6340..5f80ed174 100644 
--- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -27,7 +27,7 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} {{ template "csi.pod.annotations" . }} spec: - serviceAccountName: {{ include "vault.name" . }}-csi-provider + serviceAccountName: {{ template "vault.fullname" . }}-csi-provider containers: - name: {{ include "vault.name" . }}-csi-provider {{ template "csi.resources" . }} diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats index 0fa626e0f..68ea7ce78 100644 --- a/test/unit/csi-clusterrole.bats +++ b/test/unit/csi-clusterrole.bats @@ -20,3 +20,14 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +# ClusterRole name +@test "csi/ClusterRole: name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrole.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] +} \ No newline at end of file diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index ba37fb4c7..cff3a3699 100644 --- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats 
@@ -20,3 +20,25 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +# ClusterRoleBinding cluster role ref name +@test "csi/ClusterRoleBinding: cluster role ref name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.roleRef.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] +} + +# ClusterRoleBinding service account name +@test "csi/ClusterRoleBinding: service account name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.subjects[0].name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] +} \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 31540fbfa..127ac54e9 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -30,6 +30,17 @@ load _helpers [ "${actual}" = "false" ] } +# serviceAccountName reference name +@test "csi/daemonset: serviceAccountName reference name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] +} + # Image @test "csi/daemonset: image is configurable" { cd `chart_dir` diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 63ead313a..22ba06df2 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats 
@@ -21,6 +21,17 @@ load _helpers [ "${actual}" = "true" ] } +# serviceAccountName reference name +@test "csi/daemonset: serviceAccountName name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] +} + @test "csi/serviceAccount: specify annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 7a0533cd9..b34636262 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -2,6 +2,41 @@ load _helpers +#-------------------------------------------------------------------- +# disable / enable server deployment + +@test "server/StatefulSet: disabled server.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/StatefulSet: disabled server.enabled random string" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.enabled=blabla' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/StatefulSet: enabled server.enabled explicit true" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- + @test "server/standalone-StatefulSet: default server.standalone.enabled" { cd `chart_dir` local actual=$(helm template \ 
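Review bot: The new test in `csi-serviceaccount.bats` is named `csi/daemonset: serviceAccountName name` although it renders `templates/csi-serviceaccount.yaml` and checks `.metadata.name`; rename it to `@test "csi/ServiceAccount: name" {` so a failure is attributed to the right template. While here, the existing `csi/serviceAccount: specify annotations` test in this file (context just below the hunk) still renders `templates/server-serviceaccount.yaml`, so this file does not yet cover the CSI service account's annotations either.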
diff --git a/values.yaml b/values.yaml index 80c78051a..4f84d928e 100644 --- a/values.yaml +++ b/values.yaml @@ -174,6 +174,9 @@ injector: annotations: {} server: + # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details + enabled: true + # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. # By default no direct resource request is made. From b24457323b6c98df4a885a93faba14974b4de2a1 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 7 Apr 2021 14:24:00 +0100 Subject: [PATCH 12/70] changelog++ --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3dde192e9..7b5a66845 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ ## Unreleased +Features: +* Set `server.enabled=false` to skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) + +Bugs: +* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) + ## 0.10.0 (March 25th, 2021) Features: From a2a07b2a02d1e1abddf314af5f08e106f7876092 Mon Sep 17 00:00:00 2001 From: Paul Witt Date: Thu, 8 Apr 2021 10:03:56 -0400 Subject: [PATCH 13/70] add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests --- templates/injector-deployment.yaml | 1 + test/unit/injector-deployment.bats | 22 ++++++++++++++++++++++ values.yaml | 4 ++++ 3 files changed, 27 insertions(+) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index f5d8fc2ef..594575f24 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
@@ -36,6 +36,7 @@ spec:
{{- end }}
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
{{- if not .Values.global.openshift }}
+ hostNetwork: {{ .Values.injector.hostNetwork }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }}
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index a1174808b..133e27993 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -543,3 +543,25 @@ load _helpers
yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
+
+#--------------------------------------------------------------------
+# hostNetwork
+
+@test "injector/deployment: injector.hostNetwork not set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "injector/deployment: injector.hostNetwork is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set 'injector.hostNetwork=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/values.yaml b/values.yaml
index 4f84d928e..277630afc 100644
--- a/values.yaml
+++ b/values.yaml
@@ -168,6 +168,10 @@ injector:
# This should be a YAML map of the labels to apply to the injector
extraLabels: {}
+ # Should the injector pods run on the host network (useful when using
+ # an alternate CNI in EKS)
+ hostNetwork: false
+
# Injector service specific config
service:
# Extra annotations to attach to the injector service
From 6e46bcf529290f4cc57517a1d26fb38e5926a24e Mon Sep 17 00:00:00 2001
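Review bot: `hostNetwork: {{ .Values.injector.hostNetwork }}` is emitted inside the `{{- if not .Values.global.openshift }}` guard that exists for `securityContext`, so on OpenShift the new value is silently ignored while the values.yaml comment in the same commit promises it takes effect; move the line above the guard (it is unrelated to the securityContext block). Because `hostNetwork: true` places the injector in the node's network namespace and its listener (`:8080` in this version) then binds on the node's interfaces, the option is disallowed by the baseline Pod Security Standard and most PodSecurityPolicy profiles, which the values.yaml hunk should say; a comment such as `# Runs the injector in the node's network namespace (its listen port is then open on the node); rejected by the baseline Pod Security Standard, so keep false unless the CNI requires it` would do. The existing tests only check that the value round-trips, so a test with `global.openshift=true` would have caught the guard placement.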
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 10:05:47 -0400 Subject: [PATCH 14/70] changelog++ --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b5a66845..4cd11a5eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,8 @@ ## Unreleased Features: -* Set `server.enabled=false` to skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) +* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) +* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) Bugs: * CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) From bfbeba256af05d21afd266f3ef9d24cd0a2daa22 Mon Sep 17 00:00:00 2001 From: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Date: Fri, 9 Apr 2021 00:09:19 +1000 Subject: [PATCH 15/70] feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 --- templates/server-ingress.yaml | 4 ++++ test/unit/server-ingress.bats | 37 +++++++++++++++++++++++++++++++++++ values.yaml | 7 ++++++- 3 files changed, 47 insertions(+), 1 deletion(-) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 7c19f5fea..5faac60f4 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -2,6 +2,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .Values.server.ingress.enabled -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} {{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} 
@@ -41,6 +42,9 @@ spec: - host: {{ .host | quote }} http: paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} {{- range (.paths | default (list "/")) }} - path: {{ . }} backend: diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 5af493847..bf191c3a2 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats 
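Review bot: The `{{ if $extraPaths }}` line has no left-trim (`{{-`) unlike the `{{- end }}` and `{{- range ... }}` around it, so an empty line is emitted into the rendered `paths:` list whenever `extraPaths` is set; `{{- if $extraPaths }}` keeps the output consistent with the rest of the template. The surrounding `- host: {{ .host | quote }}` / `.paths` context suggests this block sits inside the per-host loop, meaning the same `extraPaths` entries are rendered verbatim into every host rule with no validation; the values.yaml comment added later in this series says only "prepend to the host configuration", and should state that the entries are applied to every host and passed through untouched. The enclosing rule loop starts and ends outside the hunk.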
@@ -57,6 +57,43 @@ load _helpers } +@test "server/ingress: extra paths prepend host configuration" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.hosts[0].host=test.com' \ + --set 'server.ingress.hosts[0].paths[0]=/' \ + --set 'server.ingress.extraPaths[0].path=/annotation-service' \ + --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + [ "${actual}" = 'ssl-redirect' ] + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.hosts[0].host=test.com' \ + --set 'server.ingress.hosts[0].paths[0]=/' \ + --set 'server.ingress.extraPaths[0].path=/annotation-service' \ + --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].path' | tee /dev/stderr) + [ "${actual}" = '/annotation-service' ] + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.hosts[0].host=test.com' \ + --set 'server.ingress.hosts[0].paths[0]=/' \ + --set 'server.ingress.extraPaths[0].path=/annotation-service' \ + --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[1].path' | tee /dev/stderr) + [ "${actual}" = '/' ] +} + @test "server/ingress: labels gets added to object" { cd `chart_dir` diff --git a/values.yaml b/values.yaml index 277630afc..c08e9acf2 100644 --- a/values.yaml +++ b/values.yaml 
@@ -222,7 +222,12 @@ server: hosts: - host: chart-example.local paths: [] - + ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation tls: [] # - secretName: chart-example-tls # hosts: From ccebde9dae6cdca00dc0dfe9285a4e2f01b9d8a2 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 10:10:01 -0400 Subject: [PATCH 16/70] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4cd11a5eb..e1c01a224 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Features: * Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) * Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) +* Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) Bugs: * CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) From ec67b5dd45c60346f709630e0d9acbd6f538ac69 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 11:18:16 -0400 Subject: [PATCH 17/70] Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor --- templates/server-statefulset.yaml | 8 ++ test/unit/server-dev-statefulset.bats | 50 ++++------- test/unit/server-ha-statefulset.bats | 115 +++++++++----------------- test/unit/server-statefulset.bats | 96 ++++++++++++++------- values.yaml | 11 ++- 5 files changed, 144 insertions(+), 136 deletions(-) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 62296af5e..69232ede8 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -117,6 +117,14 @@ spec: {{- end }} - name: HOME value: "/home/vault" + {{- if .Values.server.logLevel }} + - name: VAULT_LOG_LEVEL + value: "{{ .Values.server.logLevel }}" + {{- end }} + {{- if .Values.server.logFormat }} + - name: VAULT_LOG_FORMAT + value: "{{ .Values.server.logFormat }}" + {{- end }} {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 4e47fea69..3c5f9d8fb 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats 
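Review bot: `value: "{{ .Values.server.logLevel }}"` and `value: "{{ .Values.server.logFormat }}"` interpolate the user value inside hand-written YAML double quotes, so a value containing `"` or `\` produces an invalid manifest instead of a template error; the template idiom is `value: {{ .Values.server.logLevel | quote }}`, which escapes correctly and keeps the value a string. The same pattern is used for the five `AGENT_INJECT_*` env vars added to the injector deployment later in this series (the `@@ -97,6 +97,16 @@` hunk). Since values.yaml enumerates a fixed set of log levels and formats, the template could also reject other values at render time (`fail`), which is cheaper than discovering a typo from a crash-looping Vault pod.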
@@ -246,13 +246,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_DEV_ROOT_TOKEN_ID" ] - - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "root" ] + local name=$(echo $object | + yq -r 'map(select(.name=="VAULT_DEV_ROOT_TOKEN_ID")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "root" ] } @test "server/dev-StatefulSet: set custom devRootToken" { @@ -264,13 +260,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_DEV_ROOT_TOKEN_ID" ] - - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "customtoken" ] + local name=$(echo $object | + yq -r 'map(select(.name=="VAULT_DEV_ROOT_TOKEN_ID")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "customtoken" ] } #-------------------------------------------------------------------- 
@@ -340,27 +332,21 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_0" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_0" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_1" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_1" ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 6df4dfe30..43e1acef2 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -70,14 +70,11 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[4].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[4].value' | tee /dev/stderr) - [ "${actual}" = "http://127.0.0.1:8200" ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://127.0.0.1:8200" ] } + @test "server/ha-StatefulSet: tls enabled" { cd `chart_dir` local object=$(helm template \ @@ -86,13 +83,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[4].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[4].value' | tee /dev/stderr) - [ "${actual}" = "https://127.0.0.1:8200" ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "https://127.0.0.1:8200" ] } #-------------------------------------------------------------------- 
@@ -348,21 +341,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "bar" ] - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] - - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] - - local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "foobar" ] } #-------------------------------------------------------------------- 
@@ -382,25 +367,21 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_0" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_0" ] - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "ENV_FOO_1" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "secret_name_1" ] - local actual=$(echo $object | - yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "secret_key_1" ] + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_0")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_0" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.name' | tee /dev/stderr) + [ "${value}" = "secret_name_1" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="ENV_FOO_1")) | .[] .valueFrom.secretKeyRef.key' | tee /dev/stderr) + [ "${value}" = "secret_key_1" ] } #-------------------------------------------------------------------- 
@@ -414,16 +395,12 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_API_ADDR" ] - - local actual=$(echo $object | - yq -r '.[5].value' | tee /dev/stderr) - [ "${actual}" = 'http://$(POD_IP):8200' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'http://$(POD_IP):8200' ] } -@test "server/ha-StatefulSet: api addr can be overriden" { +@test "server/ha-StatefulSet: api addr is configurable" { cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -432,13 +409,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_API_ADDR" ] - - local actual=$(echo $object | - yq -r '.[5].value' | tee /dev/stderr) - [ "${actual}" = 'https://example.com:8200' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "https://example.com:8200" ] } #-------------------------------------------------------------------- @@ -453,13 +426,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[9].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_CLUSTER_ADDR" ] - - local actual=$(echo $object | - yq -r '.[9].value' | tee /dev/stderr) - [ "${actual}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] } #-------------------------------------------------------------------- 
@@ -475,13 +444,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) - [ "${actual}" = "VAULT_RAFT_NODE_ID" ] - - local actual=$(echo $object | - yq -r '.[10].valueFrom.fieldRef.fieldPath' | tee /dev/stderr) - [ "${actual}" = 'metadata.name' ] + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr) + [ "${value}" = "metadata.name" ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index b34636262..0c674d6c9 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -448,6 +448,62 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# log level + +@test "server/standalone-StatefulSet: default log level to empty" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .name' | tee /dev/stderr) + [ "${value}" = "" ] +} + +@test "server/standalone-StatefulSet: log level can be changed" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set='server.logLevel=debug' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "debug" ] +} + +#-------------------------------------------------------------------- +# log format + +@test "server/standalone-StatefulSet: default log format to empty" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .name' | tee /dev/stderr) + [ "${value}" = "" ] +} + +@test "server/standalone-StatefulSet: can set log format" { + cd `chart_dir` + local objects=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set='server.logFormat=json' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $objects | + yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] +} + #-------------------------------------------------------------------- # extraEnvironmentVars @@ -461,21 +517,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] - - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] - - local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] local object=$(helm template \ --show-only templates/server-statefulset.yaml \ 
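Review bot: The four new log level/format tests pass values as `--set='server.logLevel=debug'` and `--set='server.logFormat=json'`, while every other test in this file and in the sibling files uses `--set 'key=value'`; both forms work, but the file's convention is the space-separated one, e.g. `--set 'server.logLevel=debug' \`. The "default ... to empty" tests select `.name` rather than `.value`, which is fine for asserting absence but reads oddly next to the "can be changed" tests; a one-line comment such as `# the env var is omitted entirely when the value is empty` would make the intent clear. This hunk begins on the previous physical line.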
@@ -484,21 +532,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] - - local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] - - local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] } #-------------------------------------------------------------------- diff --git a/values.yaml b/values.yaml index c08e9acf2..89d713cf8 100644 --- a/values.yaml +++ b/values.yaml @@ -62,7 +62,8 @@ injector: # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" - # Configures the log verbosity of the injector. Supported log levels: Trace, Debug, Error, Warn, Info + # Configures the log verbosity of the injector. + # Supported log levels include: trace, debug, info, warn, error logLevel: "info" # Configures the log format of the injector. Supported log formats: "standard", "json". @@ -195,6 +196,14 @@ server: # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies updateStrategyType: "OnDelete" + # Configure the logging verbosity for the Vault server. + # Supported log levels include: trace, debug, info, warn, error + logLevel: "" + + # Configure the logging format for the Vault server. + # Supported log formats include: standard, json + logFormat: "" + resources: {} # resources: # requests: From dc696bb1f31d75c97a6906be2e4ecdbce2f341f6 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 11:21:25 -0400 Subject: [PATCH 18/70] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1c01a224..870e631f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Features: * Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) * Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) * Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) +* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) Bugs: * CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) From d8c2d2058cc25d601c66e3edd880bf7c5d618f30 Mon Sep 17 00:00:00 2001 From: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Date: Mon, 12 Apr 2021 22:59:38 +0200 Subject: [PATCH 19/70] Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> --- templates/injector-deployment.yaml | 6 ++--- templates/injector-service.yaml | 2 +- test/unit/injector-deployment.bats | 36 ++++++++++++++++++++++++++++++ test/unit/injector-service.bats | 19 ++++++++++++++++ values.yaml | 3 +++ 5 files changed, 62 insertions(+), 4 deletions(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 594575f24..ba606a941 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
@@ -53,7 +53,7 @@ spec: {{- end }} env: - name: AGENT_INJECT_LISTEN - value: ":8080" + value: {{ printf ":%v" .Values.injector.port }} - name: AGENT_INJECT_LOG_LEVEL value: {{ .Values.injector.logLevel | default "info" }} - name: AGENT_INJECT_VAULT_ADDR @@ -104,7 +104,7 @@ spec: livenessProbe: httpGet: path: /health/ready - port: 8080 + port: {{ .Values.injector.port }} scheme: HTTPS failureThreshold: 2 initialDelaySeconds: 5 @@ -114,7 +114,7 @@ spec: readinessProbe: httpGet: path: /health/ready - port: 8080 + port: {{ .Values.injector.port }} scheme: HTTPS failureThreshold: 2 initialDelaySeconds: 5 diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 0e5172743..73c517580 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -12,7 +12,7 @@ metadata: spec: ports: - port: 443 - targetPort: 8080 + targetPort: {{ .Values.injector.port }} selector: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 133e27993..895bec124 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
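Review bot: `value: {{ printf ":%v" .Values.injector.port }}` replaces the previously quoted `":8080"` with an unquoted scalar that starts with `:`; the tests show it currently parses as a string, but relying on that is fragile and `value: {{ printf ":%v" .Values.injector.port | quote }}` keeps the contract explicit. The probes and the Service `targetPort` now follow `.Values.injector.port`, which is consistent, but the container's `ports:` declaration (if one exists) is outside these hunks and would need the same value. Note that with `injector.hostNetwork=true` from earlier in this series this is the port opened on the node itself, which is worth a sentence next to `port: 8080` in values.yaml.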
@@ -422,6 +422,42 @@ load _helpers [ "${actual}" = "bar" ] } +#-------------------------------------------------------------------- +# agent port + +@test "injector/deployment: default agentPort" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LISTEN" ] + + local actual=$(echo $object | + yq -r '.[0].value' | tee /dev/stderr) + [ "${actual}" = ":8080" ] +} + +@test "injector/deployment: custom agentPort" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.port=8443' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LISTEN" ] + + local actual=$(echo $object | + yq -r '.[0].value' | tee /dev/stderr) + [ "${actual}" = ":8443" ] +} + #-------------------------------------------------------------------- # affinity diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index f9d872256..ad4800991 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats 
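Review bot: The two new agent port tests assert on positional entries (`yq -r '.[0].name'` / `.[0].value'`), which is exactly the brittle pattern the previous commit in this series replaced across the statefulset tests with name-based selection, and the next commit adds five more env vars to this deployment. Use the same idiom here, e.g. `yq -r 'map(select(.name=="AGENT_INJECT_LISTEN")) | .[] .value'` and drop the separate `.name` assertion, so the test survives any reordering of the `env:` list.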
@@ -18,6 +18,25 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/Service: service with default port" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "8080" ] +} + +@test "injector/Service: service with custom port" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --set 'injector.port=8443' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "8443" ] +} + @test "injector/Service: disable with global.enabled false" { cd `chart_dir` local actual=$( (helm template \ diff --git a/values.yaml b/values.yaml index 89d713cf8..0d78e3910 100644 --- a/values.yaml +++ b/values.yaml @@ -29,6 +29,9 @@ injector: replicas: 1 + # Configures the port the injector should listen on + port: 8080 + # If multiple replicas are specified, by default a leader-elector side-car # will be created so that only one injector attempts to create TLS certificates. leaderElector: From b838d4b843b7f1a78535beaed33b474ddee997a7 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 12 Apr 2021 17:00:51 -0400 Subject: [PATCH 20/70] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 870e631f9..d1a392c50 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,7 @@ Features: * Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) * Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) +* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489) * Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) * Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) From bf5783ef6b3aaec6680b63079fca5a68d0fe14ea Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 12 Apr 2021 17:01:14 -0400 Subject: [PATCH 21/70] Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran --- templates/injector-deployment.yaml | 10 ++ test/unit/injector-deployment.bats | 245 +++++++++++++++-------------- values.yaml | 13 ++ 3 files changed, 154 insertions(+), 114 deletions(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index ba606a941..5dd3553e9 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
@@ -97,6 +97,16 @@ spec: fieldRef: fieldPath: metadata.namespace {{- end }} + - name: AGENT_INJECT_CPU_REQUEST + value: "{{ .Values.injector.agentDefaults.cpuRequest }}" + - name: AGENT_INJECT_CPU_LIMIT + value: "{{ .Values.injector.agentDefaults.cpuLimit }}" + - name: AGENT_INJECT_MEM_REQUEST + value: "{{ .Values.injector.agentDefaults.memRequest }}" + - name: AGENT_INJECT_MEM_LIMIT + value: "{{ .Values.injector.agentDefaults.memLimit }}" + - name: AGENT_INJECT_DEFAULT_TEMPLATE + value: "{{ .Values.injector.agentDefaults.template }}" {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} args: - agent-inject diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 895bec124..dbeb1d9ec 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -133,21 +133,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_CERT_FILE" ] - - local actual=$(echo $object | - yq -r '.[5].value' | tee /dev/stderr) - [ "${actual}" = "/etc/webhook/certs/test.crt" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_CERT_FILE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "/etc/webhook/certs/test.crt" ] - local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_KEY_FILE" ] - - local actual=$(echo $object | - yq -r '.[6].value' | tee /dev/stderr) - [ "${actual}" = "/etc/webhook/certs/test.key" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_KEY_FILE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "/etc/webhook/certs/test.key" ] } @test "injector/deployment: auto TLS by default" { 
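Review bot: The five `AGENT_INJECT_*` env vars are emitted unconditionally, so an empty `agentDefaults` value becomes `value: ""`, whereas the `VAULT_LOG_LEVEL`/`VAULT_LOG_FORMAT` vars added earlier in this series are wrapped in `{{- if }}` and omitted when empty; if the injector treats an empty string differently from an unset variable (not verifiable from the chart), the two styles diverge, so either guard these the same way or document why an explicit empty value is intended. Rendering also dereferences `.Values.injector.agentDefaults.*` directly, which fails with a nil-pointer template error for anyone who overrides `injector.agentDefaults` with an empty map; the values.yaml hunk that defines the defaults is outside this view. A short comment above the block, `# defaults applied to every injected agent sidecar; resource limits here bound what a mutated pod can consume`, would help the next reader see why these belong on the injector rather than on each pod.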
@@ -163,13 +155,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_AUTO" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ] - local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.default,RELEASE-NAME-vault-agent-injector-svc.default.svc" ] } @test "injector/deployment: with externalVaultAddr" { @@ -180,13 +172,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[2].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[2].value' | tee /dev/stderr) - [ "${actual}" = "http://vault-outside" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://vault-outside" ] } @test "injector/deployment: without externalVaultAddr" { 
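Review bot: The new AGENT_INJECT_TLS_AUTO_HOSTS assertion in the `auto TLS by default` test hard-codes the `default` namespace into the expected hosts, but the `helm template` call at the top of the test (outside the hunk) appears not to pass `--namespace`, so the rendered `.Release.Namespace` follows whatever kube context the developer or CI happens to have. Adding `--namespace default \` to that `helm template` invocation makes the expectation deterministic without consulting the kubeconfig. The remaining rewritten hunks in this file select env entries by name rather than by position, which is the right direction; the same namespace concern does not affect them.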
@@ -198,13 +186,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[2].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ] - - local actual=$(echo $object | - yq -r '.[2].value' | tee /dev/stderr) - [ "${actual}" = "http://not-external-test-vault.default.svc:8200" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://not-external-test-vault.default.svc:8200" ] } @test "injector/deployment: default authPath" { @@ -214,13 +198,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[3].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ] - - local actual=$(echo $object | - yq -r '.[3].value' | tee /dev/stderr) - [ "${actual}" = "auth/kubernetes" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_AUTH_PATH")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "auth/kubernetes" ] } @test "injector/deployment: custom authPath" { @@ -231,13 +211,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[3].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ] - - local actual=$(echo $object | - yq -r '.[3].value' | tee /dev/stderr) - [ "${actual}" = "auth/k8s" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_AUTH_PATH")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "auth/k8s" ] } @test "injector/deployment: default logLevel" { 
@@ -247,13 +223,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[1].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ] - - local actual=$(echo $object | - yq -r '.[1].value' | tee /dev/stderr) - [ "${actual}" = "info" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "info" ] } @test "injector/deployment: custom logLevel" { @@ -264,13 +236,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[1].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ] - - local actual=$(echo $object | - yq -r '.[1].value' | tee /dev/stderr) - [ "${actual}" = "foo" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "foo" ] } @test "injector/deployment: default logFormat" { @@ -280,13 +248,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ] - - local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) - [ "${actual}" = "standard" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "standard" ] } @test "injector/deployment: custom logFormat" { 
@@ -297,13 +261,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ] - - local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) - [ "${actual}" = "json" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] } @test "injector/deployment: default revoke on shutdown" { @@ -313,13 +273,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] - - local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) - [ "${actual}" = "false" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_REVOKE_ON_SHUTDOWN")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "false" ] } @test "injector/deployment: custom revoke on shutdown" { @@ -330,13 +286,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] - - local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) - [ "${actual}" = "true" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_REVOKE_ON_SHUTDOWN")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "true" ] } @test "injector/deployment: disable security context when openshift enabled" { 
@@ -347,9 +299,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[9].name' | tee /dev/stderr) - [ "${actual}" = "AGENT_INJECT_SET_SECURITY_CONTEXT" ] + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_SET_SECURITY_CONTEXT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "false" ] } #-------------------------------------------------------------------- @@ -365,29 +317,17 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - local actual=$(echo $object | - yq -r '.[9].name' | tee /dev/stderr) - [ "${actual}" = "FOO" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "bar" ] - local actual=$(echo $object | - yq -r '.[9].value' | tee /dev/stderr) - [ "${actual}" = "bar" ] + local value=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "foobar" ] - local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) - [ "${actual}" = "FOOBAR" ] - - local actual=$(echo $object | - yq -r '.[10].value' | tee /dev/stderr) - [ "${actual}" = "foobar" ] - - local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) - [ "${actual}" = "LOWER_CASE" ] - - local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) - [ "${actual}" = "sanitized" ] + local value=$(echo $object | + yq -r 'map(select(.name=="LOWER_CASE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "sanitized" ] } #-------------------------------------------------------------------- 
@@ -601,3 +541,80 @@ load _helpers yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/deployment: agent default resources" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "500m" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "250m" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "128Mi" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "64Mi" ] +} + +@test "injector/deployment: can set agent default resources" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.agentDefaults.cpuLimit=cpuLimit' \ + --set 'injector.agentDefaults.cpuRequest=cpuRequest' \ + --set 'injector.agentDefaults.memLimit=memLimit' \ + --set 'injector.agentDefaults.memRequest=memRequest' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "cpuLimit" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_CPU_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "cpuRequest" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "memLimit" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "memRequest" ] +} + +@test "injector/deployment: agent default template" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_DEFAULT_TEMPLATE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "map" ] +} + +@test "injector/deployment: can set agent default template" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set='injector.agentDefaults.template=json' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_DEFAULT_TEMPLATE")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "json" ] +} diff --git a/values.yaml b/values.yaml index 0d78e3910..b08b1312a 100644 --- a/values.yaml +++ b/values.yaml 
@@ -62,6 +62,19 @@ injector: repository: "vault" tag: "1.7.0" + # The default values for the injected Vault Agent containers. + agentDefaults: + # For more information on configuring resources, see the K8s documentation: + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + cpuLimit: "500m" + cpuRequest: "250m" + memLimit: "128Mi" + memRequest: "64Mi" + + # Default template type for secrets when no custom template is specified. + # Possible values include: "json" and "map". + template: "map" + # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" From 366cf23a7566b438d3955ae8f60616561837e7c7 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 12 Apr 2021 17:02:16 -0400 Subject: [PATCH 22/70] changelog++ --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1a392c50..4b8fda9fa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,8 +4,10 @@ Features: * Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) * Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) * Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489) +* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493) * Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) * Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) +* Bugs: * CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) From 088ce89dc18e05a2b7995167ad6c377db7928fff Mon Sep 17 00:00:00 2001 
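Review bot: The new `agentDefaults` comment in values.yaml does not say how these values reach the injected sidecars or what happens when one is left empty; with the deployment template in this commit an empty value is rendered as an empty `AGENT_INJECT_*` env var rather than omitted, and whether the injector treats that as unset is not visible here. A sentence such as `# Passed to the injector as AGENT_INJECT_CPU_REQUEST, AGENT_INJECT_CPU_LIMIT, AGENT_INJECT_MEM_REQUEST and AGENT_INJECT_MEM_LIMIT; they apply to every injected Vault Agent container.` would make the scope clear, and if the injector honours per-pod annotation overrides that is worth stating here as well. `template` likewise lists `json` and `map` as possibilities without saying that the chart itself does not reject other values.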
From: Javier Criado Marcos Date: Tue, 13 Apr 2021 17:20:31 +0200 Subject: [PATCH 23/70] [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https --- templates/injector-service.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 73c517580..3138b7a5b 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -11,7 +11,8 @@ metadata: {{ template "injector.service.annotations" . }} spec: ports: - - port: 443 + - name: https + port: 443 targetPort: {{ .Values.injector.port }} selector: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector From f2e3d57a653de749c00b104bad743f263b7508ef Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 13 Apr 2021 11:21:08 -0400 Subject: [PATCH 24/70] changelog++ --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b8fda9fa..d9549805e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,9 @@ Features: * Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493) * Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) * Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) -* + +Improvements: +* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495) Bugs: * CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) From 5f2e1d470fc1f04972232f90c43883873bae0485 Mon Sep 17 00:00:00 2001 
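Review bot: The new `name: https` on the injector Service port has no accompanying unit test, so a later edit could drop or rename it unnoticed; the diffstat shows only the template changed. A bats case asserting `yq -r '.spec.ports[0].name'` equals `https` in the injector service tests would pin it, following the pattern the other injector tests use. The name matches the traffic since the webhook is reached over TLS on port 443, which this hunk leaves unchanged.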
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Wed, 14 Apr 2021 08:23:50 -0400 Subject: [PATCH 25/70] Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI --- test/unit/injector-deployment.bats | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index dbeb1d9ec..3b6efbc38 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -159,9 +159,13 @@ load _helpers yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ] + # helm template does uses current context namespace and ignores namespace flags, so + # discover the targeted namespace so we can check the rendered value correctly. + local namespace=$(kubectl config view --minify --output 'jsonpath={..namespace}') + local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.default,RELEASE-NAME-vault-agent-injector-svc.default.svc" ] + [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] } @test "injector/deployment: with externalVaultAddr" { From be1721fc8461ea4a73f8ae54cc33384ec070eec4 Mon Sep 17 00:00:00 2001 
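Review bot: `local namespace=$(kubectl config view --minify --output 'jsonpath={..namespace}')` relies on `local` masking the exit status of the command substitution: when kubectl is missing or no kubeconfig exists in CI, the failure is swallowed and `${namespace:-default}` takes over, which is the intended fallback but is nowhere stated. Making it explicit, `local namespace=$(kubectl config view --minify --output 'jsonpath={..namespace}' 2>/dev/null || true)`, documents the intent and keeps an unrelated kubectl error out of the bats output. A simpler, hermetic option is to pass `--namespace default` to the `helm template` call at the top of this test (outside the hunk), which removes the dependency on the developer's kube context altogether. The added comment's "does uses" also reads as a typo.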
From: Tom Proctor Date: Wed, 14 Apr 2021 14:53:52 +0100 Subject: [PATCH 26/70] Remove redundant logic (#434) --- templates/injector-network-policy.yaml | 2 +- templates/injector-psp-role.yaml | 2 +- templates/injector-psp-rolebinding.yaml | 2 +- templates/injector-psp.yaml | 2 +- templates/server-clusterrolebinding.yaml | 2 +- templates/server-disruptionbudget.yaml | 2 +- templates/server-ha-active-service.yaml | 2 +- templates/server-ha-standby-service.yaml | 4 ++-- templates/server-ingress.yaml | 2 +- templates/server-psp-role.yaml | 2 +- templates/server-psp-rolebinding.yaml | 2 +- templates/server-psp.yaml | 2 +- 12 files changed, 13 insertions(+), 13 deletions(-) diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml index f2dfd511e..7a399a538 100644 --- a/templates/injector-network-policy.yaml +++ b/templates/injector-network-policy.yaml @@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 5fd264923..20c87bb2a 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml @@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index f7ae7fe6d..d6d0d5e24 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml index 5871eb91d..c024ac107 100644 --- a/templates/injector-psp.yaml +++ b/templates/injector-psp.yaml @@ -1,4 +1,4 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index ecf6a705e..e5e0f5fec 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} 
diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 6d7f8240a..3c45cc04e 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" -}} -{{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. apiVersion: policy/v1beta1 diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index b6366b022..74fca41d7 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Service for active Vault pod apiVersion: v1 kind: Service diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 473de5517..9213b7452 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
@@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -38,4 +38,4 @@ spec: component: server vault-active: "false" {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 5faac60f4..deaa0dd55 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -4,7 +4,7 @@ {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index b4bea0602..fd12e1eb3 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index 923102733..b2a43c834 100644 
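Review bot: The second hunk in `templates/server-ha-standby-service.yaml` (`@@ -38,4 +38,4 @@`) only strips the trailing newline from the final `{{- end }}`, as the `\ No newline at end of file` marker shows; the text is otherwise identical, so this looks like an accidental editor change and should be reverted to keep the file a well-formed text file and avoid noise in later diffs. The condition flattening in the other hunks of this commit is behaviour-preserving, since Go templates' `and` already accepts any number of arguments.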
--- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index 32c152634..2d9426819 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: From 27338595e81d0f54810665b6c5d653fd8ad6b5f8 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Wed, 14 Apr 2021 10:26:33 -0400 Subject: [PATCH 27/70] Update to v0.11.0 (#497) --- CHANGELOG.md | 2 ++ Chart.yaml | 3 ++- values.yaml | 4 ++-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9549805e..2ed15ac47 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.11.0 (April 14th, 2021) + Features: * Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) * Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) diff --git a/Chart.yaml b/Chart.yaml index 04370699d..562323859 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: vault -version: 0.10.0 +version: 0.11.0 appVersion: 1.7.0 description: Official HashiCorp Vault Chart home: https://www.vaultproject.io @@ -10,3 +10,4 @@ sources: - https://github.com/hashicorp/vault - https://github.com/hashicorp/vault-helm - https://github.com/hashicorp/vault-k8s + - https://github.com/hashicorp/vault-csi-provider diff --git a/values.yaml b/values.yaml index b08b1312a..f31d13209 100644 --- a/values.yaml +++ b/values.yaml @@ -52,7 +52,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.9.0" + tag: "0.10.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -691,7 +691,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.1.0" + tag: "0.2.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From dcb4b102835d1c9911cfc9a47fb9bfc2084ffdbf Mon Sep 17 00:00:00 2001 From: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Date: Wed, 14 Apr 2021 20:05:38 +0300 Subject: [PATCH 28/70] Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> --- CONTRIBUTING.md | 21 ++++++++++++++++++--- test/docker/Test.dockerfile | 2 +- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 431dfa897..642226278 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -62,8 +62,23 @@ The unit tests don't require any active Kubernetes cluster and complete very quickly. These should be used for fast feedback during development. The acceptance tests require a Kubernetes cluster with a configured `kubectl`. -### Prequisites -* [Bats](https://github.com/bats-core/bats-core) +### Test Using Docker Container + +The following are the instructions for running bats tests using a Docker container. + +#### Prerequisites + +* Docker installed +* `vault-helm` checked out locally + +#### Test + +**Note:** the following commands should be run from the `vault-helm` directory. + +First, build the Docker image for running the tests: + +```shell +docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test ```bash brew install bats-core ``` @@ -76,7 +91,7 @@ The acceptance tests require a Kubernetes cluster with a configured `kubectl`. brew install kubernetes-helm ``` -### Running The Tests +#### Test To run the unit tests: diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile index 4b1c37579..98afeace2 100644 --- a/test/docker/Test.dockerfile +++ b/test/docker/Test.dockerfile @@ -9,7 +9,7 @@ FROM docker.mirror.hashicorp.services/alpine:latest WORKDIR /root -ENV BATS_VERSION "1.1.0" +ENV BATS_VERSION "1.3.0" ENV TERRAFORM_VERSION "0.12.10" # base packages From b59cbf6dc63b6f6c74ffa4f61b42150ad93ddb04 Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Mon, 10 May 2021 16:56:31 -0700 Subject: [PATCH 29/70] Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. --- .circleci/config.yml | 24 +++++++++++++ Chart.yaml | 1 + README.md | 4 +-- test/chart/_helpers.bash | 18 ++++++++++ test/chart/verifier.bats | 77 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 122 insertions(+), 2 deletions(-) create mode 100644 test/chart/_helpers.bash create mode 100644 test/chart/verifier.bats diff --git a/.circleci/config.yml b/.circleci/config.yml index 4e0f623be..0b0c91543 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -10,6 +10,29 @@ jobs: steps: - checkout - run: bats ./test/unit -t + + chart-verifier: + docker: + - image: docker.mirror.hashicorp.services/cimg/go:1.16 + environment: + BATS_VERSION: "1.3.0" + # Note: the commit SHA is used here since the repo doesn't use release tags + CHART_VERIFIER_VERSION: "190d532246a5936dc6a7125e2da917d04e38a672" + steps: + - checkout + - run: + name: install chart-verifier + command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} + - run: + name: install bats + command: | + curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz + tar -zxf /tmp/bats.tgz -C /tmp + sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local + - run: + name: run chart-verifier tests + command: bats ./test/chart -t + acceptance: docker: # This image is build from test/docker/Test.dockerfile @@ -66,6 +89,7 @@ workflows: build_and_test: jobs: - bats-unit-test + - chart-verifier - acceptance: requires: - bats-unit-test diff --git a/Chart.yaml b/Chart.yaml index 562323859..6a0daf403 100644 --- a/Chart.yaml +++ b/Chart.yaml 
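Review bot: The `install bats` step downloads a tarball with `curl -sSL` and then runs its `install.sh` under `sudo` without verifying what was fetched, so a substituted archive or a silently served error page would be executed as root in the CI container. Pinning `BATS_VERSION` does not cover this; add `-f` so an HTTP error fails the step, and verify a digest before extracting, for example `echo "<EXPECTED_BATS_SHA256>  /tmp/bats.tgz" | sha256sum -c -` between the `curl` and `tar` lines, with the digest recorded next to `BATS_VERSION`. The `chart-verifier` install is already pinned to a commit SHA, which Go's module checksum verification covers by default.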
@@ -2,6 +2,7 @@ apiVersion: v2 name: vault version: 0.11.0 appVersion: 1.7.0 +kubeVersion: ">= 1.14" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/README.md b/README.md index 25cc872be..f95b26fc3 100644 --- a/README.md +++ b/README.md @@ -22,9 +22,9 @@ The versions required are: * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible it works with earlier versions but this chart is untested for those versions. - * **Kubernetes 1.9+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is - untested. Other versions verified are Kubernetes 1.10, 1.11. + untested. ## Usage diff --git a/test/chart/_helpers.bash b/test/chart/_helpers.bash new file mode 100644 index 000000000..fb9db31da --- /dev/null +++ b/test/chart/_helpers.bash @@ -0,0 +1,18 @@ +# chart_dir returns the directory for the chart +chart_dir() { + echo ${BATS_TEST_DIRNAME}/../.. +} + +# check_result checks if the specified test passed +# results schema example: +# { +# "check": "has-minkubeversion", +# "type": "Mandatory", +# "outcome": "PASS", +# "reason": "Minimum Kubernetes version specified" +# } +check_result() { + local -r var="$1" + local check=$(cat $VERIFY_OUTPUT | jq -r ".results[] | select(.check==\"${var}\").outcome") + [ "$check" = "PASS" ] +} diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats new file mode 100644 index 000000000..a4df5cfdb --- /dev/null +++ b/test/chart/verifier.bats 
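Review bot: `check_result` in `test/chart/_helpers.bash` builds the jq filter by string interpolation, `select(.check==\"${var}\")`, so a check name containing a quote or backslash alters the filter instead of the match; `jq -r --arg c "$var" '.results[] | select(.check==$c).outcome' "$VERIFY_OUTPUT"` passes the value safely and also drops the `cat` and the unquoted `$VERIFY_OUTPUT`. `local check=$(...)` hides jq's exit status too, so a malformed or missing results file shows up only as the string comparison failing; declaring and assigning on separate lines lets the failure propagate. `VERIFY_OUTPUT` is read here but set elsewhere (by `setup_file` in verifier.bats), which deserves a one-line comment above the function.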
@@ -0,0 +1,77 @@ +#!/usr/bin/env bats + +load _helpers + +setup_file() { + cd `chart_dir` + export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" + export CHART_VOLUME=vault-helm-chart-src + # Note: currently `latest` is the only tag available in the chart-verifier repo. + local IMAGE="quay.io/redhat-certification/chart-verifier:latest" + + local run_cmd="chart-verifier" + local chart_src="." + + if [ ! -e $USE_DOCKER ]; then + chart_src="/chart" + # Create a dummy container which will hold a volume with chart source + docker create -v $chart_src --name $CHART_VOLUME alpine:3 /bin/true + # Copy the chart source into this volume + docker cp . $CHART_VOLUME:$chart_src + # Make sure we have the latest version of chart-verifier + docker pull $IMAGE + # Start chart-verifier using this volume + run_cmd="docker run --rm --volumes-from $CHART_VOLUME $IMAGE" + fi + + $run_cmd verify --output json $chart_src 2>&1 | tee $VERIFY_OUTPUT +} + +teardown_file() { + if [ ! -e $USE_DOCKER ]; then + docker rm $CHART_VOLUME + fi +} + +@test "has-minkubeversion" { + check_result has-minkubeversion +} + +@test "is-helm-v3" { + check_result is-helm-v3 +} + +@test "not-contains-crds" { + check_result not-contains-crds +} + +@test "helm-lint" { + check_result helm-lint +} + +@test "not-contain-csi-objects" { + check_result not-contain-csi-objects +} + +@test "has-readme" { + check_result has-readme +} + +@test "contains-values" { + check_result contains-values +} + +@test "images-are-certified" { + skip "Skipping until this has been addressed" + check_result images-are-certified +} + +@test "contains-test" { + skip "Skipping until this has been addressed" + check_result contains-test +} + +@test "contains-values-schema" { + skip "Skipping until this has been addressed" + check_result contains-values-schema +} From 794a86a28b9abda62958947a45d1b08710e21158 Mon Sep 17 00:00:00 2001 
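Review bot: `if [ ! -e $USE_DOCKER ]` in setup_file, and again in teardown_file, tests whether a file named by `$USE_DOCKER` exists rather than whether the variable is set: with it unset the expression becomes `[ ! -e ]`, which is false, and `USE_DOCKER=true` only selects the docker path because no file called `true` happens to exist in the chart directory. `if [ -n "${USE_DOCKER:-}" ]; then` states the intent directly in both places. Separately, `2>&1 | tee $VERIFY_OUTPUT` merges chart-verifier's and docker's stderr into the file that check_result later parses with jq, so one warning line turns every test into a JSON parse failure instead of a clear result; keeping stderr off that file keeps it parseable. The `chart-verifier:latest` tag is also unpinned (the comment notes no other tag exists yet), so outcomes can drift with the image even when the chart is unchanged; worth revisiting once tagged images are published.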
From: Theron Voran Date: Mon, 10 May 2021 16:58:25 -0700 Subject: [PATCH 30/70] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ed15ac47..a9a895095 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Improvements: +* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) + ## 0.11.0 (April 14th, 2021) Features: From 6e8ef40840a9949c3ed4a5894251625cace9dae5 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 11 May 2021 08:25:50 -0700 Subject: [PATCH 31/70] match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 6a0daf403..f048aee9c 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: vault version: 0.11.0 appVersion: 1.7.0 -kubeVersion: ">= 1.14" +kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png From 92aed2cbee07466872b6b7807b11c1f7ac4c5714 Mon Sep 17 00:00:00 2001 From: mehmetsalgar Date: Wed, 12 May 2021 13:06:54 +0200 Subject: [PATCH 32/70] Add ImagePullSecrets to CSI daemonset (#519) --- templates/csi-daemonset.yaml | 4 ++++ test/unit/csi-daemonset.bats | 29 +++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 5f80ed174..94b765d34 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml 
@@ -73,4 +73,8 @@ spec: {{- if .Values.csi.volumes }} {{- toYaml .Values.csi.volumes | nindent 8}} {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} + {{- end }} {{- end }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 127ac54e9..992d1cf48 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -62,6 +62,35 @@ load _helpers [ "${actual}" = "SomePullPolicy" ] } +@test "csi/daemonset: Custom imagePullSecrets" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set 'global.imagePullSecrets[0].name=foo' \ + --set 'global.imagePullSecrets[1].name=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[0].name' | tee /dev/stderr) + [ "${actual}" = "foo" ] + + local actual=$(echo $object | + yq -r '.[1].name' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: default imagePullSecrets" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + # Debug arg @test "csi/daemonset: debug arg is configurable" { cd `chart_dir` From f84fc7e30bdaf1301b1332732d529fc8c87e1075 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 12 May 2021 12:11:15 +0100 Subject: [PATCH 33/70] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a9a895095..2567b0539 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,9 @@ Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) +Bugs: +* CSI: global.imagePullSecrets are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) + ## 0.11.0 (April 14th, 2021) Features: From 1505e7754bfab98ec8e8b0d34ffe57e8b27d44ca Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 12 May 2021 12:11:42 +0100 Subject: [PATCH 34/70] changelog++ --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2567b0539..790f52fea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) Bugs: -* CSI: global.imagePullSecrets are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) +* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) ## 0.11.0 (April 14th, 2021) From 2a70a9f50d1a22aa479a7dcf51eadaa1ae51ca74 Mon Sep 17 00:00:00 2001 From: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Date: Wed, 12 May 2021 17:44:11 +0300 Subject: [PATCH 35/70] fix CONTRIBUTING.md (#501) --- CONTRIBUTING.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 642226278..f83d56747 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -79,6 +79,21 @@ First, build the Docker image for running the tests: ```shell docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test +``` +Next, execute the tests with the following commands: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit +``` +It's possible to only run specific bats tests using regular expressions. +For example, the following will run only tests with "injector" in the name: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector" +``` + +### Test Manually +The following are the instructions for running bats tests on your workstation. +#### Prerequisites +* [Bats](https://github.com/bats-core/bats-core) ```bash brew install bats-core ``` From f226051e53227521beded82442baf97ea28d666f Mon Sep 17 00:00:00 2001 From: Sarah Thompson Date: Thu, 13 May 2021 11:56:01 +0100 Subject: [PATCH 36/70] updating to use new dedicated context and token (#515) --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 0b0c91543..2f86aad37 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -99,7 +99,7 @@ workflows: update-helm-charts-index: jobs: - update-helm-charts-index: - context: helm-charts-trigger + context: helm-charts-trigger-vault filters: tags: only: /^v.*/ From ed38f6d3a6ca5b6207c61a3ebe89ce5d29676787 Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Fri, 14 May 2021 08:59:36 -0700 Subject: [PATCH 37/70] added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> --- Makefile | 6 +- test/README.md | 28 +- test/chart/verifier.bats | 9 +- values.schema.json | 687 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 722 insertions(+), 8 deletions(-) create mode 100644 values.schema.json diff --git a/Makefile b/Makefile index 96bb17ebe..1b3020c59 100644 --- a/Makefile +++ b/Makefile @@ -4,6 +4,10 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats ACCEPTANCE_TESTS?=acceptance +# Generate json schema for chart values. See test/README.md for more details. +values-schema: + helm schema-gen values.yaml > values.schema.json + test-image: @docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) @@ -62,4 +66,4 @@ provision-cluster: destroy-cluster: terraform destroy -auto-approve -.PHONY: test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster +.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster diff --git a/test/README.md b/test/README.md index e4ce89144..722bc4034 100644 --- a/test/README.md +++ b/test/README.md @@ -1,4 +1,6 @@ -# Running Vault Helm Acceptance tests +# Vault Helm Tests + +## Running Vault Helm Acceptance tests The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance. 
@@ -7,4 +9,26 @@ The Makefile at the top level of this repo contains a few target that should hel * Run `make test-provision` to provision the GKE cluster using terraform. * Run `make test-acceptance` to run the acceptance tests in this already provisioned cluster. * You can choose to only run certain tests by setting the ACCEPTANCE_TESTS variable and re-running the above target. -* Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster. \ No newline at end of file +* Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster. + +## Running chart verification tests + +If [chart-verifier](https://github.com/redhat-certification/chart-verifier) is built and available in your PATH, run: + + bats test/chart/verifier.bats + +Or if you'd rather use the latest chart-verifier docker container, set +USE_DOCKER: + + USE_DOCKER=true bats test/chart/verifier.bats + +## Generating the values json schema + +There is a make target for generating values.schema.json: + + make values-schema + +It relies on the helm [schema-gen plugin][schema-gen]. Note that some manual +editing will be required, since several properties accept multiple data types. + +[schema-gen]: https://github.com/karuppiah7890/helm-schema-gen diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index a4df5cfdb..eab216dcf 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -61,6 +61,10 @@ teardown_file() { check_result contains-values } +@test "contains-values-schema" { + check_result contains-values-schema +} + @test "images-are-certified" { skip "Skipping until this has been addressed" check_result images-are-certified @@ -70,8 +74,3 @@ teardown_file() { skip "Skipping until this has been addressed" check_result contains-test } - -@test "contains-values-schema" { - skip "Skipping until this has been addressed" - check_result contains-values-schema -} 
diff --git a/values.schema.json b/values.schema.json new file mode 100644 index 000000000..95c2fd733 --- /dev/null +++ b/values.schema.json 
@@ -0,0 +1,687 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "csi": { + "type": "object", + "properties": { + "daemonSet": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "updateStrategy": { + "type": "object", + "properties": { + "maxUnavailable": { + "type": "string" + }, + "type": { + "type": "string" + } + } + } + } + }, + "debug": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "pod": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + } + } + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + } + } + }, + "volumeMounts": { + "type": ["null", "array"] + }, + "volumes": { + "type": ["null", "array"] + } + } + }, + "global": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "imagePullSecrets": { + "type": "array" + }, + "openshift": { + "type": "boolean" + }, + "psp": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "enable": { + "type": 
"boolean" + } + } + }, + "tlsDisable": { + "type": "boolean" + } + } + }, + "injector": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + }, + "agentDefaults": { + "type": "object", + "properties": { + "cpuLimit": { + "type": "string" + }, + "cpuRequest": { + "type": "string" + }, + "memLimit": { + "type": "string" + }, + "memRequest": { + "type": "string" + }, + "template": { + "type": "string" + } + } + }, + "agentImage": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "annotations": { + "type": ["object", "string"] + }, + "authPath": { + "type": "string" + }, + "certs": { + "type": "object", + "properties": { + "caBundle": { + "type": "string" + }, + "certName": { + "type": "string" + }, + "keyName": { + "type": "string" + }, + "secretName": { + "type": ["null", "string"] + } + } + }, + "enabled": { + "type": "boolean" + }, + "externalVaultAddr": { + "type": "string" + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraLabels": { + "type": "object" + }, + "failurePolicy": { + "type": "string" + }, + "hostNetwork": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "leaderElector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ttl": { + "type": "string" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "namespaceSelector": { + "type": "object" + }, + "nodeSelector": { + "type": ["null", "string"] + }, + "objectSelector": { + "type": "object" + }, + "port": { + "type": "integer" + 
}, + "priorityClassName": { + "type": "string" + }, + "replicas": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "revokeOnShutdown": { + "type": "boolean" + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + } + } + }, + "tolerations": { + "type": ["null", "string"] + } + } + }, + "server": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + }, + "annotations": { + "type": ["object", "string"] + }, + "auditStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": ["boolean", "string"] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": ["null", "string"] + } + } + }, + "authDelegator": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "dataStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": ["boolean", "string"] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": ["null", "string"] + } + } + }, + "dev": { + "type": "object", + "properties": { + "devRootToken": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + } + }, + "enabled": { + "type": "boolean" + }, + "extraArgs": { + "type": "string" + }, + "extraContainers": { + "type": ["null", "array"] + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraInitContainers": { + "type": ["null", "array"] + }, + "extraLabels": { + "type": "object" + }, + "extraSecretEnvironmentVars": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "ha": { + "type": "object", + "properties": { + "apiAddr": { + "type": ["null", "string"] + }, + "config": { + "type": "string" + }, + "disruptionBudget": { + 
"type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxUnavailable": { + "type": "null" + } + } + }, + "enabled": { + "type": "boolean" + }, + "raft": { + "type": "object", + "properties": { + "config": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "setNodeId": { + "type": "boolean" + } + } + }, + "replicas": { + "type": "integer" + } + } + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ingress": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": "boolean" + }, + "extraPaths": { + "type": "array" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array" + } + } + } + }, + "labels": { + "type": "object" + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "networkPolicy": { + "type": "object", + "properties": { + "egress": { + "type": "array" + }, + "enabled": { + "type": "boolean" + } + } + }, + "nodeSelector": { + "type": ["null", "string"] + }, + "postStart": { + "type": "array" + }, + "preStopSleepSeconds": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + 
"type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "route": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": "boolean" + }, + "host": { + "type": "string" + }, + "labels": { + "type": "object" + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": "boolean" + }, + "port": { + "type": "integer" + }, + "targetPort": { + "type": "integer" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "shareProcessNamespace": { + "type": "boolean" + }, + "standalone": { + "type": "object", + "properties": { + "config": { + "type": "string" + }, + "enabled": { + "type": ["string", "boolean"] + } + } + }, + "statefulSet": { + "type": "object", + "properties": { + "annotations": { + "type": ["object", "string"] + } + } + }, + "tolerations": { + "type": ["null", "string"] + }, + "updateStrategyType": { + "type": "string" + }, + "volumeMounts": { + "type": ["null", "array"] + }, + "volumes": { + "type": ["null", "array"] + } + } + }, + "ui": { + "type": "object", + "properties": { + "activeVaultPodOnly": { + "type": "boolean" + }, + "annotations": { + "type": ["object", "string"] + }, + "enabled": { + "type": "boolean" + }, + "externalPort": { + "type": "integer" + }, + "publishNotReadyAddresses": { + "type": "boolean" + }, + "serviceNodePort": { + "type": "null" + }, + "serviceType": { + "type": "string" + } + } + } + } +} From e817b1d254e04a63987f8c39d8458dd9ece11226 Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Fri, 14 May 2021 10:49:37 -0700 Subject: [PATCH 38/70] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 790f52fea..8478374fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) +* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) Bugs: * CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) From 0ab15dfb844b1b88377ef1167acc3d45fee1baa4 Mon Sep 17 00:00:00 2001 From: mehmetsalgar Date: Tue, 18 May 2021 02:14:19 +0200 Subject: [PATCH 39/70] [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran --- templates/_helpers.tpl | 10 ++++++++++ templates/csi-daemonset.yaml | 1 + test/unit/csi-daemonset.bats | 21 +++++++++++++++++++++ values.yaml | 6 ++++++ 4 files changed, 38 insertions(+) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index ca57fa167..505275b91 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -502,6 +502,16 @@ Sets extra CSI daemonset annotations {{- end }} {{- end -}} +{{/* +Sets the injector toleration for pod placement +*/}} +{{- define "csi.pod.tolerations" -}} + {{- if .Values.csi.pod.tolerations }} + tolerations: + {{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }} + {{- end }} +{{- end -}} + {{/* Sets extra CSI provider pod annotations */}} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 94b765d34..b505d14bb 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml 
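Review bot: The comment on the new `csi.pod.tolerations` helper in `templates/_helpers.tpl` says `Sets the injector toleration for pod placement`, which looks copied from the injector helper and will mislead anyone grepping for CSI behavior; `Sets the CSI provider pod tolerations for pod placement` describes what the define actually renders. It would also help to state in that comment that the value is rendered through `tpl`, i.e. `csi.pod.tolerations` is treated as a template string rather than literal YAML, since that is the contract values.yaml asks users to follow.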
@@ -28,6 +28,7 @@ spec: {{ template "csi.pod.annotations" . }} spec: serviceAccountName: {{ template "vault.fullname" . }}-csi-provider + {{- template "csi.pod.tolerations" . }} containers: - name: {{ include "vault.name" . }}-csi-provider {{ template "csi.resources" . }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 992d1cf48..d2156ee63 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -206,6 +206,27 @@ load _helpers [ "${actual}" = "bar" ] } +@test "csi/daemonset: tolerations not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: tolerations can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.tolerations=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.tolerations == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # volumes diff --git a/values.yaml b/values.yaml index f31d13209..32975bc15 100644 --- a/values.yaml +++ b/values.yaml @@ -728,12 +728,18 @@ csi: # YAML-formatted multi-line templated string map of the annotations to apply # to the daemonSet. annotations: {} + pod: # Extra annotations for the provider pods. This can either be YAML or a # YAML-formatted multi-line templated string map of the annotations to apply # to the pod. annotations: {} + # Toleration Settings for provider pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + tolerations: null + serviceAccount: # Extra annotations for the serviceAccount definition. This can either be # YAML or a YAML-formatted multi-line templated string map of the 
From dbd99b10c06dbdcb4d9e56c45fb4b5dc5e8eb303 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 17 May 2021 17:16:34 -0700 Subject: [PATCH 40/70] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8478374fe..dc4c4534d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) * Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) +* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521) Bugs: * CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) From 030d3cd89db0e6d99ba5038bd12e2d0153112586 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Fri, 21 May 2021 12:48:21 +0100 Subject: [PATCH 41/70] Add extraArgs value for CSI (#526) --- templates/csi-daemonset.yaml | 3 +++ test/unit/csi-daemonset.bats | 30 ++++++++++++++++++++++++++++++ values.schema.json | 3 +++ values.yaml | 3 +++ 4 files changed, 39 insertions(+) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index b505d14bb..75bde9a32 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -37,6 +37,9 @@ spec: args: - --endpoint=/provider/vault.sock - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.extraArgs }} + {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- end }} volumeMounts: - name: providervol mountPath: "/provider" diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index d2156ee63..f0a62c2b2 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
@@ -110,6 +110,36 @@ load _helpers [ "${actual}" = "--debug=true" ] } +# Extra args +@test "csi/daemonset: extra args can be passed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args | length' | tee /dev/stderr) + [ "${actual}" = "2" ] + + local object=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.extraArgs={--foo=bar,--bar baz,first}" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0]') + local actual=$(echo $object | + yq -r '.args | length' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo $object | + yq -r '.args[2]' | tee /dev/stderr) + [ "${actual}" = "--foo=bar" ] + local actual=$(echo $object | + yq -r '.args[3]' | tee /dev/stderr) + [ "${actual}" = "--bar baz" ] + local actual=$(echo $object | + yq -r '.args[4]' | tee /dev/stderr) + [ "${actual}" = "first" ] +} + # updateStrategy @test "csi/daemonset: updateStrategy is configurable" { cd `chart_dir` diff --git a/values.schema.json b/values.schema.json index 95c2fd733..c3999654b 100644 --- a/values.schema.json +++ b/values.schema.json @@ -30,6 +30,9 @@ "enabled": { "type": "boolean" }, + "extraArgs": { + "type": "array" + }, "image": { "type": "object", "properties": { diff --git a/values.yaml b/values.yaml index 32975bc15..f6b513e80 100644 --- a/values.yaml +++ b/values.yaml @@ -773,3 +773,6 @@ csi: # Enables debug logging. debug: false + + # Pass arbitrary additional arguments to vault-csi-provider. + extraArgs: [] From 23ff8a1d83ba03935d5b6bb4f90ad926591febd3 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Fri, 21 May 2021 12:50:44 +0100 Subject: [PATCH 42/70] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc4c4534d..d5655308f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,8 @@ ## Unreleased +Features: +* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526) + Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) * Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) From e206fadd9ed248a0316fee0bea98bcaa8f6ba9d0 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 25 May 2021 07:16:29 -0700 Subject: [PATCH 43/70] add schema unit tests (#530) --- test/unit/schema.bats | 46 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 test/unit/schema.bats diff --git a/test/unit/schema.bats b/test/unit/schema.bats new file mode 100644 index 000000000..a42614bf6 --- /dev/null +++ b/test/unit/schema.bats 
@@ -0,0 +1,46 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+# These tests are just to verify there is a schema file used in the chart. Since
+# .enabled is defined as a boolean type for each of the top-level blocks in the
+# schema, setting it as a string fails 'helm template'.
+@test "schema: csi enabled datatype" {
+ cd `chart_dir`
+ run helm template . --set csi.enabled="nope"
+ [ "$status" -eq 1 ]
+ [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ]
+
+ run helm template . --set csi.enabled=true
+ [ "$status" -eq 0 ]
+}
+
+@test "schema: injector enabled datatype" {
+ cd `chart_dir`
+ run helm template . --set injector.enabled="nope"
+ [ "$status" -eq 1 ]
+ [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ]
+
+ run helm template . --set injector.enabled=true
+ [ "$status" -eq 0 ]
+}
+
+@test "schema: server enabled datatype" {
+ cd `chart_dir`
+ run helm template . --set server.enabled="nope"
+ [ "$status" -eq 1 ]
+ [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ]
+
+ run helm template . --set server.enabled=true
+ [ "$status" -eq 0 ]
+}
+
+@test "schema: ui enabled datatype" {
+ cd `chart_dir`
+ run helm template . --set ui.enabled="nope"
+ [ "$status" -eq 1 ]
+ [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ]
+
+ run helm template . --set ui.enabled=true
+ [ "$status" -eq 0 ]
+}
From 4c71c268b98baf1efa6c178edbace969502c104c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=C3=B1igo=20Horcajo?=
Date: Tue, 25 May 2021 16:20:23 +0200
Subject: [PATCH 44/70] Add UI targetPort option (#437)

Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213
---
 templates/ui-service.yaml | 2 +-
 values.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml
index a1498d5fd..9e90af4bb 100644
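Review bot: Each of the four tests pins the validation message to `${lines[2]}`, a fixed position in helm's combined output, so any change in how helm prefixes or orders its error text (an extra warning line, for example) breaks all of them even though the schema still rejects the value. Matching against the whole output is more robust and asserts the same thing: `[[ "$output" == *"csi.enabled: Invalid type. Expected: boolean, given: string"* ]]`, with the same substitution in the injector, server and ui cases.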
--- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -25,7 +25,7 @@ spec: ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.ui.externalPort }} - targetPort: 8200 + targetPort: {{ .Values.ui.targetPort }} {{- if .Values.ui.serviceNodePort }} nodePort: {{ .Values.ui.serviceNodePort }} {{- end }} diff --git a/values.yaml b/values.yaml index f6b513e80..5fe4290d5 100644 --- a/values.yaml +++ b/values.yaml @@ -665,6 +665,7 @@ ui: serviceType: "ClusterIP" serviceNodePort: null externalPort: 8200 + targetPort: 8200 # loadBalancerSourceRanges: # - 10.0.0.0/16 From d53b011ae97a8c46f333210f3219af571a59728c Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 25 May 2021 10:21:01 -0400 Subject: [PATCH 45/70] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d5655308f..4385a7420 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ Improvements: * Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) * Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) * Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521) +* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437) Bugs: * CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) From b21b37b07a439e8c0ae6ddd133aca71c719a01ca Mon Sep 17 00:00:00 2001 
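Review bot: The new `targetPort: {{ .Values.ui.targetPort }}` line has no unit test, unlike the other new values in this series, and the `targetPort: 8200` added to values.yaml carries no comment distinguishing it from the `externalPort: 8200` directly above it. A `ui/Service: can set targetPort` bats case setting `ui.targetPort=8300` and checking `.spec.ports[0].targetPort` would cover the template line, and a values comment such as `# targetPort is the port on the Vault server pods that the UI Service forwards to (externalPort is the Service's own port).` would document the default. The values.schema.json entry for `ui.targetPort` does not appear in this commit; it arrives only in the later 0.12.0 commit in this series.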
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 25 May 2021 13:46:48 -0400 Subject: [PATCH 46/70] Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo --- CHANGELOG.md | 2 + Chart.yaml | 4 +- test/acceptance/server-ha-enterprise-dr.bats | 4 +- .../acceptance/server-ha-enterprise-perf.bats | 4 +- values.schema.json | 161 ++++++++++++++---- values.yaml | 6 +- 6 files changed, 141 insertions(+), 40 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4385a7420..5b9459835 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.12.0 (May 25th, 2021) + Features: * Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526) diff --git a/Chart.yaml b/Chart.yaml index f048aee9c..4bd306fdc 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.11.0 -appVersion: 1.7.0 +version: 0.12.0 +appVersion: 1.7.2 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 5b04d2c01..55182441e 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.0_ent' \ + --set='server.image.tag=1.7.2_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . 
@@ -76,7 +76,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-west-0" diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 5c9b0c547..7497dbc3e 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.0_ent' \ + --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-east-0" @@ -76,7 +76,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-west-0" diff --git a/values.schema.json b/values.schema.json index c3999654b..87130e998 100644 --- a/values.schema.json +++ b/values.schema.json @@ -9,7 +9,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "updateStrategy": { "type": "object", @@ -71,7 +74,13 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] + }, + "tolerations": { + "type": ["null", "string"] } } }, 
@@ -102,15 +111,24 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] } } }, "volumeMounts": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] }, "volumes": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] } } }, @@ -130,7 +148,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enable": { "type": "boolean" @@ -180,7 +201,10 @@ } }, "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "authPath": { "type": "string" @@ -198,7 +222,10 @@ "type": "string" }, "secretName": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] } } }, @@ -298,12 +325,18 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] } } }, "tolerations": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] } } }, @@ -314,7 +347,10 @@ "type": "string" }, "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "auditStorage": { "type": "object", @@ -323,10 +359,16 @@ "type": "string" }, "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { - "type": ["boolean", "string"] + "type": [ + "boolean", + "string" + ] }, "mountPath": { "type": "string" @@ -335,7 +377,10 @@ "type": "string" }, "storageClass": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] } } }, @@ -354,10 +399,16 @@ "type": "string" }, "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { - "type": ["boolean", "string"] + "type": [ + "boolean", + "string" + ] }, "mountPath": { "type": "string" @@ -366,7 +417,10 @@ "type": "string" }, "storageClass": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] } } }, 
@@ -388,13 +442,19 @@ "type": "string" }, "extraContainers": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] }, "extraEnvironmentVars": { "type": "object" }, "extraInitContainers": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] }, "extraLabels": { "type": "object" @@ -409,7 +469,10 @@ "type": "object", "properties": { "apiAddr": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] }, "config": { "type": "string" @@ -465,7 +528,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { "type": "boolean" @@ -539,7 +605,10 @@ } }, "nodeSelector": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] }, "postStart": { "type": "array" @@ -580,7 +649,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { "type": "boolean" @@ -597,7 +669,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { "type": "boolean" @@ -614,7 +689,10 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "create": { "type": "boolean" @@ -634,7 +712,10 @@ "type": "string" }, "enabled": { - "type": ["string", "boolean"] + "type": [ + "string", + "boolean" + ] } } }, @@ -642,21 +723,33 @@ "type": "object", "properties": { "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] } } }, "tolerations": { - "type": ["null", "string"] + "type": [ + "null", + "string" + ] }, "updateStrategyType": { "type": "string" }, "volumeMounts": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] }, "volumes": { - "type": ["null", "array"] + "type": [ + "null", + "array" + ] } } }, 
@@ -667,7 +760,10 @@ "type": "boolean" }, "annotations": { - "type": ["object", "string"] + "type": [ + "object", + "string" + ] }, "enabled": { "type": "boolean" @@ -683,6 +779,9 @@ }, "serviceType": { "type": "string" + }, + "targetPort": { + "type": "integer" } } } diff --git a/values.yaml b/values.yaml index 5fe4290d5..acab97a3b 100644 --- a/values.yaml +++ b/values.yaml @@ -52,7 +52,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.10.0" + tag: "0.10.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -60,7 +60,7 @@ injector: # required. agentImage: repository: "vault" - tag: "1.7.0" + tag: "1.7.2" # The default values for the injected Vault Agent containers. agentDefaults: @@ -204,7 +204,7 @@ server: image: repository: "vault" - tag: "1.7.0" + tag: "1.7.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 35937391604baaea86d1fcd2adaef12e4d2a9877 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 27 May 2021 17:09:50 -0700 Subject: [PATCH 47/70] Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. --- .circleci/config.yml | 2 +- templates/tests/server-test.yaml | 39 ++++++++++++++++++++++++++++++++ test/README.md | 7 ++++++ test/acceptance/helm-test.bats | 27 ++++++++++++++++++++++ test/chart/verifier.bats | 28 +++++++++++++++-------- 5 files changed, 93 insertions(+), 10 deletions(-) create mode 100644 templates/tests/server-test.yaml create mode 100644 test/acceptance/helm-test.bats diff --git a/.circleci/config.yml b/.circleci/config.yml index 2f86aad37..c5673d792 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
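Review bot: `"targetPort": {"type": "integer"}` in the ui block rejects named ports, which a Kubernetes Service accepts for `targetPort` (IntOrString) and which the `targetPort: {{ .Values.ui.targetPort }}` line in templates/ui-service.yaml would render unchanged. If named ports are meant to be usable, `"type": ["integer", "string"]` keeps the schema from being stricter than the template, following the mixed-type pattern used for the other fields in this file; if only numeric ports are intended, a comment on the values.yaml default saying so would avoid the question.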
@@ -17,7 +17,7 @@ jobs:
 environment:
 BATS_VERSION: "1.3.0"
 # Note: the commit SHA is used here since the repo doesn't use release tags
- CHART_VERIFIER_VERSION: "190d532246a5936dc6a7125e2da917d04e38a672"
+ CHART_VERIFIER_VERSION: "e2c03bd1a4aea20deb0a4a03ebfde254b1672050"
 steps:
 - checkout
 - run:
diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml
new file mode 100644
index 000000000..37819de5c
--- /dev/null
+++ b/templates/tests/server-test.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.server.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ .Release.Name }}-server-test"
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: {{ .Release.Name }}-server-test
+ image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
+ imagePullPolicy: {{ .Values.server.image.pullPolicy }}
+ env:
+ - name: VAULT_ADDR
+ value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ echo "Checking for sealed info in 'vault status' output"
+ ATTEMPTS=10
+ n=0
+ until [ "$n" -ge $ATTEMPTS ]
+ do
+ echo "Attempt" $n...
+ vault status -format yaml | grep -E '^sealed: (true|false)' && break
+ n=$((n+1))
+ sleep 5
+ done
+ if [ $n -ge $ATTEMPTS ]; then
+ echo "timed out looking for sealed info in 'vault status' output"
+ exit 1
+ fi
+
+ exit 0
+
+ restartPolicy: Never
+{{- end }}
diff --git a/test/README.md b/test/README.md
index 722bc4034..28431dbf9 100644
--- a/test/README.md
+++ b/test/README.md
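Review bot: `VAULT_ADDR` is built from `include "vault.scheme"`, so when that helper yields `https` the test pod connects over TLS but mounts no CA bundle, and `vault status` will presumably fail certificate verification instead of printing `sealed:`; the hook would then loop through all ten attempts and report a timeout that looks like a server problem. If TLS-enabled installs are in scope for this test, mount the listener's CA into the test pod and set `VAULT_CACERT` rather than `VAULT_SKIP_VERIFY`, since skipping verification would also let the test pass against a misconfigured listener. A comment on the `value:` line noting that the check assumes the scheme is reachable without extra trust configuration would make the limitation explicit either way.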
@@ -32,3 +32,10 @@ It relies on the helm [schema-gen plugin][schema-gen].
 Note that some manual editing will be required, since several properties accept multiple data types.
 [schema-gen]: https://github.com/karuppiah7890/helm-schema-gen
+
+## Helm test
+
+Vault Helm also contains a simple helm test under
+[templates/tests/](../templates/tests/) that may be run against a helm release:
+
+ helm test
diff --git a/test/acceptance/helm-test.bats b/test/acceptance/helm-test.bats
new file mode 100644
index 000000000..c5f9553df
--- /dev/null
+++ b/test/acceptance/helm-test.bats
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "helm/test: running helm test" {
+ cd `chart_dir`
+
+ kubectl delete namespace acceptance --ignore-not-found=true
+ kubectl create namespace acceptance
+ kubectl config set-context --current --namespace=acceptance
+
+ helm install "$(name_prefix)" .
+ wait_for_running $(name_prefix)-0
+
+ helm test "$(name_prefix)"
+}
+
+# Clean up
+teardown() {
+ if [[ ${CLEANUP:-true} == "true" ]]
+ then
+ echo "helm/pvc teardown"
+ helm delete vault
+ kubectl delete --all pvc
+ kubectl delete namespace acceptance --ignore-not-found=true
+ fi
+}
diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats
index eab216dcf..f8e298623 100644
--- a/test/chart/verifier.bats
+++ b/test/chart/verifier.bats
@@ -8,6 +8,9 @@ setup_file() {
 export CHART_VOLUME=vault-helm-chart-src
 # Note: currently `latest` is the only tag available in the chart-verifier repo.
 local IMAGE="quay.io/redhat-certification/chart-verifier:latest"
+ # chart-verifier requires an openshift version if a cluster isn't available
+ local OPENSHIFT_VERSION="4.7"
+ local DISABLED_TESTS="chart-testing"
 local run_cmd="chart-verifier"
 local chart_src="."
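Review bot: In test/acceptance/helm-test.bats, `teardown()` runs `helm delete vault` while the test installs the release as `"$(name_prefix)"`; unless `name_prefix` always returns `vault`, the release is left behind after the test, and the `echo "helm/pvc teardown"` message looks copied from another test file. Use `helm delete "$(name_prefix)"` and `echo "helm/test teardown"` so cleanup follows the installed release name, and quote `wait_for_running "$(name_prefix)-0"` for consistency with the `helm install` line.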
@@ -23,8 +26,11 @@ setup_file() { # Start chart-verifier using this volume run_cmd="docker run --rm --volumes-from $CHART_VOLUME $IMAGE" fi - - $run_cmd verify --output json $chart_src 2>&1 | tee $VERIFY_OUTPUT + + $run_cmd verify $chart_src \ + --output json \ + --openshift-version $OPENSHIFT_VERSION \ + --disable $DISABLED_TESTS 2>&1 | tee $VERIFY_OUTPUT } teardown_file() { @@ -33,8 +39,8 @@ teardown_file() { fi } -@test "has-minkubeversion" { - check_result has-minkubeversion +@test "has-kubeversion" { + check_result has-kubeversion } @test "is-helm-v3" { @@ -65,12 +71,16 @@ teardown_file() { check_result contains-values-schema } -@test "images-are-certified" { - skip "Skipping until this has been addressed" - check_result images-are-certified +@test "contains-test" { + check_result contains-test } -@test "contains-test" { +@test "chart-testing" { + skip "Skipping since this test requires a kubernetes/openshift cluster" + check_result chart-testing +} + +@test "images-are-certified" { skip "Skipping until this has been addressed" - check_result contains-test + check_result images-are-certified } From 3afcb463f8672e55c5632312228a02422eeb7cc9 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 27 May 2021 17:11:17 -0700 Subject: [PATCH 48/70] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b9459835..c5a15319b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Improvements: +* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) + ## 0.12.0 (May 25th, 2021) Features: From af25981752b6850d343729053c104f0f82d9ab6d Mon Sep 17 00:00:00 2001 
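Review bot: The rebuilt `$run_cmd verify $chart_src ... 2>&1 | tee $VERIFY_OUTPUT` pipeline returns tee's exit status, so a failing `docker run` or a verifier crash is not caught in `setup_file` and the per-check tests later fail on an empty or partial JSON report with a less obvious message. Assuming chart-verifier exits non-zero only on execution errors (check outcomes are read from the JSON), adding `[ "${PIPESTATUS[0]}" -eq 0 ]` right after the pipeline turns that into a direct, readable failure. `setup_file()` itself begins before this hunk.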
From: Theron Voran Date: Tue, 1 Jun 2021 10:41:02 -0700 Subject: [PATCH 49/70] fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer --- test/unit/ui-service.bats | 23 +++++++++++++++++++++++ values.schema.json | 5 ++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 499f7326c..9dade3db3 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -300,3 +300,26 @@ load _helpers yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) [ "${actual}" = 'true' ] } + +@test "ui/Service: default is no nodePort" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "ui/Service: can set nodePort" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceNodePort=123' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "123" ] +} diff --git a/values.schema.json b/values.schema.json index 87130e998..2535c1d9e 100644 --- a/values.schema.json +++ b/values.schema.json @@ -775,7 +775,10 @@ "type": "boolean" }, "serviceNodePort": { - "type": "null" + "type": [ + "null", + "integer" + ] }, "serviceType": { "type": "string" From 828b31287b2ce6fab97db5ebde1abee34ce60c50 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 1 Jun 2021 10:42:21 -0700 Subject: [PATCH 50/70] changelog++ --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c5a15319b..0b097f908 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,9 @@ Improvements: * Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) +Bugs: +* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) + ## 0.12.0 (May 25th, 2021) Features: From 458876007a9b8aadb762ce84605f37ec8d115904 Mon Sep 17 00:00:00 2001 From: Rule88 Date: Tue, 1 Jun 2021 19:51:18 +0200 Subject: [PATCH 51/70] change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran --- test/unit/server-ha-disruptionbudget.bats | 12 ++++++++++++ values.schema.json | 5 ++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index f3c329ec6..6cf21f200 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -85,3 +85,15 @@ load _helpers yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] } + +@test "server/DisruptionBudget: correct maxUnavailable with custom value" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=3' \ + --set 'server.ha.disruptionBudget.maxUnavailable=2' \ + . | tee /dev/stderr | + yq '.spec.maxUnavailable' | tee /dev/stderr) + [ "${actual}" = "2" ] +} \ No newline at end of file diff --git a/values.schema.json b/values.schema.json index 2535c1d9e..e2d00454f 100644 --- a/values.schema.json +++ b/values.schema.json @@ -484,7 +484,10 @@ "type": "boolean" }, "maxUnavailable": { - "type": "null" + "type": [ + "null", + "integer" + ] } } }, From ad9a46ae66e66a9c099162b84520b17db783d54b Mon Sep 17 00:00:00 2001 
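Review bot: `"maxUnavailable": {"type": ["null", "integer"]}` rejects percentage values such as `"25%"`, which a PodDisruptionBudget accepts (IntOrString) and which the template would presumably render as given, so the schema is now narrower than what the chart accepted before the schema existed; `"type": ["null", "integer", "string"]` keeps the 0.11 to 0.12 upgrade fix without that regression. Separately, the new bats test in test/unit/server-ha-disruptionbudget.bats ends without a trailing newline (`\ No newline at end of file`).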
From: Theron Voran Date: Tue, 1 Jun 2021 10:52:44 -0700 Subject: [PATCH 52/70] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0b097f908..9839420c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ Improvements: Bugs: * Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) +* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535) ## 0.12.0 (May 25th, 2021) From 637087fa70ad6da1b92f8aad772c5f7a71fa7196 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 2 Jun 2021 09:12:15 -0700 Subject: [PATCH 53/70] use vault-helm-test:0.2.0 (#543) --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c5673d792..cef29305b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -6,7 +6,7 @@ jobs: bats-unit-test: docker: # This image is built from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.1.0 + - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 steps: - checkout - run: bats ./test/unit -t @@ -36,7 +36,7 @@ jobs: acceptance: docker: # This image is build from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.1.0 + - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 steps: - checkout From d27121c223368fcc77f6eb2eaf29eee1500c1c9b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ricardo=20G=C3=A2ndara=20Pinto?= Date: Thu, 10 Jun 2021 23:32:22 +0100 Subject: [PATCH 54/70] Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount --- templates/injector-deployment.yaml | 10 ++++++---- test/unit/injector-deployment.bats | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 5dd3553e9..4756a253d 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -131,6 +131,12 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 +{{- if .Values.injector.certs.secretName }} + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true +{{- end }} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - name: leader-elector image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} @@ -161,10 +167,6 @@ spec: timeoutSeconds: 5 {{- end }} {{- if .Values.injector.certs.secretName }} - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true volumes: - name: webhook-certs secret: diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 3b6efbc38..cd6f1ddd3 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
@@ -168,6 +168,24 @@ load _helpers
 [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ]
 }
+@test "injector/deployment: manual TLS adds volume mount" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set 'injector.enabled=true' \
+ --set 'injector.certs.secretName=vault-tls' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "webhook-certs")' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.mountPath' | tee /dev/stderr)
+ [ "${actual}" = "/etc/webhook/certs" ]
+
+ local actual=$(echo $object |
+ yq -r '.readOnly' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
 @test "injector/deployment: with externalVaultAddr" {
 cd `chart_dir`
 local object=$(helm template \
From bb63d73b5a0b1367c9a75c3d1352affb08ae366f Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Thu, 10 Jun 2021 15:34:49 -0700
Subject: [PATCH 55/70] changelog++
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9839420c0..7d655e701 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ Improvements:
 Bugs:
 * Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537)
 * Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535)
+* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545)
 ## 0.12.0 (May 25th, 2021)
From 4d23074cd3eeb9f129418a5b75dd0b605eb7ae88 Mon Sep 17 00:00:00 2001
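Review bot: The new test only checks that `containers[0]` now has the `webhook-certs` mount; nothing asserts the other half of the commit, that the leader-elector container no longer carries it, so a regression that mounts the TLS secret into both containers would still pass. Add a case with `--set 'injector.replicas=2'` and `--set 'injector.leaderElector.enabled=true'` asserting that `yq -r '.spec.template.spec.containers[1].volumeMounts'` is `null` (the leader-elector is presumably the second container given where the template adds it).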
From: Theron Voran Date: Fri, 11 Jun 2021 13:29:30 -0700 Subject: [PATCH 56/70] Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. --- templates/_helpers.tpl | 11 ++++ templates/server-statefulset.yaml | 4 ++ test/acceptance/server-ha-enterprise-dr.bats | 7 ++- .../acceptance/server-ha-enterprise-perf.bats | 7 ++- test/unit/server-statefulset.bats | 56 +++++++++++++++++++ values.schema.json | 11 ++++ values.yaml | 12 ++++ 7 files changed, 104 insertions(+), 4 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 505275b91..63011d31e 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -103,6 +103,12 @@ extra volumes the user may have specified (such as a secret with TLS). {{- if .Values.server.volumes }} {{- toYaml .Values.server.volumes | nindent 8}} {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + secret: + secretName: {{ .Values.server.enterpriseLicense.secretName }} + defaultMode: 0440 + {{- end }} {{- end -}} {{/* @@ -166,6 +172,11 @@ based on the mode configured. {{- if .Values.server.volumeMounts }} {{- toYaml .Values.server.volumeMounts | nindent 12}} {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + mountPath: /vault/license + readOnly: true + {{- end }} {{- end -}} {{/* diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 69232ede8..718c9a03e 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml 
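Review bot: The `vault-license` volume in the first templates/_helpers.tpl hunk projects the whole Secret named by `server.enterpriseLicense.secretName` into `/vault/license`, while only `secretKey` is consumed through `VAULT_LICENSE_PATH`; any other keys stored in that Secret become readable inside the server pod as well. Restricting the projection to the one key keeps the mount to what the server needs: under `secret:` add `items:`, `- key: {{ .Values.server.enterpriseLicense.secretKey }}`, `path: {{ .Values.server.enterpriseLicense.secretKey }}`. The unit test added in test/unit/server-statefulset.bats pins the exact volume JSON (`{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}`) and would need updating alongside it; `defaultMode: 0440` and the `readOnly: true` mount in the second hunk are worth keeping as they are.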
@@ -125,6 +125,10 @@ spec: - name: VAULT_LOG_FORMAT value: "{{ .Values.server.logFormat }}" {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: VAULT_LICENSE_PATH + value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }} + {{- end }} {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 55182441e..c7119d535 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -10,7 +10,8 @@ load _helpers --set='server.image.tag=1.7.2_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized @@ -78,7 +79,8 @@ load _helpers --set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized @@ -153,6 +155,7 @@ setup() { kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance + kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI } #cleanup diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 7497dbc3e..eb08b31a1 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats 
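Review bot: In the `setup()` hunk of test/acceptance/server-ha-enterprise-dr.bats, `kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI` leaves the variable unquoted, so an unset variable silently creates an empty `license` key that only fails later at Vault startup, and a value with whitespace would be split into extra arguments; guard and quote it: `[ -n "$VAULT_LICENSE_CI" ]` followed by `--from-literal=license="$VAULT_LICENSE_CI"`. Passing the license on the command line also exposes it to process listings on the runner; `--from-file=license=<(printf '%s' "$VAULT_LICENSE_CI")` avoids that. The `helm install` lines set only `server.enterpriseLicense.secretName`, so the test relies on the default `secretKey` in values.yaml being `license`, which is outside this view. The matching hunks in test/acceptance/server-ha-enterprise-perf.bats have the same issues.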
@@ -10,7 +10,8 @@ load _helpers --set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized @@ -78,7 +79,8 @@ load _helpers --set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.tag=1.7.2_ent' \ --set='server.ha.enabled=true' \ - --set='server.ha.raft.enabled=true' . + --set='server.ha.raft.enabled=true' \ + --set='server.enterpriseLicense.secretName=vault-license' . wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized @@ -151,6 +153,7 @@ setup() { kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance + kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI } #cleanup diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 0c674d6c9..d7edb969d 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -1566,3 +1566,59 @@ load _helpers } + +#-------------------------------------------------------------------- +# enterprise license autoload support +@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr) + [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ] +} + +@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr) + [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ] +} + +@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . 
| tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ] +} + +@test "server/StatefulSet: blank secretName does not set env var" { + cd `chart_dir` + + # setting secretName=null + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=null' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '' ] + + # omitting secretName + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '' ] +} diff --git a/values.schema.json b/values.schema.json index e2d00454f..db3b80679 100644 --- a/values.schema.json +++ b/values.schema.json @@ -438,6 +438,17 @@ "enabled": { "type": "boolean" }, + "enterpriseLicense": { + "type": "object", + "properties": { + "secretKey": { + "type": "string" + }, + "secretName": { + "type": "string" + } + } + }, "extraArgs": { "type": "string" }, diff --git a/values.yaml b/values.yaml index acab97a3b..a85514b3d 100644 --- a/values.yaml +++ b/values.yaml 
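Review bot: The "blank secretName does not set env var" test covers `null` and an omitted key but not the empty string, which is the form values.yaml in this patch documents (`secretName: ""`) and also the chart default, so the default render is only asserted indirectly; add a third run with `--set 'server.enterpriseLicense.secretName=' \` and the same `VAULT_LICENSE_PATH` query expecting `''`. Nothing checks that an empty `secretKey` suppresses the env var and the volume even though the template gates on both values. A companion assertion that the `vault-license` volume is absent whenever the env var is absent would catch the two gates drifting apart.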
@@ -198,6 +198,18 @@ server: # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details enabled: true + # [Enterprise Only] This value refers to a Kubernetes secret that you have + # created that contains your enterprise license. If you are not using an + # enterprise image or if you plan to introduce the license key via another + # route, then leave secretName blank ("") or set it to null. + # Requires Vault Enterprise 1.8 or later. + enterpriseLicense: + # The name of the Kubernetes secret that holds the enterprise license. The + # secret must be in the same namespace that Vault is installed into. + secretName: "" + # The key within the Kubernetes secret that holds the enterprise license. + secretKey: "license" + # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. # By default no direct resource request is made. From 3a6e097ae51646d1b98e3900a3dc7a713fc13146 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Fri, 11 Jun 2021 13:31:41 -0700 Subject: [PATCH 57/70] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d655e701..6eb008994 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ Improvements: * Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) +* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547) Bugs: * Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) From 0f832e01fc9019bef0425dbcae60bda59ab9e4a0 Mon Sep 17 00:00:00 2001 
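Review bot: The new comment states the option requires Vault Enterprise 1.8 or later, yet the acceptance suites changed in this same patch set `server.enterpriseLicense.secretName` against the `1.7.2_ent` image; on an image that predates license autoloading the chart still renders the volume, mount and `VAULT_LICENSE_PATH`, and the variable is presumably just ignored, so the mismatch should be stated. Suggested wording after the version line: `# On older images the license file is still mounted but VAULT_LICENSE_PATH is not honored; apply the license through the API instead.` It is also worth noting that the license is mounted as a file in the server pod, so anyone who can exec into the pod or read Secrets in the namespace can read it.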
From: Theron Voran Date: Wed, 16 Jun 2021 13:54:22 -0700 Subject: [PATCH 58/70] Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. --- .circleci/config.yml | 3 +-- test/chart/verifier.bats | 12 ++++++------ values.openshift.yaml | 18 ++++++++++++++++++ 3 files changed, 25 insertions(+), 8 deletions(-) create mode 100644 values.openshift.yaml diff --git a/.circleci/config.yml b/.circleci/config.yml index cef29305b..e1bce111f 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -16,8 +16,7 @@ jobs: - image: docker.mirror.hashicorp.services/cimg/go:1.16 environment: BATS_VERSION: "1.3.0" - # Note: the commit SHA is used here since the repo doesn't use release tags - CHART_VERIFIER_VERSION: "e2c03bd1a4aea20deb0a4a03ebfde254b1672050" + CHART_VERIFIER_VERSION: "1.0.0" steps: - checkout - run: diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index f8e298623..e7ab5aa72 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -30,7 +30,8 @@ setup_file() { $run_cmd verify $chart_src \ --output json \ --openshift-version $OPENSHIFT_VERSION \ - --disable $DISABLED_TESTS 2>&1 | tee $VERIFY_OUTPUT + --disable $DISABLED_TESTS \ + --chart-values values.openshift.yaml 2>&1 | tee $VERIFY_OUTPUT } teardown_file() { @@ -75,12 +76,11 @@ teardown_file() { check_result contains-test } +@test "images-are-certified" { + check_result images-are-certified +} + @test "chart-testing" { skip "Skipping since this test requires a kubernetes/openshift cluster" check_result chart-testing } - -@test "images-are-certified" { - skip "Skipping until this has been addressed" - check_result images-are-certified -} diff --git a/values.openshift.yaml b/values.openshift.yaml new file mode 100644 index 000000000..2e3ed77b8 --- /dev/null +++ b/values.openshift.yaml 
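Review bot: Replacing the pinned commit SHA with `CHART_VERIFIER_VERSION: "1.0.0"` turns an immutable reference into a mutable tag; unless the step that fetches chart-verifier (outside this hunk) verifies a checksum or resolves the tag through a module proxy backed by go.sum, the CI tool can change underneath the pin without any diff here. If the project now publishes release tags, keeping the resolved commit next to the tag, `# 1.0.0 == <commit sha>`, or pinning the download by digest preserves reproducibility. The deleted comment explained why a SHA was used; its replacement should say how the tag is verified.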
@@ -0,0 +1,18 @@ +# These overrides are appropriate defaults for deploying this chart on OpenShift + +global: + openshift: true + +injector: + image: + repository: "registry.connect.redhat.com/hashicorp/vault-k8s" + tag: "0.10.1-ubi" + + agentImage: + repository: "registry.connect.redhat.com/hashicorp/vault" + tag: "1.7.2-ubi" + +server: + image: + repository: "registry.connect.redhat.com/hashicorp/vault" + tag: "1.7.2-ubi" From 7509bc739d84f0a87881b8436b498a3a5ff8e47b Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 16 Jun 2021 13:57:16 -0700 Subject: [PATCH 59/70] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6eb008994..ee5ed3d52 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Improvements: * Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) * Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547) +* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549) Bugs: * Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) From f67b844d3027b981d12a56957f5fbcbf85ec5adc Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 17 Jun 2021 10:52:21 -0700 Subject: [PATCH 60/70] Update to v0.13.0 (#554) --- CHANGELOG.md | 2 ++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 8 ++++---- 6 files changed, 15 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee5ed3d52..5c58777ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.13.0 (June 17th, 2021) + Improvements: * Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) * Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547) 
diff --git a/Chart.yaml b/Chart.yaml index 4bd306fdc..045116268 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.12.0 -appVersion: 1.7.2 +version: 0.13.0 +appVersion: 1.7.3 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index c7119d535..1445ffb83 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index eb08b31a1..98fc3e6d6 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . 
@@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.7.2_ent' \ + --set='server.image.tag=1.7.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index 2e3ed77b8..96198fe9b 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.10.1-ubi" + tag: "0.10.2-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.7.2-ubi" + tag: "1.7.3-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.7.2-ubi" + tag: "1.7.3-ubi" diff --git a/values.yaml b/values.yaml index a85514b3d..4516e8777 100644 --- a/values.yaml +++ b/values.yaml @@ -52,7 +52,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.10.1" + tag: "0.10.2" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -60,7 +60,7 @@ injector: # required. agentImage: repository: "vault" - tag: "1.7.2" + tag: "1.7.3" # The default values for the injected Vault Agent containers. agentDefaults: @@ -216,7 +216,7 @@ server: image: repository: "vault" - tag: "1.7.2" + tag: "1.7.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -704,7 +704,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.2.0" + tag: "0.3.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From e08ffefc510238073b4f4f97a0ec9a47f7248284 Mon Sep 17 00:00:00 2001 
From: Julian Setiawan Date: Thu, 2 Apr 2020 08:33:52 -0400 Subject: [PATCH 61/70] Explain this fork in the README --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index f95b26fc3..3b063ecd4 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,8 @@ +# MaaS Vault + +This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. +This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. + # Vault Helm Chart > :warning: **Please note**: We take Vault's security and our users' trust very seriously. If From 5ce26d847e2c6d561480df94956637ab9db7448b Mon Sep 17 00:00:00 2001 From: marcboudreau Date: Thu, 9 Apr 2020 20:04:23 -0400 Subject: [PATCH 62/70] Adding support for LoadBalancerIP field in ServiceSpec --- README.md | 19 ++++++++++++++----- templates/server-service.yaml | 3 +++ values.yaml | 8 ++++++-- 3 files changed, 23 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 3b063ecd4..603b405d4 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. +This repository is used as a submodule in other repositories that install and setup Vault. # Vault Helm Chart 
@@ -43,7 +43,16 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm install vault hashicorp/vault ``` -Please see the many options supported in the `values.yaml` file. These are also -fully documented directly on the [Vault -website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more -detailed installation instructions. +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + +## Customizations + +This Helm chart has been customized in the following ways: + +### Support LoadBalancerIP Field + +The Service spec in the **server-service.yaml** file now allows setting a +specific IP address when the Service type is set to `LoadBalancer` and a +**maas.lbAddress** value has been provided. diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 6f82e3862..85a05db34 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -21,6 +21,9 @@ spec: {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} + {{- if and (.Values.maas.lbAddress) (eq (.Values.server.service.type | toString) "LoadBalancer") }} + loadBalancerIP: {{ .Values.maas.lbAddress }} + {{- end }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. publishNotReadyAddresses: true diff --git a/values.yaml b/values.yaml index 4516e8777..3bc971175 100644 --- a/values.yaml +++ b/values.yaml 
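Review bot: The new `loadBalancerIP` guard reads `.Values.maas.lbAddress`, but values.yaml in this patch documents the setting as `server.service.loadBalancerIP` and defines no `maas` key, so the documented value has no effect and, because `.Values.maas` is absent by default, Helm will most likely abort every render of this template with a nil-pointer error on `.lbAddress`. Read the value from the documented location: `{{- if and .Values.server.service.loadBalancerIP (eq (.Values.server.service.type | toString) "LoadBalancer") }}` and `loadBalancerIP: {{ .Values.server.service.loadBalancerIP }}`. The README paragraph in this patch that names `maas.lbAddress` should then be corrected to match. The Service spec continues outside the hunk.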
@@ -454,14 +454,18 @@ server: # load balancer. # clusterIP: None - # Configures the service type for the main Vault service. Can be ClusterIP - # or NodePort. + # Configures the service type for the main Vault service. Can be ClusterIP, + # NodePort, or LoadBalancer. #type: ClusterIP # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. #nodePort: 30000 + # If type is set to "LoadBalancer", a specific IP address can be attached + # to the load balancer, will be random if left blank. + #loadBalancerIP: + # Port on which Vault server is listening port: 8200 # Target port to which the service should be mapped to From 4104066b87bb258f7991623d8f16bb5801a1c14c Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 63/70] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 6 ++++++ templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ values.yaml | 2 ++ 3 files changed, 28 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 63011d31e..8482ae646 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -90,6 +90,11 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} + {{- if .Values.server.logrotate }} + - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + configMap: + name: {{ template "vault.fullname" . }}-logrotate-config + {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} {{ .type }}: @@ -216,6 +221,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml 
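Review bot: The lone `{{- end -}}` appended after the closing `{{ end }}` lines of the storage helper has no visible opener in the hunk and nothing else in this commit introduces one, so the template is likely to fail to parse with an unexpected `{{end}}`; the surrounding `define` starts outside the hunk, so this is inferred from what is visible. A later commit in this series removes the same line again, which supports that reading. Dropping the line here keeps the series bisectable.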
@@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 3bc971175..7878ea40e 100644 --- a/values.yaml +++ b/values.yaml @@ -666,6 +666,8 @@ server: # YAML-formatted multi-line templated string map of the annotations to apply # to the statefulSet. annotations: {} + # A boolean flag to setup logrotate as a side car continer + logrotate: null # Vault UI ui: From 2d56a25ae9418295eb27b06f44e5bb24e9563242 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 64/70] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/_helpers.tpl | 9 ++++++--- templates/datadog-audit-configmap.yaml | 10 ++++++++++ templates/logrotate-config-configmap.yaml | 20 -------------------- templates/logrotate-configmap.yaml | 10 ++++++++++ 4 files changed, 26 insertions(+), 23 deletions(-) create mode 100644 templates/datadog-audit-configmap.yaml delete mode 100644 templates/logrotate-config-configmap.yaml create mode 100644 templates/logrotate-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 8482ae646..00b456b51 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
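Review bot: The logrotate stanza pairs `copytruncate` with a `postrotate` that sends SIGHUP to `vault server`, which is both redundant and lossy: Vault reopens its file audit device on SIGHUP, so the default `create` mode works, whereas `copytruncate` has a window between the copy and the truncate in which audit entries can be lost. `rotate 1` with `size 5M` also keeps a single compressed generation of the audit log, a very short retention for the security record of a secrets manager; `rotate` and `size` belong in chart values rather than fixed here. `pkill -HUP -f "vault server"` can only reach the Vault process if the rotating container shares the pod's process namespace and runs as a user allowed to signal it, and neither a sidecar nor `shareProcessNamespace` appears in this commit's diffstat, so the `logrotate` comment in values.yaml should state where that is expected to be configured.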
@@ -90,10 +90,13 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} - {{- if .Values.server.logrotate }} - - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + {{- if .Values.server.logrotate.enabled }} + - name: {{ template "vault.fullname" . }}-logrotate-config configMap: - name: {{ template "vault.fullname" . }}-logrotate-config + name: {{ template "vault.fullname" . }}-logrotate-configmap + - name: {{ template "vault.fullname" . }}-datadog-config + configMap: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} diff --git a/templates/datadog-audit-configmap.yaml b/templates/datadog-audit-configmap.yaml new file mode 100644 index 000000000..5190d7fb7 --- /dev/null +++ b/templates/datadog-audit-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap + namespace: {{ .Release.Namespace }} +data: + conf.yaml: |- +{{ .Values.server.logrotate.datadogsidecar.config | indent 6 }} +{{ end }} diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file 
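Review bot: The volume block now tests `.Values.server.logrotate.enabled`, but values.yaml is not part of this commit and still carries `logrotate: null` from the previous patch, so the default render of the server StatefulSet will most likely fail with a nil-pointer error on `.enabled` until the value becomes a map. The two new ConfigMaps likewise read `server.logrotate.config.logRotateConf` and `server.logrotate.datadogsidecar.config`, which no values file defines, so enabling the feature without both keys also aborts the render. values.yaml needs a defaulted block such as the one below. Shipping the audit log to Datadog sends every request and response record (with HMAC'd sensitive fields) to a third party, which deserves a comment next to `datadogsidecar` so operators opt in knowingly.
```yaml
server:
  # … unchanged: other server settings …
  logrotate:
    enabled: false
    config:
      # logrotate(8) stanza rendered into the logrotate ConfigMap
      logRotateConf: ""
    datadogsidecar:
      # Datadog agent conf.yaml rendered into the datadog sidecar ConfigMap
      config: ""
```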
diff --git a/templates/logrotate-configmap.yaml b/templates/logrotate-configmap.yaml new file mode 100644 index 000000000..0e90cd293 --- /dev/null +++ b/templates/logrotate-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-configmap + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: |- +{{ .Values.server.logrotate.config.logRotateConf | indent 6 }} +{{ end }} From 919ccb4cdfcca2ad0e908777b94b14dc257bc39a Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 65/70] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - values.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 00b456b51..5e3269f78 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -224,7 +224,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* diff --git a/values.yaml b/values.yaml index 7878ea40e..ededa07bb 100644 --- a/values.yaml +++ b/values.yaml @@ -240,7 +240,6 @@ server: # limits: # memory: 256Mi # cpu: 250m - # Ingress allows ingress services to be created to allow external access # from Kubernetes to access Vault pods. # If deployment is on OpenShift, the following block is ignored. From efd1de698726b5d646dd48e144f1ede7d0a2f31c Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 66/70] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 1 + templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ values.yaml | 2 ++ 3 files changed, 23 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 5e3269f78..00b456b51 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -224,6 +224,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index ededa07bb..e62b88997 100644 --- a/values.yaml +++ b/values.yaml @@ -658,6 +658,8 @@ server: # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. annotations: {} + # A boolean flag to setup logrotate as a side car continer + logrotate: null # Settings for the statefulSet used to run Vault. statefulSet: From 1e3b002f35cae6433585191ca56bf4589fd8d9df Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 67/70] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/logrotate-config-configmap.yaml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null 
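Review bot: `logrotate: null` is added a second time here, directly after `serviceAccount.annotations`, while the copy introduced after `statefulSet.annotations` in the earlier patch is still present; depending on indentation the collapsed diff does not preserve, that is either a duplicate `server.logrotate` key, which the YAML loader may reject, or a stray `server.serviceAccount.logrotate` key that nothing reads. Patches 66–68 repeat the subjects and dates of 63–65 and re-add then delete the same ConfigMap and `{{- end -}}`, which looks like a rebase artifact; squashing them would leave a single `logrotate` definition, and it should be the map form the templates now require (`enabled`, `config.logRotateConf`, `datadogsidecar.config`) rather than `null`.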
@@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file From 48c9d8c45dbe366f809648be28909c6ac116fb93 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 68/70] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 00b456b51..5e3269f78 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -224,7 +224,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* From e0f32749233cd8d2684e19a42c6ec40eab22629e Mon Sep 17 00:00:00 2001 From: nagsubhrajitt Date: Tue, 31 May 2022 19:37:51 -0400 Subject: [PATCH 69/70] feat(DATAGO-27002): Upgrade to 1.7.9 --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index e62b88997..a46a82868 100644 --- a/values.yaml +++ b/values.yaml @@ -216,7 +216,7 @@ server: image: repository: "vault" - tag: "1.7.3" + tag: "1.7.9" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From de39d8357e60d7c2640aa3611a57a7984e447322 Mon Sep 17 00:00:00 2001 From: nagsubhrajitt Date: Tue, 31 May 2022 20:34:53 -0400 Subject: [PATCH 70/70] chore(DATAGO-27002): Fix doc issue --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 03afc2b3a..8096d7f79 100644 --- a/README.md +++ b/README.md 
@@ -43,9 +43,10 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm install vault hashicorp/vault ``` -Please see the many options supported in the `values.yaml` -file. These are also fully documented directly on the -[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). +Please see the many options supported in the `values.yaml` file. These are also +fully documented directly on the [Vault +website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more +detailed installation instructions. ## Customizations