Datago 30302/upgrading vault to 1.8.11

.circleci/config.yml

@@ -6,14 +6,36 @@ jobs:
   bats-unit-test:
     docker:
       # This image is built from test/docker/Test.dockerfile
-      - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.1.0
+      - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
     steps:
       - checkout
       - run: bats ./test/unit -t
+
+  chart-verifier:
+    docker:
+      - image: docker.mirror.hashicorp.services/cimg/go:1.16
+    environment:
+      BATS_VERSION: "1.3.0"
+      CHART_VERIFIER_VERSION: "1.2.1"
+    steps:
+      - checkout
+      - run:
+          name: install chart-verifier
+          command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
+      - run:
+          name: install bats
+          command: |
+            curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz
+            tar -zxf /tmp/bats.tgz -C /tmp
+            sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local
+      - run:
+          name: run chart-verifier tests
+          command: bats ./test/chart -t
+
   acceptance:
     docker:
       # This image is build from test/docker/Test.dockerfile
-      - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.1.0
+      - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
 
     steps:
       - checkout
@@ -66,16 +88,17 @@ workflows:
   build_and_test:
     jobs:
       - bats-unit-test
+      - chart-verifier
       - acceptance:
           requires:
             - bats-unit-test
           filters:
             branches:
-              only: master
+              only: main
   update-helm-charts-index:
     jobs:
       - update-helm-charts-index:
-          context: helm-charts-trigger
+          context: helm-charts-trigger-vault
           filters:
             tags:
               only: /^v.*/

.gitignore

@@ -10,3 +10,4 @@ vaul-helm-dev-creds.json
 ./test/unit/vaul-helm-dev-creds.json
 ./test/acceptance/values.yaml
 ./test/acceptance/values.yml
+.idea

CHANGELOG.md

@@ -1,5 +1,112 @@
 ## Unreleased
 
+## 0.17.1 (October 25th, 2021)
+
+Improvements:
+  * Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634)
+
+## 0.17.0 (October 21st, 2021)
+
+KNOWN ISSUES:
+* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set
+
+CHANGES:
+* Vault image default 1.8.4
+* Vault K8s image default 0.14.0
+
+Improvements:
+* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590)
+* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626)
+* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630)
+
+Bugs:
+* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628)
+
+## 0.16.1 (September 29th, 2021)
+
+CHANGES:
+* Vault image default 1.8.3
+* Vault K8s image default 0.13.1
+
+## 0.16.0 (September 16th, 2021)
+
+CHANGES:
+* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`.
+
+Improvements:
+ * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603)
+ * Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607)
+
+## 0.15.0 (August 23rd, 2021)
+
+Improvements:
+* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572)
+* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584)
+
+## 0.14.0 (July 28th, 2021)
+
+Features:
+* Added templateConfig.exitOnRetryFailure annotation for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560)
+
+Improvements:
+* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565)
+* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
+* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
+* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
+* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
+* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576)
+
+
+## 0.13.0 (June 17th, 2021)
+
+Improvements:
+* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531)
+* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547)
+* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549)
+
+Bugs:
+* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537)
+* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535)
+* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545)
+
+## 0.12.0 (May 25th, 2021)
+
+Features:
+* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526)
+
+Improvements:
+* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510)
+* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513)
+* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521)
+* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437)
+
+Bugs:
+* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519)
+
+## 0.11.0 (April 14th, 2021)
+
+Features:
+* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486)
+* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471)
+* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489)
+* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493)
+* Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460)
+* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488)
+
+Improvements:
+* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495)
+
+Bugs:
+* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486)
+
+## 0.10.0 (March 25th, 2021)
+
+Features:
+* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461)
+
+Improvements:
+* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456)
+
 ## 0.9.1 (February 2nd, 2021)
 
 Bugs:

CONTRIBUTING.md

@@ -26,7 +26,7 @@ quickly merge or address your contributions.
 
 * Make sure you test against the latest released version. It is possible
   we already fixed the bug you're experiencing. Even better is if you can test
-  against `master`, as bugs are fixed regularly but new versions are only
+  against `main`, as bugs are fixed regularly but new versions are only
   released every few months.
 
 * Provide steps to reproduce the issue, and if possible include the expected
@@ -62,7 +62,37 @@ The unit tests don't require any active Kubernetes cluster and complete
 very quickly. These should be used for fast feedback during development.
 The acceptance tests require a Kubernetes cluster with a configured `kubectl`.
 
-### Prequisites
+### Test Using Docker Container
+
+The following are the instructions for running bats tests using a Docker container.
+
+#### Prerequisites
+
+* Docker installed
+* `vault-helm` checked out locally
+
+#### Test
+
+**Note:** the following commands should be run from the `vault-helm` directory.
+
+First, build the Docker image for running the tests:
+
+```shell
+docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test
+```
+Next, execute the tests with the following commands:
+```shell
+docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit
+```
+It's possible to only run specific bats tests using regular expressions. 
+For example, the following will run only tests with "injector" in the name:
+```shell
+docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector"
+```
+
+### Test Manually
+The following are the instructions for running bats tests on your workstation.
+#### Prerequisites
 * [Bats](https://github.com/bats-core/bats-core)
   ```bash
   brew install bats-core
@@ -76,7 +106,7 @@ The acceptance tests require a Kubernetes cluster with a configured `kubectl`.
   brew install kubernetes-helm
   ```
 
-### Running The Tests
+#### Test
 
 To run the unit tests:
 
@@ -91,7 +121,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
 start from a clean slate.
 
 **Note:** There is a Terraform configuration in the
-[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/master/test/terraform) directory
+[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory
 that can be used to quickly bring up a GKE cluster and configure
 `kubectl` and `helm` locally. This can be used to quickly spin up a test
 cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes

Chart.yaml

@@ -1,12 +1,14 @@
 apiVersion: v2
 name: vault
-version: 0.9.1
-appVersion: 1.6.2
-description: Official HashiCorp Vault Chart
+version: 0.17.1
+appVersion: 1.8.4
+kubeVersion: ">= 1.14.0-0"
+description: Install and configure Vault on Kubernetes.
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
 keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
 sources:
   - https://github.com/hashicorp/vault
   - https://github.com/hashicorp/vault-helm
   - https://github.com/hashicorp/vault-k8s
+  - https://github.com/hashicorp/vault-csi-provider

Makefile

@@ -4,11 +4,27 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
 ACCEPTANCE_TESTS?=acceptance
 
+# filter bats unit tests to run.
+UNIT_TESTS_FILTER?='.*'
+
+# set to 'true' to run acceptance tests locally in a kind cluster
+LOCAL_ACCEPTANCE_TESTS?=false
+
+# kind cluster name
+KIND_CLUSTER_NAME?=vault-helm
+
+# kind k8s version
+KIND_K8S_VERSION?=v1.20.2
+
+# Generate json schema for chart values. See test/README.md for more details.
+values-schema:
+	helm schema-gen values.yaml > values.schema.json
+
 test-image:
 	@docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
 
 test-unit:
-	@docker run -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats /helm-test/test/unit
+	@docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit
 
 test-bats: test-unit test-acceptance
 
@@ -17,14 +33,19 @@ test: test-image test-bats
 # run acceptance tests on GKE
 # set google project/credential vars above
 test-acceptance:
+ifeq ($(LOCAL_ACCEPTANCE_TESTS),true)
+	make setup-kind acceptance
+else
 	@docker run -it -v ${PWD}:/helm-test \
 	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
 	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
 	-e KUBECONFIG=/helm-test/.kube/config \
+	-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
 	-w /helm-test \
 	$(TEST_IMAGE) \
 	make acceptance
-
+endif
+
 # destroy GKE cluster using terraform
 test-destroy:
 	@docker run -it -v ${PWD}:/helm-test \
@@ -47,7 +68,9 @@ test-provision:
 # this target is for running the acceptance tests
 # it is run in the docker container above when the test-acceptance target is invoked
 acceptance:
+ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
 	gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
+endif
 	bats test/${ACCEPTANCE_TESTS}
 
 # this target is for provisioning the GKE cluster
@@ -62,4 +85,17 @@ provision-cluster:
 destroy-cluster:
 	terraform destroy -auto-approve
 
-.PHONY: test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster
+# create a kind cluster for running the acceptance tests locally
+setup-kind:
+	kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \
+	kind create cluster \
+	--image kindest/node:${KIND_K8S_VERSION} \
+	--name ${KIND_CLUSTER_NAME}  \
+	--config $(CURDIR)/test/kind/config.yaml
+	kubectl config use-context kind-${KIND_CLUSTER_NAME}
+
+# delete the kind cluster
+delete-kind:
+	kind delete cluster --name ${KIND_CLUSTER_NAME} || :
+
+.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster

README.md

@@ -1,3 +1,8 @@
+# MaaS Vault
+
+This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes.
+This repository is used as a submodule in other repositories that install and setup Vault.
+
 # Vault Helm Chart
 
 > :warning: **Please note**: We take Vault's security and our users' trust very seriously. If 
@@ -15,16 +20,16 @@ use Vault with Kubernetes, please see the
 ## Prerequisites
 
 To use the charts here, [Helm](https://helm.sh/) must be configured for your
-Kubernetes cluster. Setting up Kubernetes and Helm and is outside the scope of
+Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of
 this README. Please refer to the Kubernetes and Helm documentation.
 
 The versions required are:
 
   * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible
     it works with earlier versions but this chart is untested for those versions.
-  * **Kubernetes 1.9+** - This is the earliest version of Kubernetes tested.
+  * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested.
     It is possible that this chart works with earlier versions but it is
-    untested. Other versions verified are Kubernetes 1.10, 1.11.
+    untested.
 
 ## Usage
 
@@ -38,7 +43,17 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
 $ helm install vault hashicorp/vault
 ```
 
-Please see the many options supported in the `values.yaml` file. These are also
-fully documented directly on the [Vault
-website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more
-detailed installation instructions.
+Please see the many options supported in the `values.yaml`
+file. These are also fully documented directly on the
+[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html).
+
+
+## Customizations
+
+This Helm chart has been customized in the following ways:
+
+### Support LoadBalancerIP Field
+
+The Service spec in the **server-service.yaml** file now allows setting a
+specific IP address when the Service type is set to `LoadBalancer` and a
+**maas.lbAddress** value has been provided.