diff --git a/.circleci/config.yml b/.circleci/config.yml index 70c2453fb..7582bdc21 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -77,7 +77,7 @@ jobs: -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 644875e26..2261ea63a 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -11,7 +11,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4] + kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 diff --git a/CHANGELOG.md b/CHANGELOG.md index bfb3af04f..7b7783a94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,25 @@ ## Unreleased +## 0.20.0 (May 16th, 2022) + +CHANGES: +* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Vault default image to 1.10.3 +* CSI provider default image to 1.1.0 +* Vault K8s default image to 0.16.0 +* Earliest Kubernetes version tested is now 1.16 +* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652) +* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692) + +Improvements: +* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) +* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) +* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) +* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) +* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694) +* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684) + ## 0.19.0 (January 20th, 2022) CHANGES: diff --git a/Chart.yaml b/Chart.yaml index 9f1440436..fc5527d10 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -1,9 +1,9 @@ apiVersion: v2 name: vault -version: 0.19.0 -appVersion: 1.9.2 -kubeVersion: ">= 1.14.0-0" -description: Install and configure Vault on Kubernetes. +version: 0.20.0 +appVersion: 1.10.3 +kubeVersion: ">= 1.16.0-0" +description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"] diff --git a/README.md b/README.md index 03afc2b3a..49ded6e8b 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ The versions required are: * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible it works with earlier versions but this chart is untested for those versions. - * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index dd53fd5a6..a50fed899 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -31,6 +31,50 @@ Expand the name of the chart.
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

+{{/*
+Compute if the csi driver is enabled.
+*/}}
+{{- define "vault.csiEnabled" -}}
+{{- $_ := set . "csiEnabled" (or
+ (eq (.Values.csi.enabled | toString) "true")
+ (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the injector is enabled.
+*/}}
+{{- define "vault.injectorEnabled" -}}
+{{- $_ := set . "injectorEnabled" (or
+ (eq (.Values.injector.enabled | toString) "true")
+ (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server is enabled.
+*/}}
+{{- define "vault.serverEnabled" -}}
+{{- $_ := set . "serverEnabled" (or
+ (eq (.Values.server.enabled | toString) "true")
+ (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server service is enabled.
+*/}}
+{{- define "vault.serverServiceEnabled" -}}
+{{- template "vault.serverEnabled" . -}}
+{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
+{{- end -}}
+
+{{/*
+Compute if the ui is enabled.
+*/}}
+{{- define "vault.uiEnabled" -}}
+{{- $_ := set . "uiEnabled" (or
+ (eq (.Values.ui.enabled | toString) "true")
+ (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
{{/*
Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster.
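Review bot: The five new `*Enabled` helpers encode a tri-state contract (`true`, `false`, and `-` meaning "follow `global.enabled`") and publish the result by mutating the root context with `set .`, but each header only says "Compute if X is enabled", so a reader of a consuming template has to open the helper to learn what `-` does. I would make each header carry the contract, e.g. for the first one: `Compute whether the CSI provider is enabled and store it in .csiEnabled: true when csi.enabled is "true", or when csi.enabled is "-" and global.enabled is "true"; any other value disables it.` The csi, injector, server and ui helpers are otherwise identical apart from the values key and the context key, so one helper taking a `dict` with the component name would remove the copy-paste, though that is a style choice. `vault.serverServiceEnabled` calls `vault.serverEnabled` before reading `.serverEnabled`, which is the right order and worth keeping if the others are ever combined.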
@@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify
template logic.
*/}}
{{- define "vault.mode" -}}
+ {{- template "vault.serverEnabled" . -}}
{{- if .Values.injector.externalVaultAddr -}}
{{- $_ := set . "mode" "external" -}}
- {{- else if ne (.Values.server.enabled | toString) "true" -}}
+ {{- else if not .serverEnabled -}}
{{- $_ := set . "mode" "external" -}}
{{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
{{- $_ := set . "mode" "dev" -}}
@@ -256,6 +301,37 @@ Sets the injector affinity for pod placement
{{ end }}
{{- end -}}

+{{/*
+Sets the topologySpreadConstraints when running in standalone and HA modes.
+*/}}
+{{- define "vault.topologySpreadConstraints" -}}
+ {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{ $tp := typeOf .Values.server.topologySpreadConstraints }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }}
+ {{- else }}
+ {{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }}
+ {{- end }}
+ {{ end }}
+{{- end -}}
+
+
+{{/*
+Sets the injector topologySpreadConstraints for pod placement
+*/}}
+{{- define "injector.topologySpreadConstraints" -}}
+ {{- if .Values.injector.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{ $tp := typeOf .Values.injector.topologySpreadConstraints }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }}
+ {{- else }}
+ {{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }}
+ {{- end }}
+ {{ end }}
+{{- end -}}
+
{{/*
Sets the toleration for pod placement when running in standalone and HA modes.
*/}}
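Review bot: `vault.mode` now populates `.serverEnabled` as a side effect of its first line, and server-clusterrolebinding.yaml, server-config-configmap.yaml, server-discovery-role.yaml, server-discovery-rolebinding.yaml, server-disruptionbudget.yaml, the server-psp*.yaml files, server-serviceaccount.yaml, server-statefulset.yaml and tests/server-test.yaml in this commit test `{{- if .serverEnabled -}}` right after `{{ template "vault.mode" . }}` without calling `vault.serverEnabled` themselves; nothing in those files or in this header says where the value comes from. I would add to the header comment above `{{- define "vault.mode" -}}`: `Also sets .serverEnabled (via vault.serverEnabled); the server-* templates read it after calling this.` The csi and injector templates call their own helper explicitly, so either that comment or an explicit `{{- template "vault.serverEnabled" . -}}` in each server template keeps a future edit of `vault.mode` from silently disabling every server resource. The body of `vault.mode` continues past the end of the first hunk.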
@@ -380,13 +456,13 @@ Sets extra injector service annotations
Sets extra injector webhook annotations
*/}}
{{- define "injector.webhookAnnotations" -}}
- {{- if .Values.injector.webhookAnnotations }}
+ {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }}
annotations:
- {{- $tp := typeOf .Values.injector.webhookAnnotations }}
+ {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }}
{{- if eq $tp "string" }}
- {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
+ {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }}
{{- else }}
- {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
+ {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml
index a19e520f5..ec6a3d2b9 100644
--- a/templates/csi-clusterrole.yaml
+++ b/templates/csi-clusterrole.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml
index 63d69c7b1..d5b62a5f0 100644
--- a/templates/csi-clusterrolebinding.yaml
+++ b/templates/csi-clusterrolebinding.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
index f0bf639f3..5c21752d6 100644
--- a/templates/csi-daemonset.yaml
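Review bot: The new condition and the three `default` expressions in `injector.webhookAnnotations` establish that `injector.webhook.annotations` takes precedence over `injector.webhookAnnotations`, but the header still reads `Sets extra injector webhook annotations` and nothing marks the flat key as the legacy one. I would extend the header to: `Sets extra injector webhook annotations. injector.webhook.annotations takes precedence; injector.webhookAnnotations is kept for backwards compatibility.` The same precedence rule is applied to `namespaceSelector` and `objectSelector` in injector-mutating-webhook.yaml and deserves the same one-line comment there. One subtlety worth recording: `typeOf (or A B)` and `A | default B` agree only because an empty map is falsy for both, so a `webhook.annotations: {}` value falls through to the legacy key, which is presumably intended.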
+++ b/templates/csi-daemonset.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@@ -8,6 +9,9 @@ metadata:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- if .Values.csi.daemonSet.extraLabels -}}
+ {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
+ {{- end -}}
{{ template "csi.daemonSet.annotations" . }}
spec:
updateStrategy:
@@ -25,6 +29,9 @@ spec:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if .Values.csi.pod.extraLabels -}}
+ {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
+ {{- end -}}
{{ template "csi.pod.annotations" . }}
spec:
{{- if .Values.csi.priorityClassName }}
diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml
index ee127481b..8d6fa5329 100644
--- a/templates/csi-serviceaccount.yaml
+++ b/templates/csi-serviceaccount.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -8,5 +9,8 @@ metadata:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- if .Values.csi.serviceAccount.extraLabels -}}
+ {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
+ {{- end -}}
{{ template "csi.serviceAccount.annotations" . }}
{{- end }}
diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml
index 78363be55..e88685b5e 100644
--- a/templates/injector-certs-secret.yaml
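Review bot: `toYaml .Values.csi.daemonSet.extraLabels | nindent 4` is spliced in after the chart's own `app.kubernetes.io/*` labels, so an `extraLabels` entry that reuses one of those keys renders a mapping with duplicate keys; most YAML loaders silently keep the last value, and for the pod-template labels in the second hunk (`csi.pod.extraLabels`) that can make the rendered pod labels disagree with the DaemonSet selector. The same applies to `csi.serviceAccount.extraLabels` in csi-serviceaccount.yaml. Either document at the values key that the `app.kubernetes.io/*` keys are reserved, or strip them before rendering, e.g. `{{- toYaml (omit .Values.csi.daemonSet.extraLabels "app.kubernetes.io/name" "app.kubernetes.io/instance" "app.kubernetes.io/managed-by") | nindent 4 -}}`. The trailing `-}}` on `{{- end -}}` also eats the newline before the `{{ template "csi.daemonSet.annotations" . }}` line, so rendering now relies on that helper emitting its own leading newline; a `helm template` run with `extraLabels` unset would confirm it.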
+++ b/templates/injector-certs-secret.yaml @@ -1,10 +1,14 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: v1 kind: Secret metadata: name: vault-injector-certs + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml index 4ff25abe5..6a0d6be1a 100644 --- a/templates/injector-clusterrole.yaml +++ b/templates/injector-clusterrole.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -10,7 +11,7 @@ metadata: rules: - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] - verbs: + verbs: - "get" - "list" - "watch" diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml index 35d30b393..4c193f8a2 100644 --- a/templates/injector-clusterrolebinding.yaml +++ b/templates/injector-clusterrolebinding.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
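Review bot: The new side of injector-certs-secret.yaml ends without a trailing newline (`\ No newline at end of file`), and injector-psp-rolebinding.yaml, injector-psp.yaml, injector-role.yaml, injector-rolebinding.yaml, server-ha-standby-service.yaml and server-ingress.yaml in this commit end the same way; every template is concatenated into one manifest stream, so the output is only clean because each of these files ends in an `{{- end }}` action, and a closing newline keeps editors and linters from re-touching the line on the next change. The two stacked conditionals `{{- if .injectorEnabled -}}` / `{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}` could be one `and`, though the nesting mirrors the other injector templates and is a matter of taste.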
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index d58fc03fa..588efe400 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
@@ -30,6 +31,7 @@ spec:
{{ template "injector.annotations" . }}
spec:
{{ template "injector.affinity" . }}
+ {{ template "injector.topologySpreadConstraints" . }}
{{ template "injector.tolerations" . }}
{{ template "injector.nodeselector" . }}
{{- if .Values.injector.priorityClassName }}
@@ -142,41 +144,6 @@ spec:
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
-{{- if .Values.injector.certs.secretName }}
- volumeMounts:
- - name: webhook-certs
- mountPath: /etc/webhook/certs
- readOnly: true
-{{- end }}
- {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- - name: leader-elector
- image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
- args:
- - --election={{ template "vault.fullname" . }}-agent-injector-leader
- - --election-namespace={{ .Release.Namespace }}
- - --http=0.0.0.0:4040
- - --ttl={{ .Values.injector.leaderElector.ttl }}
- livenessProbe:
- httpGet:
- path: /
- port: 4040
- scheme: HTTP
- failureThreshold: 2
- initialDelaySeconds: 5
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 5
- readinessProbe:
- httpGet:
- path: /
- port: 4040
- scheme: HTTP
- failureThreshold: 2
- initialDelaySeconds: 5
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 5
- {{- end }}
{{- if .Values.injector.certs.secretName }}
volumes:
- name: webhook-certs
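Review bot: The removed span in the third hunk begins with the `{{- if .Values.injector.certs.secretName }}` / `volumeMounts:` / `- name: webhook-certs` / `mountPath: /etc/webhook/certs` block, not only the `leader-elector` container, yet the matching `volumes:` entry for `webhook-certs` is kept as context immediately below it. Unless the mount was re-added somewhere in the container spec outside the three hunks shown for this file, a release that sets `injector.certs.secretName` now declares the Secret volume but never mounts it into the injector container, so the webhook would run without the operator-supplied certificate. If dropping the sidecar was the intent, the six volumeMounts lines should be restored as below (or the `volumes:` block removed with them). The injector container and the pod spec both begin above this hunk.
```yaml
            timeoutSeconds: 5
{{- if .Values.injector.certs.secretName }}
          volumeMounts:
          - name: webhook-certs
            mountPath: /etc/webhook/certs
            readOnly: true
{{- end }}
# … unchanged: volumes block …
```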
diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml
index 59c998551..b44fd7300 100644
--- a/templates/injector-disruptionbudget.yaml
+++ b/templates/injector-disruptionbudget.yaml
@@ -1,5 +1,5 @@
{{- if .Values.injector.podDisruptionBudget }}
-apiVersion: policy/v1beta1
+apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index de7dd5622..f873f61c9 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
@@ -14,10 +15,11 @@ metadata:
{{- template "injector.webhookAnnotations" . }}
webhooks:
- name: vault.hashicorp.com
+ failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
+ matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
sideEffects: None
- admissionReviewVersions:
- - "v1beta1"
- - "v1"
+ timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
+ admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: {{ template "vault.fullname" . }}-agent-injector-svc
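Review bot: `ge .Capabilities.KubeVersion.Minor "21"` compares two strings, so the test is lexicographic rather than numeric; it happens to hold across the 1.16–1.23 range the chart now claims, but it reads `"9"` as above `"21"` and a future `"100"` as below it, and some distributions report `Minor` with a `+` suffix. The idiom Helm documents for this is a semver check on the full version, which also tolerates build suffixes when written with `-0`: `apiVersion: {{ semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version | ternary "policy/v1" "policy/v1beta1" }}`. server-disruptionbudget.yaml uses the same string comparison and should change with it. A short comment above the line saying why the version is tested instead of `.Capabilities.APIVersions.Has` (the latter is empty under `helm template` with no cluster) would spare the next reader the question.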
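Review bot: `failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}` always emits the key, whereas the `{{- with .Values.injector.failurePolicy }}` block it replaces in the next hunk omitted it when unset; if neither value is present the line renders as `failurePolicy:` with a null value and the API server substitutes its own default, which for `admissionregistration.k8s.io/v1` is `Fail`. That policy decides whether pods are admitted without injection when the webhook is unavailable, so it should not rest on an implicit API default the way `matchPolicy` and `timeoutSeconds` on the lines below carry explicit ones. Assuming values.yaml sets `injector.failurePolicy` this is only a robustness point, but either a comment at that values key stating it is required, or keeping the key inside a `with` as before, would make the intent explicit. The `webhooks` entry continues past the end of this hunk.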
@@ -29,15 +31,12 @@ webhooks: apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] -{{- if .Values.injector.namespaceSelector }} +{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }} namespaceSelector: -{{ toYaml .Values.injector.namespaceSelector | indent 6}} +{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}} {{ end }} -{{- if .Values.injector.objectSelector }} +{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }} objectSelector: -{{ toYaml .Values.injector.objectSelector | indent 6}} -{{ end }} -{{- with .Values.injector.failurePolicy }} - failurePolicy: {{.}} +{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}} {{ end }} {{ end }} diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml index 7a399a538..68892d23b 100644 --- a/templates/injector-network-policy.yaml +++ b/templates/injector-network-policy.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.openshift | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -19,3 +21,4 @@ spec: - port: 8080 protocol: TCP {{ end }} +{{ end }} diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 20c87bb2a..5d23c7556 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml 
@@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -15,3 +17,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index d6d0d5e24..4f6b0a851 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -16,3 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml index c024ac107..1eee2fcd0 100644 --- a/templates/injector-psp.yaml +++ b/templates/injector-psp.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -41,3 +43,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} \ No newline at end of file 
diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index e7e383d16..08c8264cc 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -1,8 +1,11 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} @@ -23,3 +26,4 @@ rules: - "patch" - "delete" {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index aa8179420..ea0db11b9 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -1,8 +1,11 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} 
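Review bot: The Role in this hunk and the RoleBinding below it are still gated on `injector.leaderElector.enabled` and `replicas > 1`, and the rules visible in the second hunk still grant `patch` and `delete`, while injector-deployment.yaml in this same commit removes the `leader-elector` sidecar these objects were created for. If vault-k8s now performs leader election in-process it presumably still needs a Role, but the verb list should be checked against what it actually uses rather than carried over from the sidecar, and a one-line comment above `kind: Role` naming the consumer (`# Used by the injector's built-in leader election`) would record that decision. Adding `namespace: {{ .Release.Namespace }}` is otherwise correct: a namespaced object without an explicit namespace is placed by the client, not by the chart. The `rules` list starts above the second hunk.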
@@ -16,3 +19,4 @@ subjects: name: {{ template "vault.fullname" . }}-agent-injector namespace: {{ .Release.Namespace }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 3138b7a5b..5e747d6f1 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: Service metadata: diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index a28d38fab..ebc57b56f 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index e5e0f5fec..e045b9ec3 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -22,3 +23,4 @@ subjects: name: {{ template "vault.serviceAccount.name" . }} namespace: {{ .Release.Namespace }} {{ end }} +{{ end }} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index b8093ad03..f40c69608 100644 
--- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}} +{{- if .serverEnabled -}} +{{- if ne .mode "dev" -}} {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} apiVersion: v1 kind: ConfigMap @@ -36,3 +37,4 @@ data: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 4a39cec21..9ca23dd4c 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -17,3 +18,4 @@ rules: verbs: ["get", "watch", "list", "update", "patch"] {{ end }} {{ end }} +{{ end }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 47526650b..6e22e4c2b 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -25,3 +26,4 @@ subjects: namespace: {{ .Release.Namespace }} {{ end }} {{ end }} +{{ end }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 3c45cc04e..d940fa4da 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml 
@@ -1,9 +1,10 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" -}}
-{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
+{{- if .serverEnabled -}}
+{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
-apiVersion: policy/v1beta1
+apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}
@@ -22,3 +23,4 @@ spec:
component: server
{{- end -}}
{{- end -}}
+{{- end -}}
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml
index c2a4f0227..90761a468 100644
--- a/templates/server-ha-active-service.yaml
+++ b/templates/server-ha-active-service.yaml
@@ -1,6 +1,8 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if eq .mode "ha" }}
# Service for active Vault pod
apiVersion: v1
kind: Service
@@ -22,7 +24,7 @@ spec:
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
- publishNotReadyAddresses: true
+ publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
@@ -40,3 +42,4 @@ spec:
vault-active: "true"
{{- end }}
{{- end }}
+{{- end }}
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index dbba9d653..03260ffaf 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
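Review bot: `publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}` in the server-ha-active-service.yaml hunk renders the raw value with no fallback, so if the key is absent from values.yaml or nulled by a user override the line becomes `publishNotReadyAddresses:` and the API default of `false` applies, the opposite of the hard-coded `true` it replaces; the comment kept in server-service.yaml says this DNS is used for join operations, so a silent flip would affect cluster bootstrap, not just readiness. A plain `| default true` is not a fix, because `default` treats `false` as empty and would override an explicit opt-out; `publishNotReadyAddresses: {{ ne (.Values.server.service.publishNotReadyAddresses | toString) "false" }}` keeps `true` unless the operator says `false`, including when the key is missing. The same line appears in server-ha-standby-service.yaml, server-headless-service.yaml and server-service.yaml. Assuming values.yaml ships the key set to `true`, this is a robustness point only.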
@@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -22,7 +24,7 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} @@ -39,4 +41,5 @@ spec: component: server vault-active: "false" {{- end }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index a37c63957..fffaaacbb 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service @@ -16,7 +17,7 @@ metadata: {{ template "vault.service.annotations" .}} spec: clusterIP: None - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: "{{ include "vault.scheme" . }}" port: {{ .Values.server.service.port }} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 48c76a828..c81e5f5ce 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml 
@@ -4,7 +4,9 @@ {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} @@ -72,3 +74,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index fd12e1eb3..b8eb897e5 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -16,3 +17,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }} {{- end }} +{{- end }} diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index b2a43c834..fded9fbc6 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -17,3 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }} {{- end }} +{{- end }} diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index 2d9426819..d210af351 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -45,3 +46,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 2e44ddf06..68207a2db 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service @@ -27,7 +28,7 @@ spec: {{- end }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 925b166bb..2d1a104bf 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml 
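Review bot: The server-psp.yaml hunk still emits `apiVersion: policy/v1beta1` / `kind: PodSecurityPolicy` with no version gate, while this same change moves the acceptance matrix up to 1.23.4 and adds tests that switch PodDisruptionBudget to `policy/v1` on 1.21+. PodSecurityPolicy is deprecated from 1.21 and removed in 1.25, so `global.psp.enable=true` will render an unusable object on newer clusters and the Role/RoleBinding from the sibling hunks will reference a policy that never exists. Consider gating all three templates the way the PDB is gated, e.g. `{{- if semverCompare "<1.25-0" .Capabilities.KubeVersion.Version }}`, or failing early with `{{ fail "PodSecurityPolicy is unavailable on Kubernetes >= 1.25; use Pod Security Admission" }}`. The `readOnlyRootFilesystem: false` context line is unchanged here but is worth revisiting as part of any PSA migration.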
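Review bot: In the server-service.yaml hunk the comment directly above the changed line ("We want the servers to become available even if they're not ready since this DNS is also used for join operations") still describes the old hard-coded `true` even though the field is now user-configurable, so a reader who flips the value has no warning in the template. I would reword it to carry the caveat with the knob: `# Defaults to true so unready (e.g. sealed) servers remain resolvable, because this DNS name is also used for join operations; set server.service.publishNotReadyAddresses=false only if join traffic does not depend on it.`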
@@ -1,5 +1,5 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} {{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} apiVersion: v1 kind: ServiceAccount diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index cbcda967d..518a19336 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if ne .mode "" }} +{{- if .serverEnabled -}} # StatefulSet to run the actual vault server cluster. apiVersion: apps/v1 kind: StatefulSet @@ -36,6 +37,7 @@ spec: {{ template "vault.annotations" . }} spec: {{ template "vault.affinity" . }} + {{ template "vault.topologySpreadConstraints" . }} {{ template "vault.tolerations" . }} {{ template "vault.nodeselector" . }} {{- if .Values.server.priorityClassName }} @@ -108,7 +110,11 @@ spec: fieldRef: fieldPath: metadata.name - name: VAULT_CLUSTER_ADDR + {{- if .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr }} + {{- else }} value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + {{- end }} {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} - name: VAULT_RAFT_NODE_ID valueFrom: @@ -206,3 +212,4 @@ spec: {{ template "vault.volumeclaims" . }} {{ end }} {{ end }} +{{ end }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index d983b9df6..56dbee78c 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} apiVersion: v1 kind: Pod metadata: 
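Review bot: In the server-statefulset.yaml hunk the user-supplied `server.ha.clusterAddr` is rendered unquoted (`value: {{ .Values.server.ha.clusterAddr }}`) while the fallback branch is a quoted string; an env `value` must be a string, so a value containing YAML specials (`: `, ` #`, a leading `*` or `[`) or an all-digit form would be mis-parsed or rejected by the API server. Use `value: {{ .Values.server.ha.clusterAddr | quote }}` to match the else branch. Since this address is what peers use to reach the cluster port, it is also worth a values.yaml comment that the scheme is expected to stay `https://` as in the default; I have not verified from this diff whether anything else validates it.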
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index ea27de282..d45afdda4 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -1,7 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} -{{- if eq (.Values.ui.enabled | toString) "true" }} +{{- template "vault.uiEnabled" . -}} +{{- if .uiEnabled -}} + apiVersion: v1 kind: Service metadata: @@ -34,4 +35,3 @@ spec: {{- include "service.loadBalancer" .Values.ui }} {{- end -}} {{- end }} -{{- end }} diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index c7c6549e2..bf6f85b5e 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -18,7 +18,8 @@ check_skip_csi() { # Install Secrets Store CSI driver CSI_DRIVER_VERSION=1.0.0 - helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ + helm install secrets-store-csi-driver secrets-store-csi-driver --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ + --version="${CSI_DRIVER_VERSION}" --wait --timeout=5m \ --namespace=acceptance \ --set linux.image.pullPolicy="IfNotPresent" \ diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 54a310f3a..5cc1a9b06 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
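Review bot: In the test/acceptance/csi.bats hunk the driver chart is now fetched with `--repo` and `--version="${CSI_DRIVER_VERSION}"`, which is cleaner than the raw tgz URL, but neither form pins content: a re-published 1.0.0 in that repository would be picked up silently by the acceptance run. If a provenance file is published for that chart, add `--verify` with a keyring; otherwise `helm pull` the chart first and compare its sha256 against a value recorded in the script before `helm install`, so the test environment cannot be swayed by a changed upstream artifact.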
@@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 5ba78c9fe..6deec78f9 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.10.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats index 68ea7ce78..2bed54136 100644 --- a/test/unit/csi-clusterrole.bats +++ b/test/unit/csi-clusterrole.bats @@ -29,5 +29,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] } \ No newline at end of file diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index cff3a3699..ccd98c55a 100644 
--- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.roleRef.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] } # ClusterRoleBinding service account name @@ -40,5 +40,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.subjects[0].name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index dd88d829a..6893b06ac 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -27,7 +27,30 @@ load _helpers --set "global.enabled=false" \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] +} + +# priorityClassName + +@test "csi/daemonset: priorityClassName not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: priorityClassName can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.priorityClassName=armaggeddon' \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) + [ "${actual}" = "true" ] } # priorityClassName 
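Review bot: The two `priorityClassName` tests added in the csi-daemonset.bats hunk sit directly above an existing `# priorityClassName` section heading (the hunk's last context line), which suggests the file already covers this setting; if the existing tests carry the same names, recent bats-core versions reject duplicate `@test` names, and if they are merely equivalent the new pair is dead weight. Either drop the added tests or fold them into the existing section. The assertion that flips to `[ "${actual}" = "true" ]` for `global.enabled=false` matches the changelog's new `global.enabled` semantics only if `csi.enabled=true` is set on the lines above, which start before this hunk.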
@@ -61,7 +84,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } # Image @@ -318,6 +341,32 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# Extra Labels + +@test "csi/daemonset: specify csi.daemonSet.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.pod.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + + #-------------------------------------------------------------------- # volumes diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 22ba06df2..41c17349f 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } @test "csi/serviceAccount: specify annotations" { 
@@ -56,4 +56,19 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} + +# serviceAccount extraLabels + +@test "csi/serviceAccount: specify csi.serviceAccount.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.serviceAccount.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + + diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 6443ca495..f69a585b0 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -26,12 +26,22 @@ load _helpers local actual=$( (helm template \ --show-only templates/injector-deployment.yaml \ --set 'global.enabled=false' \ - --set 'injector.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } +@test "injector/deployment: enable with injector.enabled true and global.enabled false" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'global.enabled=false' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/deployment: image defaults to injector.image" { cd `chart_dir` local actual=$(helm template \ @@ -157,7 +167,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ] + [ "${value}" = "release-name-vault-agent-injector-cfg" ] # helm template does uses current context namespace and ignores namespace flags, so # discover the targeted namespace so we can check the rendered value correctly. 
@@ -165,7 +175,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] + [ "${value}" = "release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.${namespace:-default},release-name-vault-agent-injector-svc.${namespace:-default}.svc" ] } @test "injector/deployment: manual TLS adds volume mount" { @@ -452,6 +462,27 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "injector/deployment: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "injector/deployment: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.topologySpreadConstraints[0].foo=bar,injector.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # tolerations diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index a0cee27d7..4373d839f 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats 
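Review bot: The new test `injector/deployment: topologySpreadConstraints is null by default` in this hunk computes `actual` but never asserts on it, so it passes vacuously; add `[ "${actual}" = "true" ]` after the `yq` pipeline, as the sibling `can be set as YAML` test does. Without it, a regression that starts rendering a non-empty `topologySpreadConstraints` by default would go unnoticed.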
@@ -11,6 +11,16 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + . | tee /dev/stderr | + yq '.spec.minAvailable == 2' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" { cd `chart_dir` local actual=$(helm template \ @@ -21,12 +31,25 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + +@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ --set 'injector.podDisruptionBudget.minAvailable=2' \ + --kube-version 1.19.5 \ . | tee /dev/stderr | - yq '.spec.minAvailable == 2' | tee /dev/stderr) + yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --kube-version 1.22.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1"' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index b6fa4ae62..bbd482985 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats 
@@ -87,6 +87,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/certs-secret: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-certs-secret.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} + @test "injector/role: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ @@ -127,6 +138,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/role: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-role.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} + @test "injector/rolebinding: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ @@ -166,3 +188,14 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/rolebinding: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-rolebinding.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 1e6e150d0..ef9bf8321 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats 
@@ -53,103 +53,274 @@ load _helpers [ "${actual}" = "\"\"" ] } -@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default" { +@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --namespace foo \ . | tee /dev/stderr | - yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) - [ "${actual}" = "null" ] + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + [ "${actual}" = "\"Ignore\"" ] } -@test "injector/MutatingWebhookConfiguration: can set namespaceSelector" { +@test "injector/MutatingWebhookConfiguration: can set failurePolicy (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.namespaceSelector.matchLabels.injector=true' \ + --set 'injector.webhook=null' \ + --set 'injector.failurePolicy=Fail' \ . | tee /dev/stderr | - yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "true" ] + [ "${actual}" = "\"Fail\"" ] } -@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" { +@test "injector/MutatingWebhookConfiguration: webhook.failurePolicy 'Ignore' by default" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --namespace foo \ + --set 'injector.failurePolicy=Invalid' \ . 
| tee /dev/stderr | - yq '.webhooks[0].objectSelector' | tee /dev/stderr) - [ "${actual}" = "null" ] + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Ignore\"" ] } -@test "injector/MutatingWebhookConfiguration: can set objectSelector" { +@test "injector/MutatingWebhookConfiguration: can set webhook.failurePolicy" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.objectSelector.matchLabels.injector=true' \ + --set 'injector.webhook.failurePolicy=Fail' \ + --set 'injector.failurePolicy=Invalid' \ . | tee /dev/stderr | - yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "true" ] + [ "${actual}" = "\"Fail\"" ] } -@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" { +@test "injector/MutatingWebhookConfiguration: webhook.matchPolicy 'Exact' by default" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --namespace foo \ . | tee /dev/stderr | - yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "\"Ignore\"" ] + yq '.webhooks[0].matchPolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Exact\"" ] } -@test "injector/MutatingWebhookConfiguration: can set failurePolicy" { +@test "injector/MutatingWebhookConfiguration: can set webhook.matchPolicy" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.failurePolicy=Fail' \ + --set 'injector.webhook.matchPolicy=Equivalent' \ . 
| tee /dev/stderr | - yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + yq '.webhooks[0].matchPolicy' | tee /dev/stderr) - [ "${actual}" = "\"Fail\"" ] + [ "${actual}" = "\"Equivalent\"" ] +} + +@test "injector/MutatingWebhookConfiguration: timeoutSeconds by default 30" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + . | tee /dev/stderr | + yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr) + + [ "${actual}" = "30" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.timeoutSeconds" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.timeoutSeconds=50' \ + . | tee /dev/stderr | + yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr) + + [ "${actual}" = "50" ] } #-------------------------------------------------------------------- # annotations -@test "injector/MutatingWebhookConfiguration: default annotations" { +@test "injector/MutatingWebhookConfiguration: default webhookAnnotations (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ . | tee /dev/stderr | yq -r '.metadata.annotations' | tee /dev/stderr) [ "${actual}" = "null" ] } -@test "injector/MutatingWebhookConfiguration: specify annotations yaml" { +@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --set 'injector.webhookAnnotations.foo=bar' \ . 
| tee /dev/stderr | yq -r '.metadata.annotations.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } -@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" { +@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml string (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --set 'injector.webhookAnnotations=foo: bar' \ . | tee /dev/stderr | yq -r '.metadata.annotations.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +@test "injector/MutatingWebhookConfiguration: default webhook.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.annotations.foo=bar' \ + --set 'injector.webhookAnnotations.invalid=invalid' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.annotations=foo: bar' \ + --set 'injector.webhookAnnotations=invalid: invalid' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +#-------------------------------------------------------------------- +# namespaceSelector + +@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set namespaceSelector (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.namespaceSelector.matchLabels.injector=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.namespaceSelector empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set set webhook.namespaceSelector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.namespaceSelector.matchLabels.injector=true' \ + --set 'injector.namespaceSelector.matchLabels.injector=false' \ + . 
| tee /dev/stderr | + yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# objectSelector + +@test "injector/MutatingWebhookConfiguration: objectSelector empty by default (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set objectSelector (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --set 'injector.objectSelector.matchLabels.injector=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.objectSelector empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.objectSelector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.objectSelector.matchLabels.injector=true' \ + --set 'injector.objectSelector.matchLabels.injector=false' \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} \ No newline at end of file 
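Review bot: The tests in this hunk pin a precedence rule that silently weakens upgraded installs: `webhook.failurePolicy 'Ignore' by default` sets the deprecated `injector.failurePolicy=Invalid` and still expects `Ignore`, and the deprecated-key tests only pass after `injector.webhook=null`, which presumably means `injector.webhook.failurePolicy` carries a default in values.yaml that shadows the old key. An operator who hardened the injector with `injector.failurePolicy=Fail` and upgrades without migrating their values will therefore get `Ignore` — pods are admitted without injection when the webhook is unavailable — with nothing in the rendered output flagging the change. I would have the template fall back to the deprecated key when `injector.webhook.failurePolicy` is unset (or `fail` when both are set and differ), and add a test `injector.failurePolicy=Fail` with the default `injector.webhook` expecting `Fail`. Note the selectors behave differently here: `can set namespaceSelector (deprecated)` passes without nulling `injector.webhook`, so only the fields with defaults are affected.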
diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats index c6dc522af..8e7acd7d5 100644 --- a/test/unit/injector-psp-role.bats +++ b/test/unit/injector-psp-role.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy-Role: disable with global.enabled" { +@test "injector/PodSecurityPolicy-Role: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp-role.yaml \ @@ -31,5 +31,5 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats index f8a8255fb..88bfe7900 100644 --- a/test/unit/injector-psp-rolebinding.bats +++ b/test/unit/injector-psp-rolebinding.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" { +@test "injector/PodSecurityPolicy-RoleBinding: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp-rolebinding.yaml \ @@ -31,5 +31,5 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } diff --git a/test/unit/injector-psp.bats b/test/unit/injector-psp.bats index fa14b0f1e..a415358b2 100644 --- a/test/unit/injector-psp.bats +++ b/test/unit/injector-psp.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy: disable with global.enabled" { +@test "injector/PodSecurityPolicy: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp.yaml \ 
@@ -31,7 +31,7 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "injector/PodSecurityPolicy: annotations are templated correctly by default" { diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index ad4800991..027eaa080 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats @@ -52,7 +52,7 @@ load _helpers --set 'injector.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "injector/Service: generic annotations" { diff --git a/test/unit/schema.bats b/test/unit/schema.bats index a42614bf6..9a61d7d5a 100644 --- a/test/unit/schema.bats +++ b/test/unit/schema.bats @@ -7,9 +7,9 @@ load _helpers # schema, setting it as a string fails 'helm template'. @test "schema: csi enabled datatype" { cd `chart_dir` - run helm template . --set csi.enabled="nope" + run helm template . --set csi.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set csi.enabled=true [ "$status" -eq 0 ] @@ -17,9 +17,9 @@ load _helpers @test "schema: injector enabled datatype" { cd `chart_dir` - run helm template . --set injector.enabled="nope" + run helm template . --set injector.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set injector.enabled=true [ "$status" -eq 0 ] 
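Review bot: The schema tests in this hunk (csi and injector; server and ui follow) now only reject an integer for `*.enabled` and the former negative case `"nope"` was dropped, so the schema presumably accepts any string in order to admit the `-` sentinel. That means a typo such as `server.enabled: "ture"` or `"True"` passes validation and is then interpreted by whatever string comparison the templates perform, silently disabling or enabling a component. Tighten values.schema.json to an enumerated string, e.g. `{"oneOf":[{"type":"boolean"},{"type":"string","enum":["-","true","false"]}]}`, and keep a negative test for an unknown string alongside the integer one.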
@@ -27,9 +27,9 @@ load _helpers @test "schema: server enabled datatype" { cd `chart_dir` - run helm template . --set server.enabled="nope" + run helm template . --set server.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set server.enabled=true [ "$status" -eq 0 ] @@ -37,9 +37,9 @@ load _helpers @test "schema: ui enabled datatype" { cd `chart_dir` - run helm template . --set ui.enabled="nope" + run helm template . --set ui.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set ui.enabled=true [ "$status" -eq 0 ] diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index a835c9d9c..80e26dd4e 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats @@ -197,3 +197,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/ha-active-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 9271c019f..bd71ca241 100755 --- a/test/unit/server-ha-disruptionbudget.bats 
+++ b/test/unit/server-ha-disruptionbudget.bats @@ -97,3 +97,27 @@ load _helpers yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] } + +@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=1' \ + --kube-version 1.19.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=1' \ + --kube-version 1.22.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 7dfd5d7fd..df0f9071e 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -208,3 +208,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/ha-standby-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} 
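Review bot: The two new `server/DisruptionBudget` tests probe `--kube-version 1.19.5` and `1.22.5`, so the `policy/v1` switch-over at 1.21 (the version the changelog names) is never exercised at its boundary; an off-by-one in the template's version comparison would pass both tests. Add a third case with `--kube-version 1.21.0 \` expecting `policy/v1`, and optionally `--kube-version 1.20.15 \` expecting `policy/v1beta1`. The titles also read oddly: `test is apiVersion is set correctly < version 1.21 of kube` would be clearer as `apiVersion is policy/v1beta1 for kube < 1.21`, and likewise for the `>=` case.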
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index cc77e7e39..342fa433d 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -417,7 +417,7 @@ load _helpers #-------------------------------------------------------------------- # VAULT_CLUSTER_ADDR renders -@test "server/ha-StatefulSet: cluster addr renders" { +@test "server/ha-StatefulSet: clusterAddr not set" { cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ 
@@ -428,7 +428,52 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] + [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to null" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=null' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to custom url" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=https://test.example.com:8201' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://test.example.com:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to custom url with environment variable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] } #-------------------------------------------------------------------- @@ -540,6 +585,32 @@ load _helpers [ "${actual}" = "1" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "server/ha-StatefulSet: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "server/ha-StatefulSet: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set "server.topologySpreadConstraints[0].foo=bar,server.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# tolerations + @test "server/ha-StatefulSet: tolerations not set by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats new file mode 100644 index 000000000..4e2d13537 --- /dev/null +++ b/test/unit/server-headless-service.bats 
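Review bot: `server/ha-StatefulSet: topologySpreadConstraints is null by default` computes `actual` but never asserts on it, so the test passes regardless of what the template renders; add `[ "${actual}" = "true" ]` after the `yq` pipeline, as the sibling `can be set as YAML` test does. The same missing assertion is in the `server/standalone-StatefulSet: topologySpreadConstraints is null by default` test added to server-statefulset.bats further down. In that second file the new `# tolerations` header is also not followed by a blank line before the existing `@test`, unlike here.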
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/headless-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 4132c16a7..aade5d57c 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -165,7 +165,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-active" ] + [ "${actual}" = "release-name-vault-active" ] } @test "server/ingress: uses regular service when configured with ha - yaml" { @@ -180,7 +180,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: uses regular service when not ha - yaml" { @@ -194,7 +194,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" { 
@@ -209,7 +209,7 @@ load _helpers --kube-version 1.18.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: uses regular service when not ha and activeService is true - yaml" { @@ -224,7 +224,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: pathType is added to Kubernetes version == 1.19.0" { diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index 53e1e619b..1daea2684 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats @@ -99,7 +99,7 @@ load _helpers --set 'server.route.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route points to main service when not ha and activeService is true" { @@ -112,7 +112,7 @@ load _helpers --set 'server.route.activeService=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route points to active service by when HA by default" { @@ -125,7 +125,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-active" ] + [ "${actual}" = "release-name-vault-active" ] } @test "server/route: OpenShift - route points to general service by when HA when configured" { 
@@ -139,7 +139,45 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] +} + +@test "server/route: OpenShift - route termination mode set to default passthrough" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "passthrough" ] +} + +@test "server/route: OpenShift - route termination mode set to edge" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.termination=edge' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "edge" ] +} + +@test "server/route: OpenShift - route custom tls entry" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \ + . | tee /dev/stderr | + yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr) + [ "${actual}" = "Redirect" ] } @test "server/route: OpenShift - route termination mode set to default passthrough" { diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 4695f2fff..5208f6e30 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
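Review bot: The added `server/route: OpenShift - route termination mode set to default passthrough` test duplicates a test of exactly that name that already follows it, as the hunk's trailing context line shows; bats will run both, so the new copy should be dropped, or renamed to whatever it checks that the existing one does not. The other two additions (`edge` termination and `insecureEdgeTerminationPolicy=Redirect`) do not have this problem.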
@@ -175,6 +175,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] } @test "server/Service: type empty by default" { diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 29e18b56f..fbc2b94bf 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -26,7 +26,7 @@ load _helpers --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 0a83ec6a1..a240e3dad 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -784,6 +784,29 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "server/standalone-StatefulSet: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "server/standalone-StatefulSet: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set "server.topologySpreadConstraints[0].foo=bar,server.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# tolerations @test "server/standalone-StatefulSet: tolerations not set by default" { cd `chart_dir` @@ -1640,7 +1663,7 @@ load _helpers --set 'server.serviceAccount.create=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index 5fd65d561..de82f84c3 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats 
@@ -66,14 +66,25 @@ load _helpers [ "${actual}" = "true" ] } -@test "server/standalone-server-test-Pod: disable with global.enabled" { +@test "server/standalone-server-test-Pod: not disabled with global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/tests/server-test.yaml \ --set 'global.enabled=false' \ + --set 'server.enabled=true' \ --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-server-test-Pod: disable with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'global.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index f439aecfb..f73bbce3f 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -53,6 +53,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "ui/Service: 'disable with global, enable with ui.enabled'" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'global.enabled=false' \ + --set 'server.enabled=true' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "ui/Service: disable with injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ diff --git a/values.openshift.yaml b/values.openshift.yaml index d24ac6e21..e59bb8677 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.14.2-ubi" + tag: "0.16.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.10.3-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.10.3-ubi" diff --git a/values.schema.json b/values.schema.json index 15440431a..87a02f803 100644 --- a/values.schema.json +++ b/values.schema.json @@ -14,6 +14,9 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "kubeletRootDir": { "type": "string" }, @@ -40,7 +43,10 @@ "type": "boolean" }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "extraArgs": { "type": "array" @@ -88,6 +94,9 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "tolerations": { "type": [ "null", @@ -128,6 +137,9 @@ "object", "string" ] + }, + "extraLabels": { + "type": "object" } } }, @@ -257,7 +269,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalVaultAddr": { "type": "string" @@ -365,6 +380,39 @@ "string" ] }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, + "webhook": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "failurePolicy": { + "type": "string" + }, + "matchPolicy": { + "type": "string" + }, + "namespaceSelector": { + "type": "object" + }, + "objectSelector": { + "type": "object" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, "webhookAnnotations": { "type": [ "object", @@ -472,7 +520,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "enterpriseLicense": { "type": "object", @@ -522,7 +573,10 @@ ] }, "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "disruptionBudget": { "type": "object", 
@@ -545,7 +599,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": "boolean" @@ -740,6 +797,9 @@ "enabled": { "type": "boolean" }, + "publishNotReadyAddresses": { + "type": "boolean" + }, "externalTrafficPolicy": { "type": "string" }, @@ -775,7 +835,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": [ @@ -836,7 +899,10 @@ ] }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalPort": { "type": "integer" diff --git a/values.yaml b/values.yaml index 027a90053..fcb1be9f2 100644 --- a/values.yaml +++ b/values.yaml @@ -26,7 +26,8 @@ global: injector: # True if you want to enable vault agent injection. - enabled: true + # @default: global.enabled + enabled: "-" replicas: 1 @@ -49,7 +50,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.14.2" + tag: "0.16.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -57,7 +58,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.9.6" + tag: "1.10.3" # The default values for the injected Vault Agent containers. agentDefaults: 
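Review bot: The comment above `injector.enabled` still reads `# True if you want to enable vault agent injection.` while the default becomes the sentinel `"-"`, and the `# @default: global.enabled` tag does not say what a non-boolean string means. The `server.enabled` block later in this file gets `# If true, or "-" with global.enabled true, …`; mirror that wording here, e.g. `# True to enable vault agent injection, false to disable it, or "-" to follow global.enabled.`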
@@ -90,6 +91,61 @@ injector: # Configures all Vault Agent sidecars to revoke their token when shutting down revokeOnShutdown: false + webhook: + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # matchPolicy specifies the approach to accepting changes based on the rules of + # the MutatingWebhookConfiguration. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy + # for more details. + # + matchPolicy: Exact + + # timeoutSeconds is the amount of seconds before the webhook request will be ignored + # or fails. + # If it is ignored or fails depends on the failurePolicy + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts + # for more details. + # + timeoutSeconds: 30 + + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. 
+ # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} + + # Extra annotations to attach to the webhook + annotations: {} + + # Deprecated: please use 'webhook.failurePolicy' instead + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # Deprecated: please use 'webhook.namespaceSelector' instead # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -99,6 +155,8 @@ injector: # matchLabels: # sidecar-injector: enabled namespaceSelector: {} + + # Deprecated: please use 'webhook.objectSelector' instead # objectSelector is the selector for restricting the webhook to only # specific labels. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector @@ -109,13 +167,7 @@ injector: # vault-sidecar-injector: enabled objectSelector: {} - # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the - # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy - # - failurePolicy: Ignore - + # Deprecated: please use 'webhook.annotations' instead # Extra annotations to attach to the webhook webhookAnnotations: {} 
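Review bot: `webhook.failurePolicy`, `webhook.namespaceSelector`, `webhook.objectSelector` and `webhook.annotations` are introduced while the old top-level keys are kept with identical defaults, but neither set of comments says which wins when both are set (e.g. `failurePolicy: Fail` from an existing values file alongside the new default `webhook.failurePolicy: Ignore`). This matters most for `failurePolicy`: if the new key silently takes precedence, an operator who chose `Fail` to block pods that would otherwise start without the sidecar is downgraded to `Ignore` on upgrade. Add one sentence to each deprecated entry stating the precedence, e.g. `# Deprecated: please use 'webhook.failurePolicy' instead; if both are set, <KEY-THAT-WINS> takes effect.` with the placeholder filled from the template logic, which is not part of this diff.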
@@ -166,6 +218,12 @@ injector: component: webhook topologyKey: kubernetes.io/hostname + # Topology settings for injector pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + # Toleration Settings for injector pods # This should be either a multi-line string or YAML matching the Toleration array # in a PodSpec. @@ -215,8 +273,9 @@ injector: # type: RollingUpdate server: - # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details - enabled: true + # If true, or "-" with global.enabled true, Vault server will be installed. + # See vault.mode in _helpers.tpl for implementation details. + enabled: "-" # [Enterprise Only] This value refers to a Kubernetes secret that you have # created that contains your enterprise license. If you are not using an @@ -236,7 +295,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.9.6" + tag: "1.10.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -454,6 +513,12 @@ server: component: server topologyKey: kubernetes.io/hostname + # Topology settings for server pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + # Toleration Settings for server pods # This should be either a multi-line string or YAML matching the Toleration array # in a PodSpec. @@ -505,6 +570,9 @@ server: # NodePort, or LoadBalancer. #type: ClusterIP + # Do not wait for pods to be ready + publishNotReadyAddresses: true + # The externalTrafficPolicy can be set to either Cluster or Local # and is only valid for LoadBalancer and NodePort service types. # The default value is Cluster. 
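Review bot: The comment `# Do not wait for pods to be ready` above the new `server.service.publishNotReadyAddresses: true` does not say what the field does or what changes when it is turned off. It is the Kubernetes Service field that lists Pods in the Service's endpoints before they pass readiness; suggest `# If true, the Service's endpoints include pods that are not yet ready (the previous hard-coded behaviour); set to false to route only to ready pods.` so that operators understand the trade-off before flipping it.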
@@ -627,6 +695,11 @@ server: # If set to null, this will be set to the Pod IP Address apiAddr: null + # Set the cluster_addr confuguration for Vault HA + # See https://www.vaultproject.io/docs/configuration#cluster_addr + # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 + clusterAddr: null + # Enables Vault's integrated Raft storage. Unlike the typical HA modes where # Vault's persistence is external (such as Consul), enabling Raft mode will create # persistent volumes for Vault to store data according to the configuration under server.dataStorage. @@ -771,7 +844,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.4.0" + tag: "1.1.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered @@ -812,6 +885,9 @@ csi: providersDir: "/etc/kubernetes/secrets-store-csi-providers" # Kubelet host path kubeletRootDir: "/var/lib/kubelet" + # Extra labels to attach to the vault-csi-provider daemonSet + # This should be a YAML map of the labels to apply to the csi provider daemonSet + extraLabels: {} pod: # Extra annotations for the provider pods. This can either be YAML or a @@ -824,6 +900,11 @@ csi: # in a PodSpec. tolerations: [] + # Extra labels to attach to the vault-csi-provider pod + # This should be a YAML map of the labels to apply to the csi provider pod + extraLabels: {} + + # Priority class for csi pods priorityClassName: "" @@ -833,6 +914,10 @@ csi: # annotations to apply to the serviceAccount. annotations: {} + # Extra labels to attach to the vault-csi-provider serviceAccount + # This should be a YAML map of the labels to apply to the csi provider serviceAccount + extraLabels: {} + # Used to configure readinessProbe for the pods. readinessProbe: # When a probe fails, Kubernetes will try failureThreshold times before giving up
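Review bot: The new `clusterAddr` comment has a typo, `confuguration` → `configuration`. It would also help to state that the value is a full URL with scheme, host and port, as the rendered default `https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201` implies; the accompanying test in server-ha-statefulset.bats passes an `http://` URL through unchanged, so nothing in the chart validates the scheme.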