From c47ff33551b967f99f66fbd0c088865afcdfe655 Mon Sep 17 00:00:00 2001 From: Kaito Ii Date: Sat, 6 Nov 2021 11:07:25 +0900 Subject: [PATCH 001/108] add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran --- CHANGELOG.md | 3 +++ templates/injector-deployment.yaml | 4 ++++ test/unit/injector-deployment.bats | 29 +++++++++++++++++++++++++++-- values.schema.json | 3 +++ values.yaml | 1 + 5 files changed, 38 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a20c68bd4..e9c2857c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Improvements: +* Added templateConfig.staticSecretRenderInterval annotation for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) + ## 0.17.1 (October 25th, 2021) Improvements: diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index f4a796bf0..0cc13823b 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -109,6 +109,10 @@ spec: value: "{{ .Values.injector.agentDefaults.template }}" - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" + {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }} + - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL + value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" + {{- end }} {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} - name: POD_NAME valueFrom: diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 0f475dfca..3bae2af76 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
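Review bot: The new `AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL` entry is wrapped in `{{- if ... }}` and so is omitted when the value is empty, while the `AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE` entry directly above it is always rendered, and nothing in the template says why the two differ. Presumably the guard exists so that vault-k8s keeps its built-in default instead of being handed an empty interval, but that reasoning should be recorded before someone "fixes" the asymmetry. A template comment above the `{{- if` line, such as `{{/* Only set when configured so vault-k8s keeps its own default for the render interval */}}`, is enough. The enclosing `env:` list begins outside the hunk.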
@@ -168,7 +168,7 @@ load _helpers [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] } -@test "injector/deployment: manual TLS adds volume mount" { +@test "injector/deployment: manual TLS adds volume mount" { cd `chart_dir` local object=$(helm template \ --show-only templates/injector-deployment.yaml \ @@ -695,4 +695,29 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr) [ "${value}" = "false" ] -} \ No newline at end of file +} + +@test "injector/deployment: agent default template_config.static_secret_render_interval" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "" ] +} + +@test "injector/deployment: can set agent template_config.static_secret_render_interval" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set='injector.agentDefaults.templateConfig.staticSecretRenderInterval=1m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "1m" ] +} diff --git a/values.schema.json b/values.schema.json index 4ddbedfaf..162c773e7 100644 --- a/values.schema.json +++ b/values.schema.json @@ -205,6 +205,9 @@ "properties": { "exitOnRetryFailure": { "type": "boolean" + }, + "staticSecretRenderInterval": { + "type": "string" } } } 
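Review bot: The default-value test in the second hunk asserts `[ "${value}" = "" ]`, but because the template omits the entry entirely, `yq -r 'map(select(...)) | .[] .value'` produces no output, and it would produce the same empty output if the entry were present with an empty value, so the test cannot distinguish the intended behaviour (entry absent) from a regression that renders `value: ""`. Asserting on the count pins it down: `yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | length'` with `[ "${value}" = "0" ]`. The first hunk in this file is whitespace-only and needs no review.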
diff --git a/values.yaml b/values.yaml index 44869da78..425a082ce 100644 --- a/values.yaml +++ b/values.yaml @@ -85,6 +85,7 @@ injector: # Default values within Agent's template_config stanza. templateConfig: exitOnRetryFailure: true + staticSecretRenderInterval: "" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" From 21cc21f9cd5fffd4d68413daa5758a50c43a8c4c Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Tue, 16 Nov 2021 22:50:16 +0000 Subject: [PATCH 002/108] Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters --- .github/workflows/jira.yaml | 23 ++++------------------- 1 file changed, 4 insertions(+), 19 deletions(-) diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index 0c8e5bf6e..eb369f335 100644 --- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml @@ -13,21 +13,6 @@ jobs: runs-on: ubuntu-latest name: Jira sync steps: - - name: Check if community user - if: github.event.action == 'opened' - id: vault-team-role - run: | - TEAM=vault - ROLE="$(hub api orgs/hashicorp/teams/${TEAM}/memberships/${{ github.actor }} | jq -r '.role | select(.!=null)')" - if [[ -n ${ROLE} ]]; then - echo "Actor ${{ github.actor }} is a ${TEAM} team member, skipping ticket creation" - else - echo "Actor ${{ github.actor }} is not a ${TEAM} team member" - fi - echo "::set-output name=role::${ROLE}" - env: - GITHUB_TOKEN: ${{ secrets.JIRA_SYNC_GITHUB_TOKEN }} - - name: Login uses: atlassian/gajira-login@v2.0.0 env: @@ -46,7 +31,7 @@ jobs: fi - name: Create ticket - if: github.event.action == 'opened' && !steps.vault-team-role.outputs.role + if: github.event.action == 'opened' uses: tomhjp/gh-action-jira-create@v0.2.0 with: project: VAULT 
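Review bot: `staticSecretRenderInterval: ""` is added without a comment, so a reader of values.yaml cannot tell what format the value takes or what the empty default means. The template in this series only emits the environment variable when the value is non-empty, and the unit test uses `1m`, so a comment along the lines of `# Interval at which Agent re-renders templates for static (non-renewable) secrets, as a duration string such as "1m". Empty leaves it unset so vault-k8s uses its own default.` would capture it. The wording of the first sentence should be checked against the Vault Agent template_config documentation before it is committed.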
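Review bot: With the `Check if community user` step removed in the first hunk, the `if: github.event.action == 'opened'` on `Create ticket` in the second hunk is now the only gate, so a Jira ticket is created for every issue and pull request opened by any GitHub account. That is what the commit title asks for, but nothing in the workflow records the decision, and the `on:` triggers that decide which events reach this job are outside both hunks. A comment above the condition, e.g. `# Tickets are created for every opened issue/PR, including ones from outside the team (membership check removed in #644)`, keeps the next maintainer from re-adding a gate by accident. It is also worth confirming that the Jira project is happy to receive whatever issue fields the `with:` block (outside the hunk) forwards, now that they are unfiltered.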
@@ -63,7 +48,7 @@ jobs: uses: tomhjp/gh-action-jira-search@v0.2.1 with: # cf[10089] is Issue Link custom field - jql: 'project = "VAULT" and issuetype = "GH Issue" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' + jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' - name: Sync comment if: github.event.action == 'created' && steps.search.outputs.issue @@ -77,11 +62,11 @@ jobs: uses: atlassian/gajira-transition@v2.0.1 with: issue: ${{ steps.search.outputs.issue }} - transition: Done + transition: Close - name: Reopen ticket if: github.event.action == 'reopened' && steps.search.outputs.issue uses: atlassian/gajira-transition@v2.0.1 with: issue: ${{ steps.search.outputs.issue }} - transition: "To Do" + transition: "Pending Triage" From 0375b184b33393bb013431ff3717296e30bff713 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 17 Nov 2021 13:06:03 -0800 Subject: [PATCH 003/108] remove support for the leader-elector container (#649) --- CHANGELOG.md | 3 + templates/injector-deployment.yaml | 29 ----- templates/injector-leader-endpoint.yaml | 14 --- templates/injector-role.yaml | 2 +- test/acceptance/injector-leader-elector.bats | 11 +- test/unit/injector-leader-elector.bats | 105 ------------------- values.schema.json | 17 --- values.yaml | 10 -- 8 files changed, 6 insertions(+), 185 deletions(-) delete mode 100644 templates/injector-leader-endpoint.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index e9c2857c0..99df5a6fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,8 @@ ## Unreleased +CHANGES: +* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649) + Improvements: * Added templateConfig.staticSecretRenderInterval annotation for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 0cc13823b..aefbf0882 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -141,35 +141,6 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 - {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }} - - name: leader-elector - image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} - args: - - --election={{ template "vault.fullname" . }}-agent-injector-leader - - --election-namespace={{ .Release.Namespace }} - - --http=0.0.0.0:4040 - - --ttl={{ .Values.injector.leaderElector.ttl }} - livenessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - {{- end }} {{- if .Values.injector.certs.secretName }} volumeMounts: - name: webhook-certs diff --git a/templates/injector-leader-endpoint.yaml b/templates/injector-leader-endpoint.yaml deleted file mode 100644 index 42c4c0ae7..000000000 --- a/templates/injector-leader-endpoint.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true")}} -# This is created here so it can be cleaned up easily, since if -# the endpoint is left around the leader won't expire for about a minute. -apiVersion: v1 -kind: Endpoints -metadata: - name: {{ template "vault.fullname" . }}-agent-injector-leader - annotations: - deprecated: "true" - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index 446efaf59..e7e383d16 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} rules: - apiGroups: [""] - resources: ["secrets", "configmaps", "endpoints"] + resources: ["secrets", "configmaps"] verbs: - "create" - "get" diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats index 6f9f0b41f..0f91e02a3 100644 --- a/test/acceptance/injector-leader-elector.bats +++ b/test/acceptance/injector-leader-elector.bats @@ -12,8 +12,7 @@ load _helpers helm install "$(name_prefix)" \ --wait \ --timeout=5m \ - --set="injector.replicas=3" \ - --set="injector.leaderElector.useContainer=true" . + --set="injector.replicas=3" . kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name')) 
@@ -23,21 +22,15 @@ load _helpers tries=0 until [ $tries -ge 60 ] do - ## The new internal leader mechanism uses a ConfigMap owner=$(kubectl get configmaps vault-k8s-leader -o json | jq -r .metadata.ownerReferences\[0\].name) leader=$(kubectl get pods $owner -o json | jq -r .metadata.name) [ -n "${leader}" ] && [ "${leader}" != "null" ] && break - - ## Also check the old leader-elector container - old_leader="$(echo "$(kubectl exec ${pods[0]} -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)" - [ -n "${old_leader}" ] && break - ((++tries)) sleep .5 done # Check the leader name is valid - i.e. one of the 3 pods - [[ " ${pods[@]} " =~ " ${leader} " || " ${pods[@]} " =~ " ${old_leader} " ]] + [[ " ${pods[@]} " =~ " ${leader} " ]] } diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index 75ab2982c..b6fa4ae62 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats 
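Review bot: With the old-container fallback gone, the loop's only probe is `owner=$(kubectl get configmaps vault-k8s-leader ...)` followed by `kubectl get pods $owner`, and `$owner` is unquoted: before the ConfigMap exists the first command prints nothing on stdout, so the second lists every pod and `jq -r .metadata.name` yields `null`, which the `!= "null"` guard then has to absorb. Quoting it, `leader=$(kubectl get pods "${owner}" -o json | jq -r .metadata.name)`, turns the not-yet-ready case into an ordinary kubectl error or empty output instead of an accidental full listing. When the loop exhausts its 60 tries the final `[[ ... =~ ... ]]` fails without saying why; an `echo "leader not found after ${tries} tries" >&2` before it would make the failure readable in CI. The test function begins outside the hunk.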
@@ -166,108 +166,3 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } - -#-------------------------------------------------------------------- -# Old leader-elector container support -# Note: deprecated and will be removed soon - -@test "injector/deployment: leader elector - sidecar is created only when enabled" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "1" ] - - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.enabled=false" \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "1" ] - - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "2" ] -} - -@test "injector/deployment: leader elector image name is configurable" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - --set "injector.leaderElector.image.repository=SomeOtherImage" \ - --set "injector.leaderElector.image.tag=SomeOtherTag" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].image' | tee /dev/stderr) - [ "${actual}" = "SomeOtherImage:SomeOtherTag" ] -} - -@test "injector/deployment: leader elector TTL is configurable" { - cd `chart_dir` - # Default value 60s - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) - [ "${actual}" = "--ttl=60s" ] - - # Configured to 30s - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - --set "injector.leaderElector.ttl=30s" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) - [ "${actual}" = "--ttl=30s" ] -} - -@test "injector/leader-endpoint: created/skipped as appropriate" { - cd `chart_dir` - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "global.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} diff --git a/values.schema.json b/values.schema.json index 162c773e7..26f136748 100644 --- a/values.schema.json +++ b/values.schema.json 
@@ -290,23 +290,6 @@ "properties": { "enabled": { "type": "boolean" - }, - "image": { - "type": "object", - "properties": { - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "ttl": { - "type": "string" - }, - "useContainer": { - "type": "boolean" } } }, diff --git a/values.yaml b/values.yaml index 425a082ce..60add2e35 100644 --- a/values.yaml +++ b/values.yaml @@ -37,16 +37,6 @@ injector: # so that only one injector attempts to create TLS certificates. leaderElector: enabled: true - # Note: The deployment of the leader-elector container will soon be removed - # from this chart since vault-k8s now uses an internal mechanism to - # determine leadership. - # To enable the deployment of the leader-elector container for use with - # vault-k8s 0.12.0 and earlier, set `useContainer=true` - useContainer: false - image: - repository: "gcr.io/google_containers/leader-elector" - tag: "0.4" - ttl: 60s # If true, will enable a node exporter metrics endpoint at /metrics. metrics: From 9fa25e97c806073c7dd3274a851181cbb3d67868 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 17 Nov 2021 15:46:28 -0800 Subject: [PATCH 004/108] vault-helm 0.18.0 release (#650) --- CHANGELOG.md | 8 ++++++-- Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 6 +++--- 6 files changed, 18 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 99df5a6fc..c596d5159 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,14 @@ ## Unreleased +## 0.18.0 (November 17th, 2021) + CHANGES: * Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649) +* Vault image default 1.9.0 +* Vault K8s image default 0.14.1 Improvements: -* Added templateConfig.staticSecretRenderInterval annotation for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) +* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) ## 0.17.1 (October 25th, 2021) @@ -52,7 +56,7 @@ Improvements: ## 0.14.0 (July 28th, 2021) Features: -* Added templateConfig.exitOnRetryFailure annotation for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) +* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) Improvements: * Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565) diff --git a/Chart.yaml b/Chart.yaml index 7a4e86f59..91565e3b8 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.17.1 -appVersion: 1.8.4 +version: 0.18.0 +appVersion: 1.9.0 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index c9a5d1993..ee27518f0 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.0_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index b42bb50d0..c359c1c2b 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index 4db41c2e2..afbe1f98a 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.14.0-ubi" + tag: "0.14.1-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.4-ubi" + tag: "1.9.0-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.4-ubi" + tag: "1.9.0-ubi" diff --git a/values.yaml b/values.yaml index 60add2e35..5ba57d41c 100644 --- a/values.yaml +++ b/values.yaml @@ -49,7 +49,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.14.0" + tag: "0.14.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -57,7 +57,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.8.4" + tag: "1.9.0" # The default values for the injected Vault Agent containers. agentDefaults: @@ -221,7 +221,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.8.4" + tag: "1.9.0" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 48eebb0b0921a0c274fad532c97288dac2b6398e Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Fri, 10 Dec 2021 17:11:35 -0800 Subject: [PATCH 005/108] Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor --- .github/workflows/acceptance.yaml | 34 +++++++++++++++++++ .../workflows/setup-test-tools/action.yaml | 18 ++++++++++ .github/workflows/tests.yaml | 25 ++++++++++++++ test/acceptance/_helpers.bash | 32 +++++++++-------- test/acceptance/csi.bats | 17 ++++++++-- test/acceptance/server-ha-enterprise-dr.bats | 12 +++---- .../acceptance/server-ha-enterprise-perf.bats | 12 +++---- test/acceptance/server-ha-raft.bats | 8 +++-- test/acceptance/server-ha.bats | 11 +++--- test/acceptance/server.bats | 4 +-- test/kind/config.yaml | 13 +++++++ 11 files changed, 142 insertions(+), 44 deletions(-) create mode 100644 .github/workflows/acceptance.yaml create mode 100644 .github/workflows/setup-test-tools/action.yaml create mode 100644 .github/workflows/tests.yaml diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml new file mode 100644 index 000000000..644875e26 --- /dev/null +++ b/.github/workflows/acceptance.yaml 
@@ -0,0 +1,34 @@ +name: Acceptance Tests + +on: + push: + branches: + - main + workflow_dispatch: {} + +jobs: + kind: + strategy: + fail-fast: false + matrix: + kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Setup test tools + uses: ./.github/workflows/setup-test-tools + + - name: Create K8s Kind Cluster + uses: helm/kind-action@v1.2.0 + with: + config: test/kind/config.yaml + node_image: kindest/node:v${{ matrix.kind-k8s-version }} + + # Skip CSI tests if K8s version < 1.16.x + - run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV + - if: ${{ env.K8S_MINOR < 16 }} + run: echo "SKIP_CSI=true" >> $GITHUB_ENV + + - run: bats ./test/acceptance -t + env: + VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml new file mode 100644 index 000000000..3fa285416 --- /dev/null +++ b/.github/workflows/setup-test-tools/action.yaml @@ -0,0 +1,18 @@ +name: Setup common testing tools +description: Install bats and python-yq + +runs: + using: "composite" + steps: + - uses: actions/setup-node@v2 + with: + node-version: '14' + - run: npm install -g bats@${BATS_VERSION} + shell: bash + env: + BATS_VERSION: '1.5.0' + - run: bats -v + shell: bash + - uses: actions/setup-python@v2 + - run: pip install yq + shell: bash diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml new file mode 100644 index 000000000..0aba6ee30 --- /dev/null +++ b/.github/workflows/tests.yaml 
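Review bot: `helm/kind-action@v1.2.0` (and `actions/checkout@v2`) are referenced by mutable tag in a job that receives `secrets.VAULT_LICENSE_CI`, so a moved or compromised tag would run arbitrary code with that secret in its environment. Pinning third-party actions to a full commit SHA with the version in a trailing comment, `uses: helm/kind-action@<full-commit-sha> # v1.2.0`, is the usual hardening for workflows that hold secrets; the same applies to the `uses:` lines in tests.yaml and setup-test-tools/action.yaml. Separately, `env.K8S_MINOR < 16` relies on `jq -r .serverVersion.minor` returning a bare integer, which is likely true for kindest/node images but a minor of the form `21+` would break the numeric comparison, so stripping non-digits on that step (`| sed 's/[^0-9]//g'`) is cheap insurance.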
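Review bot: `pip install yq` is unpinned while bats is pinned through `BATS_VERSION`, so the unit and acceptance runs pick up whatever yq release PyPI serves that day, and `actions/setup-python@v2` has no `python-version`, so the interpreter floats as well. Pinning both, `pip install yq==<version>` and `with: python-version: '<version>'` (values to be chosen), keeps the test toolchain reproducible and narrows the supply-chain surface of a composite action that the acceptance workflow runs alongside a repository secret.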
@@ -0,0 +1,25 @@ +name: Tests + +on: [push, workflow_dispatch] + +jobs: + bats-unit-tests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: ./.github/workflows/setup-test-tools + - run: bats ./test/unit -t + + chart-verifier: + runs-on: ubuntu-latest + env: + CHART_VERIFIER_VERSION: '1.2.1' + steps: + - uses: actions/checkout@v2 + - name: Setup test tools + uses: ./.github/workflows/setup-test-tools + - uses: actions/setup-go@v2 + with: + go-version: '1.17.4' + - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} + - run: bats ./test/chart -t diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index 466a51738..db8b05145 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash 
@@ -40,35 +40,37 @@ helm_install_ha() { ${BATS_TEST_DIRNAME}/../.. } -# wait for consul to be running +# wait for consul to be ready wait_for_running_consul() { + kubectl wait --for=condition=Ready --timeout=5m pod -l app=consul,component=client +} + +wait_for_sealed_vault() { + POD_NAME=$1 + check() { - # This requests the pod and checks whether the status is running - # and the ready state is true. If so, it outputs the name. Otherwise - # it outputs empty. Therefore, to check for success, check for nonzero - # string length. - kubectl get pods -l component=client -o json | \ - jq -r '.items[0] | select( - .status.phase == "Running" and - ([ .status.conditions[] | select(.type == "Ready" and .status == "True") ] | length) == 1 - ) | .metadata.name' + sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed') + if [ "$sealed_status" == "true" ]; then + return 0 + fi + return 1 } for i in $(seq 60); do - if [ -n "$(check ${POD_NAME})" ]; then - echo "consul clients are ready." + if check ${POD_NAME}; then + echo "Vault on ${POD_NAME} is running." return fi - echo "Waiting for ${POD_NAME} to be ready..." + echo "Waiting for Vault on ${POD_NAME} to be running..." sleep 2 done - echo "consul clients never became ready." + echo "Vault on ${POD_NAME} never became running." return 1 } -# wait for a pod to be ready +# wait for a pod to be running wait_for_running() { POD_NAME=$1 diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index d222ca274..c7c6549e2 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats 
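Review bot: `wait_for_sealed_vault` assigns `POD_NAME=$1` without `local` and defines `check` as a nested function, so both leak into the caller's shell: `POD_NAME` overwrites whatever the calling test had in that variable, and the global `check` replaces any `check` defined by the neighbouring helpers (the removed `wait_for_running_consul` body had one, and `wait_for_running` below the hunk may too). It works today only because each helper redefines `check` before using it. Inlining the probe removes the nested function: `local POD_NAME=$1` and `if [ "$(kubectl exec "${POD_NAME}" -- vault status -format=json | jq -r '.sealed')" == "true" ]; then`. The `$1` inside `kubectl exec $1` is also unquoted, which the inlined form fixes in passing.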
@@ -2,18 +2,27 @@ load _helpers +check_skip_csi() { + if [ ! -z ${SKIP_CSI} ]; then + skip "Skipping CSI tests" + fi +} + @test "csi: testing deployment" { + check_skip_csi + cd `chart_dir` kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance # Install Secrets Store CSI driver - CSI_DRIVER_VERSION=0.2.0 - helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/v${CSI_DRIVER_VERSION}/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ + CSI_DRIVER_VERSION=1.0.0 + helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ --wait --timeout=5m \ --namespace=acceptance \ - --set linux.image.pullPolicy="IfNotPresent" + --set linux.image.pullPolicy="IfNotPresent" \ + --set syncSecret.enabled=true # Install Vault and Vault provider helm install vault \ --wait --timeout=5m \ @@ -49,6 +58,8 @@ load _helpers # Clean up teardown() { + check_skip_csi + if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index ee27518f0..cdcfabef8 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -15,9 +15,7 @@ load _helpers wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-east-0 local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.initialized') 
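Review bot: `check_skip_csi` tests `[ ! -z ${SKIP_CSI} ]` with the variable unquoted, so when `SKIP_CSI` is unset the command becomes `[ ! -z ]`, which only happens to evaluate to false through `test`'s two-argument rules, and a value containing whitespace would be a syntax error. `[ -n "${SKIP_CSI}" ]` expresses the intent directly; the workflow sets `SKIP_CSI=true`, so comparing against `"true"` would also be reasonable, but the quoted `-n` form is the minimal fix. Calling `skip` from `teardown` in the second hunk is unusual; confirm that the bats version in use honours it there rather than reporting a teardown failure.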
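Review bot: `wait_for_sealed_vault $(name_prefix)-east-0` passes the pod name unquoted, whereas every `kubectl exec "$(name_prefix)-east-0"` call around it quotes the same expansion; `wait_for_sealed_vault "$(name_prefix)-east-0"` keeps the file consistent and stays safe if a prefix ever contains whitespace or a glob character. The same unquoted call appears in the west-0 hunk of this file and in the matching hunks of server-ha-enterprise-perf.bats, server-ha-raft.bats, server-ha.bats and server.bats.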
@@ -50,7 +48,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] @@ -84,9 +82,7 @@ load _helpers wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-west-0 local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.initialized') @@ -119,7 +115,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index c359c1c2b..68830ca5b 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -15,9 +15,7 @@ load _helpers wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-east-0 local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.initialized') @@ -50,7 +48,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] 
@@ -84,9 +82,7 @@ load _helpers wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-west-0 local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.initialized') @@ -119,7 +115,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index 9f9f3decd..f06ca8701 100644 --- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -11,9 +11,7 @@ load _helpers wait_for_running $(name_prefix)-0 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-0 local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | jq -r '.initialized') @@ -112,6 +110,10 @@ setup() { teardown() { if [[ ${CLEANUP:-true} == "true" ]] then + # If the test failed, print some debug output + if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then + kubectl logs -l app.kubernetes.io/name=vault + fi helm delete vault kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 3d6295988..4180f8c4a 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats 
@@ -10,9 +10,7 @@ load _helpers wait_for_running $(name_prefix)-0 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-0 local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | jq -r '.initialized') @@ -91,7 +89,7 @@ setup() { helm install consul \ https://github.com/hashicorp/consul-helm/archive/v0.28.0.tar.gz \ - --set 'ui.enabled=false' \ + --set 'ui.enabled=false' wait_for_running_consul } @@ -100,6 +98,11 @@ setup() { teardown() { if [[ ${CLEANUP:-true} == "true" ]] then + # If the test failed, print some debug output + if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then + kubectl logs -l app=consul + kubectl logs -l app.kubernetes.io/name=vault + fi helm delete vault helm delete consul kubectl delete --all pvc diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index 84a4e7d99..1e944a04e 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats @@ -13,9 +13,7 @@ load _helpers wait_for_running $(name_prefix)-0 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-0 local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | jq -r '.initialized') diff --git a/test/kind/config.yaml b/test/kind/config.yaml index 250966401..8b18a3a5f 100644 --- a/test/kind/config.yaml +++ b/test/kind/config.yaml 
@@ -5,3 +5,16 @@ nodes:
 - role: worker
 - role: worker
 - role: worker
+# These apiServer settings are included for running the CSI provider on K8s
+# prior to 1.21
+kubeadmConfigPatches:
+  - |
+    apiVersion: kubeadm.k8s.io/v1beta2
+    kind: ClusterConfiguration
+    metadata:
+      name: config
+    apiServer:
+      extraArgs:
+        "service-account-issuer": "https://kubernetes.default.svc.cluster.local"
+        "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
+        "service-account-api-audiences": "https://kubernetes.default.svc.cluster.local"
From 609444d9d9d1c9c569f0edb6b2b3d8f8e60ef6dc Mon Sep 17 00:00:00 2001
From: Eric Miller
Date: Tue, 14 Dec 2021 01:38:00 -0600
Subject: [PATCH 006/108] Configurable PodDisruptionBudget for Injector (#653)
---
 CHANGELOG.md | 3 +++
 templates/injector-disruptionbudget.yaml | 20 +++++++++++++++
 test/unit/injector-disruptionbudget.bats | 32 ++++++++++++++++++++++++
 values.schema.json | 3 +++
 values.yaml | 6 +++++
 5 files changed, 64 insertions(+)
 create mode 100644 templates/injector-disruptionbudget.yaml
 create mode 100755 test/unit/injector-disruptionbudget.bats
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c596d5159..0aa14de9c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
 
+Features:
+* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653)
+
 ## 0.18.0 (November 17th, 2021)
 
 CHANGES:
diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml
new file mode 100644
index 000000000..59c998551
--- /dev/null
+++ b/templates/injector-disruptionbudget.yaml
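Review bot: The kubeadm patch uses `"service-account-api-audiences"`, which is the deprecated spelling of the kube-apiserver flag `--api-audiences` (deprecated since 1.13), and kind applies this patch to whatever node image the job selects, not only to the pre-1.21 images the comment mentions, so the control plane would stop booting on any image that finally drops the old flag. I'd change that line to `"api-audiences": "https://kubernetes.default.svc.cluster.local"` and extend the comment to say what the settings enable — presumably bound, audience-scoped service-account tokens for the CSI provider, which should be confirmed before it is written down. Reusing `/etc/kubernetes/pki/sa.key` as the signing key is fine for a throwaway CI cluster, but a comment such as `# test-only: reuses kubeadm's default SA key, do not copy into a real cluster config` would stop it being cargo-culted elsewhere.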
@@ -0,0 +1,20 @@
+{{- if .Values.injector.podDisruptionBudget }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    component: webhook
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: webhook
+  {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
+{{- end -}}
diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats
new file mode 100755
index 000000000..a0cee27d7
--- /dev/null
+++ b/test/unit/injector-disruptionbudget.bats
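Review bot: `apiVersion: policy/v1beta1` pins the new PodDisruptionBudget to an API that is served only up to Kubernetes 1.24 (`policy/v1` is GA since 1.21 and `v1beta1` is removed in 1.25), so the injector PDB will stop installing on clusters the chart otherwise supports. I'd pick the version from the cluster's capabilities instead of hard-coding it, as sketched below; the unit tests would then need `--api-versions policy/v1/PodDisruptionBudget` to exercise the new branch, which should be confirmed against the helm version used in CI. Separately, `toYaml .Values.injector.podDisruptionBudget | nindent 2` splices the whole value under `spec:`, so a user who also sets `podDisruptionBudget.selector` produces a duplicate `selector` key in the rendered manifest; a values.yaml comment stating that only `minAvailable`/`maxUnavailable` are expected here would avoid that surprise.
```yaml
{{- if .Values.injector.podDisruptionBudget }}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
# … unchanged: metadata, spec.selector and the toYaml splice …
```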
@@ -0,0 +1,32 @@ +#!/usr/bin/env bats + +load _helpers + +@test "injector/DisruptionBudget: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.maxUnavailable=3' \ + . | tee /dev/stderr | + yq '.spec.maxUnavailable == 3' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + . | tee /dev/stderr | + yq '.spec.minAvailable == 2' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/values.schema.json b/values.schema.json index 26f136748..8e4e0764b 100644 --- a/values.schema.json +++ b/values.schema.json @@ -320,6 +320,9 @@ "objectSelector": { "type": "object" }, + "podDisruptionBudget": { + "type": "object" + }, "port": { "type": "integer" }, diff --git a/values.yaml b/values.yaml index 5ba57d41c..d17ead257 100644 --- a/values.yaml +++ b/values.yaml @@ -199,6 +199,12 @@ injector: # Extra annotations to attach to the injector service annotations: {} + # A disruption budget limits the number of pods of a replicated application + # that are down simultaneously from voluntary disruptions + podDisruptionBudget: {} + # podDisruptionBudget: + # maxUnavailable: 1 + server: # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details enabled: true From b4a92492d096feb4d7cf48c39b23a1d1eba02b9c Mon Sep 17 00:00:00 2001 
From: Eric Miller Date: Tue, 14 Dec 2021 01:39:39 -0600 Subject: [PATCH 007/108] Fix spelling error in server disruptionbudget test (#654) --- test/unit/server-ha-disruptionbudget.bats | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 6cf21f200..9271c019f 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -16,7 +16,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-disruptionbudget.yaml \ - --set 'globa.enabled=false' \ + --set 'global.enabled=false' \ --set 'server.ha.enabled=false' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -96,4 +96,4 @@ load _helpers . | tee /dev/stderr | yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] -} \ No newline at end of file +} From 248397f663f5ceb1bf20ab287deb3fd246a3d593 Mon Sep 17 00:00:00 2001 From: Takumi Sue <23391543+mikutas@users.noreply.github.com> Date: Wed, 15 Dec 2021 11:15:11 +0900 Subject: [PATCH 008/108] Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod --- CHANGELOG.md | 1 + templates/server-statefulset.yaml | 2 +- test/unit/server-statefulset.bats | 21 +++++++++++++++++++++ values.schema.json | 24 ++++++++++++++++++------ values.yaml | 4 ++++ 5 files changed, 45 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0aa14de9c..889aeaaf7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ Features: * Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) +* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) ## 0.18.0 (November 17th, 2021) 
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 031b17905..cbcda967d 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -41,7 +41,7 @@ spec:
       {{- if .Values.server.priorityClassName }}
       priorityClassName: {{ .Values.server.priorityClassName }}
       {{- end }}
-      terminationGracePeriodSeconds: 10
+      terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
       serviceAccountName: {{ template "vault.serviceAccount.name" . }}
       {{ if .Values.server.shareProcessNamespace }}
       shareProcessNamespace: true
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index b93905188..65d6d9688 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -1385,6 +1385,27 @@ load _helpers
   [[ "${actual}" = *"foobar"* ]]
 }
 
+#--------------------------------------------------------------------
+# terminationGracePeriodSeconds
+@test "server/standalone-StatefulSet: terminationGracePeriodSeconds default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.terminationGracePeriodSeconds' | tee /dev/stderr)
+  [[ "${actual}" = "10" ]]
+}
+
+@test "server/standalone-StatefulSet: terminationGracePeriodSeconds 30" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml \
+      --set 'server.terminationGracePeriodSeconds=30' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.terminationGracePeriodSeconds' | tee /dev/stderr)
+  [[ "${actual}" = "30" ]]
+}
+
 #--------------------------------------------------------------------
 # preStop
 @test "server/standalone-StatefulSet: preStop sleep duration default" {
diff --git a/values.schema.json b/values.schema.json
index 8e4e0764b..c3b2a2752 100644
--- a/values.schema.json
+++ b/values.schema.json
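Review bot: Making `terminationGracePeriodSeconds` user-settable lets it be set below `server.preStopSleepSeconds` (default 5, per the values.yaml hunk of this patch), and if the preStop hook sleeps for that long as the values comment suggests, the kubelet would SIGKILL Vault while the hook is still sleeping, so the server never gets its shutdown signal and an HA/Raft member may leave the cluster uncleanly. A template guard keeps the two values consistent: `{{- if le (int .Values.server.terminationGracePeriodSeconds) (int .Values.server.preStopSleepSeconds) }}{{ fail "server.terminationGracePeriodSeconds must be greater than server.preStopSleepSeconds" }}{{- end }}`. The values.yaml comment should also say `# Must exceed preStopSleepSeconds plus the time Vault needs to step down and close its storage backend.` The pod `spec:` this line belongs to starts before and ends after the hunk.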
@@ -14,6 +14,12 @@ "string" ] }, + "kubeletRootDir": { + "type": "string" + }, + "providersDir": { + "type": "string" + }, "updateStrategy": { "type": "object", "properties": { @@ -24,12 +30,6 @@ "type": "string" } } - }, - "providersDir": { - "type": "string" - }, - "kubeletRootDir": { - "type": "string" } } }, @@ -603,6 +603,9 @@ "labels": { "type": "object" }, + "pathType": { + "type": "string" + }, "tls": { "type": "array" } @@ -728,6 +731,9 @@ "enabled": { "type": "boolean" }, + "externalTrafficPolicy": { + "type": "string" + }, "port": { "type": "integer" }, @@ -781,6 +787,9 @@ } } }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, "tolerations": { "type": [ "null", @@ -823,6 +832,9 @@ "externalPort": { "type": "integer" }, + "externalTrafficPolicy": { + "type": "string" + }, "publishNotReadyAddresses": { "type": "boolean" }, diff --git a/values.yaml b/values.yaml index d17ead257..713b8588a 100644 --- a/values.yaml +++ b/values.yaml @@ -374,6 +374,10 @@ server: # Number of seconds after which the probe times out. timeoutSeconds: 3 + # Optional duration in seconds the pod needs to terminate gracefully. + # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 10 + # Used to set the sleep time during the preStop step preStopSleepSeconds: 5 From 0c0b6e34f423c1613c07282f9b8161881f2f7fdb Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 16 Dec 2021 11:21:36 -0800 Subject: [PATCH 009/108] injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock --- CHANGELOG.md | 1 + templates/_helpers.tpl | 15 +++++++++++++++ templates/injector-deployment.yaml | 1 + test/unit/injector-deployment.bats | 29 +++++++++++++++++++++++++++++ values.schema.json | 6 ++++++ values.yaml | 9 +++++++++ 6 files changed, 61 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 889aeaaf7..38cb066a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,7 @@ Features: * Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) * Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) +* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661) ## 0.18.0 (November 17th, 2021) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 731119a91..12afeab91 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -308,6 +308,21 @@ Sets the injector node selector for pod placement {{- end }} {{- end -}} +{{/* +Sets the injector deployment update strategy +*/}} +{{- define "injector.strategy" -}} + {{- if .Values.injector.strategy }} + strategy: + {{- $tp := typeOf .Values.injector.strategy }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.strategy . | nindent 4 | trim }} + {{- else }} + {{- toYaml .Values.injector.strategy | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets extra pod annotations */}} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index aefbf0882..95e2c2da8 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -17,6 +17,7 @@ spec: app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook + {{ template "injector.strategy" . }} template: metadata: labels: diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 3bae2af76..740c17aae 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
@@ -721,3 +721,32 @@ load _helpers yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr) [ "${value}" = "1m" ] } + +@test "injector/deployment: strategy default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.strategy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/deployment: strategy set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set="injector.strategy=testing" \ + . | tee /dev/stderr | + yq -r '.spec.strategy' | tee /dev/stderr) + [ "${actual}" = "testing" ] +} + +@test "injector/deployment: strategy can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.strategy.rollingUpdate.maxUnavailable=1' \ + . | tee /dev/stderr | + yq -r '.spec.strategy.rollingUpdate.maxUnavailable' | tee /dev/stderr) + [ "${actual}" = "1" ] +} diff --git a/values.schema.json b/values.schema.json index c3b2a2752..5ef61e7fd 100644 --- a/values.schema.json +++ b/values.schema.json @@ -349,6 +349,12 @@ } } }, + "strategy": { + "type": [ + "object", + "string" + ] + }, "tolerations": { "type": [ "null", diff --git a/values.yaml b/values.yaml index 713b8588a..6f88ff8f1 100644 --- a/values.yaml +++ b/values.yaml @@ -205,6 +205,15 @@ injector: # podDisruptionBudget: # maxUnavailable: 1 + # strategy for updating the deployment. This can be a multi-line string or a + # YAML map. + strategy: {} + # strategy: | + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + server: # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details enabled: true From 0043023c097b22462774e516c71e91ed308a8b46 Mon Sep 17 00:00:00 2001 
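Review bot: The `strategy` comment in values.yaml does not say that the string form is rendered with `tpl` (see the helper added earlier in this patch), so template expressions in a user-supplied string are evaluated against the release context, nor that the value is not validated — the unit test's `--set="injector.strategy=testing"` renders fine but produces a Deployment the API server will reject. I'd extend the comment with `# The string form is rendered with tpl, so it may contain template expressions; the result must be a valid DeploymentStrategy.` and have the string test use a valid multi-line value like the commented example so it also exercises the `nindent`/`trim` path.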
From: Vadim Grek
Date: Wed, 5 Jan 2022 00:10:56 +0200
Subject: [PATCH 010/108] csi: ability to set priorityClassName for csi daemonset pods (#670)
---
 CHANGELOG.md | 1 +
 templates/csi-daemonset.yaml | 3 +++
 test/unit/csi-daemonset.bats | 23 +++++++++++++++++++++++
 values.schema.json | 3 +++
 values.yaml | 3 +++
 5 files changed, 33 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 38cb066a3..a8fa03748 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@ Features:
 * Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653)
 * Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659)
 * Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661)
+* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670)
 
 ## 0.18.0 (November 17th, 2021)
 
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
index a6461fbd2..f0bf639f3 100644
--- a/templates/csi-daemonset.yaml
+++ b/templates/csi-daemonset.yaml
@@ -27,6 +27,9 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
       {{ template "csi.pod.annotations" . }}
     spec:
+      {{- if .Values.csi.priorityClassName }}
+      priorityClassName: {{ .Values.csi.priorityClassName }}
+      {{- end }}
       serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
       {{- template "csi.pod.tolerations" . }}
       containers:
diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats
index 5cfd8a7e8..dd88d829a 100644
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
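Review bot: `priorityClassName: {{ .Values.csi.priorityClassName }}` is rendered unquoted, and since PriorityClass names are DNS-subdomain names a class legitimately called `on`, `yes` or `no` would be parsed as a YAML 1.1 boolean and most likely rejected by the API server as a type error; `priorityClassName: {{ .Values.csi.priorityClassName | quote }}` avoids that. The same unquoted pattern is visible on the `server.priorityClassName` line in the statefulset hunk of the earlier patch, so the fix applies there too. A one-line values.yaml comment that the class must already exist in the cluster (otherwise the daemonset pods stay Pending) would also help operators. The pod `spec:` block starts and ends outside this hunk.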
@@ -30,6 +30,29 @@ load _helpers [ "${actual}" = "false" ] } +# priorityClassName + +@test "csi/daemonset: priorityClassName not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: priorityClassName can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.priorityClassName=armaggeddon' \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + # serviceAccountName reference name @test "csi/daemonset: serviceAccountName reference name" { cd `chart_dir` diff --git a/values.schema.json b/values.schema.json index 5ef61e7fd..15440431a 100644 --- a/values.schema.json +++ b/values.schema.json @@ -33,6 +33,9 @@ } } }, + "priorityClassName": { + "type": "string" + }, "debug": { "type": "boolean" }, diff --git a/values.yaml b/values.yaml index 6f88ff8f1..a6704db01 100644 --- a/values.yaml +++ b/values.yaml @@ -812,6 +812,9 @@ csi: # in a PodSpec. tolerations: [] + # Priority class for csi pods + priorityClassName: "" + serviceAccount: # Extra annotations for the serviceAccount definition. This can either be # YAML or a YAML-formatted multi-line templated string map of the From c511d300435be9aa7c8b27fd6c54e85cf80947cf Mon Sep 17 00:00:00 2001 From: nikstur <61635709+nikstur@users.noreply.github.com> Date: Fri, 7 Jan 2022 23:37:51 +0100 Subject: [PATCH 011/108] Fixed a small typo (#672) --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index a6704db01..f4f5e9d0a 100644 --- a/values.yaml +++ b/values.yaml 
@@ -538,7 +538,7 @@ server: annotations: {} # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized and unseal, Vault must + # logs. Once Vault is deployed, initialized and unsealed, Vault must # be configured to use this for audit logs. This will be mounted to # /vault/audit # See https://www.vaultproject.io/docs/audit/index.html to know more From 0a1f8d1457d094d75008c3d364dd0c6304255452 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 11 Jan 2022 11:33:09 -0800 Subject: [PATCH 012/108] Disable unit and acceptance tests in CircleCI (#675) --- .circleci/config.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 8de4c83c1..70c2453fb 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -85,16 +85,7 @@ jobs: workflows: version: 2 - build_and_test: - jobs: - - bats-unit-test - - chart-verifier - - acceptance: - requires: - - bats-unit-test - filters: - branches: - only: main + # Note: unit and acceptance tests are now being run in GitHub Actions update-helm-charts-index: jobs: - update-helm-charts-index: From d6e1cd08359651515d65fc2c506e1aafecd1e103 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 12 Jan 2022 10:12:19 -0800 Subject: [PATCH 013/108] update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. --- CONTRIBUTING.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f1c160000..ad31ac92d 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
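Review bot: The removed `build_and_test` workflow also ran the `chart-verifier` job, but the replacement comment only says unit and acceptance tests now run in GitHub Actions, so it is unclear whether chart verification was migrated or silently dropped. I'd make the comment explicit, e.g. `# Note: unit tests, acceptance tests and chart-verifier are now run in GitHub Actions`, or, if chart-verifier was not migrated, a `# TODO: chart-verifier is no longer run; re-enable in GitHub Actions` so the gap stays visible. The `jobs:` definitions the workflow referenced begin before this hunk and are unchanged.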
@@ -13,13 +13,14 @@ rules to get in the way of that. That said, if you want to ensure that a pull request is likely to be merged, talk to us! You can find out our thoughts and ensure that your contribution won't clash or be obviated by Vault's normal direction. A great way to do this -is via the [Vault Google Group][2]. Sometimes Vault devs are in `#vault-tool` -on Freenode, too. +is via the [Vault Discussion Forum][1]. This document will cover what we're looking for in terms of reporting issues. By addressing all the points we're looking for, it raises the chances we can quickly merge or address your contributions. +[1]: https://discuss.hashicorp.com/c/vault + ## Issues ### Reporting an Issue @@ -237,3 +238,10 @@ Here are some examples of common test patterns: ``` Here we are check the length of the command output to see if the anything is rendered. This style can easily be switched to check that a file is rendered instead. + +## Contributor License Agreement + +We require that all contributors sign our Contributor License Agreement ("CLA") +before we can accept the contribution. + +[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla) From a84a61fdb6299bc30729ab9ccbb68a26d09ffed6 Mon Sep 17 00:00:00 2001 From: Jacob Mammoliti Date: Fri, 14 Jan 2022 18:19:22 -0500 Subject: [PATCH 014/108] add namespace support for openshift route (#679) --- CHANGELOG.md | 3 +++ templates/server-route.yaml | 1 + 2 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a8fa03748..47e5c28c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,9 @@ Features:
 * Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661)
 * csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670)
 
+Improvements:
+* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679)
+
 ## 0.18.0 (November 17th, 2021)
 
 CHANGES:
diff --git a/templates/server-route.yaml b/templates/server-route.yaml
index 63055db39..72b875299 100644
--- a/templates/server-route.yaml
+++ b/templates/server-route.yaml
@@ -9,6 +9,7 @@ kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
   name: {{ template "vault.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     helm.sh/chart: {{ include "vault.chart" . }}
     app.kubernetes.io/name: {{ include "vault.name" . }}
From e629dc9d65355a1329ae4535be423d03489317c4 Mon Sep 17 00:00:00 2001
From: "Ethan J. Brown" Date: Wed, 19 Jan 2022 18:55:56 -0800 Subject: [PATCH 015/108] Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 --- CHANGELOG.md | 1 + templates/tests/server-test.yaml | 15 +- test/unit/server-statefulset.bats | 2 +- test/unit/server-test.bats | 241 ++++++++++++++++++++++++++++++ 4 files changed, 256 insertions(+), 3 deletions(-) create mode 100644 test/unit/server-test.bats diff --git a/CHANGELOG.md b/CHANGELOG.md index 47e5c28c3..90d4c3312 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ Features: Improvements: * Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679) +* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673) ## 0.18.0 (November 17th, 2021) diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index 66aa178f5..d983b9df6 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,4 +1,6 @@ -{{- if .Values.server.enabled }} +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} apiVersion: v1 kind: Pod metadata: 
@@ -15,6 +17,7 @@ spec: env: - name: VAULT_ADDR value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} command: - /bin/sh - -c @@ -35,6 +38,14 @@ spec: fi exit 0 - + volumeMounts: + {{- if .Values.server.volumeMounts }} + {{- toYaml .Values.server.volumeMounts | nindent 8}} + {{- end }} + volumes: + {{- if .Values.server.volumes }} + {{- toYaml .Values.server.volumes | nindent 4}} + {{- end }} restartPolicy: Never {{- end }} +{{- end }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 65d6d9688..0a83ec6a1 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -537,7 +537,7 @@ load _helpers cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ - --set 'server.stanadlone.enabled=true' \ + --set 'server.standalone.enabled=true' \ --set 'server.extraEnvironmentVars.FOO=bar' \ --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ . | tee /dev/stderr | diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats new file mode 100644 index 000000000..5fd65d561 --- /dev/null +++ b/test/unit/server-test.bats 
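Review bot: The helm-test Pod now inherits every entry of `server.volumes`/`server.volumeMounts` and all of `server.extraEnvironmentVars`, which in a TLS deployment typically includes the Secret holding the server's private key, although the test presumably only needs the CA bundle to verify `VAULT_ADDR`; that mounts the key into a second, short-lived pod running an ad-hoc shell script, and no securityContext for that pod is visible in this view. Consider a dedicated `server.test.volumes`/`server.test.volumeMounts` that defaults to the server's lists so operators can mount only the CA, or at minimum document in values.yaml that the test hook inherits these mounts and environment variables. Note also that `volumeMounts:` is emitted even when `server.volumeMounts` is empty, which the API tolerates as null but is worth a comment such as `# rendered empty when server.volumeMounts is unset`. The Pod `spec:` that both hunks modify begins before the first hunk.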
@@ -0,0 +1,241 @@ +#!/usr/bin/env bats + +load _helpers + +#-------------------------------------------------------------------- +# disable / enable server deployment + +@test "server/server-test-Pod: disabled server.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/server-test-Pod: disabled server.enabled random string" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.enabled=blabla' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/server-test-Pod: enabled server.enabled explicit true" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- + +@test "server/standalone-server-test-Pod: default server.standalone.enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-server-test-Pod: enable with server.standalone.enabled true" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/ha-server-test-Pod: enable with server.ha.enabled true" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.ha.enabled=true' \ + . 
| tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-server-test-Pod: disable with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'global.enabled=false' \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/standalone-server-test-Pod: disable with injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/standalone-server-test-Pod: image defaults to server.image.repository:tag" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=1.2.3' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:1.2.3" ] + + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=1.2.3' \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:1.2.3" ] +} + +@test "server/standalone-server-test-Pod: image tag defaults to latest" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=' \ + . 
| tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:latest" ] + + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=' \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:latest" ] +} + +@test "server/standalone-server-test-Pod: default imagePullPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "IfNotPresent" ] +} + +@test "server/standalone-server-test-Pod: Custom imagePullPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.pullPolicy=Always' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "Always" ] +} + +#-------------------------------------------------------------------- +# resources + +@test "server/standalone-server-test-Pod: default resources" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].resources' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +#-------------------------------------------------------------------- +# volumes + +@test "server/standalone-server-test-Pod: server.volumes adds volume" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.volumes[0].name=plugins' \ + --set 'server.volumes[0].emptyDir=\{\}' \ + . 
| tee /dev/stderr | + yq -r '.spec.volumes[] | select(.name == "plugins")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.emptyDir' | tee /dev/stderr) + [ "${actual}" = "{}" ] +} + +#-------------------------------------------------------------------- +# volumeMounts + +@test "server/standalone-server-test-Pod: server.volumeMounts adds volumeMount" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.volumeMounts[0].name=plugins' \ + --set 'server.volumeMounts[0].mountPath=/usr/local/libexec/vault' \ + --set 'server.volumeMounts[0].readOnly=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].volumeMounts[] | select(.name == "plugins")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/usr/local/libexec/vault" ] + + local actual=$(echo $object | + yq -r '.readOnly' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# extraEnvironmentVars + +@test "server/standalone-server-test-Pod: set extraEnvironmentVars" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'server.extraEnvironmentVars.FOO=bar' \ + --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].env' | tee /dev/stderr) + + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] + + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] + + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.extraEnvironmentVars.FOO=bar' \ + --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ + . 
| tee /dev/stderr | + yq -r '.spec.containers[0].env' | tee /dev/stderr) + + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] + + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] +} From 92da5125777b87b7475f546e0a7127b9517fe735 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 20 Jan 2022 07:37:26 +0100 Subject: [PATCH 016/108] allow injection of TLS config for OpenShift routes (#686) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran --- CHANGELOG.md | 1 + templates/server-route.yaml | 2 +- test/unit/server-route.bats | 38 +++++++++++++++++++++++++++++++++++++ values.yaml | 7 ++++++- 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90d4c3312..d5288ec6f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ Features: Improvements: * Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679) * Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673) +* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686) ## 0.18.0 (November 17th, 2021) diff --git a/templates/server-route.yaml b/templates/server-route.yaml index 72b875299..e122d936b 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml @@ -28,7 +28,7 @@ spec: port: targetPort: 8200 tls: - termination: passthrough + {{- toYaml .Values.server.route.tls | nindent 4 }} {{- end }} {{- end }} {{- end }} diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index d141fb635..53e1e619b 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats 
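Review bot: The new `{{- toYaml .Values.server.route.tls | nindent 4 }}` line renders whatever sits under `server.route.tls` with no check, so a values override that nulls or empties that map leaves the Route with an empty `tls:` stanza, which OpenShift will presumably either reject or treat as an unsecured route in front of the Vault API. Failing the render is the safer outcome: `{{- $_ := required "server.route.tls.termination must be set" .Values.server.route.tls.termination }}` placed just above the `tls:` context line does that. Since this hunk is what makes `edge` and `reencrypt` selectable, the `tls:` line also deserves a comment such as `# any termination other than passthrough makes the router the TLS endpoint: it sees client tokens, and the router-to-pod hop is plaintext unless reencrypt is paired with a TLS listener`. The enclosing `{{- if }}` blocks begin outside the hunk.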
@@ -141,3 +141,41 @@ load _helpers yq -r '.spec.to.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } + +@test "server/route: OpenShift - route termination mode set to default passthrough" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "passthrough" ] +} + +@test "server/route: OpenShift - route termination mode set to edge" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.termination=edge' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "edge" ] +} + +@test "server/route: OpenShift - route custom tls entry" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \ + . | tee /dev/stderr | + yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr) + [ "${actual}" = "Redirect" ] +} diff --git a/values.yaml b/values.yaml index f4f5e9d0a..8169411fd 100644 --- a/values.yaml +++ b/values.yaml @@ -305,7 +305,7 @@ server: # - chart-example.local # OpenShift only - create a route to expose the service - # The created route will be of type passthrough + # By default the created route will be of type passthrough route: enabled: false 
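Review bot: The `route custom tls entry` test reads only `.spec.tls.insecureEdgeTerminationPolicy`, so it would still pass if a single `--set` on that key had replaced the whole default map and dropped `termination`, which is exactly the regression this feature can introduce. Capturing `.spec.tls` into an `object` variable and asserting both `.termination` = `passthrough` and `.insecureEdgeTerminationPolicy` = `Redirect` (the object-then-query pattern the other bats files in this series use) would pin the merge behaviour. The `edge` test could likewise assert that no `insecureEdgeTerminationPolicy` is emitted by default.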
@@ -316,6 +316,11 @@ server: labels: {} annotations: {} host: chart-example.local + # tls will be passed directly to the route's TLS config, which + # can be used to configure other termination methods that terminate + # TLS at the router + tls: + termination: passthrough # authDelegator enables a cluster role binding to be attached to the service # account. This cluster role binding can be used to setup Kubernetes auth From b0528fce49c529f2c37953ea3a14f30ed651e0d6 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 20 Jan 2022 15:54:24 -0800 Subject: [PATCH 017/108] Release 0.19.0 (#687) --- CHANGELOG.md | 6 ++++++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 8 ++++---- 6 files changed, 19 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d5288ec6f..ea6d36785 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ ## Unreleased +## 0.19.0 (January 20th, 2022) + +CHANGES: +* Vault image default 1.9.2 +* Vault K8s image default 0.14.2 + Features: * Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) * Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) diff --git a/Chart.yaml b/Chart.yaml index 91565e3b8..f2d013237 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.18.0 -appVersion: 1.9.0 +version: 0.19.0 +appVersion: 1.9.2 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index cdcfabef8..54a310f3a 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
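Review bot: The comment added above `tls:` says other termination methods "terminate TLS at the router" but not what that means for Vault traffic, which is the detail an operator choosing `edge` needs before flipping it. Suggest extending it with: `# Any mode other than passthrough makes the OpenShift router the TLS endpoint: client tokens are decrypted there, and the router-to-Vault hop is plaintext unless reencrypt is paired with a TLS-enabled listener.` It is also worth stating that `--set server.route.tls.<key>` merges into this default map rather than replacing it, so `termination: passthrough` persists unless overridden explicitly.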
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.0_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.0_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 68830ca5b..5ba78c9fe 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.0_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.0_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index afbe1f98a..d24ac6e21 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.14.1-ubi" + tag: "0.14.2-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.0-ubi" + tag: "1.9.2-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.0-ubi" + tag: "1.9.2-ubi" diff --git a/values.yaml b/values.yaml index 8169411fd..61af7b2dd 100644 --- a/values.yaml +++ b/values.yaml @@ -49,7 +49,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.14.1" + tag: "0.14.2" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -57,7 +57,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.9.0" + tag: "1.9.2" # The default values for the injected Vault Agent containers. agentDefaults: @@ -236,7 +236,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.9.0" + tag: "1.9.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -764,7 +764,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.3.0" + tag: "0.4.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From a2d9a0144f2f616a48a71a5d011f92e77d7b8a9a Mon Sep 17 00:00:00 2001 From: Michael Schuett Date: Fri, 25 Feb 2022 05:18:45 -0700 Subject: [PATCH 018/108] Add extraLabels for CSI DaemonSet (#690) --- templates/csi-daemonset.yaml | 6 ++++++ templates/csi-serviceaccount.yaml | 3 +++ test/unit/csi-daemonset.bats | 26 ++++++++++++++++++++++++++ test/unit/csi-serviceaccount.bats | 17 ++++++++++++++++- values.schema.json | 9 +++++++++ values.yaml | 13 +++++++++++++ 6 files changed, 73 insertions(+), 1 deletion(-) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index f0bf639f3..430889061 100644 --- a/templates/csi-daemonset.yaml 
+++ b/templates/csi-daemonset.yaml
@@ -8,6 +8,9 @@ metadata:
 app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- if .Values.csi.daemonSet.extraLabels -}}
+ {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
+ {{- end -}}
 {{ template "csi.daemonSet.annotations" . }}
 spec:
 updateStrategy:
@@ -25,6 +28,9 @@ spec:
 labels:
 app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
 app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if .Values.csi.pod.extraLabels -}}
+ {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
+ {{- end -}}
 {{ template "csi.pod.annotations" . }}
 spec:
 {{- if .Values.csi.priorityClassName }}
diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml
index ee127481b..eb9a78404 100644
--- a/templates/csi-serviceaccount.yaml
+++ b/templates/csi-serviceaccount.yaml
@@ -8,5 +8,8 @@ metadata:
 app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- if .Values.csi.serviceAccount.extraLabels -}}
+ {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
+ {{- end -}}
 {{ template "csi.serviceAccount.annotations" . }}
 {{- end }}
diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats
index dd88d829a..ed8864352 100644
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
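Review bot: The trailing `-}}` on `{{- end -}}` (and on the `| nindent 4 -}}` line) in the first hunk eats the newline and indent before the following `{{ template "csi.daemonSet.annotations" . }}` call, so the rendered metadata is only well-formed if that helper emits its own leading newline — presumably it does, given the new unit test, but the template now silently depends on it. The other templates touched in this series (`{{- end }}` in injector-deployment and server-route) trim on the left only; `{{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 }}` and `{{- end }}` would keep this block independent of the helper's whitespace. The second hunk (`csi.pod.extraLabels`) and the csi-serviceaccount.yaml hunk use the same trailing trims and need the same change.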
@@ -318,6 +318,32 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# Extra Labels + +@test "csi/daemonset: specify csi.daemonSet.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.pod.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + + #-------------------------------------------------------------------- # volumes diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 22ba06df2..0d61bc3aa 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats @@ -56,4 +56,19 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} + +# serviceAccount extraLabels + +@test "csi/serviceAccount: specify csi.serviceAccount.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.serviceAccount.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + + diff --git a/values.schema.json b/values.schema.json index 15440431a..b42e15218 100644 --- a/values.schema.json +++ b/values.schema.json @@ -14,6 +14,9 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "kubeletRootDir": { "type": "string" }, 
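Review bot: `"extraLabels": { "type": "object" }` accepts values of any type, but Kubernetes label values must be strings, so `--set csi.daemonSet.extraLabels.tier=1` passes schema validation and renders `tier: 1`, which the API server rejects at install time instead of `helm lint` catching it. Adding `"additionalProperties": { "type": "string" }` inside each `extraLabels` object moves that failure into the schema check. The same applies to the two `extraLabels` entries added in the next two hunks of this file.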
@@ -88,6 +91,9 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "tolerations": { "type": [ "null", @@ -128,6 +134,9 @@ "object", "string" ] + }, + "extraLabels": { + "type": "object" } } }, diff --git a/values.yaml b/values.yaml index 61af7b2dd..22f97bb72 100644 --- a/values.yaml +++ b/values.yaml @@ -805,6 +805,9 @@ csi: providersDir: "/etc/kubernetes/secrets-store-csi-providers" # Kubelet host path kubeletRootDir: "/var/lib/kubelet" + # Extra labels to attach to the vault-csi-provider daemonSet + # This should be a YAML map of the labels to apply to the csi provider daemonSet + extraLabels: {} pod: # Extra annotations for the provider pods. This can either be YAML or a @@ -817,6 +820,12 @@ csi: # in a PodSpec. tolerations: [] + # Extra labels to attach to the vault-csi-provider pod + # This should be a YAML map of the labels to apply to the csi provider pod + extraLabels: {} + + + # Priority class for csi pods priorityClassName: "" @@ -826,6 +835,10 @@ csi: # annotations to apply to the serviceAccount. annotations: {} + # Extra labels to attach to the vault-csi-provider serviceAccount + # This should be a YAML map of the labels to apply to the csi provider serviceAccount + extraLabels: {} + # Used to configure readinessProbe for the pods. readinessProbe: # When a probe fails, Kubernetes will try failureThreshold times before giving up From b447a92bd73d90e34f9a5a6caa69e355e86721cb Mon Sep 17 00:00:00 2001 From: Troy Fluegge Date: Fri, 25 Feb 2022 06:29:30 -0600 Subject: [PATCH 019/108] Updated hashicorp/vault-csi-provider image to v1.0.0 (#689) --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index 22f97bb72..2dba91754 100644 --- a/values.yaml +++ b/values.yaml @@ -764,7 +764,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.4.0" + tag: "1.0.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered 
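Review bot: The `@@ -817` hunk adds three blank `+` lines between the pod `extraLabels: {}` and the `# Priority class for csi pods` comment, whereas the serviceAccount stanza in the last hunk is followed by a single blank line; drop two of them. The three new comments could also state the constraint the schema does not enforce, e.g. `# Extra labels (string values only) to attach to the vault-csi-provider pod`, so a user setting a numeric label learns why the API server refused it.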
From 19b417cbaaf5bfd26b281d4976d542f7c2834b18 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Fri, 25 Feb 2022 19:01:04 +0000 Subject: [PATCH 020/108] Fix unit test assertions (#693) --- test/unit/csi-clusterrole.bats | 2 +- test/unit/csi-clusterrolebinding.bats | 4 ++-- test/unit/csi-daemonset.bats | 2 +- test/unit/csi-serviceaccount.bats | 2 +- test/unit/injector-deployment.bats | 4 ++-- test/unit/server-ha-statefulset.bats | 2 +- test/unit/server-ingress.bats | 10 +++++----- test/unit/server-route.bats | 8 ++++---- test/unit/server-serviceaccount.bats | 2 +- test/unit/server-statefulset.bats | 2 +- 10 files changed, 19 insertions(+), 19 deletions(-) diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats index 68ea7ce78..2bed54136 100644 --- a/test/unit/csi-clusterrole.bats +++ b/test/unit/csi-clusterrole.bats @@ -29,5 +29,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] } \ No newline at end of file diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index cff3a3699..ccd98c55a 100644 --- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.roleRef.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] } # ClusterRoleBinding service account name @@ -40,5 +40,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.subjects[0].name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } \ No newline at end of file 
diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index ed8864352..61ef1ef74 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -61,7 +61,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } # Image diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 0d61bc3aa..41c17349f 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } @test "csi/serviceAccount: specify annotations" { diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 740c17aae..93f8a0f81 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -157,7 +157,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ] + [ "${value}" = "release-name-vault-agent-injector-cfg" ] # helm template does uses current context namespace and ignores namespace flags, so # discover the targeted namespace so we can check the rendered value correctly. 
@@ -165,7 +165,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] + [ "${value}" = "release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.${namespace:-default},release-name-vault-agent-injector-svc.${namespace:-default}.svc" ] } @test "injector/deployment: manual TLS adds volume mount" { diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index cc77e7e39..6034cb541 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -428,7 +428,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] + [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 4132c16a7..aade5d57c 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -165,7 +165,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-active" ] + [ "${actual}" = "release-name-vault-active" ] } @test "server/ingress: uses regular service when configured with ha - yaml" { 
@@ -180,7 +180,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: uses regular service when not ha - yaml" { @@ -194,7 +194,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" { @@ -209,7 +209,7 @@ load _helpers --kube-version 1.18.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: uses regular service when not ha and activeService is true - yaml" { @@ -224,7 +224,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: pathType is added to Kubernetes version == 1.19.0" { diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index 53e1e619b..51b1a3021 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats @@ -99,7 +99,7 @@ load _helpers --set 'server.route.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route points to main service when not ha and activeService is true" { 
@@ -112,7 +112,7 @@ load _helpers --set 'server.route.activeService=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route points to active service by when HA by default" { @@ -125,7 +125,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-active" ] + [ "${actual}" = "release-name-vault-active" ] } @test "server/route: OpenShift - route points to general service by when HA when configured" { @@ -139,7 +139,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route termination mode set to default passthrough" { diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 29e18b56f..fbc2b94bf 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -26,7 +26,7 @@ load _helpers --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 0a83ec6a1..6a8d4518e 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -1640,7 +1640,7 @@ load _helpers --set 'server.serviceAccount.create=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } From a7e56d8741a6d1dbeb416215d4677ecf3a8f2a2e Mon Sep 17 00:00:00 2001 From: lion24 Date: Wed, 2 Mar 2022 02:30:07 +0100 Subject: [PATCH 021/108] vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H --- CHANGELOG.md | 4 ++++ Chart.yaml | 2 +- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 4 ++-- values.yaml | 4 ++-- 6 files changed, 13 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea6d36785..26e2c2e15 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Unreleased +CHANGES: +* Vault default image to 1.9.3 +* CSI provider default image to 1.0.0 + ## 0.19.0 (January 20th, 2022) CHANGES: diff --git a/Chart.yaml b/Chart.yaml index f2d013237..20e05bcda 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault version: 0.19.0 -appVersion: 1.9.2 +appVersion: 1.9.3 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 54a310f3a..05873fe06 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.9.3-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.9.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 5ba78c9fe..c7821cfa6 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats 
+++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.9.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.9.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index d24ac6e21..17861a416 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -10,9 +10,9 @@ injector: agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.9.3-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.9.3-ubi" diff --git a/values.yaml b/values.yaml index 2dba91754..88b40af1a 100644 --- a/values.yaml +++ b/values.yaml @@ -57,7 +57,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.9.2" + tag: "1.9.3" # The default values for the injected Vault Agent containers. agentDefaults: @@ -236,7 +236,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.9.2" + tag: "1.9.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 4f5c01f50bb9213dd5c0dd0277e894785caaf971 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 2 Mar 2022 16:45:11 +0000 Subject: [PATCH 022/108] changelog++ (#699) --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 26e2c2e15..db815eb60 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,9 @@ CHANGES: * Vault default image to 1.9.3 * CSI provider default image to 1.0.0 +Improvements: +* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) + ## 0.19.0 (January 20th, 2022) CHANGES: From a81a992b1472d6cae316eec61553f7a38a08b45f Mon Sep 17 00:00:00 2001 From: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Date: Thu, 3 Mar 2022 13:10:42 -0500 Subject: [PATCH 023/108] change helm trigger branch from master to main (#700) --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 70c2453fb..7582bdc21 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -77,7 +77,7 @@ jobs: -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true From f59f3d4b1336b86724d7dd4d4b6bca57ee8ad36a Mon Sep 17 00:00:00 2001 From: Christian Date: Wed, 16 Mar 2022 23:31:59 +0100 Subject: [PATCH 024/108] Add namespace to injector-leader-elector role, rolebinding and secret (#683) --- CHANGELOG.md | 1 + templates/injector-certs-secret.yaml | 1 + templates/injector-role.yaml | 1 + templates/injector-rolebinding.yaml | 1 + test/unit/injector-leader-elector.bats | 33 ++++++++++++++++++++++++++ 5 files changed, 37 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index db815eb60..7b90f48aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,7 @@ CHANGES: Improvements: * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) +* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) ## 0.19.0 (January 20th, 2022) diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml index 78363be55..e0d96b2fd 100644 --- a/templates/injector-certs-secret.yaml +++ b/templates/injector-certs-secret.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: vault-injector-certs + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index e7e383d16..c8ecfddd0 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index aa8179420..401873fb8 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index b6fa4ae62..bbd482985 100644 --- a/test/unit/injector-leader-elector.bats 
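Review bot: The Secret in the injector-certs-secret.yaml hunk keeps the fixed name `name: vault-injector-certs` while the Role and RoleBinding touched by the same commit derive their names from `vault.fullname`, so two releases of the chart in one namespace would both claim this single Secret; if it holds the injector's webhook serving certificate (the name suggests so, not visible here), the two injectors would overwrite each other's key material. Making the name release-scoped, `name: {{ template "vault.fullname" . }}-injector-certs`, would fix the collision, but the injector Deployment presumably looks the Secret up by this name, so that rename has to land together with the consumer, which is outside this hunk. The added `namespace: {{ .Release.Namespace }}` is the right change for `helm template | kubectl apply` workflows where the namespace is otherwise lost; the enclosing conditional that opens this template starts above the hunk.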
+++ b/test/unit/injector-leader-elector.bats @@ -87,6 +87,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/certs-secret: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-certs-secret.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} + @test "injector/role: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ @@ -127,6 +138,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/role: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-role.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} + @test "injector/rolebinding: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ @@ -166,3 +188,14 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/rolebinding: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-rolebinding.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} From 549d9b87b28c1dd193d3a93f993ab2008f704e9b Mon Sep 17 00:00:00 2001 
From: Viacheslav Vasilyev Date: Thu, 17 Mar 2022 18:52:53 +0100 Subject: [PATCH 025/108] allow to configure publishNotReadyAddresses on server services (#694) --- templates/server-ha-active-service.yaml | 2 +- templates/server-ha-standby-service.yaml | 2 +- templates/server-headless-service.yaml | 2 +- templates/server-service.yaml | 2 +- test/unit/server-ha-active-service.bats | 17 +++++++++++++++++ test/unit/server-ha-standby-service.bats | 17 +++++++++++++++++ test/unit/server-headless-service.bats | 19 +++++++++++++++++++ test/unit/server-service.bats | 7 +++++++ values.schema.json | 3 +++ values.yaml | 3 +++ 10 files changed, 70 insertions(+), 4 deletions(-) create mode 100644 test/unit/server-headless-service.bats diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index c2a4f0227..88ad80608 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -22,7 +22,7 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index fef92a1b2..014d6b58b 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -22,7 +22,7 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} 
diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index a37c63957..7e564c041 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -16,7 +16,7 @@ metadata: {{ template "vault.service.annotations" .}} spec: clusterIP: None - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: "{{ include "vault.scheme" . }}" port: {{ .Values.server.service.port }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 00996aa25..b1dc3c34e 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -24,7 +24,7 @@ spec: {{- include "service.externalTrafficPolicy" .Values.server.service }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index a835c9d9c..80e26dd4e 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
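Review bot: The comment directly above the changed line in server-service.yaml, `# We want the servers to become available even if they're not ready since this DNS is also used for join operations.`, still reads as an unconditional design statement now that the value is user-configurable, and it no longer tells the reader what breaks when the knob is turned off. Suggest rewording it to `# Defaults to true: this DNS name is also used for HA join operations, which must resolve peers before they pass readiness. Setting server.service.publishNotReadyAddresses=false can prevent a new cluster from forming.` The value is also rendered unquoted, so an explicitly null value drops the field and falls back to the Kubernetes default (false) rather than the chart default; acceptable given the schema marks it boolean, but worth one more sentence in that comment.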
@@ -197,3 +197,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/ha-active-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 7dfd5d7fd..df0f9071e 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -208,3 +208,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/ha-standby-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats new file mode 100644 index 000000000..4e2d13537 --- /dev/null +++ b/test/unit/server-headless-service.bats 
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/headless-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 4695f2fff..5208f6e30 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats @@ -175,6 +175,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] } @test "server/Service: type empty by default" { diff --git a/values.schema.json b/values.schema.json index b42e15218..40e3dd8ec 100644 --- a/values.schema.json +++ b/values.schema.json @@ -749,6 +749,9 @@ "enabled": { "type": "boolean" }, + "publishNotReadyAddresses": { + "type": "boolean" + }, "externalTrafficPolicy": { "type": "string" }, diff --git a/values.yaml b/values.yaml index 88b40af1a..db7c4844c 100644 --- a/values.yaml +++ b/values.yaml @@ -506,6 +506,9 @@ server: # or NodePort. #type: ClusterIP + # Do not wait for pods to be ready + publishNotReadyAddresses: true + # The externalTrafficPolicy can be set to either Cluster or Local # and is only valid for LoadBalancer and NodePort service types. # The default value is Cluster. 
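Review bot: In the values.yaml hunk, `# Do not wait for pods to be ready` under-documents a setting whose wrong value can stop an HA cluster from forming: the server-service template in this same commit says the service DNS is used for join operations. Suggest expanding it to `# publishNotReadyAddresses controls whether server pods are returned by the service DNS before they pass readiness. The default (true) is needed for HA join operations, which resolve peers that are sealed or not yet ready; only set this to false if you do not rely on this DNS for joins.` It should also say that the one value is applied to the main, headless, active and standby services together, since the four templates in this commit all read the same key and there is no per-service override.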
From 56a253ba97369ee96cf4da4a20fe8fb6342e27f6 Mon Sep 17 00:00:00 2001 From: Remco Buddelmeijer Date: Fri, 18 Mar 2022 15:15:43 +0100 Subject: [PATCH 026/108] Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 --- templates/_helpers.tpl | 8 +- templates/injector-mutating-webhook.yaml | 18 +- test/unit/injector-mutating-webhook.bats | 223 ++++++++++++++++++++--- values.schema.json | 26 +++ values.yaml | 65 ++++++- 5 files changed, 293 insertions(+), 47 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 12afeab91..945269897 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -372,13 +372,13 @@ Sets extra injector service annotations Sets extra injector webhook annotations */}} {{- define "injector.webhookAnnotations" -}} - {{- if .Values.injector.webhookAnnotations }} + {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }} annotations: - {{- $tp := typeOf .Values.injector.webhookAnnotations }} + {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }} {{- if eq $tp "string" }} - {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }} + {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }} {{- else }} - {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }} + {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }} {{- end }} {{- end }} {{- end -}} diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index de7dd5622..b0a6ac07b 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -14,10 +14,11 @@ metadata: {{- template "injector.webhookAnnotations" . }} webhooks: - name: vault.hashicorp.com + failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }} + matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }} sideEffects: None - admissionReviewVersions: - - "v1beta1" - - "v1" + timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }} + admissionReviewVersions: ["v1", "v1beta1"] clientConfig: service: name: {{ template "vault.fullname" . }}-agent-injector-svc 
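Review bot: `timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}` renders whatever the user supplies, but the API server only accepts 1–30 for a webhook timeout, so a value such as 50 passes `helm template` and is rejected at apply time with a less helpful error; a chart-level guard before the field, `{{- if gt (int ((.Values.injector.webhook)).timeoutSeconds) 30 }}{{ fail "injector.webhook.timeoutSeconds must be between 1 and 30" }}{{- end }}`, or a `maximum` in values.schema.json, surfaces it at install time. Note also that `default` treats `0` as unset, so `timeoutSeconds: 0` silently becomes 30 instead of failing. The `failurePolicy` line falls back to the deprecated `injector.failurePolicy` through `default`, which means an intentionally empty `webhook.failurePolicy` (to get the API default) cannot be expressed; probably acceptable for a compatibility shim, but a one-line template comment stating the precedence would help. The `webhooks` entry continues past the end of this hunk.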
@@ -29,15 +30,12 @@ webhooks: apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] -{{- if .Values.injector.namespaceSelector }} +{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }} namespaceSelector: -{{ toYaml .Values.injector.namespaceSelector | indent 6}} +{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}} {{ end }} -{{- if .Values.injector.objectSelector }} +{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }} objectSelector: -{{ toYaml .Values.injector.objectSelector | indent 6}} -{{ end }} -{{- with .Values.injector.failurePolicy }} - failurePolicy: {{.}} +{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}} {{ end }} {{ end }} diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 1e6e150d0..ef9bf8321 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats 
@@ -53,103 +53,274 @@ load _helpers [ "${actual}" = "\"\"" ] } -@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default" { +@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --namespace foo \ . | tee /dev/stderr | - yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) - [ "${actual}" = "null" ] + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + [ "${actual}" = "\"Ignore\"" ] } -@test "injector/MutatingWebhookConfiguration: can set namespaceSelector" { +@test "injector/MutatingWebhookConfiguration: can set failurePolicy (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.namespaceSelector.matchLabels.injector=true' \ + --set 'injector.webhook=null' \ + --set 'injector.failurePolicy=Fail' \ . | tee /dev/stderr | - yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "true" ] + [ "${actual}" = "\"Fail\"" ] } -@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" { +@test "injector/MutatingWebhookConfiguration: webhook.failurePolicy 'Ignore' by default" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --namespace foo \ + --set 'injector.failurePolicy=Invalid' \ . 
| tee /dev/stderr | - yq '.webhooks[0].objectSelector' | tee /dev/stderr) - [ "${actual}" = "null" ] + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Ignore\"" ] } -@test "injector/MutatingWebhookConfiguration: can set objectSelector" { +@test "injector/MutatingWebhookConfiguration: can set webhook.failurePolicy" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.objectSelector.matchLabels.injector=true' \ + --set 'injector.webhook.failurePolicy=Fail' \ + --set 'injector.failurePolicy=Invalid' \ . | tee /dev/stderr | - yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "true" ] + [ "${actual}" = "\"Fail\"" ] } -@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" { +@test "injector/MutatingWebhookConfiguration: webhook.matchPolicy 'Exact' by default" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --namespace foo \ . | tee /dev/stderr | - yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "\"Ignore\"" ] + yq '.webhooks[0].matchPolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Exact\"" ] } -@test "injector/MutatingWebhookConfiguration: can set failurePolicy" { +@test "injector/MutatingWebhookConfiguration: can set webhook.matchPolicy" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.failurePolicy=Fail' \ + --set 'injector.webhook.matchPolicy=Equivalent' \ . 
| tee /dev/stderr | - yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + yq '.webhooks[0].matchPolicy' | tee /dev/stderr) - [ "${actual}" = "\"Fail\"" ] + [ "${actual}" = "\"Equivalent\"" ] +} + +@test "injector/MutatingWebhookConfiguration: timeoutSeconds by default 30" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + . | tee /dev/stderr | + yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr) + + [ "${actual}" = "30" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.timeoutSeconds" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.timeoutSeconds=50' \ + . | tee /dev/stderr | + yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr) + + [ "${actual}" = "50" ] } #-------------------------------------------------------------------- # annotations -@test "injector/MutatingWebhookConfiguration: default annotations" { +@test "injector/MutatingWebhookConfiguration: default webhookAnnotations (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ . | tee /dev/stderr | yq -r '.metadata.annotations' | tee /dev/stderr) [ "${actual}" = "null" ] } -@test "injector/MutatingWebhookConfiguration: specify annotations yaml" { +@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --set 'injector.webhookAnnotations.foo=bar' \ . 
| tee /dev/stderr | yq -r '.metadata.annotations.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } -@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" { +@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml string (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --set 'injector.webhookAnnotations=foo: bar' \ . | tee /dev/stderr | yq -r '.metadata.annotations.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +@test "injector/MutatingWebhookConfiguration: default webhook.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.annotations.foo=bar' \ + --set 'injector.webhookAnnotations.invalid=invalid' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.annotations=foo: bar' \ + --set 'injector.webhookAnnotations=invalid: invalid' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +#-------------------------------------------------------------------- +# namespaceSelector + +@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set namespaceSelector (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.namespaceSelector.matchLabels.injector=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.namespaceSelector empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set set webhook.namespaceSelector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.namespaceSelector.matchLabels.injector=true' \ + --set 'injector.namespaceSelector.matchLabels.injector=false' \ + . 
| tee /dev/stderr | + yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# objectSelector + +@test "injector/MutatingWebhookConfiguration: objectSelector empty by default (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set objectSelector (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --set 'injector.objectSelector.matchLabels.injector=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.objectSelector empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.objectSelector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.objectSelector.matchLabels.injector=true' \ + --set 'injector.objectSelector.matchLabels.injector=false' \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} \ No newline at end of file 
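Review bot: The test `can set webhook.timeoutSeconds` asserts a rendered value of 50, which the Kubernetes API server rejects (the accepted range for a webhook timeout is 1–30), so the test pins a configuration that can never be applied; use a legal value, e.g. `--set 'injector.webhook.timeoutSeconds=10'` and `[ "${actual}" = "10" ]`, so that a later schema bound does not break it. The test name `can set set webhook.namespaceSelector` has a doubled word. The file also ends without a trailing newline (`\ No newline at end of file`), which the rest of the test suite does not do.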
diff --git a/values.schema.json b/values.schema.json index 40e3dd8ec..981bb7c23 100644 --- a/values.schema.json +++ b/values.schema.json @@ -374,6 +374,32 @@ "string" ] }, + "webhook": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "failurePolicy": { + "type": "string" + }, + "matchPolicy": { + "type": "string" + }, + "namespaceSelector": { + "type": "object" + }, + "objectSelector": { + "type": "object" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, "webhookAnnotations": { "type": [ "object", diff --git a/values.yaml b/values.yaml index db7c4844c..20d85d59b 100644 --- a/values.yaml +++ b/values.yaml 
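Review bot: The new `webhook` schema only types the fields, so an out-of-range `timeoutSeconds` or a misspelled `failurePolicy` passes `helm lint` and `helm install` and fails only when the API server validates the MutatingWebhookConfiguration. values.schema.json is already enforced at install time, so tightening it here gives the error at the right place: bound `timeoutSeconds` to the 1–30 window the API accepts and enumerate the two accepted values of `failurePolicy` and `matchPolicy`. This is additive and keeps the chart defaults (`Ignore`, `Exact`, `30`) valid, but the unit test that sets `timeoutSeconds=50` would then need a legal value.
```json
"failurePolicy": {
  "type": "string",
  "enum": ["Ignore", "Fail"]
},
"matchPolicy": {
  "type": "string",
  "enum": ["Exact", "Equivalent"]
},
"timeoutSeconds": {
  "type": "integer",
  "minimum": 1,
  "maximum": 30
}
```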
@@ -90,6 +90,61 @@ injector: # Configures all Vault Agent sidecars to revoke their token when shutting down revokeOnShutdown: false + webhook: + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # matchPolicy specifies the approach to accepting changes based on the rules of + # the MutatingWebhookConfiguration. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy + # for more details. + # + matchPolicy: Exact + + # timeoutSeconds is the amount of seconds before the webhook request will be ignored + # or fails. + # If it is ignored or fails depends on the failurePolicy + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts + # for more details. + # + timeoutSeconds: 30 + + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. 
+ # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} + + # Extra annotations to attach to the webhook + annotations: {} + + # Deprecated: please use 'webhook.failurePolicy' instead + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # Deprecated: please use 'webhook.namespaceSelector' instead # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -99,6 +154,8 @@ injector: # matchLabels: # sidecar-injector: enabled namespaceSelector: {} + + # Deprecated: please use 'webhook.objectSelector' instead # objectSelector is the selector for restricting the webhook to only # specific labels. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector @@ -109,13 +166,7 @@ injector: # vault-sidecar-injector: enabled objectSelector: {} - # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the - # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy - # - failurePolicy: Ignore - + # Deprecated: please use 'webhook.annotations' instead # Extra annotations to attach to the webhook webhookAnnotations: {} From 710915952e78ab7fb6a1a9ce7b1e96f6d29c7934 Mon Sep 17 00:00:00 2001 
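Review bot: The `webhook.failurePolicy` comment recommends `Fail` to block pod creation while the webhook is unavailable but omits the standard caveat: with `Fail` and no `namespaceSelector` excluding the injector's own namespace, a cluster that has lost every injector replica cannot admit the replacement injector pods either, while the default `Ignore` is fail-open and admits pods unmodified, i.e. without the injected agent. Suggest appending to that comment `# Fail can deadlock the injector's own restart unless its namespace is excluded via namespaceSelector; Ignore lets pods start without injection while the webhook is unreachable. Choose based on which failure you prefer.` The `timeoutSeconds` comment should state the range the API server accepts, e.g. `# Must be between 1 and 30; the API server rejects other values.` The `injector:` mapping this hunk sits in starts above it.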
From: Christopher Swenson Date: Mon, 21 Mar 2022 09:50:23 -0700 Subject: [PATCH 027/108] VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. Co-authored-by: Theron Voran --- CHANGELOG.md | 2 + templates/_helpers.tpl | 47 ++++++++++++++++++++- templates/csi-clusterrole.yaml | 3 +- templates/csi-clusterrolebinding.yaml | 3 +- templates/csi-daemonset.yaml | 3 +- templates/csi-serviceaccount.yaml | 3 +- templates/injector-certs-secret.yaml | 5 ++- templates/injector-clusterrole.yaml | 5 ++- templates/injector-clusterrolebinding.yaml | 3 +- templates/injector-deployment.yaml | 3 +- templates/injector-mutating-webhook.yaml | 3 +- templates/injector-network-policy.yaml | 5 ++- templates/injector-psp-role.yaml | 5 ++- templates/injector-psp-rolebinding.yaml | 5 ++- templates/injector-psp.yaml | 5 ++- templates/injector-role.yaml | 5 ++- templates/injector-rolebinding.yaml | 5 ++- templates/injector-service.yaml | 3 +- templates/injector-serviceaccount.yaml | 3 +- templates/server-clusterrolebinding.yaml | 5 ++- templates/server-config-configmap.yaml | 5 ++- templates/server-discovery-role.yaml | 5 ++- templates/server-discovery-rolebinding.yaml | 5 ++- templates/server-disruptionbudget.yaml | 5 ++- templates/server-ha-active-service.yaml | 5 ++- templates/server-ha-standby-service.yaml | 5 ++- 
templates/server-headless-service.yaml | 3 +- templates/server-ingress.yaml | 5 ++- templates/server-psp-role.yaml | 5 ++- templates/server-psp-rolebinding.yaml | 5 ++- templates/server-psp.yaml | 5 ++- templates/server-service.yaml | 3 +- templates/server-serviceaccount.yaml | 3 +- templates/server-statefulset.yaml | 5 ++- templates/tests/server-test.yaml | 3 +- templates/ui-service.yaml | 6 +-- test/unit/csi-daemonset.bats | 2 +- test/unit/injector-deployment.bats | 12 +++++- test/unit/injector-psp-role.bats | 4 +- test/unit/injector-psp-rolebinding.bats | 4 +- test/unit/injector-psp.bats | 4 +- test/unit/injector-service.bats | 2 +- test/unit/schema.bats | 16 +++---- test/unit/server-test.bats | 13 +++++- test/unit/ui-service.bats | 12 ++++++ values.schema.json | 20 +++++++-- values.yaml | 10 +++-- 47 files changed, 229 insertions(+), 64 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b90f48aa..ffa45d8e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ ## Unreleased CHANGES: +* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) * Vault default image to 1.9.3 * CSI provider default image to 1.0.0 diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 945269897..144008e1e 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -31,6 +31,50 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Compute if the csi driver is enabled. +*/}} +{{- define "vault.csiEnabled" -}} +{{- $_ := set . "csiEnabled" (or + (eq (.Values.csi.enabled | toString) "true") + (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the injector is enabled. +*/}} +{{- define "vault.injectorEnabled" -}} +{{- $_ := set . "injectorEnabled" (or + (eq (.Values.injector.enabled | toString) "true") + (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server is enabled. +*/}} +{{- define "vault.serverEnabled" -}} +{{- $_ := set . "serverEnabled" (or + (eq (.Values.server.enabled | toString) "true") + (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server service is enabled. +*/}} +{{- define "vault.serverServiceEnabled" -}} +{{- template "vault.serverEnabled" . -}} +{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} +{{- end -}} + +{{/* +Compute if the ui is enabled. +*/}} +{{- define "vault.uiEnabled" -}} +{{- $_ := set . "uiEnabled" (or + (eq (.Values.ui.enabled | toString) "true") + (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + {{/* Compute the maximum number of unavailable replicas for the PodDisruptionBudget. This defaults to (n/2)-1 where n is the number of members of the server cluster. 
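Review bot: The four component helpers (`vault.csiEnabled`, `vault.injectorEnabled`, `vault.serverEnabled`, `vault.uiEnabled`) repeat the same `or (eq X "true") (and (eq X "-") (eq global "true"))` expression, and their header comments never say what `"-"` means, so a reader has to reverse-engineer the sentinel from the boolean. Spell it out in each header, e.g. `Compute if the csi driver is enabled: true when csi.enabled is true, or when it is "-" and global.enabled is true; any other value disables it.` Because every other string (a typo such as `"ture"`, or `"yes"`) silently evaluates to disabled, consider rejecting unknown values before the `set`, e.g. `{{- if not (has (.Values.csi.enabled | toString) (list "true" "false" "-")) }}{{ fail "csi.enabled must be true, false or \"-\"" }}{{ end }}`. Note also that `set .` writes the result onto the shared root context, so every template that includes the helper observes the same stored value.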
@@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify template logic. */}} {{- define "vault.mode" -}} + {{- template "vault.serverEnabled" . -}} {{- if .Values.injector.externalVaultAddr -}} {{- $_ := set . "mode" "external" -}} - {{- else if ne (.Values.server.enabled | toString) "true" -}} + {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- $_ := set . "mode" "dev" -}} diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml index a19e520f5..ec6a3d2b9 100644 --- a/templates/csi-clusterrole.yaml +++ b/templates/csi-clusterrole.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml index 63d69c7b1..d5b62a5f0 100644 --- a/templates/csi-clusterrolebinding.yaml +++ b/templates/csi-clusterrolebinding.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 430889061..5c21752d6 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: apps/v1 kind: DaemonSet metadata: diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml index eb9a78404..8d6fa5329 100644 --- a/templates/csi-serviceaccount.yaml 
+++ b/templates/csi-serviceaccount.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml index e0d96b2fd..e88685b5e 100644 --- a/templates/injector-certs-secret.yaml +++ b/templates/injector-certs-secret.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: v1 kind: Secret metadata: @@ -9,3 +11,4 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml index 4ff25abe5..6a0d6be1a 100644 --- a/templates/injector-clusterrole.yaml +++ b/templates/injector-clusterrole.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -10,7 +11,7 @@ metadata: rules: - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] - verbs: + verbs: - "get" - "list" - "watch" diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml index 35d30b393..4c193f8a2 100644 --- a/templates/injector-clusterrolebinding.yaml 
+++ b/templates/injector-clusterrolebinding.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 95e2c2da8..9a50c7db9 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} # Deployment for the injector apiVersion: apps/v1 kind: Deployment diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index b0a6ac07b..f873f61c9 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} apiVersion: admissionregistration.k8s.io/v1 {{- else }} diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml index 7a399a538..68892d23b 100644 --- a/templates/injector-network-policy.yaml +++ b/templates/injector-network-policy.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.openshift | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
@@ -19,3 +21,4 @@ spec: - port: 8080 protocol: TCP {{ end }} +{{ end }} diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 20c87bb2a..5d23c7556 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -15,3 +17,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index d6d0d5e24..4f6b0a851 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -16,3 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml index c024ac107..1eee2fcd0 100644 --- a/templates/injector-psp.yaml +++ b/templates/injector-psp.yaml 
@@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -41,3 +43,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index c8ecfddd0..08c8264cc 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -24,3 +26,4 @@ rules: - "patch" - "delete" {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index 401873fb8..ea0db11b9 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -17,3 +19,4 @@ subjects: name: {{ template "vault.fullname" . }}-agent-injector namespace: {{ .Release.Namespace }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 3138b7a5b..5e747d6f1 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: Service metadata: diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index a28d38fab..ebc57b56f 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index e5e0f5fec..2db23a519 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,5 +1,7 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -22,3 +24,4 @@ subjects: name: {{ template "vault.serviceAccount.name" . }} namespace: {{ .Release.Namespace }} {{ end }} +{{ end }} 
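Review bot: `vault.mode` now invokes `vault.serverEnabled` itself (see the second _helpers.tpl hunk), so the `{{- template "vault.serverEnabled" . -}}` placed right after `{{ template "vault.mode" . }}` in templates/server-clusterrolebinding.yaml recomputes a value that is already on the context; the same pattern is repeated in server-config-configmap, server-discovery-role, server-discovery-rolebinding, server-disruptionbudget, server-psp-role, server-psp-rolebinding, server-psp, server-serviceaccount, server-statefulset and tests/server-test. It is harmless, but if the intent is to keep each template independent of `vault.mode`'s internals, a one-line comment such as `{{/* explicit so this template does not depend on vault.mode computing serverEnabled */}}` would stop the next reader from "cleaning it up".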
diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index b8093ad03..969dcf38e 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if ne .mode "dev" -}} {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} apiVersion: v1 kind: ConfigMap @@ -36,3 +38,4 @@ data: {{- end }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 4a39cec21..3e8544c77 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -17,3 +19,4 @@ rules: verbs: ["get", "watch", "list", "update", "patch"] {{ end }} {{ end }} +{{ end }} \ No newline at end of file diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 47526650b..8ceb48274 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} 
@@ -25,3 +27,4 @@ subjects: namespace: {{ .Release.Namespace }} {{ end }} {{ end }} +{{ end }} \ No newline at end of file diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 3c45cc04e..60fc8446b 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" -}} -{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. apiVersion: policy/v1beta1 @@ -22,3 +24,4 @@ spec: component: server {{- end -}} {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 88ad80608..525fc8c9c 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} # Service for active Vault pod apiVersion: v1 kind: Service @@ -40,3 +42,4 @@ spec: vault-active: "true" {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 014d6b58b..03260ffaf 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
@@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -40,3 +42,4 @@ spec: vault-active: "false" {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index 7e564c041..fffaaacbb 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 48c76a828..c81e5f5ce 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -4,7 +4,9 @@ {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} @@ -72,3 +74,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file 
diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index fd12e1eb3..608624b5b 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,5 +1,7 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -16,3 +18,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index b2a43c834..f6255ebdf 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,5 +1,7 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -17,3 +19,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index 2d9426819..cca688373 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,5 +1,7 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: 
@@ -45,3 +47,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-service.yaml b/templates/server-service.yaml index b1dc3c34e..3a9b0e7e5 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 925b166bb..4ff73a687 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} {{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} apiVersion: v1 kind: ServiceAccount diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index cbcda967d..7deea5ed6 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if ne .mode "" }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} # StatefulSet to run the actual vault server cluster. apiVersion: apps/v1 kind: StatefulSet @@ -206,3 +208,4 @@ spec: {{ template "vault.volumeclaims" . }} {{ end }} {{ end }} +{{ end }} \ No newline at end of file diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index d983b9df6..ef1aae848 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml 
@@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} apiVersion: v1 kind: Pod metadata: diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index ea27de282..d45afdda4 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -1,7 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} -{{- if eq (.Values.ui.enabled | toString) "true" }} +{{- template "vault.uiEnabled" . -}} +{{- if .uiEnabled -}} + apiVersion: v1 kind: Service metadata: @@ -34,4 +35,3 @@ spec: {{- include "service.loadBalancer" .Values.ui }} {{- end -}} {{- end }} -{{- end }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 61ef1ef74..23b43cc1f 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -27,7 +27,7 @@ load _helpers --set "global.enabled=false" \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } # priorityClassName diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 93f8a0f81..bfbd3eb5e 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
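Review bot: Dropping the `ne .mode ""` guard from templates/ui-service.yaml (together with the `global.enabled` check it was paired with) means a UI Service with no backing pods is rendered whenever `.uiEnabled` is true and the server resolves to the empty mode; several server templates in this commit still test `ne .mode ""`, so that state is reachable. If that is intended, the CHANGELOG entry should mention it; otherwise keep `{{- if and (ne .mode "") .uiEnabled -}}`. The added blank line after `{{- if .uiEnabled -}}` is swallowed by the trailing `-}}` and can be dropped.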
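Review bot: In test/unit/csi-daemonset.bats the assertion flips to `[ "${actual}" = "true" ]` but the `@test` name lies outside the hunk and is not touched by the commit; if it still reads `disable with global.enabled`, as the sibling injector tests did before this commit, the name now contradicts what the test checks. The injector-psp tests in this same commit were renamed to `ignore global.enabled` for the identical flip — apply the same rename here and in test/unit/injector-service.bats (the `@@ -52,7 +52,7 @@` hunk), which has the same mismatch.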
@@ -26,12 +26,22 @@ load _helpers local actual=$( (helm template \ --show-only templates/injector-deployment.yaml \ --set 'global.enabled=false' \ - --set 'injector.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } +@test "injector/deployment: enable with injector.enabled true and global.enabled false" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'global.enabled=false' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/deployment: image defaults to injector.image" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats index c6dc522af..8e7acd7d5 100644 --- a/test/unit/injector-psp-role.bats +++ b/test/unit/injector-psp-role.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy-Role: disable with global.enabled" { +@test "injector/PodSecurityPolicy-Role: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp-role.yaml \ @@ -31,5 +31,5 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats index f8a8255fb..88bfe7900 100644 --- a/test/unit/injector-psp-rolebinding.bats +++ b/test/unit/injector-psp-rolebinding.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" { +@test "injector/PodSecurityPolicy-RoleBinding: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp-rolebinding.yaml \ 
@@ -31,5 +31,5 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } diff --git a/test/unit/injector-psp.bats b/test/unit/injector-psp.bats index fa14b0f1e..a415358b2 100644 --- a/test/unit/injector-psp.bats +++ b/test/unit/injector-psp.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy: disable with global.enabled" { +@test "injector/PodSecurityPolicy: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp.yaml \ @@ -31,7 +31,7 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "injector/PodSecurityPolicy: annotations are templated correctly by default" { diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index ad4800991..027eaa080 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats @@ -52,7 +52,7 @@ load _helpers --set 'injector.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "injector/Service: generic annotations" { diff --git a/test/unit/schema.bats b/test/unit/schema.bats index a42614bf6..9a61d7d5a 100644 --- a/test/unit/schema.bats +++ b/test/unit/schema.bats @@ -7,9 +7,9 @@ load _helpers # schema, setting it as a string fails 'helm template'. @test "schema: csi enabled datatype" { cd `chart_dir` - run helm template . --set csi.enabled="nope" + run helm template . --set csi.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set csi.enabled=true [ "$status" -eq 0 ] 
@@ -17,9 +17,9 @@ load _helpers @test "schema: injector enabled datatype" { cd `chart_dir` - run helm template . --set injector.enabled="nope" + run helm template . --set injector.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set injector.enabled=true [ "$status" -eq 0 ] @@ -27,9 +27,9 @@ load _helpers @test "schema: server enabled datatype" { cd `chart_dir` - run helm template . --set server.enabled="nope" + run helm template . --set server.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set server.enabled=true [ "$status" -eq 0 ] @@ -37,9 +37,9 @@ load _helpers @test "schema: ui enabled datatype" { cd `chart_dir` - run helm template . --set ui.enabled="nope" + run helm template . --set ui.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set ui.enabled=true [ "$status" -eq 0 ] diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index 5fd65d561..de82f84c3 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats 
@@ -66,14 +66,25 @@ load _helpers [ "${actual}" = "true" ] } -@test "server/standalone-server-test-Pod: disable with global.enabled" { +@test "server/standalone-server-test-Pod: not disabled with global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/tests/server-test.yaml \ --set 'global.enabled=false' \ + --set 'server.enabled=true' \ --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-server-test-Pod: disable with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'global.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 0603303cd..384098f89 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -53,6 +53,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "ui/Service: 'disable with global, enable with ui.enabled'" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'global.enabled=false' \ + --set 'server.enabled=true' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "ui/Service: disable with injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ diff --git a/values.schema.json b/values.schema.json index 981bb7c23..523784825 100644 --- a/values.schema.json +++ b/values.schema.json @@ -43,7 +43,10 @@ "type": "boolean" }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "extraArgs": { "type": "array" @@ -266,7 +269,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalVaultAddr": { "type": "string" 
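Review bot: Widening `enabled` to `["boolean", "string"]` in values.schema.json lets any string through validation, while the templates only recognise `true`, `false` and `"-"`; a typo such as `--set csi.enabled=ture` now passes the schema and silently disables the component. Restricting the accepted values, e.g. adding `"enum": [true, false, "true", "false", "-"]` next to the `type`, turns that into a schema error; the same applies to the three other `enabled` hunks in this file. The test/unit/schema.bats assertions that expect `Expected: [boolean,string], given: integer` would then need their expected message updated.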
@@ -507,7 +513,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "enterpriseLicense": { "type": "object", @@ -874,7 +883,10 @@ ] }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalPort": { "type": "integer" diff --git a/values.yaml b/values.yaml index 20d85d59b..4d967f886 100644 --- a/values.yaml +++ b/values.yaml @@ -26,7 +26,8 @@ global: injector: # True if you want to enable vault agent injection. - enabled: true + # @default: global.enabled + enabled: "-" replicas: 1 @@ -266,8 +267,9 @@ injector: # type: RollingUpdate server: - # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details - enabled: true + # If true, or "-" with global.enabled true, Vault server will be installed. + # See vault.mode in _helpers.tpl for implementation details. + enabled: "-" # [Enterprise Only] This value refers to a Kubernetes secret that you have # created that contains your enterprise license. If you are not using an @@ -878,7 +880,7 @@ csi: # This should be a YAML map of the labels to apply to the csi provider pod extraLabels: {} - + # Priority class for csi pods priorityClassName: "" From 460b5e1b65404f82e2d1200d34e4772716cac03f Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 21 Mar 2022 10:29:03 -0700 Subject: [PATCH 028/108] Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 --- .github/workflows/acceptance.yaml | 2 +- CHANGELOG.md | 1 + Chart.yaml | 2 +- README.md | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 644875e26..2261ea63a 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml 
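Review bot: In values.yaml the injector stanza keeps `# True if you want to enable vault agent injection.` and adds only `# @default: global.enabled` above `enabled: "-"`, which does not tell the reader that `"-"` is the follow-global sentinel, whereas the server stanza in the same hunk explains it. Mirror the server wording, e.g. `# True if you want to enable vault agent injection. Set to "-" (the default) to follow global.enabled.`, so a user scanning values.yaml does not replace `"-"` with `true` thinking it is a placeholder.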
@@ -11,7 +11,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4] + kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 diff --git a/CHANGELOG.md b/CHANGELOG.md index ffa45d8e0..1a93fac1c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ CHANGES: * Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) * Vault default image to 1.9.3 * CSI provider default image to 1.0.0 +* Earliest Kubernetes version tested is now 1.16 Improvements: * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) diff --git a/Chart.yaml b/Chart.yaml index 20e05bcda..34fdd4daa 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: vault version: 0.19.0 appVersion: 1.9.3 -kubeVersion: ">= 1.14.0-0" +kubeVersion: ">= 1.16.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/README.md b/README.md index f95b26fc3..637f68b63 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ The versions required are: * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible it works with earlier versions but this chart is untested for those versions. - * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. From 4da0638f3efa5e72ba518d49273bced134bda99e Mon Sep 17 00:00:00 2001 
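Review bot: The versions in `kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4]` are unquoted; three-component versions are read as plain strings, but the first two-component entry someone adds to this list (say `1.30`) would be typed as a float and reach kind as `1.3`. Quoting the list now, `kind-k8s-version: ["1.16.15", "1.20.15", "1.21.10", "1.22.7", "1.23.4"]`, removes that trap at no cost.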
From: gw0 Date: Mon, 28 Mar 2022 13:20:36 +0200 Subject: [PATCH 029/108] Fix values schema to support config in YAML (#684) --- values.schema.json | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/values.schema.json b/values.schema.json index 523784825..39d07657d 100644 --- a/values.schema.json +++ b/values.schema.json @@ -566,7 +566,10 @@ ] }, "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "disruptionBudget": { "type": "object", @@ -589,7 +592,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": "boolean" @@ -822,7 +828,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": [ From 12444bffb6c9a5fb5651530306a637f675e86066 Mon Sep 17 00:00:00 2001 From: Stephen Herd Date: Mon, 4 Apr 2022 22:26:16 -0700 Subject: [PATCH 030/108] Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 --- CHANGELOG.md | 1 + templates/injector-disruptionbudget.yaml | 2 +- templates/server-disruptionbudget.yaml | 2 +- test/unit/injector-disruptionbudget.bats | 26 +++++++++++++++++++++-- test/unit/server-ha-disruptionbudget.bats | 24 +++++++++++++++++++++ 5 files changed, 51 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a93fac1c..f02bb837c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -10,6 +10,7 @@ CHANGES: Improvements: * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) * Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) +* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) ## 0.19.0 (January 20th, 2022) diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml index 59c998551..b44fd7300 100644 --- a/templates/injector-disruptionbudget.yaml +++ b/templates/injector-disruptionbudget.yaml @@ -1,5 +1,5 @@ {{- if .Values.injector.podDisruptionBudget }} -apiVersion: policy/v1beta1 +apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }}-agent-injector diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 60fc8446b..fd94ada45 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -5,7 +5,7 @@ {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. -apiVersion: policy/v1beta1 +apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index a0cee27d7..2f8f50aea 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats 
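Review bot: In the injector-disruptionbudget.yaml hunk, `ge .Capabilities.KubeVersion.Minor "21"` compares two strings, so the test is lexicographic rather than numeric: it gives the right answer for every minor in this chart's supported range only because all of them have two digits, and a Minor carrying a distribution suffix such as `"21+"` works by coincidence rather than by design. `semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version` states the intent directly, e.g. `apiVersion: {{ semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version | ternary "policy/v1" "policy/v1beta1" }}`, and when rendering against a live cluster `.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget"` is more accurate still. The same expression appears in the server-disruptionbudget.yaml hunk of this commit.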
@@ -11,6 +11,16 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + . | tee /dev/stderr | + yq '.spec.minAvailable == 2' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" { cd `chart_dir` local actual=$(helm template \ @@ -21,12 +31,24 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { +@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ --set 'injector.podDisruptionBudget.minAvailable=2' \ + --kube-version 1.19.5 \ . | tee /dev/stderr | - yq '.spec.minAvailable == 2' | tee /dev/stderr) + yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --kube-version 1.22.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 9271c019f..c98bc660d 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats 
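Review bot: Neither new apiVersion test pins the boundary the template switches on: `--kube-version 1.19.5` and `--kube-version 1.22.5` both sit away from 1.21, so a template that used `gt` instead of `ge`, or compared the wrong field, would still pass both. Add a third case with `--kube-version 1.21.0 \` asserting `yq '.apiVersion == "policy/v1"'`. The names `test is apiVersion is set correctly < version 1.21 of kube` read awkwardly; something like `apiVersion is policy/v1beta1 below kube 1.21` matches the style of the other names in this file, and the file now ends with `\ No newline at end of file`. The server-ha-disruptionbudget.bats hunk in this commit has the same three issues.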
@@ -97,3 +97,27 @@ load _helpers yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] } + +@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=1' \ + --kube-version 1.19.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=1' \ + --kube-version 1.22.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file From 4ae52c8bd3d3f4d303196ecb455ae07d9a943ba8 Mon Sep 17 00:00:00 2001 
From: "Ethan J. Brown" Date: Tue, 12 Apr 2022 22:54:54 -0700 Subject: [PATCH 031/108] Remove unncessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additonal call to vault.serverEnabled made which was unnecessary Remove those --- templates/server-clusterrolebinding.yaml | 1 - templates/server-config-configmap.yaml | 3 +-- templates/server-discovery-role.yaml | 3 +-- templates/server-discovery-rolebinding.yaml | 3 +-- templates/server-disruptionbudget.yaml | 3 +-- templates/server-ha-active-service.yaml | 2 +- templates/server-psp-role.yaml | 3 +-- templates/server-psp-rolebinding.yaml | 3 +-- templates/server-psp.yaml | 3 +-- templates/server-serviceaccount.yaml | 1 - templates/server-statefulset.yaml | 3 +-- templates/tests/server-test.yaml | 1 - 12 files changed, 9 insertions(+), 20 deletions(-) diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index 2db23a519..e045b9ec3 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,5 +1,4 @@ {{ template "vault.mode" . }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index 969dcf38e..f40c69608 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if ne .mode "dev" -}} {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} 
@@ -38,4 +37,4 @@ data: {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 3e8544c77..9ca23dd4c 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} apiVersion: rbac.authorization.k8s.io/v1 @@ -19,4 +18,4 @@ rules: verbs: ["get", "watch", "list", "update", "patch"] {{ end }} {{ end }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 8ceb48274..6e22e4c2b 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} @@ -27,4 +26,4 @@ subjects: namespace: {{ .Release.Namespace }} {{ end }} {{ end }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index fd94ada45..d940fa4da 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" -}} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through @@ -24,4 +23,4 @@ spec: component: server {{- end -}} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} 
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 525fc8c9c..90761a468 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -42,4 +42,4 @@ spec: vault-active: "true" {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index 608624b5b..b8eb897e5 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,5 +1,4 @@ {{ template "vault.mode" . }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 @@ -18,4 +17,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index f6255ebdf..fded9fbc6 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,5 +1,4 @@ {{ template "vault.mode" . }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 @@ -19,4 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index cca688373..d210af351 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,5 +1,4 @@ {{ template "vault.mode" . }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 
@@ -47,4 +46,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 4ff73a687..2d1a104bf 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -1,5 +1,4 @@ {{ template "vault.mode" . }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} apiVersion: v1 diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 7deea5ed6..5cf159787 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,7 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if ne .mode "" }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} # StatefulSet to run the actual vault server cluster. apiVersion: apps/v1 @@ -208,4 +207,4 @@ spec: {{ template "vault.volumeclaims" . }} {{ end }} {{ end }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index ef1aae848..56dbee78c 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} apiVersion: v1 kind: Pod From 87e456754b7ee5578c17d04ed0622b586182357c Mon Sep 17 00:00:00 2001 
From: Stephen Herd Date: Thu, 14 Apr 2022 15:16:39 -0700 Subject: [PATCH 032/108] =?UTF-8?q?Issue=20629:=20updated=20to=20allow=20c?= =?UTF-8?q?ustomization=20of=20the=20CLUSTER=5FADDR=20the=20same=E2=80=A6?= =?UTF-8?q?=20(#709)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidently. * Issue-#629 fixing extra whitespace added. * Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran --- CHANGELOG.md | 1 + templates/server-statefulset.yaml | 4 +++ test/unit/server-ha-statefulset.bats | 47 +++++++++++++++++++++++++++- values.yaml | 5 +++ 4 files changed, 56 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f02bb837c..8454d28f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Improvements: * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) * Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) * Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) +* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) ## 0.19.0 (January 20th, 2022) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 5cf159787..2cae84fe4 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml 
@@ -109,7 +109,11 @@ spec: fieldRef: fieldPath: metadata.name - name: VAULT_CLUSTER_ADDR + {{- if .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr }} + {{- else }} value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + {{- end }} {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} - name: VAULT_RAFT_NODE_ID valueFrom: diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 6034cb541..0722c2689 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -417,7 +417,7 @@ load _helpers #-------------------------------------------------------------------- # VAULT_CLUSTER_ADDR renders -@test "server/ha-StatefulSet: cluster addr renders" { +@test "server/ha-StatefulSet: clusterAddr not set" { cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ 
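Review bot: The new branch emits `value: {{ .Values.server.ha.clusterAddr }}` unquoted while the fallback line directly below it is quoted, so the rendered YAML depends on the shape of the user's value: a container env `value` must be a string, and a value that YAML would type as a number or boolean, or one containing `: ` or ` #`, yields a manifest that is rejected or mis-parsed at apply time rather than at template time. Rendering it as `value: {{ .Values.server.ha.clusterAddr | quote }}` matches the fallback and the other `value:` entries in this env list.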
@@ -431,6 +431,51 @@ load _helpers [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] } +@test "server/ha-StatefulSet: clusterAddr set to null" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=null' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to custom url" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=https://test.example.com:8201' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://test.example.com:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to custom url with environment variable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] +} + #-------------------------------------------------------------------- # VAULT_RAFT_NODE_ID renders 
diff --git a/values.yaml b/values.yaml index 4d967f886..ed4f80f71 100644 --- a/values.yaml +++ b/values.yaml @@ -680,6 +680,11 @@ server: # If set to null, this will be set to the Pod IP Address apiAddr: null + # Set the cluster_addr confuguration for Vault HA + # See https://www.vaultproject.io/docs/configuration#cluster_addr + # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 + clusterAddr: null + # Enables Vault's integrated Raft storage. Unlike the typical HA modes where # Vault's persistence is external (such as Consul), enabling Raft mode will create # persistent volumes for Vault to store data according to the configuration under server.dataStorage. From 230bba4706eaf5b4b305392e6eb7f87a948a0cf2 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 27 Apr 2022 09:22:50 -0700 Subject: [PATCH 033/108] VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran --- CHANGELOG.md | 2 +- test/acceptance/csi.bats | 2 +- values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8454d28f6..52cab2770 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ CHANGES: * `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) * Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) * Vault default image to 1.9.3 -* CSI provider default image to 1.0.0 +* CSI provider default image to 1.1.0 * Earliest Kubernetes version tested is now 1.16 Improvements: diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index c7c6549e2..57b50706f 100644 
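Review bot: The new comment in the values.yaml hunk has a typo, `confuguration`; it should read `# Set the cluster_addr configuration for Vault HA`. The third comment line documents the fallback as a template expression, `{{ template "vault.fullname" . }}`, which is accurate for the statefulset template but is easy to misread as something to paste into values.yaml; spelling out the rendered shape, e.g. `https://$(HOSTNAME).<fullname>-internal:8201`, would be clearer to someone editing this file.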
--- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -17,7 +17,7 @@ check_skip_csi() { kubectl create namespace acceptance # Install Secrets Store CSI driver - CSI_DRIVER_VERSION=1.0.0 + CSI_DRIVER_VERSION=1.1.2 helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ --wait --timeout=5m \ --namespace=acceptance \ diff --git a/values.yaml b/values.yaml index ed4f80f71..891129ee8 100644 --- a/values.yaml +++ b/values.yaml @@ -825,7 +825,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.0.0" + tag: "1.1.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From 9b43054901c47f2523eaf5dab574c7c7218d1793 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 27 Apr 2022 09:58:56 -0700 Subject: [PATCH 034/108] VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade --- test/acceptance/csi.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index 57b50706f..c7c6549e2 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -17,7 +17,7 @@ check_skip_csi() { kubectl create namespace acceptance # Install Secrets Store CSI driver - CSI_DRIVER_VERSION=1.1.2 + CSI_DRIVER_VERSION=1.0.0 helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ --wait --timeout=5m \ --namespace=acceptance \ From 4005767e87c29ca676103c24f44d20f4d8a54117 Mon Sep 17 00:00:00 2001 
From: Eric Miller Date: Thu, 28 Apr 2022 12:47:40 -0500 Subject: [PATCH 035/108] Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson --- templates/_helpers.tpl | 31 ++++++++++++++++++++++++++++ templates/injector-deployment.yaml | 1 + templates/server-statefulset.yaml | 1 + test/unit/injector-deployment.bats | 21 +++++++++++++++++++ test/unit/server-ha-statefulset.bats | 26 +++++++++++++++++++++++ test/unit/server-statefulset.bats | 23 +++++++++++++++++++++ values.schema.json | 7 +++++++ values.yaml | 12 +++++++++++ 8 files changed, 122 insertions(+) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 144008e1e..846bfc3df 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -293,6 +293,37 @@ Sets the injector affinity for pod placement {{ end }} {{- end -}} +{{/* +Sets the topologySpreadConstraints when running in standalone and HA modes. +*/}} +{{- define "vault.topologySpreadConstraints" -}} + {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.server.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + + +{{/* +Sets the injector topologySpreadConstraints for pod placement +*/}} +{{- define "injector.topologySpreadConstraints" -}} + {{- if .Values.injector.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.injector.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + {{/* Sets the toleration for pod placement when running in standalone and HA modes. */}} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 9a50c7db9..d46cefc5b 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -31,6 +31,7 @@ spec: {{ template "injector.annotations" . }} spec: {{ template "injector.affinity" . }} + {{ template "injector.topologySpreadConstraints" . }} {{ template "injector.tolerations" . }} {{ template "injector.nodeselector" . }} {{- if .Values.injector.priorityClassName }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 2cae84fe4..518a19336 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml 
@@ -37,6 +37,7 @@ spec: {{ template "vault.annotations" . }} spec: {{ template "vault.affinity" . }} + {{ template "vault.topologySpreadConstraints" . }} {{ template "vault.tolerations" . }} {{ template "vault.nodeselector" . }} {{- if .Values.server.priorityClassName }} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index bfbd3eb5e..94d01cda7 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -462,6 +462,27 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "injector/deployment: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "injector/deployment: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set "injector.topologySpreadConstraints[0].foo=bar,injector.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # tolerations diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 0722c2689..342fa433d 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
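Review bot: The `topologySpreadConstraints is null by default` test in the injector-deployment.bats hunk computes `actual` but never asserts on it, so it passes whatever the template renders; the closing `}` follows the `yq` line directly. Add `[ "${actual}" = "true" ]` before the brace, as the sibling `can be set as YAML` test does. The same assertion is missing from the corresponding default-value tests in the server-ha-statefulset.bats and server-statefulset.bats hunks of this commit.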
@@ -585,6 +585,32 @@ load _helpers [ "${actual}" = "1" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "server/ha-StatefulSet: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "server/ha-StatefulSet: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set "server.topologySpreadConstraints[0].foo=bar,server.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# tolerations + @test "server/ha-StatefulSet: tolerations not set by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 6a8d4518e..a240e3dad 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -784,6 +784,29 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# topologySpreadConstraints + +@test "server/standalone-StatefulSet: topologySpreadConstraints is null by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .topologySpreadConstraints? == null' | tee /dev/stderr) +} + +@test "server/standalone-StatefulSet: topologySpreadConstraints can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set "server.topologySpreadConstraints[0].foo=bar,server.topologySpreadConstraints[1].baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.topologySpreadConstraints == [{"foo": "bar"}, {"baz": "qux"}]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# tolerations @test "server/standalone-StatefulSet: tolerations not set by default" { cd `chart_dir` diff --git a/values.schema.json b/values.schema.json index 39d07657d..87a02f803 100644 --- a/values.schema.json +++ b/values.schema.json @@ -380,6 +380,13 @@ "string" ] }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, "webhook": { "type": "object", "properties": { diff --git a/values.yaml b/values.yaml index 891129ee8..a693ee001 100644 --- a/values.yaml +++ b/values.yaml 
@@ -218,6 +218,12 @@ injector:
 component: webhook
 topologyKey: kubernetes.io/hostname
+ # Topology settings for injector pods
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
+ # in a PodSpec.
+ topologySpreadConstraints: []
+
 # Toleration Settings for injector pods
 # This should be either a multi-line string or YAML matching the Toleration array
 # in a PodSpec.
@@ -508,6 +514,12 @@ server:
 component: server
 topologyKey: kubernetes.io/hostname
+ # Topology settings for server pods
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
+ # in a PodSpec.
+ topologySpreadConstraints: []
+
 # Toleration Settings for server pods
 # This should be either a multi-line string or YAML matching the Toleration array
 # in a PodSpec.
From eba754814a873c822dae2c7ced53963815c6b71e Mon Sep 17 00:00:00 2001
From: Christopher Swenson
Date: Thu, 28 Apr 2022 12:05:31 -0700
Subject: [PATCH 036/108] Update the changelog with changes from 614 and 652 (#723)
* Update the changelog with changes from 614 and 652
* Update CHANGELOG.md
Co-authored-by: Theron Voran
Co-authored-by: Theron Voran
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 52cab2770..46c243178 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ CHANGES:
 * Vault default image to 1.9.3
 * CSI provider default image to 1.1.0
 * Earliest Kubernetes version tested is now 1.16
+* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
 Improvements:
 * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
From 6ca2f72f34bb7e354da82a673a89b186b009510e Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Mon, 16 May 2022 17:28:31 +0100
Subject: [PATCH 037/108] Prepare v0.20.0 release (#727)
---
CHANGELOG.md | 8 +++++++-
Chart.yaml | 4 ++--
test/acceptance/csi.bats | 3 ++-
test/acceptance/server-ha-enterprise-dr.bats | 4 ++--
test/acceptance/server-ha-enterprise-perf.bats | 4 ++--
values.openshift.yaml | 6 +++---
values.yaml | 6 +++---
7 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 46c243178..b891e27ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,18 +1,24 @@
 ## Unreleased
+## 0.20.0 (May 16th, 2022)
+
 CHANGES:
 * `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
 * Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
-* Vault default image to 1.9.3
+* Vault default image to 1.10.3
 * CSI provider default image to 1.1.0
+* Vault K8s default image to 0.16.0
 * Earliest Kubernetes version tested is now 1.16
 * Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
+* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
 Improvements:
 * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
 * Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
 * Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
 * Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
+* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
+* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
 ## 0.19.0 (January 20th, 2022)
diff --git a/Chart.yaml b/Chart.yaml
index 34fdd4daa..fc5527d10 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: vault
-version: 0.19.0
-appVersion: 1.9.3
+version: 0.20.0
+appVersion: 1.10.3
 kubeVersion: ">= 1.16.0-0"
 description: Official HashiCorp Vault Chart
 home: https://www.vaultproject.io
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
index c7c6549e2..bf6f85b5e 100644
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@@ -18,7 +18,8 @@ check_skip_csi() {
 # Install Secrets Store CSI driver
 CSI_DRIVER_VERSION=1.0.0
- helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
+ helm install secrets-store-csi-driver secrets-store-csi-driver --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
+ --version="${CSI_DRIVER_VERSION}"
 --wait --timeout=5m \
 --namespace=acceptance \
 --set linux.image.pullPolicy="IfNotPresent" \
diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats
index 05873fe06..5cc1a9b06 100644
--- a/test/acceptance/server-ha-enterprise-dr.bats
+++ b/test/acceptance/server-ha-enterprise-dr.bats
@@ -7,7 +7,7 @@ load _helpers
 helm install "$(name_prefix)-east" \
 --set='server.image.repository=hashicorp/vault-enterprise' \
- --set='server.image.tag=1.9.3-ent' \
+ --set='server.image.tag=1.10.3-ent' \
 --set='injector.enabled=false' \
 --set='server.ha.enabled=true' \
 --set='server.ha.raft.enabled=true' \
@@ -75,7 +75,7 @@ load _helpers
 helm install "$(name_prefix)-west" \
 --set='injector.enabled=false' \
 --set='server.image.repository=hashicorp/vault-enterprise' \
- --set='server.image.tag=1.9.3-ent' \
+ --set='server.image.tag=1.10.3-ent' \
 --set='server.ha.enabled=true' \
 --set='server.ha.raft.enabled=true' \
 --set='server.enterpriseLicense.secretName=vault-license' .
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats
index c7821cfa6..6deec78f9 100644
--- a/test/acceptance/server-ha-enterprise-perf.bats
+++ b/test/acceptance/server-ha-enterprise-perf.bats
@@ -8,7 +8,7 @@ load _helpers
 helm install "$(name_prefix)-east" \
 --set='injector.enabled=false' \
 --set='server.image.repository=hashicorp/vault-enterprise' \
- --set='server.image.tag=1.9.3-ent' \
+ --set='server.image.tag=1.10.3-ent' \
 --set='server.ha.enabled=true' \
 --set='server.ha.raft.enabled=true' \
 --set='server.enterpriseLicense.secretName=vault-license' .
@@ -75,7 +75,7 @@ load _helpers
 helm install "$(name_prefix)-west" \
 --set='injector.enabled=false' \
 --set='server.image.repository=hashicorp/vault-enterprise' \
- --set='server.image.tag=1.9.3-ent' \
+ --set='server.image.tag=1.10.3-ent' \
 --set='server.ha.enabled=true' \
 --set='server.ha.raft.enabled=true' \
 --set='server.enterpriseLicense.secretName=vault-license' .
diff --git a/values.openshift.yaml b/values.openshift.yaml
index 17861a416..e59bb8677 100644
--- a/values.openshift.yaml
+++ b/values.openshift.yaml
@@ -6,13 +6,13 @@ global:
 injector:
 image:
 repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
- tag: "0.14.2-ubi"
+ tag: "0.16.0-ubi"
 agentImage:
 repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.9.3-ubi"
+ tag: "1.10.3-ubi"
 server:
 image:
 repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.9.3-ubi"
+ tag: "1.10.3-ubi"
diff --git a/values.yaml b/values.yaml
index a693ee001..88b2a503e 100644
--- a/values.yaml
+++ b/values.yaml
@@ -50,7 +50,7 @@ injector:
 # image sets the repo and tag of the vault-k8s image to use for the injector.
 image:
 repository: "hashicorp/vault-k8s"
- tag: "0.14.2"
+ tag: "0.16.0"
 pullPolicy: IfNotPresent
 # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@@ -58,7 +58,7 @@ injector:
 # required.
 agentImage:
 repository: "hashicorp/vault"
- tag: "1.9.3"
+ tag: "1.10.3"
 # The default values for the injected Vault Agent containers.
 agentDefaults:
@@ -295,7 +295,7 @@ server:
 image:
 repository: "hashicorp/vault"
- tag: "1.9.3"
+ tag: "1.10.3"
 # Overrides the default Image Pull Policy
 pullPolicy: IfNotPresent
From 86b30098aefff39775337795aacabc13cc238533 Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Mon, 16 May 2022 18:19:15 +0100
Subject: [PATCH 038/108] Fix CSI acceptance tests (#728)
---
test/acceptance/csi.bats | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
index bf6f85b5e..c7c6549e2 100644
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@@ -18,8 +18,7 @@ check_skip_csi() {
 # Install Secrets Store CSI driver
 CSI_DRIVER_VERSION=1.0.0
- helm install secrets-store-csi-driver secrets-store-csi-driver --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
- --version="${CSI_DRIVER_VERSION}"
+ helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
 --wait --timeout=5m \
 --namespace=acceptance \
 --set linux.image.pullPolicy="IfNotPresent" \
From 3dcc3fd61252433d7cbed1c196cae04945bb5568 Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Thu, 19 May 2022 23:23:09 -0700
Subject: [PATCH 039/108] Update minimum required helm version in readme (#730)
Co-authored-by: Tom Proctor
---
README.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 637f68b63..c9971ff41 100644
--- a/README.md
+++ b/README.md
@@ -20,8 +20,7 @@ this README. Please refer to the Kubernetes and Helm documentation. The versions required are:
- * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible
- it works with earlier versions but this chart is untested for those versions.
+ * **Helm 3.6+**
 * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested.
From 830761a293148b3149f8a497fb2e55bae5288160 Mon Sep 17 00:00:00 2001
From: Christopher Swenson
Date: Tue, 24 May 2022 08:27:17 -0700
Subject: [PATCH 040/108] Restore missing 'vault' service account (#737)
Our tutorials rely on this service account being present even if we are using an external Vault. The `values.yaml` also states that external Vaults are expected to use this service account. For example, https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault
---
CHANGELOG.md | 3 +++
templates/_helpers.tpl | 26 ++++++++++++++++++++++++
templates/server-clusterrolebinding.yaml | 8 +++-----
templates/server-serviceaccount.yaml | 6 ++----
test/unit/server-clusterrolebinding.bats | 1 +
5 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b891e27ec..004076ad5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
+CHANGES:
+* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0
+
 ## 0.20.0 (May 16th, 2022)
 CHANGES:
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 846bfc3df..8c66a370a 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -58,6 +58,32 @@ Compute if the server is enabled.
 (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
 {{- end -}}
+{{/*
+Compute if the server auth delegator serviceaccount is enabled.
+*/}}
+{{- define "vault.serverServiceAccountEnabled" -}}
+{{- $_ := set . "serverServiceAccountEnabled"
+ (and
+ (eq (.Values.server.serviceAccount.create | toString) "true" )
+ (or
+ (eq (.Values.server.enabled | toString) "true")
+ (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server auth delegator serviceaccount is enabled.
+*/}}
+{{- define "vault.serverAuthDelegator" -}}
+{{- $_ := set . "serverAuthDelegator"
+ (and
+ (eq (.Values.server.authDelegator.enabled | toString) "true" )
+ (or (eq (.Values.server.serviceAccount.create | toString) "true")
+ (not (eq .Values.server.serviceAccount.name "")))
+ (or
+ (eq (.Values.server.enabled | toString) "true")
+ (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
 {{/*
 Compute if the server service is enabled.
 */}}
diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml
index e045b9ec3..8cdd61143 100644
--- a/templates/server-clusterrolebinding.yaml
+++ b/templates/server-clusterrolebinding.yaml
@@ -1,6 +1,5 @@
-{{ template "vault.mode" . }}
-{{- if .serverEnabled -}}
-{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
+{{ template "vault.serverAuthDelegator" . }}
+{{- if .serverAuthDelegator -}}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
@@ -22,5 +21,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ template "vault.serviceAccount.name" . }}
 namespace: {{ .Release.Namespace }}
-{{ end }}
-{{ end }}
+{{ end }}
\ No newline at end of file
diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml
index 2d1a104bf..c0d32d190 100644
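Review bot: The header comment on the new `vault.serverServiceAccountEnabled` helper is a copy of the auth-delegator one and describes the wrong helper; it should read `Compute if the server serviceaccount is enabled.` Both helpers also deserve a sentence saying that, unlike `vault.serverEnabled`, they are true when `server.enabled` is false as long as `global.enabled` is true, because with the server-clusterrolebinding.yaml hunk that follows, the cluster-scoped binding (presumably the auth-delegator role, per the helper name; the roleRef is outside this hunk) is now granted to the `vault` service account even in external-Vault installs — the commit's intent, but a widening of RBAC that the values documentation should state explicitly. The rewritten server-clusterrolebinding.yaml now ends without a trailing newline (`\ No newline at end of file`), which is worth restoring.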
--- a/templates/server-serviceaccount.yaml
+++ b/templates/server-serviceaccount.yaml
@@ -1,6 +1,5 @@
-{{ template "vault.mode" . }}
-{{- if .serverEnabled -}}
-{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
+{{ template "vault.serverServiceAccountEnabled" . }}
+{{- if .serverServiceAccountEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -13,4 +12,3 @@ metadata:
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
-{{ end }}
diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats
index bf0a4d858..9d05aeaf1 100755
--- a/test/unit/server-clusterrolebinding.bats
+++ b/test/unit/server-clusterrolebinding.bats
@@ -65,6 +65,7 @@ load _helpers
 cd `chart_dir`
 local actual=$( (helm template \
 --show-only templates/server-clusterrolebinding.yaml \
+ --set 'server.enabled=false' \ + --set 'injector.externalVaultAddr=http://vault-outside' \
 . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
From daa2b3b2360658a5f0661bbdb27dcac61443ddae Mon Sep 17 00:00:00 2001
From: Christopher Swenson
Date: Tue, 24 May 2022 09:48:01 -0700
Subject: [PATCH 041/108] Set default object selector for webhooks to exclude injector itself (#736)
Set default object selector for webhooks to exclude injector itself If `injector.failurePolicy` is set to `Fail`, there is a race condition where if the mutating webhook config is setup before the injector, then the injector can fail to start because it tries to inject itself. We can work around this by ignoring the injector pod in in the webhook by default. Thanks to @joeyslalom for the object selector to exclude the pod. Fixes https://github.com/hashicorp/vault-k8s/issues/258
---
CHANGELOG.md | 3 ++-
templates/_helpers.tpl | 16 ++++++++++++++++
templates/injector-mutating-webhook.yaml | 5 +----
test/unit/injector-mutating-webhook.bats | 6 +++---
values.schema.json | 10 ++++++++--
values.yaml | 13 +++++++++----
6 files changed, 39 insertions(+), 14 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 004076ad5..ad5912284 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,8 @@
 ## Unreleased
 CHANGES:
-* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0
+* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
+* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
 ## 0.20.0 (May 16th, 2022)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 8c66a370a..8f3aa65ab 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -485,6 +485,22 @@ Sets extra injector webhook annotations
 {{- end }}
 {{- end -}}
+{{/*
+Set's the injector webhook objectSelector
+*/}}
+{{- define "injector.objectSelector" -}}
+ {{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}}
+ {{ if $v }}
+ objectSelector:
+ {{- $tp := typeOf $v -}}
+ {{ if eq $tp "string" }}
+ {{ tpl $v . | indent 6 | trim }}
+ {{ else }}
+ {{ toYaml $v | indent 6 | trim }}
+ {{ end }}
+ {{ end }}
+{{ end }}
+
 {{/*
 Sets extra ui service annotations
 */}}
diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index f873f61c9..3d3fd3678 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -35,8 +35,5 @@ webhooks:
 namespaceSelector:
 {{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
 {{ end }}
-{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }}
- objectSelector:
-{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}}
-{{ end }}
+{{- template "injector.objectSelector" . -}}
 {{ end }}
diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats
index ef9bf8321..0a8be0a3c 100755
--- a/test/unit/injector-mutating-webhook.bats
+++ b/test/unit/injector-mutating-webhook.bats
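Review bot: The comment on the new `injector.objectSelector` helper has a typo: `Set's the injector webhook objectSelector` should be `Sets the injector webhook objectSelector`, and the `{{ if $v }}`/`{{ end }}` actions without `-` trimming will likely leave stray blank lines in the rendered manifest (`{{- if $v }}` would avoid that). The helper now accepts either a string (rendered through `tpl`) or a map, whereas the `namespaceSelector` lines kept in injector-mutating-webhook.yaml still only `toYaml` a map, so the two selectors accept different value types; either route namespaceSelector through the same string-or-map logic or say in the values comments that only objectSelector may be given as a templated string.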
@@ -301,15 +301,15 @@ load _helpers
 [ "${actual}" = "true" ]
 }
-@test "injector/MutatingWebhookConfiguration: webhook.objectSelector empty by default" {
+@test "injector/MutatingWebhookConfiguration: webhook.objectSelector not empty by default" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/injector-mutating-webhook.yaml \
 --set 'injector.enabled=true' \
 --namespace foo \
 . | tee /dev/stderr |
- yq '.webhooks[0].objectSelector' | tee /dev/stderr)
- [ "${actual}" = "null" ]
+ yq -r '.webhooks[0].objectSelector.matchExpressions[0].key' | tee /dev/stderr)
+ [ "${actual}" = "app.kubernetes.io/name" ]
 }
 @test "injector/MutatingWebhookConfiguration: can set webhook.objectSelector" {
diff --git a/values.schema.json b/values.schema.json
index 87a02f803..ab0c602db 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -336,7 +336,10 @@
 ]
 },
 "objectSelector": {
- "type": "object"
+ "type": [
+ "object",
+ "string"
+ ]
 },
 "podDisruptionBudget": {
 "type": "object"
@@ -406,7 +409,10 @@
 "type": "object"
 },
 "objectSelector": {
- "type": "object"
+ "type": [
+ "object",
+ "string"
+ ]
 },
 "timeoutSeconds": {
 "type": "integer"
diff --git a/values.yaml b/values.yaml
index 88b2a503e..1d20e8113 100644
--- a/values.yaml
+++ b/values.yaml
@@ -91,7 +91,7 @@ injector:
 # Configures all Vault Agent sidecars to revoke their token when shutting down
 revokeOnShutdown: false
- webhook:
+ webhook:
 # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
 # API Version of the WebHook.
 # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
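Review bot: The renamed default-value test pins only `.matchExpressions[0].key`, so a default that changed the operator to `In` or dropped the injector name from `values` would still pass; asserting `.matchExpressions[0].operator` equals `NotIn` and `.matchExpressions[0].values[0]` equals the rendered `<release>-agent-injector` name would pin the exclusion this commit introduces.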
@@ -99,7 +99,7 @@ injector:
 # failurePolicy: Ignore
- # matchPolicy specifies the approach to accepting changes based on the rules of
+ # matchPolicy specifies the approach to accepting changes based on the rules of
 # the MutatingWebhookConfiguration.
 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
 # for more details.
@@ -113,7 +113,7 @@ injector:
 # for more details.
 # timeoutSeconds: 30
-
+
 # namespaceSelector is the selector for restricting the webhook to only
 # specific namespaces.
 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@@ -132,7 +132,12 @@ injector:
 # objectSelector:
 # matchLabels:
 # vault-sidecar-injector: enabled
- objectSelector: {}
+ objectSelector: |
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: NotIn
+ values:
+ - {{ template "vault.name" . }}-agent-injector
 # Extra annotations to attach to the webhook
 annotations: {}
From 45897a67fb48d8c809ea473ad5e1c0db35a5c23c Mon Sep 17 00:00:00 2001
From: Christopher Swenson
Date: Thu, 26 May 2022 09:13:32 -0700
Subject: [PATCH 042/108] Prepare for release 0.20.1 (#739)
Prepare for release 0.20.1
Improvements:
* `vault-k8s` updated to 0.16.1
CHANGES:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
Co-authored-by: Theron Voran
---
CHANGELOG.md | 8 +++++++-
Chart.yaml | 2 +-
values.openshift.yaml | 2 +-
values.yaml | 2 +-
4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad5912284..bf72ad84a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
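Review bot: The new default `objectSelector` excludes every pod whose `app.kubernetes.io/name` label equals `<vault.name>-agent-injector`, not just the injector Deployment, so any workload that sets that label value silently opts out of sidecar injection; the values comment should say so, e.g. `# By default the injector's own pods are excluded by label; any pod whose` / `# app.kubernetes.io/name label matches the injector name is skipped as well.` The exclusion also depends on the injector pods carrying exactly that label value, which is set in injector-deployment.yaml outside this diff — worth a cross-reference comment so the two cannot drift.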
@@ -1,9 +1,15 @@
 ## Unreleased
+## 0.20.1 (May 25th, 2022)
 CHANGES:
-* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
+* `vault-k8s` updated to 0.16.1
+
+Improvements:
 * Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
+Bugs:
+* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
+
 ## 0.20.0 (May 16th, 2022)
 CHANGES:
diff --git a/Chart.yaml b/Chart.yaml
index fc5527d10..63b01ff0e 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vault
-version: 0.20.0
+version: 0.20.1
 appVersion: 1.10.3
 kubeVersion: ">= 1.16.0-0"
 description: Official HashiCorp Vault Chart
diff --git a/values.openshift.yaml b/values.openshift.yaml
index e59bb8677..092e5ba43 100644
--- a/values.openshift.yaml
+++ b/values.openshift.yaml
@@ -6,7 +6,7 @@ global:
 injector:
 image:
 repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
- tag: "0.16.0-ubi"
+ tag: "0.16.1-ubi"
 agentImage:
 repository: "registry.connect.redhat.com/hashicorp/vault"
diff --git a/values.yaml b/values.yaml
index 1d20e8113..fc85695e6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -50,7 +50,7 @@ injector:
 # image sets the repo and tag of the vault-k8s image to use for the injector.
 image:
 repository: "hashicorp/vault-k8s"
- tag: "0.16.0"
+ tag: "0.16.1"
 pullPolicy: IfNotPresent
 # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
From 80560f5564e45b99d0c45b8db1427495957444f1 Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Wed, 1 Jun 2022 10:25:19 -0700
Subject: [PATCH 043/108] Mention minimum helm version in changelog (#742)
Also add a features section to 0.20.0
---
CHANGELOG.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bf72ad84a..1f525f2be 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,8 +19,10 @@ CHANGES:
 * CSI provider default image to 1.1.0
 * Vault K8s default image to 0.16.0
 * Earliest Kubernetes version tested is now 1.16
+* Helm 3.6+ now required
+
+Features:
 * Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
-* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
 Improvements:
 * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
@@ -29,6 +31,7 @@ Improvements:
 * Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
 * server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
 * server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
+* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
 ## 0.19.0 (January 20th, 2022)
From 48f4ab8aa48d76ef88fd9e60feb405ae999beabf Mon Sep 17 00:00:00 2001
From: Christopher Swenson
Date: Thu, 2 Jun 2022 09:07:45 -0700
Subject: [PATCH 044/108] Start testing against Kubernetes 1.24 (#744)
Start testing against Kubernetes 1.24 Update .github/workflows/acceptance.yaml Remove skip csi
Co-authored-by: Theron Voran
---
.github/workflows/acceptance.yaml | 8 ++------
CHANGELOG.md | 3 +++
Makefile | 2 +-
test/acceptance/csi.bats | 12 +----------
4 files changed, 7 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml
index 2261ea63a..2cb2843c8 100644
--- a/.github/workflows/acceptance.yaml
+++ b/.github/workflows/acceptance.yaml
@@ -11,7 +11,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4]
+ kind-k8s-version: [1.16.15, 1.20.15, 1.21.12, 1.22.9, 1.23.6, 1.24.1]
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
@@ -23,11 +23,7 @@ jobs:
 with:
 config: test/kind/config.yaml
 node_image: kindest/node:v${{ matrix.kind-k8s-version }}
-
- # Skip CSI tests if K8s version < 1.16.x
- - run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV
- - if: ${{ env.K8S_MINOR < 16 }}
- run: echo "SKIP_CSI=true" >> $GITHUB_ENV
+ version: v0.14.0
 - run: bats ./test/acceptance -t
 env:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1f525f2be..c17d588dd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
+CHANGES:
+* Start testing against Kubernetes 1.24
+
 ## 0.20.1 (May 25th, 2022)
 CHANGES:
 * `vault-k8s` updated to 0.16.1
diff --git a/Makefile b/Makefile
index 0ac685013..49799e919 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@ LOCAL_ACCEPTANCE_TESTS?=false
 KIND_CLUSTER_NAME?=vault-helm
 # kind k8s version
-KIND_K8S_VERSION?=v1.20.2
+KIND_K8S_VERSION?=v1.24.1
 # Generate json schema for chart values. See test/README.md for more details.
 values-schema:
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
index c7c6549e2..ea164f7dd 100644
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@@ -2,17 +2,9 @@ load _helpers
-check_skip_csi() {
- if [ ! -z ${SKIP_CSI} ]; then
- skip "Skipping CSI tests"
- fi
-}
-
 @test "csi: testing deployment" {
- check_skip_csi
- cd `chart_dir`
-
+ kubectl delete namespace acceptance --ignore-not-found=true
 kubectl create namespace acceptance
@@ -58,8 +50,6 @@ check_skip_csi() {
 # Clean up
 teardown() {
- check_skip_csi
-
 if [[ ${CLEANUP:-true} == "true" ]]
 then
 echo "helm/pvc teardown"
From d78a292f476e69fcde4319a81199a3baab96b91d Mon Sep 17 00:00:00 2001
From: Aleksey
Date: Thu, 2 Jun 2022 23:25:52 +0200
Subject: [PATCH 045/108] Update .helmignore (#732)
Review .helmignore file, ignore CI in chart
---
.helmignore | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/.helmignore b/.helmignore
index d1180d2fb..4007e2435 100644
--- a/.helmignore
+++ b/.helmignore
@@ -1,4 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
 .git/
+.gitignore
 .terraform/
-bin/
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+# CI and test
+.circleci/
+.github/
+.gitlab-ci.yml
 test/
From 44a07b8970dc4763686b844731a51a5e1270e3c4 Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Tue, 7 Jun 2022 10:16:37 +0100
Subject: [PATCH 046/108] Set VAULT_ADDR env var for CSI Provider pods (#745)
---
CHANGELOG.md | 6 ++++--
templates/_helpers.tpl | 2 +-
templates/csi-daemonset.yaml | 7 +++++++
templates/injector-deployment.yaml | 4 +++-
test/unit/csi-daemonset.bats | 29 +++++++++++++++++++++++++++++
test/unit/injector-deployment.bats | 27 +++++++++++++++++++++++++++
values.schema.json | 3 +++
values.yaml | 13 +++++++++++--
8 files changed, 85 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c17d588dd..6f953e1fd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
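Review bot: `bin/` is dropped from the ignore list without being mentioned in the commit message, so if the Makefile or local tooling produces a `bin/` directory it would now be packaged into the chart archive by `helm package`; unless the removal is deliberate, keep `bin/`, for example under the new `# CI and test` group. Everything else in the rewrite only adds patterns.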
@@ -1,11 +1,13 @@
 ## Unreleased
 CHANGES:
-* Start testing against Kubernetes 1.24
+* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
+* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
+* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
 ## 0.20.1 (May 25th, 2022)
 CHANGES:
-* `vault-k8s` updated to 0.16.1
+* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739)
 Improvements:
 * Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 8f3aa65ab..9dc0dcbee 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -122,7 +122,7 @@ template logic.
 */}}
 {{- define "vault.mode" -}}
 {{- template "vault.serverEnabled" . -}}
- {{- if .Values.injector.externalVaultAddr -}}
+ {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}
 {{- $_ := set . "mode" "external" -}}
 {{- else if not .serverEnabled -}}
 {{- $_ := set . "mode" "external" -}}
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
index 5c21752d6..fa72b3661 100644
--- a/templates/csi-daemonset.yaml
+++ b/templates/csi-daemonset.yaml
@@ -50,6 +50,13 @@ spec:
 {{- if .Values.csi.extraArgs }}
 {{- toYaml .Values.csi.extraArgs | nindent 12 }}
 {{- end }}
+ env:
+ - name: VAULT_ADDR
+ {{- if .Values.global.externalVaultAddr }}
+ value: "{{ .Values.global.externalVaultAddr }}"
+ {{- else }}
+ value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+ {{- end }}
 volumeMounts:
 - name: providervol
 mountPath: "/provider"
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index d46cefc5b..d65525b8b 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -60,7 +60,9 @@ spec:
 - name: AGENT_INJECT_LOG_LEVEL
 value: {{ .Values.injector.logLevel | default "info" }}
 - name: AGENT_INJECT_VAULT_ADDR
- {{- if .Values.injector.externalVaultAddr }}
+ {{- if .Values.global.externalVaultAddr }}
+ value: "{{ .Values.global.externalVaultAddr }}"
+ {{- else if .Values.injector.externalVaultAddr }}
 value: "{{ .Values.injector.externalVaultAddr }}"
 {{- else }}
 value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats
index 23b43cc1f..69e2673ca 100644
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
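Review bot: The CSI provider's new `VAULT_ADDR` honours only `global.externalVaultAddr`, so an install that still uses the deprecated `injector.externalVaultAddr` — which the `vault.mode` hunk above now treats as external mode — gets a CSI pod pointed at the in-cluster `{{ template "vault.fullname" . }}.<namespace>.svc` address that, in external mode, presumably is not deployed. The injector-deployment hunk that follows keeps an `{{- else if .Values.injector.externalVaultAddr }}` fallback; mirroring it here with `{{- else if .Values.injector.externalVaultAddr }}` / `value: "{{ .Values.injector.externalVaultAddr }}"` would keep upgrades of existing external-Vault installs working, and the `csi/daemonset: with only injector.externalVaultAddr` test in the next hunk, which currently pins the internal address, would need to change accordingly. If the asymmetry is intentional, the deprecation comment in values.yaml should say the deprecated key is ignored by the CSI provider.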
@@ -563,3 +563,32 @@ load _helpers
 yq -r '.timeoutSeconds' | tee /dev/stderr)
 [ "${actual}" = "14" ]
 }
+
+@test "csi/daemonset: with only injector.externalVaultAddr" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/csi-daemonset.yaml \
+ --set 'csi.enabled=true' \
+ --release-name not-external-test \
+ --set 'injector.externalVaultAddr=http://vault-outside' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local value=$(echo $object |
+ yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = "http://not-external-test-vault.default.svc:8200" ]
+}
+
+@test "csi/daemonset: with global.externalVaultAddr" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/csi-daemonset.yaml \
+ --set 'csi.enabled=true' \
+ --set 'global.externalVaultAddr=http://vault-outside' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local value=$(echo $object |
+ yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = "http://vault-outside" ]
+}
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 94d01cda7..fc276eeab 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -209,6 +209,33 @@ load _helpers [ "${value}" = "http://vault-outside" ] } +@test "injector/deployment: with global.externalVaultAddr" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'global.externalVaultAddr=http://vault-outside' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://vault-outside" ] +} + +@test "injector/deployment: global.externalVaultAddr takes precendence over injector.externalVaultAddr" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'global.externalVaultAddr=http://global-vault-outside' \ + --set 'injector.externalVaultAddr=http://injector-vault-outside' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "http://global-vault-outside" ] +} + @test "injector/deployment: without externalVaultAddr" { cd `chart_dir` local object=$(helm template \ diff --git a/values.schema.json b/values.schema.json index ab0c602db..ca4fdaa6c 100644 --- a/values.schema.json +++ b/values.schema.json @@ -185,6 +185,9 @@ }, "tlsDisable": { "type": "boolean" + }, + "externalVaultAddr": { + "type": "string" } } }, diff --git a/values.yaml b/values.yaml index fc85695e6..eb85183cb 100644 --- a/values.yaml +++ b/values.yaml 
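Review bot: The second new test's name is misspelled, `precendence`, and since bats reports and filters by test name the typo will follow into CI output; `@test "injector/deployment: global.externalVaultAddr takes precedence over injector.externalVaultAddr" {`. The precedence case is also only pinned for the injector; the CSI test file in this patch covers "only injector key" and "only global key" but not both set, so a matching `csi/daemonset` test would document that the deprecated key is ignored there even when the global one is present.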
@@ -4,15 +4,23 @@ global: # enabled is the master enabled switch. Setting this to true or false # will enable or disable all the components within this chart by default. enabled: true + # Image pull secret to use for registry authentication. # Alternatively, the value may be specified as an array of strings. imagePullSecrets: [] # imagePullSecrets: # - name: image-pull-secret + # TLS for end-to-end encrypted transport tlsDisable: true + + # External vault server address for the injector and CSI provider to use. + # Setting this will disable deployment of a vault server. + externalVaultAddr: "" + # If deploying to OpenShift openshift: false + # Create PodSecurityPolicy for pods psp: enable: false @@ -43,8 +51,7 @@ injector: metrics: enabled: false - # External vault server address for the injector to use. Setting this will - # disable deployment of a vault server along with the injector. + # Deprecated: Please use global.externalVaultAddr instead. externalVaultAddr: "" # image sets the repo and tag of the vault-k8s image to use for the injector. @@ -946,4 +953,6 @@ csi: debug: false # Pass arbitrary additional arguments to vault-csi-provider. + # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments + # for the available command line flags. extraArgs: [] From 6c14d9d656173e81301e5a4311584dbc5e0f5fb1 Mon Sep 17 00:00:00 2001 From: Bruno Padilha <1850071+brunopadz@users.noreply.github.com> Date: Mon, 11 Jul 2022 13:11:30 -0300 Subject: [PATCH 047/108] Support to add annotations in injector serviceaccount (#753) --- templates/_helpers.tpl | 15 +++++++++++++++ templates/injector-serviceaccount.yaml | 1 + test/unit/injector-serviceaccount.bats | 10 ++++++++++ values.schema.json | 11 +++++++++++ values.yaml | 5 +++++ 5 files changed, 42 insertions(+) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 9dc0dcbee..2e443441f 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
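Review bot: The deprecation comment on `injector.externalVaultAddr` does not say what happens when both keys are set, yet the injector template earlier in this patch makes `global.externalVaultAddr` win silently and the CSI provider reads only the global key, so a gradual migration can leave the two components pointed at different Vault servers with no warning. Suggest `# Deprecated: Please use global.externalVaultAddr instead. If both are set, global.externalVaultAddr takes precedence for the injector; the CSI provider only reads global.externalVaultAddr.` The new `global.externalVaultAddr` comment could likewise note that the value is used verbatim as the Vault address, so an `http://` URL means agent tokens and rendered secrets travel in cleartext and an `https://` address is the expected form outside of testing.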
@@ -470,6 +470,21 @@ Sets extra injector service annotations {{- end }} {{- end -}} +{{/* +Sets extra injector service account annotations +*/}} +{{- define "injector.serviceAccount.annotations" -}} + {{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets extra injector webhook annotations */}} diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index ebc57b56f..d1919b936 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -9,4 +9,5 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "injector.serviceAccount.annotations" . }} {{ end }} diff --git a/test/unit/injector-serviceaccount.bats b/test/unit/injector-serviceaccount.bats index 1055d906c..bf178a3ac 100755 --- a/test/unit/injector-serviceaccount.bats +++ b/test/unit/injector-serviceaccount.bats @@ -20,3 +20,13 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "injector/ServiceAccount: generic annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-serviceaccount.yaml \ + --set 'injector.serviceAccount.annotations=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/values.schema.json b/values.schema.json index ca4fdaa6c..3b364411f 100644 --- a/values.schema.json +++ b/values.schema.json 
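Review bot: `injector.serviceAccount.annotations` is dropped whenever `.mode` is `dev`, a gate copied from the neighbouring service-annotations helper but surprising for a ServiceAccount: the usual reason to annotate the injector's SA is a cloud workload-identity binding, and a dev-mode install would silently lose it with nothing in the rendered output to say why. The guard also assumes `.mode` has been populated (presumably by the `vault.mode` helper) before `injector-serviceaccount.yaml` invokes this helper; that template's opening lines are outside the hunk, so worth confirming, since comparing an unset `.mode` with `ne` can behave differently across Go template versions. If the dev-mode exclusion is intentional, state it on the values key, e.g. `# Extra annotations to attach to the injector serviceAccount (ignored in dev mode; may be a map or a template string rendered with tpl)`; otherwise `{{- if .Values.injector.serviceAccount.annotations }}` is the simpler guard.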
@@ -373,6 +373,17 @@ } } }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, "strategy": { "type": [ "object", diff --git a/values.yaml b/values.yaml index eb85183cb..468d64161 100644 --- a/values.yaml +++ b/values.yaml @@ -269,6 +269,11 @@ injector: # Extra annotations to attach to the injector service annotations: {} + # Injector serviceAccount specific config + serviceAccount: + # Extra annotations to attach to the injector serviceAccount + annotations: {} + # A disruption budget limits the number of pods of a replicated application # that are down simultaneously from voluntary disruptions podDisruptionBudget: {} From 324d68956ae70e00903a3dd6e22bc28e2992dbcb Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 18 Jul 2022 14:52:16 -0700 Subject: [PATCH 048/108] changelog++ (#757) --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f953e1fd..93e798f7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,9 @@ CHANGES: * Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) +Features: +* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) + ## 0.20.1 (May 25th, 2022) CHANGES: * `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739) From 999b0b7ec35e262c5a036ec85f1c147a0f44e643 Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Tue, 19 Jul 2022 09:26:50 -0700 Subject: [PATCH 049/108] jira-sync: transition to "Closed" not "Close" (#758) --- .github/workflows/jira.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index eb369f335..3cf2bcdaa 100644 --- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml @@ -62,7 +62,7 @@ jobs: uses: atlassian/gajira-transition@v2.0.1 with: issue: ${{ steps.search.outputs.issue }} - transition: Close + transition: Closed - name: Reopen ticket if: github.event.action == 'reopened' && steps.search.outputs.issue From 553af862eae94857654166be9b2b1482a1680b9f Mon Sep 17 00:00:00 2001 From: Jack Halford Date: Mon, 1 Aug 2022 22:16:51 +0200 Subject: [PATCH 050/108] Add support for nodePort for active and standby services (#610) --- templates/server-ha-active-service.yaml | 4 ++-- templates/server-ha-standby-service.yaml | 4 ++-- test/unit/server-ha-active-service.bats | 4 ++-- test/unit/server-ha-standby-service.bats | 4 ++-- values.yaml | 10 ++++++++++ 5 files changed, 18 insertions(+), 8 deletions(-) diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 90761a468..e15d40ab0 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -29,8 +29,8 @@ spec: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} - {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} - nodePort: {{ .Values.server.service.nodePort }} + {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.activeNodePort }} {{- end }} - name: https-internal port: 8201 
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 03260ffaf..e6d66af84 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -29,8 +29,8 @@ spec: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} - {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} - nodePort: {{ .Values.server.service.nodePort }} + {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.standbyNodePort }} {{- end }} - name: https-internal port: 8201 diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index 80e26dd4e..d74e74913 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats @@ -119,7 +119,7 @@ load _helpers --show-only templates/server-ha-active-service.yaml \ --set 'server.ha.enabled=true' \ --set 'server.service.type=NodePort' \ - --set 'server.service.nodePort=30009' \ + --set 'server.service.activeNodePort=30009' \ . | tee /dev/stderr | yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) [ "${actual}" = "30009" ] @@ -130,7 +130,7 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-active-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.nodePort=30009' \ + --set 'server.service.activeNodePort=30009' \ . | tee /dev/stderr | yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) [ "${actual}" = "null" ] diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index df0f9071e..045560ce9 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats 
@@ -130,7 +130,7 @@ load _helpers --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ --set 'server.service.type=NodePort' \ - --set 'server.service.nodePort=30009' \ + --set 'server.service.standbyNodePort=30009' \ . | tee /dev/stderr | yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) [ "${actual}" = "30009" ] @@ -141,7 +141,7 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.nodePort=30009' \ + --set 'server.service.standbyNodePort=30009' \ . | tee /dev/stderr | yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) [ "${actual}" = "null" ] diff --git a/values.yaml b/values.yaml index 468d64161..3b42bff44 100644 --- a/values.yaml +++ b/values.yaml @@ -601,6 +601,16 @@ server: # will be random if left blank. #nodePort: 30000 + # When HA mode is enabled + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #activeNodePort: 30001 + + # When HA mode is enabled + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #standbyNodePort: 30002 + # Port on which Vault server is listening port: 8200 # Target port to which the service should be mapped to From eb95ac5d2022c65f8f33eae75a6c56b3f5509ee1 Mon Sep 17 00:00:00 2001 
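Review bot: The new `activeNodePort`/`standbyNodePort` comments do not say that `server.service.nodePort` no longer applies to the HA active and standby services, which is the real behaviour change in this patch: both service templates now read only the new keys, so an existing HA NodePort install that set `server.service.nodePort` silently gets random node ports on upgrade. Suggest extending the existing `nodePort` comment with `# Does not apply to the HA active/standby services; set activeNodePort and standbyNodePort for those.` and recording the change under CHANGES in the CHANGELOG rather than only as a Feature. Presumably separate keys exist because three services cannot claim the same node port, so falling back to the old key would not be a safe alternative, but that reasoning belongs in the comment too.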
From: ChrisFraun Date: Tue, 2 Aug 2022 08:00:29 +0200 Subject: [PATCH 051/108] Feat/adding pod and container security context (#750) Allow the injector's pod- and container-level securityContext to be fully specified by the user, via new options `injector.securityContext.pod` and `injector.securityContext.container` with more complete defaults. Deprecates `injector.uid` and `injector.gid`. If `injector.uid` or `injector.gid` are set by the user, the old pod securityContext settings will be used. Otherwise the new defaults and settings are used. Co-authored-by: Theron Voran --- templates/_helpers.tpl | 25 +++++++ templates/injector-deployment.yaml | 8 +- test/unit/injector-deployment.bats | 116 +++++++++++++++++++++++++++++ values.yaml | 13 ++++ 4 files changed, 156 insertions(+), 6 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 2e443441f..23baf8882 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -470,6 +470,31 @@ Sets extra injector service annotations {{- end }} {{- end -}} +{{/* +securityContext for the injector pod level. +*/}} +{{- define "injector.securityContext.pod" -}} + {{- if or (.Values.injector.uid) (.Values.injector.gid) }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.injector.gid | default 1000 }} + runAsUser: {{ .Values.injector.uid | default 100 }} + {{- else if .Values.injector.securityContext.pod }} + securityContext: + {{- toYaml .Values.injector.securityContext.pod | nindent 8 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the injector container level. +*/}} +{{- define "injector.securityContext.container" -}} + {{- if .Values.injector.securityContext.container}} + securityContext: + {{- toYaml .Values.injector.securityContext.container | nindent 12 }} + {{- end }} +{{- end -}} + {{/* Sets extra injector service account annotations */}} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index d65525b8b..ccc5b922e 100644 
--- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -40,10 +40,7 @@ spec: serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.injector.hostNetwork }} - securityContext: - runAsNonRoot: true - runAsGroup: {{ .Values.injector.gid | default 1000 }} - runAsUser: {{ .Values.injector.uid | default 100 }} + {{ template "injector.securityContext.pod" . -}} {{- end }} containers: - name: sidecar-injector @@ -51,8 +48,7 @@ spec: image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" {{- if not .Values.global.openshift }} - securityContext: - allowPrivilegeEscalation: false + {{ template "injector.securityContext.container" . -}} {{- end }} env: - name: AGENT_INJECT_LISTEN diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index fc276eeab..477f78366 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
@@ -363,6 +363,122 @@ load _helpers [ "${value}" = "false" ] } +#-------------------------------------------------------------------- +# securityContext or pod and container + +# for backward compatibility +@test "injector/deployment: backward pod securityContext" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.uid=200' \ + --set 'injector.gid=4000' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext' | tee /dev/stderr) + + local value=$(echo $actual | yq -r .runAsUser | tee /dev/stderr) + [ "${value}" = "200" ] + + local value=$(echo $actual | yq -r .runAsGroup | tee /dev/stderr) + [ "${value}" = "4000" ] +} + +@test "injector/deployment: default pod securityContext" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext' | tee /dev/stderr) + [ "${actual}" != "null" ] + + local value=$(echo $actual | yq -r .fsGroup | tee /dev/stderr) + [ "${value}" = "1000" ] + + local value=$(echo $actual | yq -r .runAsGroup | tee /dev/stderr) + [ "${value}" = "1000" ] + + local value=$(echo $actual | yq -r .runAsNonRoot | tee /dev/stderr) + [ "${value}" = "true" ] + + local value=$(echo $actual | yq -r .runAsUser | tee /dev/stderr) + [ "${value}" = "100" ] +} + +@test "injector/deployment: custom pod securityContext" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.securityContext.pod.runAsNonRoot=true' \ + --set 'injector.securityContext.pod.runAsGroup=1001' \ + --set 'injector.securityContext.pod.runAsUser=1001' \ + --set 'injector.securityContext.pod.fsGroup=1000' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr) + [ "${actual}" = "1001" ] + + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.securityContext.pod.runAsNonRoot=false' \ + --set 'injector.securityContext.pod.runAsGroup=1000' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.runAsNonRoot' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.securityContext.pod.runAsUser=1001' \ + --set 'injector.securityContext.pod.fsGroup=1000' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr) + [ "${actual}" = "1001" ] + + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.securityContext.pod.runAsNonRoot=true' \ + --set 'injector.securityContext.pod.fsGroup=1001' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) + [ "${actual}" = "1001" ] +} + +@test "injector/deployment: default container securityContext sidecar-injector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext' | tee /dev/stderr) + [ "${actual}" != "null" ] + + local value=$(echo $actual | yq -r .allowPrivilegeEscalation | tee /dev/stderr) + [ "${value}" = "false" ] + + local value=$(echo $actual | yq -r .capabilities.drop[0] | tee /dev/stderr) + [ "${value}" = "ALL" ] +} + +@test "injector/deployment: custom container securityContext sidecar-injector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.securityContext.container.privileged=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext.privileged' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.securityContext.container.readOnlyRootFilesystem=false' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + #-------------------------------------------------------------------- # extraEnvironmentVars diff --git a/values.yaml b/values.yaml index 3b42bff44..3ae7fa85b 100644 --- a/values.yaml +++ b/values.yaml @@ -202,6 +202,19 @@ injector: certName: tls.crt keyName: tls.key + # Default pod and container security context for vault-injector + securityContext: + pod: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + container: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + resources: {} # resources: # requests: From 69317204549fc212fc08399a1169ad9da6e80112 Mon Sep 17 00:00:00 2001 
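Review bot: The new default `injector.securityContext.container` stops short of the Kubernetes restricted Pod Security Standard: it drops all capabilities and denies privilege escalation but sets no `seccompProfile`, so a namespace enforcing `restricted` (the chart is tested against 1.24 per the changelog in this patch, where the field is available) would reject the injector pod unless users add it themselves. Consider adding `seccompProfile:` / `  type: RuntimeDefault` to the pod default, and `readOnlyRootFilesystem: true` on the container default only if vault-k8s does not need to write to its filesystem at runtime, which I cannot confirm from this diff. Either addition changes the rendered defaults and should be called out under CHANGES in the CHANGELOG.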
From: Christopher Swenson Date: Tue, 2 Aug 2022 11:06:31 -0700 Subject: [PATCH 052/108] Changelog and schema update for active/standby node port (#761) * Changelog and schema update for active/standby node port Follow-up to https://github.com/hashicorp/vault-helm/pull/610 --- CHANGELOG.md | 1 + values.schema.json | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93e798f7d..2dbcf4dfb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ CHANGES: * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) Features: +* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) * Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) ## 0.20.1 (May 25th, 2022) diff --git a/values.schema.json b/values.schema.json index 3b364411f..27e3d7bc6 100644 --- a/values.schema.json +++ b/values.schema.json @@ -828,6 +828,15 @@ }, "targetPort": { "type": "integer" + }, + "nodePort": { + "type": "integer" + }, + "activeNodePort": { + "type": "integer" + }, + "standbyNodePort": { + "type": "integer" } } }, From 91b6c64f1fd8e23bb2fd1af6c897f6dd340a331e Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 3 Aug 2022 11:25:33 -0700 Subject: [PATCH 053/108] changelog++ and json schema update (#762) Changelog updates for #750, and json schema update. --- CHANGELOG.md | 2 ++ values.schema.json | 45 ++++++++++++++++++++++++++++++++++++--------- 2 files changed, 38 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2dbcf4dfb..3aea8800e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,10 +4,12 @@ CHANGES: * Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) * Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) +* Deprecated `injector.uid` and `injector.gid`. Replaced with `injector.securityContext.pod`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) Features: * Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) * Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) +* injector: Support setting both pod and container securityContext [GH-750](https://github.com/hashicorp/vault-helm/pull/750) ## 0.20.1 (May 25th, 2022) CHANGES: diff --git a/values.schema.json b/values.schema.json index 27e3d7bc6..96deb9a4f 100644 --- a/values.schema.json +++ b/values.schema.json @@ -36,9 +36,6 @@ } } }, - "priorityClassName": { - "type": "string" - }, "debug": { "type": "boolean" }, @@ -106,6 +103,9 @@ } } }, + "priorityClassName": { + "type": "string" + }, "readinessProbe": { "type": "object", "properties": { @@ -163,6 +163,9 @@ "enabled": { "type": "boolean" }, + "externalVaultAddr": { + "type": "string" + }, "imagePullSecrets": { "type": "array" }, @@ -185,9 +188,6 @@ }, "tlsDisable": { "type": "boolean" - }, - "externalVaultAddr": { - "type": "string" } } }, 
@@ -362,6 +362,17 @@ "revokeOnShutdown": { "type": "boolean" }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": "object" + }, + "pod": { + "type": "object" + } + } + }, "service": { "type": "object", "properties": { @@ -592,6 +603,12 @@ "string" ] }, + "clusterAddr": { + "type": [ + "null", + "string" + ] + }, "config": { "type": [ "string", @@ -802,6 +819,9 @@ }, "labels": { "type": "object" + }, + "tls": { + "type": "object" } } }, @@ -817,15 +837,15 @@ "enabled": { "type": "boolean" }, - "publishNotReadyAddresses": { - "type": "boolean" - }, "externalTrafficPolicy": { "type": "string" }, "port": { "type": "integer" }, + "publishNotReadyAddresses": { + "type": "boolean" + }, "targetPort": { "type": "integer" }, @@ -898,6 +918,13 @@ "string" ] }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, "updateStrategyType": { "type": "string" }, From 8bc160489ff9f327fffebe29280ee22bff31e43f Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Fri, 5 Aug 2022 19:12:21 -0400 Subject: [PATCH 054/108] Update jira sync (#768) --- .github/workflows/jira.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index 3cf2bcdaa..fc03b2188 100644 --- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml 
@@ -40,7 +40,7 @@ jobs: description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_" # customfield_10089 is Issue Link custom field # customfield_10091 is team custom field - extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "runtime"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}' + extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "foundations"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}' - name: Search if: github.event.action != 'opened' From 9efd98a30f9d13ff003b91dd445339f9d99c424a Mon Sep 17 00:00:00 2001 
From: Christopher Swenson Date: Mon, 8 Aug 2022 12:48:28 -0700 Subject: [PATCH 055/108] csi/server.statefulset: custom security context (#767) csi/server.statefulset: custom security context This adds flexibility to have custom pod template and container `securityContext` and preserves current default values and behavior. Fixes https://github.com/hashicorp/vault-helm/issues/663. This also is a way to address https://github.com/hashicorp/vault-helm/pull/599 so that people can specify, for example, the CSI to run in a privileged container for OpenShift. This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750 and builds on the same principles. Side note: I am not able to run `helm schema-gen` since it is unmaintained and does not work with M1 Macs. --- CHANGELOG.md | 5 +- templates/_helpers.tpl | 100 +++++++++++++++++++++++++++-- templates/csi-daemonset.yaml | 2 + templates/injector-deployment.yaml | 6 +- templates/server-statefulset.yaml | 13 +--- test/unit/csi-daemonset.bats | 56 ++++++++++++++++ test/unit/injector-deployment.bats | 45 ++++++++++++- test/unit/server-statefulset.bats | 61 ++++++++++++++++++ values.schema.json | 44 ++++++++++++- values.yaml | 46 +++++++++---- 10 files changed, 341 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3aea8800e..2060ec326 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,12 +4,13 @@ CHANGES: * Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) * Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) -* Deprecated `injector.uid` and `injector.gid`. Replaced with `injector.securityContext.pod`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) Features: +* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) * Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) -* injector: Support setting both pod and container securityContext [GH-750](https://github.com/hashicorp/vault-helm/pull/750) ## 0.20.1 (May 25th, 2022) CHANGES: diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 23baf8882..38973910a 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -474,14 +474,20 @@ Sets extra injector service annotations securityContext for the injector pod level. */}} {{- define "injector.securityContext.pod" -}} - {{- if or (.Values.injector.uid) (.Values.injector.gid) }} + {{- if .Values.injector.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} securityContext: runAsNonRoot: true runAsGroup: {{ .Values.injector.gid | default 1000 }} runAsUser: {{ .Values.injector.uid | default 100 }} - {{- else if .Values.injector.securityContext.pod }} - securityContext: - {{- toYaml .Values.injector.securityContext.pod | nindent 8 }} + fsGroup: {{ .Values.injector.gid | default 1000 }} {{- end }} {{- end -}} 
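Review bot: This reverses the precedence the previous commit documented: `injector.uid`/`injector.gid` now only seed the defaults and are ignored entirely once `injector.securityContext.pod` is set, whereas the prior commit made the legacy keys win. The CHANGELOG hunk at the top of this patch does not mention the reversal, and neither does the values.yaml comment on the deprecated keys, so an operator who set `injector.uid` and later adds a partial `securityContext.pod` may be surprised that their uid is gone. A one-line note on the deprecated keys, `# Deprecated: ignored when injector.securityContext.pod is set; otherwise used as the runAsUser/runAsGroup default`, would close that gap. The string branch renders user input through `tpl`, which is fine, but worth a test for the string form as well since only the map form is exercised in the visible tests.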
@@ -491,9 +497,60 @@ securityContext for the injector container level. {{- define "injector.securityContext.container" -}} {{- if .Values.injector.securityContext.container}} securityContext: - {{- toYaml .Values.injector.securityContext.container | nindent 12 }} + {{- $tp := typeOf .Values.injector.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL {{- end }} -{{- end -}} +{{- end -}} + +{{/* +securityContext for the statefulset pod template. +*/}} +{{- define "server.statefulSet.securityContext.pod" -}} + {{- if .Values.server.statefulSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.server.gid | default 1000 }} + runAsUser: {{ .Values.server.uid | default 100 }} + fsGroup: {{ .Values.server.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset vault container +*/}} +{{- define "server.statefulSet.securityContext.container" -}} + {{- if .Values.server.statefulSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.container . 
| nindent 12 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + {{- end }} +{{- end -}} + {{/* Sets extra injector service account annotations @@ -731,6 +788,37 @@ Sets extra CSI daemonset annotations {{- end }} {{- end -}} +{{/* +Sets CSI daemonset securityContext for pod template +*/}} +{{- define "csi.daemonSet.securityContext.pod" -}} + {{- if .Values.csi.daemonSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets CSI daemonset securityContext for container +*/}} +{{- define "csi.daemonSet.securityContext.container" -}} + {{- if .Values.csi.daemonSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }} + {{- end }} + {{- end }} +{{- end -}} + + {{/* Sets the injector toleration for pod placement */}} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index fa72b3661..d131aac5f 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -34,6 +34,7 @@ spec: {{- end -}} {{ template "csi.pod.annotations" . }} spec: + {{ template "csi.daemonSet.securityContext.pod" . }} {{- if .Values.csi.priorityClassName }} priorityClassName: {{ .Values.csi.priorityClassName }} {{- end }} 
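Review bot: The new `server.statefulSet.securityContext.container` default only sets `allowPrivilegeEscalation: false`, while the injector container default added in the same hunk also drops all capabilities, so the two hardened defaults diverge without any comment explaining why. If the difference is deliberate — the Vault image presumably relies on `CAP_IPC_LOCK` for mlock, so a blanket drop would need an explicit `add` — say so above the `else if`, e.g. `{{- /* capabilities are not dropped here: the vault binary presumably needs IPC_LOCK for mlock; use server.statefulSet.securityContext.container to tighten further */ -}}`. Otherwise consider `capabilities: {drop: [ALL], add: [IPC_LOCK]}` (confirm against the image's setcap first) so the server container is not the weakest of the three defaults. This hunk starts on the previous line.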
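Review bot: Unlike the injector and server helpers in the same file, `csi.daemonSet.securityContext.pod` and `.container` render nothing when unset, so the CSI provider DaemonSet ships with no `runAsNonRoot` and no `allowPrivilegeEscalation: false` by default (the new unit tests later in this patch assert exactly that `null`). If the provider genuinely needs root — presumably for its hostPath socket directory, which is not visible here — that constraint should be recorded in the helper comment so the missing default is not read as an oversight, e.g. `{{- /* No hardened default: the provider writes its socket into a hostPath dir (presumably root-owned); set csi.daemonSet.securityContext to tighten */ -}}`. Otherwise the container helper could carry the same `{{- else if not .Values.global.openshift }}` / `securityContext:` / `allowPrivilegeEscalation: false` fallback as the server helper above.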
@@ -42,6 +43,7 @@ spec:
 containers:
 - name: {{ include "vault.name" . }}-csi-provider
 {{ template "csi.resources" . }}
+ {{ template "csi.daemonSet.securityContext.container" . }}
 image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
 imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
 args:
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index ccc5b922e..f0605599e 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -38,18 +38,16 @@ spec:
 priorityClassName: {{ .Values.injector.priorityClassName }}
 {{- end }}
 serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
+ {{ template "injector.securityContext.pod" . -}}
 {{- if not .Values.global.openshift }}
 hostNetwork: {{ .Values.injector.hostNetwork }}
- {{ template "injector.securityContext.pod" . -}}
 {{- end }}
 containers:
 - name: sidecar-injector
 {{ template "injector.resources" . }}
 image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
 imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
- {{- if not .Values.global.openshift }}
- {{ template "injector.securityContext.container" . -}}
- {{- end }}
+ {{- template "injector.securityContext.container" . }}
 env:
 - name: AGENT_INJECT_LISTEN
 value: {{ printf ":%v" .Values.injector.port }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 518a19336..afc48d695 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -48,13 +48,7 @@ spec:
 {{ if .Values.server.shareProcessNamespace }}
 shareProcessNamespace: true
 {{ end }}
- {{- if not .Values.global.openshift }}
- securityContext:
- runAsNonRoot: true
- runAsGroup: {{ .Values.server.gid | default 1000 }}
- runAsUser: {{ .Values.server.uid | default 100 }}
- fsGroup: {{ .Values.server.gid | default 1000 }}
- {{- end }}
+ {{- template "server.statefulSet.securityContext.pod" . }}
 volumes:
 {{ template "vault.volumes" . }}
 - name: home
@@ -72,10 +66,7 @@ spec:
 - "/bin/sh"
 - "-ec"
 args: {{ template "vault.args" . }}
- {{- if not .Values.global.openshift }}
- securityContext:
- allowPrivilegeEscalation: false
- {{- end }}
+ {{- template "server.statefulSet.securityContext.container" . }}
 env:
 - name: HOST_IP
 valueFrom:
diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats
index 69e2673ca..0da308b67 100644
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
@@ -592,3 +592,59 @@ load _helpers yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) [ "${value}" = "http://vault-outside" ] } + +#-------------------------------------------------------------------- +# securityContext + +@test "csi/daemonset: default csi.daemonSet.securityContext.pod" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: default csi.daemonSet.securityContext.container" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "csi/daemonset: specify csi.daemonSet.securityContext.pod yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.securityContext.pod.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.daemonSet.securityContext.container yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.securityContext.container.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.daemonSet.securityContext.container yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.securityContext.container=foo: bar' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 477f78366..9d2271c46 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -364,7 +364,7 @@ load _helpers } #-------------------------------------------------------------------- -# securityContext or pod and container +# securityContext for pod and container # for backward compatibility @test "injector/deployment: backward pod securityContext" { 
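Review bot: The new CSI tests only prove pass-through of an arbitrary `foo: bar` key; none asserts that a string value is actually rendered through `tpl`, which is the one behaviour the helper adds beyond `toYaml`, and the "yaml string" case is missing entirely for `securityContext.pod`. A test that supplies (via a values file or `--set-string`) `csi.daemonSet.securityContext.container` as `runAsUser: {{ .Values.server.uid | default 100 }}` and expects `100` from `.spec.template.spec.containers[0].securityContext.runAsUser` would pin the templating path. This hunk starts on the previous line.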
@@ -445,6 +445,49 @@ load _helpers [ "${actual}" = "1001" ] } +@test "injector/deployment: custom pod securityContext from string" { + cd `chart_dir` + local multi=$(cat < Date: Wed, 10 Aug 2022 14:54:49 -0700 Subject: [PATCH 056/108] Prepare for 0.21.0 release (#771) Prepare for 0.21.0 release CHANGES: * `vault-k8s` updated to 0.17.0. (this) * `vault-csi-provider` updated to 1.2.0 (this) * `vault` updated to 1.11.2 (this) * Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) * Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) Features: * server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. 
[GH-610](https://github.com/hashicorp/vault-helm/pull/610) * Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) --- CHANGELOG.md | 5 +++++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 8 ++++---- 6 files changed, 18 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2060ec326..45d7168d5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ ## Unreleased +## 0.21.0 (August 10th, 2022) + CHANGES: +* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) * Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) * Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) diff --git a/Chart.yaml b/Chart.yaml index 63b01ff0e..d19e390ff 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.20.1 -appVersion: 1.10.3 +version: 0.21.0 +appVersion: 1.11.2 kubeVersion: ">= 1.16.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 5cc1a9b06..05bb646d5 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.10.3-ent' \ + --set='server.image.tag=1.11.2-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.10.3-ent' \ + --set='server.image.tag=1.11.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 6deec78f9..1d92909f0 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.10.3-ent' \ + --set='server.image.tag=1.11.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.10.3-ent' \ + --set='server.image.tag=1.11.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index 092e5ba43..a1c48f02f 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.16.1-ubi" + tag: "0.17.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.10.3-ubi" + tag: "1.11.2-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.10.3-ubi" + tag: "1.11.2-ubi" diff --git a/values.yaml b/values.yaml index 1477a4518..66b5723d9 100644 --- a/values.yaml +++ b/values.yaml @@ -57,7 +57,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.16.1" + tag: "0.17.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -65,7 +65,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.10.3" + tag: "1.11.2" # The default values for the injected Vault Agent containers. agentDefaults: @@ -327,7 +327,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.10.3" + tag: "1.11.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -897,7 +897,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.1.0" + tag: "1.2.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From 9fa4c6c3222a5783579bc1af383b4ade527e71a6 Mon Sep 17 00:00:00 2001 From: Alex Khaerov Date: Wed, 17 Aug 2022 03:39:59 +0800 Subject: [PATCH 057/108] DOC: Minor typos fixes (#669) Co-authored-by: Tom Proctor --- values.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/values.yaml b/values.yaml index 66b5723d9..190fe1f87 100644 --- a/values.yaml +++ b/values.yaml 
@@ -101,7 +101,7 @@ injector: webhook: # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # To block pod creation while the webhook is unavailable, set the policy to `Fail` below. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy # failurePolicy: Ignore @@ -192,7 +192,7 @@ injector: # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA # that signed the TLS certificate that the webhook serves. This must be set - # if secretName is non-null, unless an external service like cert-manager is + # if secretName is non-null unless an external service like cert-manager is # keeping the caBundle updated. caBundle: "" @@ -232,7 +232,7 @@ injector: # KUBERNETES_SERVICE_HOST: kubernetes.default.svc # Affinity Settings for injector pods - # This can either be multi-line string or YAML matching the PodSpec's affinity field. + # This can either be a multi-line string or YAML matching the PodSpec's affinity field. # Commenting out or setting as empty the affinity variable, will allow # deployment of multiple replicas to single node services such as Minikube. affinity: | @@ -442,7 +442,7 @@ server: extraContainers: null # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers - # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation + # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation shareProcessNamespace: false # extraArgs is a string containing additional Vault server arguments. 
@@ -592,10 +592,10 @@ server: service: enabled: true # clusterIP controls whether a Cluster IP address is attached to the - # Vault service within Kubernetes. By default the Vault service will + # Vault service within Kubernetes. By default, the Vault service will # be given a Cluster IP address, set to None to disable. When disabled # Kubernetes will create a "headless" service. Headless services can be - # used to communicate with pods directly through DNS instead of a round robin + # used to communicate with pods directly through DNS instead of a round-robin # load balancer. # clusterIP: None @@ -653,7 +653,7 @@ server: annotations: {} # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized and unsealed, Vault must + # logs. Once Vault is deployed, initialized, and unsealed, Vault must # be configured to use this for audit logs. This will be mounted to # /vault/audit # See https://www.vaultproject.io/docs/audit/index.html to know more @@ -720,7 +720,7 @@ server: # crypto_key = "vault-helm-unseal-key" #} - # Run Vault in "HA" mode. There are no storage requirements unless audit log + # Run Vault in "HA" mode. There are no storage requirements unless the audit log # persistence is required. In HA mode Vault will configure itself to use Consul # for its storage backend. The default configuration provided will work the Consul # Helm project by default. It is possible to manually configure Vault to use a From 85562b47c475eddfd568d72e033aa074f8e77e43 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Fri, 26 Aug 2022 10:05:44 -0700 Subject: [PATCH 058/108] update values comments for server.securityContext (#778) Since container is empty for openshift. --- values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/values.yaml b/values.yaml index 190fe1f87..8cde5e458 100644 --- a/values.yaml +++ b/values.yaml 
@@ -839,12 +839,12 @@ server: # runAsGroup: {{ .Values.server.gid | default 1000 }} # runAsUser: {{ .Values.server.uid | default 100 }} # fsGroup: {{ .Values.server.gid | default 1000 }} - # container: {} + # container: + # allowPrivilegeEscalation: false # # If not set, these will default to, and for OpenShift: # pod: {} - # container: - # allowPrivilegeEscalation: false + # container: {} securityContext: pod: {} container: {} From 8a6872e36d981a26256102ff089a0acd2fae7e13 Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Thu, 1 Sep 2022 12:39:38 -0600 Subject: [PATCH 059/108] CI: run acceptance tests on push to any (#781) --- .github/workflows/acceptance.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 2cb2843c8..d4768b4b9 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -1,10 +1,6 @@ name: Acceptance Tests -on: - push: - branches: - - main - workflow_dispatch: {} +on: [push, workflow_dispatch] jobs: kind: From 04074311f71fd3a9b39f983553b693363f4a4f22 Mon Sep 17 00:00:00 2001 
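Review bot: `on: [push, workflow_dispatch]` runs the full kind-based acceptance suite for every push to every branch and tag with no `paths` filter, and the same job exports `secrets.VAULT_LICENSE_CI` into its environment (visible in the next hunk), so docs-only or changelog pushes now consume a license-bearing cluster run. Pushes require write access, so this is not a secret-exposure problem in itself, but a `paths-ignore: ['**.md']` filter, or keeping `branches: [main]` and relying on `workflow_dispatch` for feature branches, would limit both cost and the number of runs that hold the license.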
From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Thu, 1 Sep 2022 13:07:49 -0600 Subject: [PATCH 060/108] Add support for the Prometheus Operator (#772) support collecting Vault server metrics by deploying PrometheusOperator CustomResources. Co-authored-by: Sam Weston Co-authored-by: Theron Voran --- .github/workflows/acceptance.yaml | 2 +- .github/workflows/tests.yaml | 4 +- CHANGELOG.md | 2 + Makefile | 2 +- templates/prometheus-prometheusrules.yaml | 26 +++++ templates/prometheus-servicemonitor.yaml | 44 ++++++++ templates/server-ha-active-service.yaml | 1 + templates/server-headless-service.yaml | 1 + test/acceptance/server-telemetry.bats | 90 +++++++++++++++ test/acceptance/server-test/telemetry.yaml | 28 +++++ test/unit/prometheus-prometheusrules.bats | 68 +++++++++++ test/unit/prometheus-servicemonitor.bats | 125 +++++++++++++++++++++ values.yaml | 109 ++++++++++++++++++ 13 files changed, 498 insertions(+), 4 deletions(-) create mode 100644 templates/prometheus-prometheusrules.yaml create mode 100644 templates/prometheus-servicemonitor.yaml create mode 100644 test/acceptance/server-telemetry.bats create mode 100644 test/acceptance/server-test/telemetry.yaml create mode 100755 test/unit/prometheus-prometheusrules.bats create mode 100755 test/unit/prometheus-servicemonitor.bats diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index d4768b4b9..da644d169 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -21,6 +21,6 @@ jobs: node_image: kindest/node:v${{ matrix.kind-k8s-version }} version: v0.14.0 - - run: bats ./test/acceptance -t + - run: bats --tap --timing ./test/acceptance env: VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 0aba6ee30..53a1f039e 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
@@ -8,7 +8,7 @@ jobs: steps: - uses: actions/checkout@v2 - uses: ./.github/workflows/setup-test-tools - - run: bats ./test/unit -t + - run: bats --tap --timing ./test/unit chart-verifier: runs-on: ubuntu-latest @@ -22,4 +22,4 @@ jobs: with: go-version: '1.17.4' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - - run: bats ./test/chart -t + - run: bats --tap --timing ./test/chart diff --git a/CHANGELOG.md b/CHANGELOG.md index 45d7168d5..c8954f081 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,6 @@ ## Unreleased +Features: +* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772) ## 0.21.0 (August 10th, 2022) diff --git a/Makefile b/Makefile index 49799e919..2dbf6a7a8 100644 --- a/Makefile +++ b/Makefile @@ -71,7 +71,7 @@ acceptance: ifneq ($(LOCAL_ACCEPTANCE_TESTS),true) gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} endif - bats test/${ACCEPTANCE_TESTS} + bats --tap --timing test/${ACCEPTANCE_TESTS} # this target is for provisioning the GKE cluster # it is run in the docker container above when the test-provision target is invoked diff --git a/templates/prometheus-prometheusrules.yaml b/templates/prometheus-prometheusrules.yaml new file mode 100644 index 000000000..572f1a05a --- /dev/null +++ b/templates/prometheus-prometheusrules.yaml 
@@ -0,0 +1,26 @@
+{{ if and (.Values.serverTelemetry.prometheusRules.rules)
+ (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) )
+}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ template "vault.fullname" . }}
+ labels:
+ helm.sh/chart: {{ include "vault.chart" . }}
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
+ {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }}
+ {{- if $selectors }}
+ {{- toYaml $selectors | nindent 4 }}
+ {{- else }}
+ release: prometheus
+ {{- end }}
+spec:
+ groups:
+ - name: {{ include "vault.fullname" . }}
+ rules:
+ {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
+{{- end }}
diff --git a/templates/prometheus-servicemonitor.yaml b/templates/prometheus-servicemonitor.yaml
new file mode 100644
index 000000000..323e51fb9
--- /dev/null
+++ b/templates/prometheus-servicemonitor.yaml
@@ -0,0 +1,44 @@
+{{ template "vault.mode" . }}
+{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "vault.fullname" . }}
+ labels:
+ helm.sh/chart: {{ include "vault.chart" . }}
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
+ {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }}
+ {{- if $selectors }}
+ {{- toYaml $selectors | nindent 4 }}
+ {{- else }}
+ release: prometheus
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if eq .mode "ha" }}
+ vault-active: "true"
+ {{- else }}
+ vault-internal: "true"
+ {{- end }}
+ endpoints:
+ - port: {{ include "vault.scheme" . }}
+ interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
+ scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
+ scheme: {{ include "vault.scheme" . | lower }}
+ path: /v1/sys/metrics
+ params:
+ format:
+ - prometheus
+ tlsConfig:
+ insecureSkipVerify: true
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{ end }}
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml
index e15d40ab0..ef212376d 100644
--- a/templates/server-ha-active-service.yaml
+++ b/templates/server-ha-active-service.yaml
@@ -14,6 +14,7 @@ metadata:
 app.kubernetes.io/name: {{ include "vault.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+ vault-active: "true"
 annotations:
 {{ template "vault.service.annotations" .}}
 spec:
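Review bot: `tlsConfig.insecureSkipVerify: true` is hard-coded, so every TLS scrape of `/v1/sys/metrics` skips certificate verification with no way for an operator to turn it off, and the endpoint carries no `bearerTokenSecret`/`authorization`, which means the scrape can only succeed with `unauthenticated_metrics_access = "true"` on the listener (as the acceptance fixture later in this patch does) — i.e. metrics become readable by anyone who can reach the listener. Both may be acceptable defaults, but they should be configurable and documented: render the block from values, e.g. `tlsConfig:` followed by `{{- toYaml .Values.serverTelemetry.serviceMonitor.tlsConfig | nindent 6 }}` with today's behaviour as the documented default, and add a values comment stating that Vault must either permit unauthenticated metrics access or the ServiceMonitor must be given credentials. Whether the values.yaml additions in this patch already spell out that prerequisite is not visible here.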
diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml
index fffaaacbb..b03f491e3 100644
--- a/templates/server-headless-service.yaml
+++ b/templates/server-headless-service.yaml
@@ -13,6 +13,7 @@ metadata:
 app.kubernetes.io/name: {{ include "vault.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+ vault-internal: "true"
 annotations:
 {{ template "vault.service.annotations" .}}
 spec:
diff --git a/test/acceptance/server-telemetry.bats b/test/acceptance/server-telemetry.bats
new file mode 100644
index 000000000..a7c4e0dd7
--- /dev/null
+++ b/test/acceptance/server-telemetry.bats
@@ -0,0 +1,90 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/telemetry: prometheusOperator" { + cd `chart_dir` + helm --namespace acceptance uninstall $(name_prefix) || : + helm --namespace acceptance uninstall prometheus || : + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + kubectl config set-context --current --namespace=acceptance + + helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + helm repo update + helm install \ + --wait \ + --version 39.6.0 \ + prometheus prometheus-community/kube-prometheus-stack + + helm install \ + --wait \ + --values ./test/acceptance/server-test/telemetry.yaml \ + "$(name_prefix)" . + + wait_for_running $(name_prefix)-0 + + # Sealed, not initialized + wait_for_sealed_vault $(name_prefix)-0 + + # Vault Init + local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ + vault operator init -format=json -n 1 -t 1 | \ + jq -r '.unseal_keys_b64[0]') + [ "${token}" != "" ] + + # Vault Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + for pod in "${pods[@]}" + do + kubectl exec -ti ${pod} -- vault operator unseal ${token} + done + + wait_for_ready "$(name_prefix)-0" + + # Unsealed, initialized + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "false" ] + + local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "true" ] + + # unfortunately it can take up to 2 minutes for the vault prometheus job to appear + # TODO: investigate how reduce this. 
+ local job_labels + local tries=0 + until [ $tries -ge 240 ] + do + job_labels=$( (kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \ + -c prometheus \ + -- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr ) + + # Ensure the expected job label was picked up by Prometheus + [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "vault-internal")')" = "true" ] && break + + ((++tries)) + sleep .5 + done + + + # Ensure the expected job is "up" + local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \ + -c prometheus \ + -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="vault-internal"}' ) | \ + tee /dev/stderr ) + [ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ] +} + +# Clean up +teardown() { + if [[ ${CLEANUP:-true} == "true" ]] + then + echo "helm/pvc teardown" + helm uninstall $(name_prefix) + helm uninstall prometheus + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi +} diff --git a/test/acceptance/server-test/telemetry.yaml b/test/acceptance/server-test/telemetry.yaml new file mode 100644 index 000000000..2925bc8f7 --- /dev/null +++ b/test/acceptance/server-test/telemetry.yaml @@ -0,0 +1,28 @@ +server: + standalone: + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + telemetry { + unauthenticated_metrics_access = "true" + } + } + + storage "file" { + path = "/vault/data" + } + + telemetry { + prometheus_retention_time = "30s", + disable_hostname = true + } + +serverTelemetry: + serviceMonitor: + enabled: true + interval: 15s diff --git a/test/unit/prometheus-prometheusrules.bats b/test/unit/prometheus-prometheusrules.bats new file mode 100755 index 000000000..87736cfcb --- /dev/null +++ b/test/unit/prometheus-prometheusrules.bats 
@@ -0,0 +1,68 @@ +#!/usr/bin/env bats + +load _helpers + +@test "prometheus/PrometheusRules-server: assertDisabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-prometheusrules.yaml \ + --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "prometheus/PrometheusRules-server: assertDisabled with rules-defined=false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-prometheusrules.yaml \ + --set 'serverTelemetry.prometheusRules.enabled=true' \ + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "prometheus/PrometheusRules-server: assertEnabled with rules-defined=true" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-prometheusrules.yaml \ + --set 'serverTelemetry.prometheusRules.enabled=true' \ + --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules.baz=qux' \ + .) | tee /dev/stderr ) + + [ "$(echo "$output" | yq -r '.spec.groups | length')" = "1" ] + [ "$(echo "$output" | yq -r '.spec.groups[0] | length')" = "2" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-vault" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules | length')" = "2" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules.foo')" = "bar" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules.baz')" = "qux" ] +} + +@test "prometheus/PrometheusRules-server: assertSelectors default" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-prometheusrules.yaml \ + --set 'serverTelemetry.prometheusRules.enabled=true' \ + --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + . 
) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "5" ] + [ "$(echo "$output" | yq -r '.metadata.labels.release')" = "prometheus" ] +} + +@test "prometheus/PrometheusRules-server: assertSelectors overrides" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-prometheusrules.yaml \ + --set 'serverTelemetry.prometheusRules.enabled=true' \ + --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.selectors.baz=qux' \ + --set 'serverTelemetry.prometheusRules.selectors.bar=foo' \ + . ) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "6" ] + [ "$(echo "$output" | yq -r '.metadata.labels | has("app")')" = "false" ] + [ "$(echo "$output" | yq -r '.metadata.labels | has("kube-prometheus-stack")')" = "false" ] + [ "$(echo "$output" | yq -r '.metadata.labels.baz')" = "qux" ] + [ "$(echo "$output" | yq -r '.metadata.labels.bar')" = "foo" ] +} diff --git a/test/unit/prometheus-servicemonitor.bats b/test/unit/prometheus-servicemonitor.bats new file mode 100755 index 000000000..5d92c89d2 --- /dev/null +++ b/test/unit/prometheus-servicemonitor.bats 
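Review bot: The `assertEnabled with rules-defined=true` test sets `serverTelemetry.prometheusRules.rules` as a mapping (`rules.foo=bar`, `rules.baz=qux`) and asserts `.spec.groups[0].rules.foo`, but a PrometheusRule group's `rules` field is an array, as the commented `- alert: ...` example added to values.yaml in this commit shows. `helm template` does not validate against the CRD, so the test passes while rendering a manifest the operator would reject; use `--set 'serverTelemetry.prometheusRules.rules[0].alert=foo'` and assert `.spec.groups[0].rules[0].alert` instead. The default `rules: {}` in the `serverTelemetry` hunk of values.yaml has the same shape mismatch and should be `rules: []`.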
@@ -0,0 +1,125 @@ +#!/usr/bin/env bats + +load _helpers + +@test "prometheus/ServiceMonitor-server: assertDisabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "prometheus/ServiceMonitor-server: assertEnabled global" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=false' \ + --set 'global.serverTelemetry.prometheusOperator=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "prometheus/ServiceMonitor-server: assertEnabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "prometheus/ServiceMonitor-server: assertScrapeTimeout default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . ) | tee /dev/stderr | + yq -r '.spec.endpoints[0].scrapeTimeout' | tee /dev/stderr) + [ "${actual}" = "10s" ] +} + +@test "prometheus/ServiceMonitor-server: assertScrapeTimeout update" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + --set 'serverTelemetry.serviceMonitor.scrapeTimeout=60s' \ + . 
) | tee /dev/stderr | + yq -r '.spec.endpoints[0].scrapeTimeout' | tee /dev/stderr) + [ "${actual}" = "60s" ] +} + +@test "prometheus/ServiceMonitor-server: assertInterval default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . ) | tee /dev/stderr | + yq -r '.spec.endpoints[0].interval' | tee /dev/stderr) + [ "${actual}" = "30s" ] +} + +@test "prometheus/ServiceMonitor-server: assertInterval update" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + --set 'serverTelemetry.serviceMonitor.interval=60s' \ + . ) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.spec.endpoints[0].interval')" = "60s" ] +} + +@test "prometheus/ServiceMonitor-server: assertSelectors default" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . ) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "5" ] + [ "$(echo "$output" | yq -r '.metadata.labels.release')" = "prometheus" ] +} + +@test "prometheus/ServiceMonitor-server: assertSelectors override" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + --set 'serverTelemetry.serviceMonitor.selectors.baz=qux' \ + --set 'serverTelemetry.serviceMonitor.selectors.bar=foo' \ + . 
) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "6" ] + [ "$(echo "$output" | yq -r '.metadata.labels | has("app")')" = "false" ] + [ "$(echo "$output" | yq -r '.metadata.labels.baz')" = "qux" ] + [ "$(echo "$output" | yq -r '.metadata.labels.bar')" = "foo" ] +} + +@test "prometheus/ServiceMonitor-server: assertEndpoints noTLS" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'global.tlsDisable=true' \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . ) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ] + [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "http" ] +} + +@test "prometheus/ServiceMonitor-server: assertEndpoints TLS" { + cd `chart_dir` + local output=$( (helm template \ + --show-only templates/prometheus-servicemonitor.yaml \ + --set 'global.tlsDisable=false' \ + --set 'serverTelemetry.serviceMonitor.enabled=true' \ + . ) | tee /dev/stderr) + + [ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ] + [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "https" ] +} diff --git a/values.yaml b/values.yaml index 8cde5e458..da3fff3cd 100644 --- a/values.yaml +++ b/values.yaml @@ -32,6 +32,11 @@ global: seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + serverTelemetry: + # Enable integration with the Prometheus Operator + # See the top level serverTelemetry section below before enabling this feature. + prometheusOperator: false + injector: # True if you want to enable vault agent injection. # @default: global.enabled 
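Review bot: The `assertEndpoints TLS` test only checks that the endpoint `port` becomes `https` when `global.tlsDisable=false`; it does not cover whether the endpoint also carries the `scheme`/`tlsConfig` Prometheus needs to scrape an HTTPS port. If the template emits those (it is outside this hunk), assert them too, e.g. `[ "$(echo "$output" | yq -r '.spec.endpoints[0].scheme')" = "https" ]`; if it does not, that is the gap to close rather than the test. The `noTLS` case should likewise pin `.spec.endpoints[0].scheme` so a regression in either direction is caught.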
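Review bot: The comment on `global.serverTelemetry.prometheusOperator` does not say how it interacts with `serverTelemetry.serviceMonitor.enabled`; the `assertEnabled global` unit test in this commit shows the ServiceMonitor is rendered when the global flag is `true` even with `serviceMonitor.enabled=false`. Suggest adding `# When true, the server ServiceMonitor is rendered regardless of serverTelemetry.serviceMonitor.enabled.` under the existing comment so operators know the global switch wins.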
@@ -705,6 +710,10 @@ server: tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} } storage "file" { path = "/vault/data" @@ -720,6 +729,12 @@ server: # crypto_key = "vault-helm-unseal-key" #} + # Example configuration for enabling Prometheus metrics in your config. + #telemetry { + # prometheus_retention_time = "30s", + # disable_hostname = true + #} + # Run Vault in "HA" mode. There are no storage requirements unless the audit log # persistence is required. In HA mode Vault will configure itself to use Consul # for its storage backend. The default configuration provided will work the Consul @@ -761,6 +776,10 @@ server: tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} } storage "raft" { @@ -802,6 +821,14 @@ server: # crypto_key = "vault-helm-unseal-key" #} + # Example configuration for enabling Prometheus metrics. + # If you are using Prometheus Operator you can enable a ServiceMonitor resource below. + # You may wish to enable unauthenticated metrics in the listener block above. + #telemetry { + # prometheus_retention_time = "30s", + # disable_hostname = true + #} + # A disruption budget limits the number of pods of a replicated application # that are down simultaneously from voluntary disruptions disruptionBudget: 
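Review bot: The commented `telemetry { unauthenticated_metrics_access = "true" }` example in the standalone listener, and the identical one in the raft listener hunk at `@@ -761,6 +776,10 @@`, says it is needed for Prometheus Operator but not what it grants. Suggest extending the comment to `# Allows unauthenticated reads of the metrics endpoint on this listener; restrict who can reach it (e.g. with a NetworkPolicy) before enabling.` so the trade-off is visible where the setting is copied from. The same wording can be reused in the `serverTelemetry` section's comment at the bottom of values.yaml, which repeats the snippet.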
@@ -1008,3 +1035,85 @@ csi: # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments # for the available command line flags. extraArgs: [] + +# Vault is able to collect and publish various runtime metrics. +# Enabling this feature requires setting adding `telemetry{}` stanza to +# the Vault configuration. There are a few examples included in the `config` sections above. +# +# For more information see: +# https://www.vaultproject.io/docs/configuration/telemetry +# https://www.vaultproject.io/docs/internals/telemetry +serverTelemetry: + # Enable support for the Prometheus Operator. Currently, this chart does not support + # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included + # in the `listener "tcp"{}` stanza + # telemetry { + # unauthenticated_metrics_access = "true" + # } + # + # See the `standalone.config` for a more complete example of this. + # + # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration: + # + # example: + # telemetry { + # prometheus_retention_time = "30s", + # disable_hostname = true + # } + # + # Configuration for monitoring the Vault server. + serviceMonitor: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + # + # Instructions on how to install the Helm chart can be found here: + # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack + # More information can be found here: + # https://github.com/prometheus-operator/prometheus-operator + # https://github.com/prometheus-operator/kube-prometheus + + # Enable deployment of the Vault Server ServiceMonitor CustomResource. + enabled: false + + # Selector labels to add to the ServiceMonitor. 
+ # When empty, defaults to: + # release: prometheus + selectors: {} + + # Interval at which Prometheus scrapes metrics + interval: 30s + + # Timeout for Prometheus scrapes + scrapeTimeout: 10s + + prometheusRules: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + + # Deploy the PrometheusRule custom resource for AlertManager based alerts. + # Requires that AlertManager is properly deployed. + enabled: false + + # Selector labels to add to the PrometheusRules. + # When empty, defaults to: + # release: prometheus + selectors: {} + + # Some example rules. + rules: {} + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 500ms on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 + # for: 5m + # labels: + # severity: warning + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 1s on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 + # for: 5m + # labels: + # severity: critical From 99d745ca0ce9eae8cf2bd7c71c1e0841d6da165f Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 7 Sep 2022 17:21:47 -0700 Subject: [PATCH 061/108] Update vault-k8s to 1.0.0 (#784) Update vault-k8s to 1.0.0 Also update Kubernetes versions tested against, including adding 1.25 Update consul in tests for Kubernetes 1.25 support --- .github/workflows/acceptance.yaml | 2 +- CHANGELOG.md | 5 +++++ Makefile | 2 +- test/acceptance/server-ha.bats | 14 ++++++++++++-- values.openshift.yaml | 2 +- values.yaml | 2 +- 6 files changed, 21 insertions(+), 6 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index da644d169..042bfd1d5 100644 --- a/.github/workflows/acceptance.yaml 
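Review bot: The header comment above `serverTelemetry:` reads "Enabling this feature requires setting adding `telemetry{}` stanza to", which is a leftover from an edit; suggest `# Enabling this feature requires adding a telemetry{} stanza to`. The `serviceMonitor` and `prometheusRules` comments both warn that the chart fails to install without the operator's CustomResourceDefinitions, which is worth repeating once at `global.serverTelemetry.prometheusOperator` since that flag alone turns the resources on.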
+++ b/.github/workflows/acceptance.yaml @@ -7,7 +7,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.16.15, 1.20.15, 1.21.12, 1.22.9, 1.23.6, 1.24.1] + kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.13, 1.23.10, 1.24.4, 1.25.0] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 diff --git a/CHANGELOG.md b/CHANGELOG.md index c8954f081..8ab05de1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,12 @@ ## Unreleased + Features: * Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772) +Changes: +* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) + ## 0.21.0 (August 10th, 2022) CHANGES: diff --git a/Makefile b/Makefile index 2dbf6a7a8..e423f3529 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ LOCAL_ACCEPTANCE_TESTS?=false KIND_CLUSTER_NAME?=vault-helm # kind k8s version -KIND_K8S_VERSION?=v1.24.1 +KIND_K8S_VERSION?=v1.25.0 # Generate json schema for chart values. See test/README.md for more details. values-schema: diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 4180f8c4a..6876e0f5b 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats 
@@ -87,8 +87,18 @@ setup() { kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance - helm install consul \ - https://github.com/hashicorp/consul-helm/archive/v0.28.0.tar.gz \ + helm repo add hashicorp https://helm.releases.hashicorp.com + helm repo update + + CONSUL_HELM_VERSION=v0.48.0 + + K8S_MAJOR=$(kubectl version --output=json | jq -r .serverVersion.major) + K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor) + if [ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]; then + CONSUL_HELM_VERSION=v0.32.1 + fi + helm install consul hashicorp/consul \ + --version $CONSUL_HELM_VERSION \ --set 'ui.enabled=false' wait_for_running_consul diff --git a/values.openshift.yaml b/values.openshift.yaml index a1c48f02f..ce3b6f001 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,7 +6,7 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.17.0-ubi" + tag: "1.0.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" diff --git a/values.yaml b/values.yaml index da3fff3cd..f117ce094 100644 --- a/values.yaml +++ b/values.yaml @@ -62,7 +62,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.17.0" + tag: "1.0.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent From c15d83e397495c7bbf585e5472d5ccef992031a7 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Thu, 8 Sep 2022 11:59:17 -0700 Subject: [PATCH 062/108] Prepare for 0.22.0 release (#785) Prepare for 0.21.1 release * Update Vault to 1.11.3 --- CHANGELOG.md | 3 +++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 4 ++-- values.yaml | 4 ++-- 6 files changed, 13 insertions(+), 10 deletions(-) 
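Review bot: `K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor)` can return a value such as `24+` on managed clusters, where the `+` marks a patched build, and `[ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]` then aborts `setup()` with an integer-expression error instead of selecting a Consul chart version. Strip non-digits before comparing, e.g. `K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor | tr -dc '0-9')`, and apply the same to `K8S_MAJOR` for symmetry. `setup()` starts before this hunk.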
diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ab05de1e..bdc728be4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,11 +1,14 @@ ## Unreleased +## 0.22.0 (September 8th, 2022) + Features: * Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772) Changes: * `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) * Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785) ## 0.21.0 (August 10th, 2022) diff --git a/Chart.yaml b/Chart.yaml index d19e390ff..4289e6c7d 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.21.0 -appVersion: 1.11.2 +version: 0.22.0 +appVersion: 1.11.3 kubeVersion: ">= 1.16.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 05bb646d5..f09bbb1fc 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.2-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.2-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . 
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 1d92909f0..8b5c1be30 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.2-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.2-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index ce3b6f001..c932a6897 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -10,9 +10,9 @@ injector: agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.11.2-ubi" + tag: "1.11.3-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.11.2-ubi" + tag: "1.11.3-ubi" diff --git a/values.yaml b/values.yaml index f117ce094..c4ac1ea19 100644 --- a/values.yaml +++ b/values.yaml @@ -70,7 +70,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.11.2" + tag: "1.11.3" # The default values for the injected Vault Agent containers. agentDefaults: @@ -332,7 +332,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.11.2" + tag: "1.11.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 7e21a09ebd9fb7890c5dfe90c4716b50d1662637 Mon Sep 17 00:00:00 2001 
From: Tom Proctor Date: Mon, 12 Sep 2022 15:17:24 +0100 Subject: [PATCH 063/108] Add server.hostNetwork option (#775) --- templates/server-statefulset.yaml | 4 ++++ test/unit/server-statefulset.bats | 24 +++++++++++++++++++++++- values.schema.json | 3 +++ values.yaml | 2 ++ 4 files changed, 32 insertions(+), 1 deletion(-) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index afc48d695..fb3cbfab7 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -49,6 +49,10 @@ spec: shareProcessNamespace: true {{ end }} {{- template "server.statefulSet.securityContext.pod" . }} + {{- if not .Values.global.openshift }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- end }} + volumes: {{ template "vault.volumes" . }} - name: home diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 847661105..6206e115e 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -1783,4 +1783,26 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} + +#-------------------------------------------------------------------- +# hostNetwork + +@test "server/StatefulSet: server.hostNetwork not set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/StatefulSet: server.hostNetwork is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.hostNetwork=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/values.schema.json b/values.schema.json index aad7ee7fc..676efb7c9 100644 --- a/values.schema.json 
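Review bot: `hostNetwork: {{ .Values.server.hostNetwork }}` is emitted without a matching `dnsPolicy`; a pod on the host network keeps the default `ClusterFirst`, which with `hostNetwork: true` falls back to the node's resolver, so cluster service names the server configuration relies on stop resolving. Pair it with `{{- if .Values.server.hostNetwork }}` / `dnsPolicy: ClusterFirstWithHostNet` / `{{- end }}` inside the same `not .Values.global.openshift` guard. The surrounding pod spec starts and ends outside this hunk.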
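Review bot: The two new `server.hostNetwork` tests cover the default and the enabled case but not the `global.openshift=true` branch, where the template omits `hostNetwork` entirely. Add a third test with `--set 'global.openshift=true' --set 'server.hostNetwork=true'` asserting that `yq -r '.spec.template.spec.hostNetwork'` prints `null`, so the OpenShift guard cannot be dropped unnoticed.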
+++ b/values.schema.json @@ -979,6 +979,9 @@ "null", "array" ] + }, + "hostNetwork": { + "type": "boolean" } } }, diff --git a/values.yaml b/values.yaml index c4ac1ea19..892d2a4a7 100644 --- a/values.yaml +++ b/values.yaml @@ -876,6 +876,8 @@ server: pod: {} container: {} + # Should the server pods run on the host network + hostNetwork: false # Vault UI ui: From a3bbaea599223e1c06ce307a739bc6f78cc6da8e Mon Sep 17 00:00:00 2001 From: "hashicorp-copywrite[bot]" <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Date: Wed, 12 Oct 2022 14:55:30 -0700 Subject: [PATCH 064/108] [COMPLIANCE] Add MPL 2.0 LICENSE (#800) Co-authored-by: hashicorp-copywrite[bot] --- LICENSE.md => LICENSE | 2 ++ 1 file changed, 2 insertions(+) rename LICENSE.md => LICENSE (99%) diff --git a/LICENSE.md b/LICENSE similarity index 99% rename from LICENSE.md rename to LICENSE index 82b4de97c..74f38c010 100644 --- a/LICENSE.md +++ b/LICENSE @@ -1,3 +1,5 @@ +Copyright (c) 2018 HashiCorp, Inc. + Mozilla Public License, version 2.0 1. Definitions From 5d7014c7bbaba9efe87dbd747b4461fec889d77b Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 26 Oct 2022 20:32:46 +0100 Subject: [PATCH 065/108] Prepare to release to 0.22.1 (#803) * Prepare to release to 0.22.1 * Revert chart verifier update for now * Remove unused jobs from CircleCI config --- .circleci/config.yml | 54 +------------------ .github/workflows/acceptance.yaml | 8 +-- .../workflows/setup-test-tools/action.yaml | 8 +-- .github/workflows/tests.yaml | 8 +-- CHANGELOG.md | 6 +++ Chart.yaml | 4 +- test/acceptance/server-ha-enterprise-dr.bats | 4 +- .../acceptance/server-ha-enterprise-perf.bats | 4 +- values.openshift.yaml | 6 +-- values.yaml | 6 +-- 10 files changed, 32 insertions(+), 76 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 7582bdc21..2fc6a195a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
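Review bot: The `hostNetwork` comment `# Should the server pods run on the host network` does not mention that the setting is ignored when `global.openshift` is true (the template guards on it) nor that sharing the host network namespace is disallowed by the Pod Security `baseline` profile, so the pod will not be admitted in namespaces enforcing it. Suggest `# Run the server pods in the host network namespace. Ignored when global.openshift is true; not permitted under the Pod Security 'baseline' profile.` in its place.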
@@ -3,61 +3,9 @@ orbs: slack: circleci/slack@3.4.2 jobs: - bats-unit-test: - docker: - # This image is built from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 - steps: - - checkout - - run: bats ./test/unit -t - - chart-verifier: - docker: - - image: docker.mirror.hashicorp.services/cimg/go:1.16 - environment: - BATS_VERSION: "1.3.0" - CHART_VERIFIER_VERSION: "1.2.1" - steps: - - checkout - - run: - name: install chart-verifier - command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - - run: - name: install bats - command: | - curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz - tar -zxf /tmp/bats.tgz -C /tmp - sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local - - run: - name: run chart-verifier tests - command: bats ./test/chart -t - - acceptance: - docker: - # This image is build from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 - - steps: - - checkout - - run: - name: terraform init & apply - command: | - echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json - export GOOGLE_CREDENTIALS=vault-helm-test.json - make provision-cluster - - run: - name: Run acceptance tests - command: bats ./test/acceptance -t - - - run: - name: terraform destroy - command: | - export GOOGLE_CREDENTIALS=vault-helm-test.json - make destroy-cluster - when: always update-helm-charts-index: docker: - - image: docker.mirror.hashicorp.services/circleci/golang:1.15.3 + - image: docker.mirror.hashicorp.services/circleci/golang:1.19.2 steps: - checkout - run: diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 042bfd1d5..648616b35 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml 
@@ -7,19 +7,19 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.13, 1.23.10, 1.24.4, 1.25.0] + kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@v1.2.0 + uses: helm/kind-action@v1.4.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.14.0 + version: v0.16.0 - run: bats --tap --timing ./test/acceptance env: diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml index 3fa285416..8c69e3db8 100644 --- a/.github/workflows/setup-test-tools/action.yaml +++ b/.github/workflows/setup-test-tools/action.yaml @@ -6,13 +6,15 @@ runs: steps: - uses: actions/setup-node@v2 with: - node-version: '14' + node-version: '16' - run: npm install -g bats@${BATS_VERSION} shell: bash env: - BATS_VERSION: '1.5.0' + BATS_VERSION: '1.8.2' - run: bats -v shell: bash - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 + with: + python-version: '3.10' - run: pip install yq shell: bash diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 53a1f039e..bcabd1d64 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -6,7 +6,7 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: ./.github/workflows/setup-test-tools - run: bats --tap --timing ./test/unit 
@@ -15,11 +15,11 @@ jobs: env: CHART_VERIFIER_VERSION: '1.2.1' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: - go-version: '1.17.4' + go-version: '1.19.2' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - run: bats --tap --timing ./test/chart diff --git a/CHANGELOG.md b/CHANGELOG.md index bdc728be4..df958007b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ ## Unreleased +## 0.22.1 (October 26th, 2022) + +Changes: +* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) +* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) + ## 0.22.0 (September 8th, 2022) Features: diff --git a/Chart.yaml b/Chart.yaml index 4289e6c7d..9eb3f1faa 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.22.0 -appVersion: 1.11.3 +version: 0.22.1 +appVersion: 1.12.0 kubeVersion: ">= 1.16.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index f09bbb1fc..2a675a774 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.0-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
@@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.0-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 8b5c1be30..be9d55a20 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.0-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.0-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index c932a6897..ee0056376 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.0.0-ubi" + tag: "1.0.1-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.11.3-ubi" + tag: "1.12.0-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.11.3-ubi" + tag: "1.12.0-ubi" diff --git a/values.yaml b/values.yaml index 892d2a4a7..3d319303f 100644 --- a/values.yaml +++ b/values.yaml 
@@ -62,7 +62,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.0.0" + tag: "1.0.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -70,7 +70,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.11.3" + tag: "1.12.0" # The default values for the injected Vault Agent containers. agentDefaults: @@ -332,7 +332,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.11.3" + tag: "1.12.0" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 46e6fb5ad19f847ec70d137e1f609b50504cb6a3 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Thu, 27 Oct 2022 11:37:38 +0100 Subject: [PATCH 066/108] Fix CircleCI config (#804) * Fix CircleCI config * Add manual trigger option --- .circleci/config.yml | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 2fc6a195a..ca48a33d4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,14 +5,17 @@ orbs: jobs: update-helm-charts-index: docker: - - image: docker.mirror.hashicorp.services/circleci/golang:1.19.2 + - image: docker.mirror.hashicorp.services/cimg/go:1.19.2 steps: - checkout - run: name: verify Chart version matches tag version + environment: + RELEASE_TAG: << pipeline.parameters.release-tag >> command: | - GO111MODULE=on go get github.com/mikefarah/yq/v2 - git_tag=$(echo "${CIRCLE_TAG#v}") + go install github.com/mikefarah/yq/v2@latest + export TAG=${RELEASE_TAG:-$CIRCLE_TAG} + git_tag=$(echo "${TAG#v}") chart_tag=$(yq r Chart.yaml version) if [ "${git_tag}" != "${chart_tag}" ]; then echo "chart version (${chart_tag}) did not match git version (${git_tag})" 
@@ -20,17 +23,25 @@ jobs: fi - run: name: update helm-charts index + environment: + RELEASE_TAG: << pipeline.parameters.release-tag >> command: | curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \ -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${RELEASE_TAG:-$CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}" +parameters: + release-tag: + type: string + default: "" + description: "The tag to release, including v, e.g. v0.22.1" + workflows: version: 2 # Note: unit and acceptance tests are now being run in GitHub Actions @@ -43,3 +54,8 @@ workflows: only: /^v.*/ branches: ignore: /.*/ + manual-trigger-update-helm-charts-index: + when: << pipeline.parameters.release-tag >> + jobs: + - update-helm-charts-index: + context: helm-charts-trigger-vault From ab5b471c270aa4bad3811cd0a7f979a7de343397 Mon Sep 17 00:00:00 2001 From: Aleksandr Titov <26012167+AleksandrTitov@users.noreply.github.com> Date: Thu, 3 Nov 2022 04:01:35 +0300 Subject: [PATCH 067/108] Add extraLabels for Vault server serviceAccount (#806) --- CHANGELOG.md | 3 +++ templates/server-serviceaccount.yaml | 3 +++ test/unit/server-serviceaccount.bats | 10 ++++++++++ values.yaml | 3 +++ 4 files changed, 19 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index df958007b..9282dd0c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
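Review bot: The new `manual-trigger-update-helm-charts-index` workflow runs the job whenever `release-tag` is non-empty, but nothing in the job checks that the supplied tag exists as a ref in the checked-out repository; the verify step (previous hunk) only compares `${TAG#v}` with `Chart.yaml`, so a mistyped tag that happens to match the chart version would still reach the downstream publish with that tag. Adding `git rev-parse --verify --quiet "refs/tags/${TAG}" || { echo "tag ${TAG} not found"; exit 1; }` after the `export TAG=` line would close that gap, assuming the `checkout` step fetches tags. Whether the downstream helm-charts pipeline validates SOURCE_TAG itself is not visible here.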
@@ -1,5 +1,8 @@ ## Unreleased +Features: +* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) + ## 0.22.1 (October 26th, 2022) Changes: diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index c0d32d190..580a95375 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -10,5 +10,8 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.server.serviceAccount.extraLabels -}} + {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} {{ template "vault.serviceAccount.annotations" . }} {{ end }} diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index fbc2b94bf..2c826032e 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -117,3 +117,13 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/serviceAccount: specify server.serviceAccount.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 3d319303f..a8a036c90 100644 --- a/values.yaml +++ b/values.yaml @@ -851,6 +851,9 @@ server: # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. annotations: {} + # Extra labels to attach to the serviceAccount + # This should be a YAML map of the labels to apply to the serviceAccount + extraLabels: {} # Settings for the statefulSet used to run Vault. statefulSet: 
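Review bot: The new `{{- if ... -}}` / `{{- end -}}` block in server-serviceaccount.yaml trims whitespace on both sides, so the newline between the last label and the following `{{ template "vault.serviceAccount.annotations" . }}` line is removed as well; this renders correctly only if that helper emits its own leading newline, which is not visible in this hunk and worth confirming. Dropping the right-hand dashes, `{{- if .Values.server.serviceAccount.extraLabels }}` … `{{- end }}`, keeps the surrounding layout unchanged either way. The new bats test only reads `.metadata.labels.foo`, so it would not catch a broken annotations line.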
From 0110f977b2a26a7163a2d04249dfe7b029730f6d Mon Sep 17 00:00:00 2001 From: Steven Kriegler <61625851+justusbunsi@users.noreply.github.com> Date: Wed, 9 Nov 2022 23:19:38 +0100 Subject: [PATCH 068/108] Quote `.server.ha.clusterAddr` value (#810) --- CHANGELOG.md | 3 +++ templates/server-statefulset.yaml | 2 +- test/unit/server-ha-statefulset.bats | 16 ++++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9282dd0c4..d2862b7ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,9 @@ Features: * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) +Bugs: +* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) + ## 0.22.1 (October 26th, 2022) Changes: diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index fb3cbfab7..8d556e827 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -106,7 +106,7 @@ spec: fieldPath: metadata.name - name: VAULT_CLUSTER_ADDR {{- if .Values.server.ha.clusterAddr }} - value: {{ .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr | quote }} {{- else }} value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" {{- end }} diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 342fa433d..06a0ca0a0 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -476,6 +476,22 @@ load _helpers [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] } +@test "server/ha-StatefulSet: clusterAddr gets quoted" { + cd `chart_dir` + local customUrl='http://$(HOSTNAME).release-name-vault-internal:8201' + local rendered=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set "server.ha.clusterAddr=${customUrl}" \ + . | tee /dev/stderr | \ + grep -F "${customUrl}" | tee /dev/stderr) + +local value=$(echo $rendered | + yq -Y '.' | tee /dev/stderr) + [ "${value}" = 'value: "http://$(HOSTNAME).release-name-vault-internal:8201"' ] +} + #-------------------------------------------------------------------- # VAULT_RAFT_NODE_ID renders From 21ce5245a35f25919e8db5b87145145dc79bdb20 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 14 Nov 2022 14:10:21 +0000 Subject: [PATCH 069/108] Support selectively disabling active/standby services and service discovery role (#811) --- CHANGELOG.md | 2 + templates/server-discovery-role.yaml | 2 +- templates/server-discovery-rolebinding.yaml | 2 +- templates/server-ha-active-service.yaml | 2 + templates/server-ha-standby-service.yaml | 4 +- templates/server-statefulset.yaml | 1 - test/unit/server-discovery-role.bats | 41 +++++++++++++++++++++ test/unit/server-discovery-rolebinding.bats | 41 +++++++++++++++++++++ test/unit/server-ha-active-service.bats | 12 ++++++ test/unit/server-ha-standby-service.bats | 12 ++++++ values.schema.json | 27 ++++++++++++++ values.yaml | 13 +++++++ 12 files changed, 155 insertions(+), 4 deletions(-) create mode 100755 test/unit/server-discovery-role.bats create mode 100755 test/unit/server-discovery-rolebinding.bats diff --git a/CHANGELOG.md b/CHANGELOG.md index d2862b7ab..96937b57a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
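Review bot: In the new `clusterAddr gets quoted` test the line `local value=$(echo $rendered |` sits at column 0 while every other statement in the test body is indented two spaces; indent it to match, `  local value=$(echo $rendered |`. Quoting the expansion as `"${rendered}"` would also keep the value intact should `grep -F` ever match more than one line.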
@@ -2,6 +2,8 @@ Features: * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) +* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) Bugs: * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 9ca23dd4c..4dba09df1 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,7 +1,7 @@ {{ template "vault.mode" . }} -{{- if ne .mode "external" }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 6e22e4c2b..280ec6ca2 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,7 +1,7 @@ {{ template "vault.mode" . }} -{{- if ne .mode "external" }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index ef212376d..849c867b7 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml 
@@ -3,6 +3,7 @@ {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.active.enabled | toString) "true" }} # Service for active Vault pod apiVersion: v1 kind: Service @@ -44,3 +45,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index e6d66af84..e0750aa64 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -3,6 +3,7 @@ {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.standby.enabled | toString) "true" }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -42,4 +43,5 @@ spec: vault-active: "false" {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 8d556e827..a4ec05a28 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -52,7 +52,6 @@ spec: {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.server.hostNetwork }} {{- end }} - volumes: {{ template "vault.volumes" . }} - name: home diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats new file mode 100755 index 000000000..11473a081 --- /dev/null +++ b/test/unit/server-discovery-role.bats 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/DiscoveryRole: enabled by default with ha" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DiscoveryRole: can disable with server.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.enabled=false' \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/DiscoveryRole: can disable with server.serviceAccount.serviceDiscovery.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.serviceAccount.serviceDiscovery.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats new file mode 100755 index 000000000..568c24072 --- /dev/null +++ b/test/unit/server-discovery-rolebinding.bats 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/DiscoveryRoleBinding: enabled by default with ha" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DiscoveryRoleBinding: can disable with server.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.enabled=false' \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/DiscoveryRoleBinding: can disable with server.serviceAccount.serviceDiscovery.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.serviceAccount.serviceDiscovery.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index d74e74913..6a2e34946 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
@@ -35,6 +35,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-active-Service: disable with server.service.active.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=true' \ + --set 'server.service.active.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/ha-active-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 045560ce9..3a9a39f33 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -46,6 +46,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-standby-Service: disable with server.service.standby.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=true' \ + --set 'server.service.standby.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/ha-standby-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/values.schema.json b/values.schema.json index 676efb7c9..2ba9ab84d 100644 --- a/values.schema.json +++ b/values.schema.json @@ -851,6 +851,14 @@ "service": { "type": "object", "properties": { + "active": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "annotations": { "type": [ "object", @@ -869,6 +877,14 @@ "publishNotReadyAddresses": { "type": "boolean" }, + "standby": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "targetPort": { "type": "integer" }, 
@@ -895,8 +911,19 @@ "create": { "type": "boolean" }, + "extraLabels": { + "type": "object" + }, "name": { "type": "string" + }, + "serviceDiscovery": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } } } }, diff --git a/values.yaml b/values.yaml index a8a036c90..0045066c5 100644 --- a/values.yaml +++ b/values.yaml @@ -596,6 +596,14 @@ server: # Enables a headless service to be used by the Vault Statefulset service: enabled: true + # Enable or disable the vault-active service, which selects Vault pods that + # have labelled themselves as the cluster leader with `vault-active: "true"` + active: + enabled: true + # Enable or disable the vault-standby service, which selects Vault pods that + # have labelled themselves as a cluster follower with `vault-active: "false"` + standby: + enabled: true # clusterIP controls whether a Cluster IP address is attached to the # Vault service within Kubernetes. By default, the Vault service will # be given a Cluster IP address, set to None to disable. When disabled @@ -854,6 +862,11 @@ server: # Extra labels to attach to the serviceAccount # This should be a YAML map of the labels to apply to the serviceAccount extraLabels: {} + # Enable or disable a service account role binding with the permissions required for + # Vault's Kubernetes service_registration config option. + # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes + serviceDiscovery: + enabled: true # Settings for the statefulSet used to run Vault. statefulSet: From c13151a6ac18765f42a05524362946fae16e8a3f Mon Sep 17 00:00:00 2001 
From: Tom Proctor Date: Thu, 17 Nov 2022 19:54:18 +0000 Subject: [PATCH 070/108] server: Allow disabling the instance selector for services (#813) --- CHANGELOG.md | 1 + templates/server-ha-active-service.yaml | 2 ++ templates/server-ha-standby-service.yaml | 2 ++ templates/server-service.yaml | 2 ++ test/unit/server-ha-active-service.bats | 18 ++++++++++++++++++ test/unit/server-ha-standby-service.bats | 18 ++++++++++++++++++ test/unit/server-headless-service.bats | 18 ++++++++++++++++++ test/unit/server-service.bats | 17 +++++++++++++++++ values.schema.json | 8 ++++++++ values.yaml | 5 +++++ 10 files changed, 91 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 96937b57a..3bf7e67ff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Features: * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) * server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) * server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813) Bugs: * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 849c867b7..7def2a0e8 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml 
@@ -39,7 +39,9 @@ spec:
       targetPort: 8201
   selector:
     app.kubernetes.io/name: {{ include "vault.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
     app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
     component: server
     vault-active: "true"
 {{- end }}
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index e0750aa64..50fca4bc1 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
@@ -38,7 +38,9 @@ spec:
       targetPort: 8201
   selector:
     app.kubernetes.io/name: {{ include "vault.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
     app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
     component: server
     vault-active: "false"
 {{- end }}
diff --git a/templates/server-service.yaml b/templates/server-service.yaml
index 3a9b0e7e5..913b56930 100644
--- a/templates/server-service.yaml
+++ b/templates/server-service.yaml
@@ -38,7 +38,9 @@ spec:
       targetPort: 8201
   selector:
     app.kubernetes.io/name: {{ include "vault.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
     app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
     component: server
 {{- end }}
 {{- end }}
diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
index 6a2e34946..d78f5d457 100755
--- a/test/unit/server-ha-active-service.bats
+++ b/test/unit/server-ha-active-service.bats
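Review bot: With `instanceSelector.enabled=false` the Service in this hunk (and the matching ones in server-ha-standby-service.yaml and server-service.yaml) selects on `app.kubernetes.io/name`, `component` and `vault-active` alone, and those labels can be carried by any pod in the namespace, not only pods this release created, so Vault client traffic would also be routed to such a pod. That is the documented intent, but the values.yaml comment added for `instanceSelector` in this PR only says services "may select Vault pods not deployed from the chart"; I would add `# Only disable this in a namespace where every pod carrying these labels is trusted to receive Vault traffic.` next to it. The enclosing template blocks open and close outside this hunk.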
@@ -226,3 +226,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ha-active-Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 3a9a39f33..669831411 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -237,3 +237,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ha-standby-Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 4e2d13537..0794d0e49 100644 --- a/test/unit/server-headless-service.bats 
+++ b/test/unit/server-headless-service.bats @@ -17,3 +17,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/headless-Service: instance selector cannot be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] +} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 5208f6e30..70a544598 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats @@ -431,3 +431,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/values.schema.json b/values.schema.json index 2ba9ab84d..c18395700 100644 --- a/values.schema.json +++ b/values.schema.json 
@@ -871,6 +871,14 @@ "externalTrafficPolicy": { "type": "string" }, + "instanceSelector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "port": { "type": "integer" }, diff --git a/values.yaml b/values.yaml index 0045066c5..965f5a881 100644 --- a/values.yaml +++ b/values.yaml @@ -604,6 +604,11 @@ server: # have labelled themselves as a cluster follower with `vault-active: "false"` standby: enabled: true + # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` + # When disabled, services may select Vault pods not deployed from the chart. + # Does not affect the headless vault-internal service with `ClusterIP: None` + instanceSelector: + enabled: true # clusterIP controls whether a Cluster IP address is attached to the # Vault service within Kubernetes. By default, the Vault service will # be given a Cluster IP address, set to None to disable. When disabled From 2d7fd5d5652d9f3f09dd686e3318aa7dc8f661eb Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 28 Nov 2022 23:33:08 +0000 Subject: [PATCH 071/108] Prepare for 0.23.0 release (#814) --- CHANGELOG.md | 7 +++++++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 8 ++++---- 6 files changed, 20 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3bf7e67ff..9a647c2a8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,12 @@ ## Unreleased +## 0.23.0 (November 28th, 2022) + +Changes: +* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) + Features: * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) * server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) diff --git a/Chart.yaml b/Chart.yaml index 9eb3f1faa..f42a831e4 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.22.1 -appVersion: 1.12.0 +version: 0.23.0 +appVersion: 1.12.1 kubeVersion: ">= 1.16.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 2a675a774..11effe99c 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.0-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.0-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . 
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index be9d55a20..7eaf0ccf0 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.0-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.0-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index ee0056376..02985ed39 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.0.1-ubi" + tag: "1.1.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.12.0-ubi" + tag: "1.12.1-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.12.0-ubi" + tag: "1.12.1-ubi" diff --git a/values.yaml b/values.yaml index 965f5a881..2c3d9e261 100644 --- a/values.yaml +++ b/values.yaml @@ -62,7 +62,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.0.1" + tag: "1.1.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent 
@@ -70,7 +70,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.12.0" + tag: "1.12.1" # The default values for the injected Vault Agent containers. agentDefaults: @@ -332,7 +332,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.12.0" + tag: "1.12.1" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -947,7 +947,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.2.0" + tag: "1.2.1" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From 72914d873c938730757b5af0c5b513839feb95d2 Mon Sep 17 00:00:00 2001 From: Douglas Thomson <36892985+dtrts@users.noreply.github.com> Date: Thu, 12 Jan 2023 17:38:29 +0000 Subject: [PATCH 072/108] Amending docs (#828) --- templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 38973910a..ca79b69d6 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -59,7 +59,7 @@ Compute if the server is enabled. {{- end -}} {{/* -Compute if the server auth delegator serviceaccount is enabled. +Compute if the server serviceaccount is enabled. */}} {{- define "vault.serverServiceAccountEnabled" -}} {{- $_ := set . "serverServiceAccountEnabled" From a4e076b132d32d374096bf62c5a2c1e6d551ae64 Mon Sep 17 00:00:00 2001 From: claire labry Date: Fri, 3 Feb 2023 17:41:49 -0600 Subject: [PATCH 073/108] swap helm charts call to GHA (#840) * swap helm charts call to GHA * fix path for gh utility --- .circleci/config.yml | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index ca48a33d4..588db5ef6 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -21,17 +21,24 @@ jobs:
                 echo "chart version (${chart_tag}) did not match git version (${git_tag})"
                 exit 1
               fi
+      - run:
+          name: install gh tool
+          command: |
+            version="2.22.1"
+            curl --show-error --silent --location --output "gh.tar.gz" "https://github.com/cli/cli/releases/download/v${version}/gh_${version}_linux_amd64.tar.gz"
+            tar -xvzf gh.tar.gz && mkdir -p bin && mv "gh_${version}_linux_amd64/bin/gh" bin/
+
       - run:
           name: update helm-charts index
           environment:
             RELEASE_TAG: << pipeline.parameters.release-tag >>
           command: |
-            curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
-              -X POST \
-              -H 'Content-Type: application/json' \
-              -H 'Accept: application/json' \
-              -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${RELEASE_TAG:-$CIRCLE_TAG}\"}}" \
-              "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
+            export GITHUB_TOKEN="${HELM_CHARTS_GITHUB_TOKEN}"
+            ./bin/gh workflow run .github/workflows/publish-charts.yml \
+              --repo hashicorp/helm-charts \
+              --ref main \
+              -f SOURCE_TAG="${CIRCLE_TAG}" \
+              -f SOURCE_REPO="${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}"
       - slack/status:
           fail_only: true
           failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}"
From c5c28cb385ba928591a6c1d69967bc7ced883b60 Mon Sep 17 00:00:00 2001
From: Mariano Asselborn
Date: Mon, 13 Feb 2023 10:58:13 -0500
Subject: [PATCH 074/108] Call helm publish workflow by file name without path (#843)

---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 588db5ef6..ecc3c60c7 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
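Review bot: The new `install gh tool` step downloads the gh tarball with curl and extracts it without any integrity check, and the resulting binary is then run with `HELM_CHARTS_GITHUB_TOKEN` in the next step, so a substituted archive would receive that token; the curl call also lacks `--fail`, so an HTTP error body would be saved as `gh.tar.gz` and only fail later in tar. Add `--fail` to the curl line and verify the archive before extracting, e.g. `echo "<EXPECTED_SHA256_FOR_gh_${version}_linux_amd64.tar.gz>  gh.tar.gz" | sha256sum -c -` (placeholder digest, to be taken from the release's published checksums file). Separately, `-f SOURCE_TAG="${CIRCLE_TAG}"` drops the `${RELEASE_TAG:-$CIRCLE_TAG}` fallback the removed curl body used, even though the step still sets `RELEASE_TAG` in its environment, so a manual-trigger run would send an empty tag; restore it with `-f SOURCE_TAG="${RELEASE_TAG:-$CIRCLE_TAG}" \`.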
@@ -34,7 +34,7 @@ jobs: RELEASE_TAG: << pipeline.parameters.release-tag >> command: | export GITHUB_TOKEN="${HELM_CHARTS_GITHUB_TOKEN}" - ./bin/gh workflow run .github/workflows/publish-charts.yml \ + ./bin/gh workflow run publish-charts.yml \ --repo hashicorp/helm-charts \ --ref main \ -f SOURCE_TAG="${CIRCLE_TAG}" \ From 742ddb1c52934e657ed7d4832fcf80324806adfb Mon Sep 17 00:00:00 2001 
From: Theron Voran Date: Mon, 13 Feb 2023 08:48:20 -0800 Subject: [PATCH 075/108] adding SPDX copyright headers (#844) --- .circleci/config.yml | 3 +++ .github/ISSUE_TEMPLATE/config.yml | 3 +++ Chart.yaml | 3 +++ templates/_helpers.tpl | 5 +++++ templates/csi-clusterrole.yaml | 5 +++++ templates/csi-clusterrolebinding.yaml | 5 +++++ templates/csi-daemonset.yaml | 5 +++++ templates/csi-serviceaccount.yaml | 5 +++++ templates/injector-certs-secret.yaml | 5 +++++ templates/injector-clusterrole.yaml | 5 +++++ templates/injector-clusterrolebinding.yaml | 5 +++++ templates/injector-deployment.yaml | 5 +++++ templates/injector-disruptionbudget.yaml | 5 +++++ templates/injector-mutating-webhook.yaml | 5 +++++ templates/injector-network-policy.yaml | 5 +++++ templates/injector-psp-role.yaml | 5 +++++ templates/injector-psp-rolebinding.yaml | 5 +++++ templates/injector-psp.yaml | 5 +++++ templates/injector-role.yaml | 5 +++++ templates/injector-rolebinding.yaml | 5 +++++ templates/injector-service.yaml | 5 +++++ templates/injector-serviceaccount.yaml | 5 +++++ templates/prometheus-prometheusrules.yaml | 5 +++++ templates/prometheus-servicemonitor.yaml | 5 +++++ templates/server-clusterrolebinding.yaml | 5 +++++ templates/server-config-configmap.yaml | 5 +++++ templates/server-discovery-role.yaml | 5 +++++ templates/server-discovery-rolebinding.yaml | 5 +++++ templates/server-disruptionbudget.yaml | 5 +++++ templates/server-ha-active-service.yaml | 5 +++++ templates/server-ha-standby-service.yaml | 5 +++++ templates/server-headless-service.yaml | 5 +++++ templates/server-ingress.yaml | 5 +++++ templates/server-network-policy.yaml | 5 +++++ templates/server-psp-role.yaml | 5 +++++ templates/server-psp-rolebinding.yaml | 5 +++++ templates/server-psp.yaml | 5 +++++ templates/server-route.yaml | 5 +++++ templates/server-service.yaml | 5 +++++ templates/server-serviceaccount.yaml | 5 +++++ templates/server-statefulset.yaml | 5 +++++ templates/tests/server-test.yaml | 5 +++++ 
templates/ui-service.yaml | 5 +++++ test/acceptance/_helpers.bash | 3 +++ test/acceptance/csi-test/nginx.yaml | 3 +++ test/acceptance/csi-test/vault-kv-secretproviderclass.yaml | 3 +++ test/acceptance/csi-test/vault-policy.hcl | 3 +++ test/acceptance/injector-test/bootstrap.sh | 3 +++ test/acceptance/injector-test/job.yaml | 3 +++ test/acceptance/injector-test/pg-deployment.yaml | 3 +++ test/acceptance/injector-test/pgdump-policy.hcl | 3 +++ test/acceptance/server-test/annotations-overrides.yaml | 3 +++ test/acceptance/server-test/telemetry.yaml | 3 +++ test/chart/_helpers.bash | 3 +++ test/docker/Test.dockerfile | 3 +++ test/kind/config.yaml | 3 +++ test/terraform/main.tf | 3 +++ test/terraform/outputs.tf | 3 +++ test/terraform/variables.tf | 3 +++ test/unit/_helpers.bash | 3 +++ values.openshift.yaml | 3 +++ values.yaml | 3 +++ 62 files changed, 266 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index ecc3c60c7..f4344171d 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + version: 2.1 orbs: slack: circleci/slack@3.4.2 diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index b24b36b2c..746c03c5f 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + contact_links: - name: Ask a question url: https://discuss.hashicorp.com/c/vault diff --git a/Chart.yaml b/Chart.yaml index f42a831e4..55ebcf4bb 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + apiVersion: v2 name: vault version: 0.23.0 diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index ca79b69d6..dcfcbb8b8 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml index ec6a3d2b9..6d979ea40 100644 --- a/templates/csi-clusterrole.yaml +++ b/templates/csi-clusterrole.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml index d5b62a5f0..d5a934688 100644 --- a/templates/csi-clusterrolebinding.yaml +++ b/templates/csi-clusterrolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index d131aac5f..e38cc47d5 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: apps/v1 diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml index 8d6fa5329..25e123ee9 100644 --- a/templates/csi-serviceaccount.yaml +++ b/templates/csi-serviceaccount.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: v1 diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml index e88685b5e..3e5ddb7b9 100644 --- a/templates/injector-certs-secret.yaml +++ b/templates/injector-certs-secret.yaml 
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml index 6a0d6be1a..d5682dd76 100644 --- a/templates/injector-clusterrole.yaml +++ b/templates/injector-clusterrole.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml index 4c193f8a2..9253e4f0a 100644 --- a/templates/injector-clusterrolebinding.yaml +++ b/templates/injector-clusterrolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index f0605599e..9c16ed8dc 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} # Deployment for the injector diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml index b44fd7300..5862977ec 100644 --- a/templates/injector-disruptionbudget.yaml +++ b/templates/injector-disruptionbudget.yaml 
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if .Values.injector.podDisruptionBudget }} apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} kind: PodDisruptionBudget diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index 3d3fd3678..d03cd136d 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml index 68892d23b..4c3b08782 100644 --- a/templates/injector-network-policy.yaml +++ b/templates/injector-network-policy.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.openshift | toString) "true" }} diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 5d23c7556..65d8e9ba9 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index 4f6b0a851..48a3a26a2 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml 
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml index 1eee2fcd0..0eca9a87c 100644 --- a/templates/injector-psp.yaml +++ b/templates/injector-psp.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index 08c8264cc..df7b0ed74 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index ea0db11b9..0848e43d8 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 5e747d6f1..5b2069286 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: v1 
diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index d1919b936..9b5c2f6ed 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: v1 diff --git a/templates/prometheus-prometheusrules.yaml b/templates/prometheus-prometheusrules.yaml index 572f1a05a..7e58a0e52 100644 --- a/templates/prometheus-prometheusrules.yaml +++ b/templates/prometheus-prometheusrules.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ if and (.Values.serverTelemetry.prometheusRules.rules) (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) ) }} diff --git a/templates/prometheus-servicemonitor.yaml b/templates/prometheus-servicemonitor.yaml index 323e51fb9..60f2729a0 100644 --- a/templates/prometheus-servicemonitor.yaml +++ b/templates/prometheus-servicemonitor.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} --- diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index 8cdd61143..b694129b5 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.serverAuthDelegator" . }} {{- if .serverAuthDelegator -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index f40c69608..5d29e98d6 100644 --- a/templates/server-config-configmap.yaml 
+++ b/templates/server-config-configmap.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 4dba09df1..adae42a2b 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 280ec6ca2..853ee870c 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index d940fa4da..c823a4206 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" -}} {{- if .serverEnabled -}} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 7def2a0e8..58d540fd5 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 50fca4bc1..b9f643586 100644 
--- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index b03f491e3..c4eca7af7 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index c81e5f5ce..e77569072 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if not .Values.global.openshift }} {{ template "vault.mode" . }} {{- if ne .mode "external" }} diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml index 5f4c21a4b..62d4ae1ac 100644 --- a/templates/server-network-policy.yaml +++ b/templates/server-network-policy.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index b8eb897e5..0c8c983ea 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} 
diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index fded9fbc6..9b975d556 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index d210af351..567e66245 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} diff --git a/templates/server-route.yaml b/templates/server-route.yaml index e122d936b..3f35aefe2 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if .Values.global.openshift }} {{- if ne .mode "external" }} {{- if .Values.server.route.enabled -}} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 913b56930..8e34c88c5 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.serverServiceEnabled" . -}} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 580a95375..e154f8dc2 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml 
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.serverServiceAccountEnabled" . }} {{- if .serverServiceAccountEnabled -}} apiVersion: v1 diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index a4ec05a28..4defbb524 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if ne .mode "" }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index 56dbee78c..59b150109 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index d45afdda4..4b2e8f7e4 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- template "vault.uiEnabled" . -}} diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index db8b05145..490cdeb29 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # name_prefix returns the prefix of the resources within Kubernetes. name_prefix() { printf "vault" diff --git a/test/acceptance/csi-test/nginx.yaml b/test/acceptance/csi-test/nginx.yaml index fed1137f7..2fd86032a 100644 --- a/test/acceptance/csi-test/nginx.yaml +++ b/test/acceptance/csi-test/nginx.yaml 
@@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: ServiceAccount diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml index e793bde64..b9470fe29 100644 --- a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # The "Hello World" Vault SecretProviderClass apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 kind: SecretProviderClass diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/vault-policy.hcl index 48b670ea7..07bb74972 100644 --- a/test/acceptance/csi-test/vault-policy.hcl +++ b/test/acceptance/csi-test/vault-policy.hcl @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + path "secret/data/kv1" { capabilities = ["read"] } \ No newline at end of file diff --git a/test/acceptance/injector-test/bootstrap.sh b/test/acceptance/injector-test/bootstrap.sh index d738fd28d..96f161710 100755 --- a/test/acceptance/injector-test/bootstrap.sh +++ b/test/acceptance/injector-test/bootstrap.sh @@ -1,4 +1,7 @@ #!/bin/sh +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + OUTPUT=/tmp/output.txt diff --git a/test/acceptance/injector-test/job.yaml b/test/acceptance/injector-test/job.yaml index d665383c7..50a3b5f89 100644 --- a/test/acceptance/injector-test/job.yaml +++ b/test/acceptance/injector-test/job.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: ServiceAccount diff --git a/test/acceptance/injector-test/pg-deployment.yaml b/test/acceptance/injector-test/pg-deployment.yaml index caf8605d2..cacc99411 100644 --- a/test/acceptance/injector-test/pg-deployment.yaml +++ b/test/acceptance/injector-test/pg-deployment.yaml 
@@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + --- apiVersion: v1 kind: Service diff --git a/test/acceptance/injector-test/pgdump-policy.hcl b/test/acceptance/injector-test/pgdump-policy.hcl index 88a6cd66a..60da677b1 100644 --- a/test/acceptance/injector-test/pgdump-policy.hcl +++ b/test/acceptance/injector-test/pgdump-policy.hcl @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + path "database/creds/db-backup" { capabilities = ["read"] } diff --git a/test/acceptance/server-test/annotations-overrides.yaml b/test/acceptance/server-test/annotations-overrides.yaml index 459576a97..5aba0f9f0 100644 --- a/test/acceptance/server-test/annotations-overrides.yaml +++ b/test/acceptance/server-test/annotations-overrides.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + server: annotations: | environment: production diff --git a/test/acceptance/server-test/telemetry.yaml b/test/acceptance/server-test/telemetry.yaml index 2925bc8f7..7380df2d3 100644 --- a/test/acceptance/server-test/telemetry.yaml +++ b/test/acceptance/server-test/telemetry.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + server: standalone: config: | diff --git a/test/chart/_helpers.bash b/test/chart/_helpers.bash index fb9db31da..4d2465750 100644 --- a/test/chart/_helpers.bash +++ b/test/chart/_helpers.bash @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # chart_dir returns the directory for the chart chart_dir() { echo ${BATS_TEST_DIRNAME}/../.. diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile index 98afeace2..472a97acd 100644 --- a/test/docker/Test.dockerfile +++ b/test/docker/Test.dockerfile 
@@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # This Dockerfile installs all the dependencies necessary to run the unit and # acceptance tests. This image also contains gcloud so you can run tests # against a GKE cluster easily. diff --git a/test/kind/config.yaml b/test/kind/config.yaml index 8b18a3a5f..5fef18a8c 100644 --- a/test/kind/config.yaml +++ b/test/kind/config.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: diff --git a/test/terraform/main.tf b/test/terraform/main.tf index 5c3570f27..d1de1a2e0 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + provider "google" { project = "${var.project}" } diff --git a/test/terraform/outputs.tf b/test/terraform/outputs.tf index 6435d2b78..3793987a3 100644 --- a/test/terraform/outputs.tf +++ b/test/terraform/outputs.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + output "cluster_id" { value = "${google_container_cluster.cluster.id}" } diff --git a/test/terraform/variables.tf b/test/terraform/variables.tf index 971af4e59..df4832b66 100644 --- a/test/terraform/variables.tf +++ b/test/terraform/variables.tf @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + variable "project" { default = "vault-helm-dev-246514" diff --git a/test/unit/_helpers.bash b/test/unit/_helpers.bash index 530b66e8c..5f8a94dfc 100644 --- a/test/unit/_helpers.bash +++ b/test/unit/_helpers.bash @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # chart_dir returns the directory for the chart chart_dir() { echo ${BATS_TEST_DIRNAME}/../.. diff --git a/values.openshift.yaml b/values.openshift.yaml index 02985ed39..13a7463b2 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # These overrides are appropriate defaults for deploying this chart on OpenShift global: diff --git a/values.yaml b/values.yaml index 2c3d9e261..2f88ab304 100644 --- a/values.yaml +++ b/values.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # Available parameters and their default values for the Vault chart. global: From 34d8650ccac77dcedca4c20c478cd52c04b9fce3 Mon Sep 17 00:00:00 2001 From: jordanfelle Date: Thu, 16 Feb 2023 12:07:41 -0500 Subject: [PATCH 076/108] Fix typo in telemetry example (#846) Also in the telemetry test --- test/acceptance/server-test/telemetry.yaml | 2 +- values.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/acceptance/server-test/telemetry.yaml b/test/acceptance/server-test/telemetry.yaml index 7380df2d3..557008425 100644 --- a/test/acceptance/server-test/telemetry.yaml +++ b/test/acceptance/server-test/telemetry.yaml @@ -21,7 +21,7 @@ server: } telemetry { - prometheus_retention_time = "30s", + prometheus_retention_time = "30s" disable_hostname = true } diff --git a/values.yaml b/values.yaml index 2f88ab304..f007e12a0 100644 --- a/values.yaml +++ b/values.yaml @@ -747,7 +747,7 @@ server: # Example configuration for enabling Prometheus metrics in your config. #telemetry { - # prometheus_retention_time = "30s", + # prometheus_retention_time = "30s" # disable_hostname = true #} @@ -841,7 +841,7 @@ server: # If you are using Prometheus Operator you can enable a ServiceMonitor resource below. # You may wish to enable unauthenticated metrics in the listener block above. #telemetry { - # prometheus_retention_time = "30s", + # prometheus_retention_time = "30s" # disable_hostname = true #} @@ -1083,7 +1083,7 @@ serverTelemetry: # # example: # telemetry { - # prometheus_retention_time = "30s", + # prometheus_retention_time = "30s" # disable_hostname = true # } # 
From e31e70ea0b36717a5e3b38e99aeec32b22c0043c Mon Sep 17 00:00:00 2001 From: Dimitar Zafirov <45163383+mitashkistz@users.noreply.github.com> Date: Thu, 16 Feb 2023 20:49:07 +0200 Subject: [PATCH 077/108] Add extraPorts property (#841) --- CHANGELOG.md | 3 +++ templates/server-statefulset.yaml | 3 +++ test/unit/server-statefulset.bats | 23 +++++++++++++++++++++++ values.schema.json | 6 ++++++ values.yaml | 6 ++++++ 5 files changed, 41 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a647c2a8..063fd0925 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Features: +* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) + ## 0.23.0 (November 28th, 2022) Changes: diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 4defbb524..d7a34acb6 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -148,6 +148,9 @@ spec: name: https-internal - containerPort: 8202 name: {{ include "vault.scheme" . }}-rep + {{- if .Values.server.extraPorts -}} + {{ toYaml .Values.server.extraPorts | nindent 12}} + {{- end }} {{- if .Values.server.readinessProbe.enabled }} readinessProbe: {{- if .Values.server.readinessProbe.path }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 6206e115e..e56ce8449 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
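Review bot: `{{ toYaml .Values.server.extraPorts | nindent 12}}` appends the user-supplied list verbatim after the chart's fixed `http`/`https-internal`/`*-rep` ports, and the `values.schema.json` hunk in this commit only types `extraPorts` as `null`/`array` with no `items` schema, so a malformed entry (a bare string, a misspelled `containerPort`) or a name that duplicates one of the built-in ports passes `helm lint` and is only caught, if at all, when the StatefulSet is applied. Consider constraining the items, e.g. `"items": {"type": "object", "required": ["containerPort"], "properties": {"containerPort": {"type": "integer"}, "name": {"type": "string"}}}`, and stating in the `values.yaml` comment that entries are passed through unchanged, so names must not collide with the chart's own ports and a `hostPort` entry would expose the Vault pod on the node's network. The container spec this hunk sits in starts and ends outside the hunk.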
@@ -1806,3 +1806,26 @@ load _helpers yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) [ "${actual}" = "true" ] } + +#-------------------------------------------------------------------- +# extraPorts + +@test "server/standalone-StatefulSet: adds extra ports" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.extraPorts[0].containerPort=1111' \ + --set 'server.extraPorts[0].name=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "foo")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.containerPort' | tee /dev/stderr) + [ "${actual}" = "1111" ] + + local actual=$(echo $object | + yq -r '.name' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} diff --git a/values.schema.json b/values.schema.json index c18395700..c52c20088 100644 --- a/values.schema.json +++ b/values.schema.json @@ -593,6 +593,12 @@ "extraArgs": { "type": "string" }, + "extraPorts": { + "type": [ + "null", + "array" + ] + }, "extraContainers": { "type": [ "null", diff --git a/values.yaml b/values.yaml index f007e12a0..08e9f21f0 100644 --- a/values.yaml +++ b/values.yaml @@ -456,6 +456,12 @@ server: # extraArgs is a string containing additional Vault server arguments. extraArgs: "" + # extraPorts is a list of extra ports. Specified as a YAML list. + # This is useful if you need to add additional ports to the statefulset in dynamic way. + extraPorts: null + # - containerPort: 8300 + # name: http-monitoring + # Used to define custom readinessProbe settings readinessProbe: enabled: true From f4f05aaa747cc49cddfb41c0dcd9fe24b3a0ed50 Mon Sep 17 00:00:00 2001 
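Review bot: The new `extraPorts` entry accepts any array (`"type": ["null", "array"]`) with no `items` constraint, so a values file whose entry has no `containerPort`, or has it as a string, passes Helm's values-schema validation and only fails when Kubernetes rejects the StatefulSet. This matches the loose typing of the neighbouring `extraContainers` entry, so it may be the file's convention; if tightening is wanted, `"items": {"type": "object", "required": ["containerPort"], "properties": {"containerPort": {"type": "integer"}, "name": {"type": "string"}}}` would catch the mistake at template time. If the schema is produced by the Makefile's `values-schema` target, the constraint would have to be applied to the generator's input rather than edited here by hand.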
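Review bot: The comment on the new `extraPorts` key says ports are added "in dynamic way" but not what shape each entry takes; since the template pastes the list verbatim into the container's `ports`, each item must be a Kubernetes ContainerPort object, and the comment should say so. Suggested wording: `# extraPorts is a list of Kubernetes ContainerPort objects (containerPort, name, protocol, hostPort ...)` followed by `# that are rendered verbatim into the Vault server container's ports list.` The commented example below the key (`containerPort: 8300` / `name: http-monitoring`) already shows the expected shape and can stay as is.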
From: Thy Ton Date: Mon, 27 Feb 2023 12:04:17 -0800 Subject: [PATCH 078/108] fix: remove k8s 1.16 from acceptance testing (#848) * remove 1.16 from the versions tested in .github/workflows/acceptance.yaml as kind no longer supports creating a k8s 1.16 cluster * update vault-helm's minimum support k8s version to 1.20 in README and Chart.yaml * refactor server-ingress's templating and unit tests applied to k8s versions < 1.20 --- .github/workflows/acceptance.yaml | 2 +- CHANGELOG.md | 3 +++ Chart.yaml | 2 +- README.md | 2 +- templates/server-ingress.yaml | 7 ------- test/unit/injector-disruptionbudget.bats | 2 +- test/unit/server-ha-disruptionbudget.bats | 2 +- test/unit/server-ingress.bats | 23 +++++------------------ 8 files changed, 13 insertions(+), 30 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 648616b35..395a0de30 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -7,7 +7,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] + kind-k8s-version: [1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/CHANGELOG.md b/CHANGELOG.md index 063fd0925..56b99a6e8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Changes: +* Earliest Kubernetes version tested is now 1.20 + Features: * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) diff --git a/Chart.yaml b/Chart.yaml index 55ebcf4bb..456b1a961 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -5,7 +5,7 @@ apiVersion: v2 name: vault version: 0.23.0 appVersion: 1.12.1 -kubeVersion: ">= 1.16.0-0" +kubeVersion: ">= 1.20.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/README.md b/README.md index c9971ff41..3d649447f 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ this README. Please refer to the Kubernetes and Helm documentation. The versions required are: * **Helm 3.6+** - * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.20+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index e77569072..662815308 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -61,19 +61,12 @@ spec: {{- end }} {{- range (.paths | default (list "/")) }} - path: {{ . }} - {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} pathType: {{ $pathType }} - {{ end }} backend: - {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} service: name: {{ $serviceName }} port: number: {{ $servicePort }} - {{ else }} - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{ end }} {{- end }} {{- end }} {{- end }} diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index 2f8f50aea..03fc738c0 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats @@ -36,7 +36,7 @@ load _helpers local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ --set 'injector.podDisruptionBudget.minAvailable=2' \ - --kube-version 1.19.5 \ + --kube-version 1.20.15 \ . | tee /dev/stderr | yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) [ "${actual}" = "true" ] 
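Review bot: With the `semverCompare ">= 1.19.0-0"` guards removed here, the backend is always rendered in the `networking.k8s.io/v1` shape (`service.name` / `port.number`), but the `apiVersion` selection earlier in this template sits outside the hunk; if it still falls back to `networking.k8s.io/v1beta1` or `extensions/v1beta1` for older `--kube-version` values, the chart now emits a v1beta1 Ingress carrying v1-only fields. Since this commit also raises `kubeVersion` to `>= 1.20.0-0` in Chart.yaml, that fallback is unreachable through `helm install`, but `helm template --kube-version 1.18.3` (the value the deleted tests used) would still take it. Dropping the version branches for `apiVersion` in the same change, leaving `apiVersion: networking.k8s.io/v1`, would keep the template internally consistent. The enclosing `range` blocks start outside the hunk.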
diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index c98bc660d..05b1f34d7 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -104,7 +104,7 @@ load _helpers --show-only templates/server-disruptionbudget.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.replicas=1' \ - --kube-version 1.19.5 \ + --kube-version 1.20.15 \ . | tee /dev/stderr | yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index aade5d57c..588d01a12 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -197,7 +197,7 @@ load _helpers [ "${actual}" = "release-name-vault" ] } -@test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" { +@test "server/ingress: k8s 1.20.15 uses correct service format when not ha - yaml" { cd `chart_dir` local actual=$(helm template \ @@ -206,9 +206,9 @@ load _helpers --set 'server.dev.enabled=false' \ --set 'server.ha.enabled=false' \ --set 'server.service.enabled=true' \ - --kube-version 1.18.3 \ + --kube-version 1.20.15 \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "release-name-vault" ] } 
@@ -227,32 +227,19 @@ load _helpers [ "${actual}" = "release-name-vault" ] } -@test "server/ingress: pathType is added to Kubernetes version == 1.19.0" { +@test "server/ingress: pathType is added to Kubernetes version == 1.20.15" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set server.ingress.pathType=ImplementationSpecific \ - --kube-version 1.19.0 \ + --kube-version 1.20.15 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) [ "${actual}" = "ImplementationSpecific" ] } -@test "server/ingress: pathType is not added to Kubernetes versions < 1.19" { - cd `chart_dir` - - local actual=$(helm template \ - --show-only templates/server-ingress.yaml \ - --set 'server.ingress.enabled=true' \ - --set server.ingress.pathType=ImplementationSpecific \ - --kube-version 1.18.3 \ - . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - @test "server/ingress: pathType is added to Kubernetes versions > 1.19" { cd `chart_dir` From 932891778f8e6c3a3d8ba495993e93540901aec5 Mon Sep 17 00:00:00 2001 From: Thy Ton Date: Thu, 16 Mar 2023 12:03:27 -0700 Subject: [PATCH 079/108] feat: make injector livenessProbe and readinessProbe configurable and add configurable startupProbe (#852) --- CHANGELOG.md | 1 + templates/injector-deployment.yaml | 30 ++++--- test/unit/injector-deployment.bats | 129 +++++++++++++++++++++++++++++ values.yaml | 37 +++++++++ 4 files changed, 187 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56b99a6e8..ef4ab5a08 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,7 @@ Changes: Features: * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) +* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) ## 0.23.0 (November 28th, 2022) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 9c16ed8dc..7e0101a41 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
@@ -130,21 +130,31 @@ spec: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 + failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }} readinessProbe: httpGet: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 + failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }} + startupProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }} + successThreshold: {{ .Values.injector.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} {{- if .Values.injector.certs.secretName }} volumeMounts: - name: webhook-certs diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 9d2271c46..3cfe7772e 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
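Review bot: The new `startupProbe` block is emitted unconditionally and none of the three probes has an on/off switch, whereas the server side of this chart gates its probe on `server.readinessProbe.enabled` (visible in the `extraPorts` change's values.yaml context and in server-statefulset.yaml); an operator who needs to drop one of the injector probes can only tune its numbers. Wrapping each block in `{{- if .Values.injector.<probe>.enabled }}` ... `{{- end }}` with `enabled: true` defaults would keep the default rendering byte-identical while matching the server convention. The three blocks differ only in the values key, so a small named template taking the probe name would also remove the fifteen near-duplicate lines. The `livenessProbe:` and `httpGet:` keys that open the first block are outside the hunk.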
@@ -275,6 +275,135 @@ load _helpers [ "${value}" = "auth/k8s" ] } +@test "injector/deployment: default livenessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set livenessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.livenessProbe.failureThreshold=100' \ + --set 'injector.livenessProbe.initialDelaySeconds=100' \ + --set 'injector.livenessProbe.periodSeconds=100' \ + --set 'injector.livenessProbe.successThreshold=100' \ + --set 'injector.livenessProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + +@test "injector/deployment: default readinessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "2" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set readinessProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.readinessProbe.failureThreshold=100' \ + --set 'injector.readinessProbe.initialDelaySeconds=100' \ + --set 'injector.readinessProbe.periodSeconds=100' \ + --set 'injector.readinessProbe.successThreshold=100' \ + --set 'injector.readinessProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + +@test "injector/deployment: default startupProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].startupProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "12" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "1" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "5" ] +} + +@test "injector/deployment: can set startupProbe settings" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.startupProbe.failureThreshold=100' \ + --set 'injector.startupProbe.initialDelaySeconds=100' \ + --set 'injector.startupProbe.periodSeconds=100' \ + --set 'injector.startupProbe.successThreshold=100' \ + --set 'injector.startupProbe.timeoutSeconds=100' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].startupProbe' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.failureThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.initialDelaySeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.periodSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.successThreshold' | tee /dev/stderr) + [ "${actual}" = "100" ] + local actual=$(echo "$object" | yq '.timeoutSeconds' | tee /dev/stderr) + [ "${actual}" = "100" ] +} + @test "injector/deployment: default logLevel" { cd `chart_dir` local object=$(helm template \ diff --git a/values.yaml b/values.yaml index 08e9f21f0..ac82a3170 100644 --- a/values.yaml +++ b/values.yaml 
@@ -93,6 +93,43 @@ injector: exitOnRetryFailure: true staticSecretRenderInterval: "" + # Used to define custom livenessProbe settings + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom readinessProbe settings + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom startupProbe settings + startupProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 12 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" From 2c4cd3a3c3ab9ef62a817e9c1a36daaedb446e9b Mon Sep 17 00:00:00 2001 
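Review bot: The diffstat for this commit lists no change to values.schema.json, although the earlier commits in this series that introduced `staticSecretRenderInterval` and `extraPorts` added their keys there; the new `injector.livenessProbe`, `injector.readinessProbe` and `injector.startupProbe` mappings therefore have no schema entries, so a value of the wrong type (a string where `periodSeconds` expects an integer) is not rejected by Helm's schema validation and surfaces only when the rendered Deployment is applied. If the schema is produced by the Makefile's `values-schema` target, regenerating it would close the gap; otherwise add the three objects with integer-typed properties by hand. Separately, `# Number of seconds after which the probe times out.` is the only one of the fifteen new comments ending in a period; dropping it keeps the comment style uniform.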
From: Theron Voran Date: Mon, 3 Apr 2023 16:44:13 -0700 Subject: [PATCH 080/108] Updating GHA and default Vault version (#863) Test with latest kind k8s versions 1.22-1.26. Remove support for old disruptionbudget and ingress APIs (pre 1.22). Pin all actions to SHAs, and use the common jira sync. Update the default Vault version to v1.13.1. Update chart-verifier used in tests to 1.10.1, also add an openshift name annotation to Chart.yaml (one of the required checks). --- .github/workflows/acceptance.yaml | 8 +-- .github/workflows/jira.yaml | 71 +++---------------- .../workflows/setup-test-tools/action.yaml | 4 +- .github/workflows/tests.yaml | 8 +-- CHANGELOG.md | 3 +- Chart.yaml | 6 +- Makefile | 2 +- README.md | 2 +- templates/injector-disruptionbudget.yaml | 2 +- templates/server-disruptionbudget.yaml | 2 +- templates/server-ingress.yaml | 8 +-- test/acceptance/server-ha-enterprise-dr.bats | 4 +- .../acceptance/server-ha-enterprise-perf.bats | 4 +- test/chart/verifier.bats | 17 +++-- test/unit/injector-disruptionbudget.bats | 15 +--- test/unit/server-ha-disruptionbudget.bats | 16 +---- test/unit/server-ingress.bats | 10 +-- values.openshift.yaml | 4 +- values.yaml | 4 +- 19 files changed, 59 insertions(+), 131 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 395a0de30..e3c28e3f7 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml 
@@ -7,19 +7,19 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] + kind-k8s-version: [1.22.17, 1.23.17, 1.24.12, 1.25.8, 1.26.3] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@v1.4.0 + uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.16.0 + version: v0.17.0 - run: bats --tap --timing ./test/acceptance env: diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index fc03b2188..ad6237c51 100644 --- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml @@ -1,3 +1,4 @@ +name: Jira Sync on: issues: types: [opened, closed, deleted, reopened] 
@@ -5,68 +6,12 @@ on: types: [opened, closed, reopened] issue_comment: # Also triggers when commenting on a PR from the conversation view types: [created] - -name: Jira Sync - jobs: sync: - runs-on: ubuntu-latest - name: Jira sync - steps: - - name: Login - uses: atlassian/gajira-login@v2.0.0 - env: - JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} - JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} - JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} - - - name: Preprocess - if: github.event.action == 'opened' || github.event.action == 'created' - id: preprocess - run: | - if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then - echo "::set-output name=type::PR" - else - echo "::set-output name=type::ISS" - fi - - - name: Create ticket - if: github.event.action == 'opened' - uses: tomhjp/gh-action-jira-create@v0.2.0 - with: - project: VAULT - issuetype: "GH Issue" - summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}" - description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_" - # customfield_10089 is Issue Link custom field - # customfield_10091 is team custom field - extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "foundations"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}' - - - name: Search - if: github.event.action != 'opened' - id: search - uses: tomhjp/gh-action-jira-search@v0.2.1 - with: - # cf[10089] is Issue Link custom field - jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' - - - name: Sync comment - if: github.event.action == 'created' && 
steps.search.outputs.issue - uses: tomhjp/gh-action-jira-comment@v0.2.0 - with: - issue: ${{ steps.search.outputs.issue }} - comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}" - - - name: Close ticket - if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue - uses: atlassian/gajira-transition@v2.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: Closed - - - name: Reopen ticket - if: github.event.action == 'reopened' && steps.search.outputs.issue - uses: atlassian/gajira-transition@v2.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: "Pending Triage" + uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main + secrets: + JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} + JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} + JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} + with: + teams-array: '["ecosystem", "foundations"]' diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml index 8c69e3db8..7683deb7d 100644 --- a/.github/workflows/setup-test-tools/action.yaml +++ b/.github/workflows/setup-test-tools/action.yaml @@ -4,7 +4,7 @@ description: Install bats and python-yq runs: using: "composite" steps: - - uses: actions/setup-node@v2 + - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: '16' - run: npm install -g bats@${BATS_VERSION} @@ -13,7 +13,7 @@ runs: BATS_VERSION: '1.8.2' - run: bats -v shell: bash - - uses: actions/setup-python@v4 + - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0 with: python-version: '3.10' - run: pip install yq diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index bcabd1d64..5bfd153ae 100644 
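Review bot: The replacement job calls `hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main` and hands it `JIRA_SYNC_BASE_URL`, `JIRA_SYNC_USER_EMAIL` and `JIRA_SYNC_API_TOKEN`, while the commit description says all actions are being pinned to SHAs and the other workflows in this change pin `actions/checkout`, `helm/kind-action`, `actions/setup-node`, `actions/setup-python` and `actions/setup-go` that way. A `@main` reference is a mutable pointer, so whatever that branch contains at run time receives the Jira credentials; pinning the reusable workflow the same way as the actions, `uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@<commit-sha>  # <tag>` (placeholders), gives the same review guarantee. If the common repository is deliberately tracked at `main` so that Jira field changes roll out without a chart-side PR, a comment on the `uses:` line stating that trade-off would stop the next reviewer from raising it again. The `on:` block that starts this workflow is outside the hunk.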
--- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -6,19 +6,19 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - uses: ./.github/workflows/setup-test-tools - run: bats --tap --timing ./test/unit chart-verifier: runs-on: ubuntu-latest env: - CHART_VERIFIER_VERSION: '1.2.1' + CHART_VERIFIER_VERSION: '1.10.1' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@v3 + - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.19.2' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} diff --git a/CHANGELOG.md b/CHANGELOG.md index ef4ab5a08..3a1357f04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,8 @@ ## Unreleased Changes: -* Earliest Kubernetes version tested is now 1.20 +* Earliest Kubernetes version tested is now 1.22 +* `vault` updated to 1.13.1 Features: * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) diff --git a/Chart.yaml b/Chart.yaml index 456b1a961..d74782ba1 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -4,8 +4,8 @@ apiVersion: v2 name: vault version: 0.23.0 -appVersion: 1.12.1 -kubeVersion: ">= 1.20.0-0" +appVersion: 1.13.1 +kubeVersion: ">= 1.22.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png @@ -15,3 +15,5 @@ sources: - https://github.com/hashicorp/vault-helm - https://github.com/hashicorp/vault-k8s - https://github.com/hashicorp/vault-csi-provider +annotations: + charts.openshift.io/name: HashiCorp Vault 
diff --git a/Makefile b/Makefile index e423f3529..560022064 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ LOCAL_ACCEPTANCE_TESTS?=false KIND_CLUSTER_NAME?=vault-helm # kind k8s version -KIND_K8S_VERSION?=v1.25.0 +KIND_K8S_VERSION?=v1.26.3 # Generate json schema for chart values. See test/README.md for more details. values-schema: diff --git a/README.md b/README.md index 3d649447f..6e7014360 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ this README. Please refer to the Kubernetes and Helm documentation. The versions required are: * **Helm 3.6+** - * **Kubernetes 1.20+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml index 5862977ec..6ae714bae 100644 --- a/templates/injector-disruptionbudget.yaml +++ b/templates/injector-disruptionbudget.yaml @@ -4,7 +4,7 @@ SPDX-License-Identifier: MPL-2.0 */}} {{- if .Values.injector.podDisruptionBudget }} -apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }}-agent-injector diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index c823a4206..3ff11099b 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml 
@@ -9,7 +9,7 @@ SPDX-License-Identifier: MPL-2.0 {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. -apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 662815308..3aba66885 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -17,13 +17,7 @@ SPDX-License-Identifier: MPL-2.0 {{- $servicePort := .Values.server.service.port -}} {{- $pathType := .Values.server.ingress.pathType -}} {{- $kubeVersion := .Capabilities.KubeVersion.Version }} -{{ if semverCompare ">= 1.19.0-0" $kubeVersion }} apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end }} kind: Ingress metadata: name: {{ template "vault.fullname" . }} @@ -72,4 +66,4 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 11effe99c..911cf8dfe 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
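Review bot: After this hunk removes the only visible consumer of `$kubeVersion`, the assignment `{{- $kubeVersion := .Capabilities.KubeVersion.Version }}` that remains in context directly above `apiVersion: networking.k8s.io/v1` appears to be dead; Go templates do not flag unused variables, so it will linger silently. Unless it is still referenced further down in the template (outside this hunk), delete that line together with the removed branches. The file's second hunk only adds the missing trailing newline.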
@@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 7eaf0ccf0..c63f76368 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index 63c793951..6d35f690a 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats 
@@ -6,9 +6,9 @@ setup_file() { cd `chart_dir` export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" export CHART_VOLUME=vault-helm-chart-src - local IMAGE="quay.io/redhat-certification/chart-verifier:1.2.1" + local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1" # chart-verifier requires an openshift version if a cluster isn't available - local OPENSHIFT_VERSION="4.8" + local OPENSHIFT_VERSION="4.12" local DISABLED_TESTS="chart-testing" local run_cmd="chart-verifier" @@ -40,7 +40,7 @@ teardown_file() { } @test "has-kubeversion" { - check_result v1.0/has-kubeversion + check_result v1.1/has-kubeversion } @test "is-helm-v3" { @@ -76,10 +76,19 @@ teardown_file() { } @test "images-are-certified" { - check_result v1.0/images-are-certified + check_result v1.1/images-are-certified +} + +@test "required-annotations-present" { + check_result v1.0/required-annotations-present } @test "chart-testing" { skip "Skipping since this test requires a kubernetes/openshift cluster" check_result v1.0/chart-testing } + +@test "signature-is-valid" { + skip "Chart is not signed : Signature verification not required" + check_result v1.0/signature-is-valid +} diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index 03fc738c0..72be93fcc 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats 
@@ -31,18 +31,7 @@ load _helpers
 [ "${actual}" = "true" ]
 }
-@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" {
- cd `chart_dir`
- local actual=$(helm template \
- --show-only templates/injector-disruptionbudget.yaml \
- --set 'injector.podDisruptionBudget.minAvailable=2' \
- --kube-version 1.20.15 \
- . | tee /dev/stderr |
- yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" {
+@test "injector/DisruptionBudget: apiVersion is set correctly >= version 1.21 of kube" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/injector-disruptionbudget.yaml \
@@ -51,4 +40,4 @@ load _helpers
 . | tee /dev/stderr |
 yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
 [ "${actual}" = "true" ]
-}
\ No newline at end of file
+}
diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats
index 05b1f34d7..4cb3ae63b 100755
--- a/test/unit/server-ha-disruptionbudget.bats
+++ b/test/unit/server-ha-disruptionbudget.bats
@@ -98,19 +98,7 @@ load _helpers
 [ "${actual}" = "2" ]
 }
-@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" {
- cd `chart_dir`
- local actual=$(helm template \
- --show-only templates/server-disruptionbudget.yaml \
- --set 'server.ha.enabled=true' \
- --set 'server.ha.replicas=1' \
- --kube-version 1.20.15 \
- . | tee /dev/stderr |
- yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" {
+@test "server/DisruptionBudget: apiVersion is set correctly >= version 1.21 of kube" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/server-disruptionbudget.yaml \
@@ -120,4 +108,4 @@ load _helpers
 . | tee /dev/stderr |
 yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
 [ "${actual}" = "true" ]
-}
\ No newline at end of file
+}
diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats
index 588d01a12..0cc5b266c 100755
--- a/test/unit/server-ingress.bats
+++ b/test/unit/server-ingress.bats
@@ -197,7 +197,7 @@ load _helpers
 [ "${actual}" = "release-name-vault" ]
 }
-@test "server/ingress: k8s 1.20.15 uses correct service format when not ha - yaml" {
+@test "server/ingress: k8s 1.26.3 uses correct service format when not ha - yaml" {
 cd `chart_dir`
 local actual=$(helm template \
@@ -206,7 +206,7 @@ load _helpers
 --set 'server.dev.enabled=false' \
 --set 'server.ha.enabled=false' \
 --set 'server.service.enabled=true' \
- --kube-version 1.20.15 \
+ --kube-version 1.26.3 \
 . | tee /dev/stderr |
 yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
 [ "${actual}" = "release-name-vault" ]
@@ -227,14 +227,14 @@ load _helpers
 [ "${actual}" = "release-name-vault" ]
 }
-@test "server/ingress: pathType is added to Kubernetes version == 1.20.15" {
+@test "server/ingress: pathType is added to Kubernetes version == 1.26.3" {
 cd `chart_dir`
 local actual=$(helm template \
 --show-only templates/server-ingress.yaml \
 --set 'server.ingress.enabled=true' \
 --set server.ingress.pathType=ImplementationSpecific \
- --kube-version 1.20.15 \
+ --kube-version 1.26.3 \
 . | tee /dev/stderr |
 yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr)
 [ "${actual}" = "ImplementationSpecific" ]
@@ -247,7 +247,7 @@ load _helpers
 --show-only templates/server-ingress.yaml \
 --set 'server.ingress.enabled=true' \
 --set server.ingress.pathType=Prefix \
- --kube-version 1.20.0 \
+ --kube-version 1.26.3 \
 . | tee /dev/stderr |
 yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr)
 [ "${actual}" = "Prefix" ]
diff --git a/values.openshift.yaml b/values.openshift.yaml
index 13a7463b2..88521a16b 100644
--- a/values.openshift.yaml
+++ b/values.openshift.yaml
@@ -13,9 +13,9 @@ injector:
 agentImage:
 repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.12.1-ubi"
+ tag: "1.13.1-ubi"
 server:
 image:
 repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.12.1-ubi"
+ tag: "1.13.1-ubi"
diff --git a/values.yaml b/values.yaml
index ac82a3170..08b1ad1e1 100644
--- a/values.yaml
+++ b/values.yaml
@@ -73,7 +73,7 @@ injector:
 # required.
 agentImage:
 repository: "hashicorp/vault"
- tag: "1.12.1"
+ tag: "1.13.1"
 # The default values for the injected Vault Agent containers.
 agentDefaults:
@@ -372,7 +372,7 @@ server:
 image:
 repository: "hashicorp/vault"
- tag: "1.12.1"
+ tag: "1.13.1"
 # Overrides the default Image Pull Policy
 pullPolicy: IfNotPresent
From 9f189801a6317350bb61b1c49ceaa7e703524137 Mon Sep 17 00:00:00 2001
From: Bhargav Akhani <47673253+bhargav2427@users.noreply.github.com>
Date: Tue, 4 Apr 2023 19:47:24 +0530
Subject: [PATCH 081/108] Add portnumber (#831)
* Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset.
Co-authored-by: Kyle Schochenmaier
---
 templates/server-statefulset.yaml | 4 ++--
 test/unit/server-statefulset.bats | 27 +++++++++++++++++++++++++++
 values.yaml | 4 ++++
 3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index d7a34acb6..7ab7de8e2 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -156,7 +156,7 @@ spec:
 {{- if .Values.server.readinessProbe.path }}
 httpGet:
 path: {{ .Values.server.readinessProbe.path | quote }}
- port: 8200
+ port: {{ .Values.server.readinessProbe.port }}
 scheme: {{ include "vault.scheme" . | upper }}
 {{- else }}
 # Check status; unsealed vault servers return 0
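Review bot: `port: {{ .Values.server.readinessProbe.port }}` gets no entry in values.schema.json in this commit (the diffstat lists only the template, the bats file and values.yaml), while the `csi.agent` values added later on this page ship with one; if that schema enumerates the probe properties, `--set server.readinessProbe.port=8201` would fail validation before the template is even rendered. The livenessProbe hunk that follows has the same gap. The new bats tests further down only assert the default `8200`, so one more case that sets a non-default port and expects it in `httpGet.port` would prove the value is wired through rather than still hard-coded.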
@@ -177,7 +177,7 @@ spec:
 livenessProbe:
 httpGet:
 path: {{ .Values.server.livenessProbe.path | quote }}
- port: 8200
+ port: {{ .Values.server.livenessProbe.port }}
 scheme: {{ include "vault.scheme" . | upper }}
 failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
 initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index e56ce8449..510c888d4 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -1829,3 +1829,30 @@ load _helpers
 yq -r '.name' | tee /dev/stderr)
 [ "${actual}" = "foo" ]
 }
+
+#--------------------------------------------------------------------
+# readinessProbe
+
+@test "server/StatefulSet: server.readinessProbe.port is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.readinessProbe.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].readinessProbe.httpGet.port' | tee /dev/stderr)
+ [ "${actual}" = "8200" ]
+}
+
+
+#--------------------------------------------------------------------
+# livenessProbe
+
+@test "server/StatefulSet: server.livenessProbe.port is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.livenessProbe.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.port' | tee /dev/stderr)
+ [ "${actual}" = "8200" ]
+}
diff --git a/values.yaml b/values.yaml
index 08b1ad1e1..e59992719 100644
--- a/values.yaml
+++ b/values.yaml
@@ -505,6 +505,8 @@ server:
 # If you need to use a http path instead of the default exec
 # path: /v1/sys/health?standbyok=true
+ # Port number on which readinessProbe will be checked.
+ port: 8200
 # When a probe fails, Kubernetes will try failureThreshold times before giving up
 failureThreshold: 2
 # Number of seconds after the container has started before probe initiates
@@ -519,6 +521,8 @@ server:
 livenessProbe:
 enabled: false
 path: "/v1/sys/health?standbyok=true"
+ # Port nuumber on which livenessProbe will be checked.
+ port: 8200
 # When a probe fails, Kubernetes will try failureThreshold times before giving up
 failureThreshold: 2
 # Number of seconds after the container has started before probe initiates
From fc7d4326fcc5bbaa1b42aa4120d01d39e64e75a5 Mon Sep 17 00:00:00 2001
From: Kyle Schochenmaier
Date: Tue, 4 Apr 2023 10:21:42 -0500
Subject: [PATCH 082/108] Add changelog for #831 (#867)
* Add changelog for #831
* fixes bats test
---
 CHANGELOG.md | 1 +
 test/unit/server-statefulset.bats | 1 +
 2 files changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a1357f04..3a1dbf082 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ Changes:
 Features:
 * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
+* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831)
 * injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852)
 ## 0.23.0 (November 28th, 2022)
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 510c888d4..67cde811b 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
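Review bot: `# Port nuumber on which livenessProbe will be checked.` has a typo; `# Port number on which livenessProbe will be checked.`. Both new comments would also be clearer if they said this is the container port the kubelet probes directly, which is unrelated to `server.service.port`, since readers who customise the Service port may otherwise assume the two must match.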
@@ -1838,6 +1838,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-statefulset.yaml \
 --set 'server.readinessProbe.enabled=true' \
+ --set 'server.readinessProbe.path=foo' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.containers[0].readinessProbe.httpGet.port' | tee /dev/stderr)
 [ "${actual}" = "8200" ]
From 0fe916481c86aa97f521cf88879fa38a6946e7b5 Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Thu, 6 Apr 2023 19:45:10 +0100
Subject: [PATCH 083/108] Add Vault Agent sidecar to CSI Provider (#749)
Adds Agent as a sidecar for the CSI Provider to:
* Cache k8s auth login leases
* Cache secret leases
* Automatically renew renewable leases in the background
---
 CHANGELOG.md | 1 +
 templates/_helpers.tpl | 10 +
 templates/csi-agent-configmap.yaml | 29 +++
 templates/csi-daemonset.yaml | 67 +++++--
 .../vault-kv-secretproviderclass.yaml | 3 +-
 test/acceptance/csi.bats | 38 +++-
 test/unit/csi-agent-configmap.bats | 45 +++++
 test/unit/csi-daemonset.bats | 182 +++++++++++++-----
 values.schema.json | 34 ++++
 values.yaml | 23 ++-
 10 files changed, 366 insertions(+), 66 deletions(-)
 create mode 100644 templates/csi-agent-configmap.yaml
 create mode 100644 test/unit/csi-agent-configmap.bats
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a1dbf082..823fb5640 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
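Review bot: The added `--set 'server.readinessProbe.path=foo'` is what makes `httpGet.port` exist at all, because the statefulset template only emits `httpGet` when `readinessProbe.path` is set and uses the exec status check otherwise; without an explanation the line reads as noise and is easy to drop in a later cleanup. A one-line comment above it, `# httpGet is only rendered when a readinessProbe.path is set`, keeps that intent with the test. The enclosing test starts outside the hunk.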
@@ -8,6 +8,7 @@ Features:
 * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
 * server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831)
 * injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852)
+* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
 ## 0.23.0 (November 28th, 2022)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index dcfcbb8b8..4b6baf10e 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -778,6 +778,16 @@ Sets the container resources if the user has set any.
 {{ end }}
 {{- end -}}
+{{/*
+Sets the container resources for CSI's Agent sidecar if the user has set any.
+*/}}
+{{- define "csi.agent.resources" -}}
+ {{- if .Values.csi.agent.resources -}}
+ resources:
+{{ toYaml .Values.csi.agent.resources | indent 12}}
+ {{ end }}
+{{- end -}}
+
 {{/*
 Sets extra CSI daemonset annotations
 */}}
diff --git a/templates/csi-agent-configmap.yaml b/templates/csi-agent-configmap.yaml
new file mode 100644
index 000000000..cb373f833
--- /dev/null
+++ b/templates/csi-agent-configmap.yaml
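Review bot: `{{ toYaml .Values.csi.agent.resources | indent 12}}` is missing the space before the closing delimiter that every other action in this define has; `{{ toYaml .Values.csi.agent.resources | indent 12 }}`. The hard-coded `indent 12` is only correct while the agent container sits at the same nesting level as the provider container in csi-daemonset.yaml, so a short note inside the define, `{{/* indent 12 matches the container nesting in csi-daemonset.yaml */}}`, would stop it silently drifting when that template is reshaped.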
@@ -0,0 +1,29 @@
+{{- template "vault.csiEnabled" . -}}
+{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider-agent-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ helm.sh/chart: {{ include "vault.chart" . }}
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+ config.hcl: |
+ vault {
+ {{- if .Values.global.externalVaultAddr }}
+ "address" = "{{ .Values.global.externalVaultAddr }}"
+ {{- else }}
+ "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}"
+ {{- end }}
+ }
+
+ cache {}
+
+ listener "unix" {
+ address = "/var/run/vault/agent.sock"
+ tls_disable = true
+ }
+{{- end }}
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
index e38cc47d5..0285a0cbb 100644
--- a/templates/csi-daemonset.yaml
+++ b/templates/csi-daemonset.yaml
@@ -55,11 +55,13 @@ spec:
 - --endpoint=/provider/vault.sock
 - --debug={{ .Values.csi.debug }}
 {{- if .Values.csi.extraArgs }}
- {{- toYaml .Values.csi.extraArgs | nindent 12 }}
+ {{- toYaml .Values.csi.extraArgs | nindent 12 }}
 {{- end }}
 env:
 - name: VAULT_ADDR
- {{- if .Values.global.externalVaultAddr }}
+ {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+ value: "unix:///var/run/vault/agent.sock"
+ {{- else if .Values.global.externalVaultAddr }}
 value: "{{ .Values.global.externalVaultAddr }}"
 {{- else }}
 value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
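Review bot: The `vault` block writes its attribute as `"address" = ...` with a quoted key while the `listener "unix"` block below writes `address = ...`; Vault's HCL parser accepts both, but one form per file reads and greps better, and the unquoted one is what the Vault docs use. The socket path `/var/run/vault/agent.sock` must stay in step with the `agent-unix-socket` mount at `/var/run/vault` in csi-daemonset.yaml, and `tls_disable = true` is only acceptable because this listener is a pod-local Unix socket; a comment on the listener, `# pod-local Unix socket shared with the provider via the agent-unix-socket emptyDir; TLS is not needed on it, do not copy this to a TCP listener`, records both constraints next to the setting. With no `auto_auth` block, the cache can presumably only serve requests using the token the provider presents on each call (the cached `/v1/auth/kubernetes/login` log line the acceptance test waits for fits that), which is worth a line so nobody adds auto-auth expecting it to be consulted.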
@@ -67,9 +69,10 @@ spec:
 volumeMounts:
 - name: providervol
 mountPath: "/provider"
- - name: mountpoint-dir
- mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
- mountPropagation: HostToContainer
+ {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+ - name: agent-unix-socket
+ mountPath: /var/run/vault
+ {{- end }}
 {{- if .Values.csi.volumeMounts }}
 {{- toYaml .Values.csi.volumeMounts | nindent 12}}
 {{- end }}
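Review bot: Dropping the `mountpoint-dir` mount here, and its hostPath volume in the next hunk, leaves `csi.daemonSet.kubeletRootDir` with no consumer in this template, yet the values.yaml hunk of this commit only bumps the provider tag and adds the `agent` block, so the key presumably still exists in values.yaml and values.schema.json as a dead knob; either remove it there or mark its comment deprecated so users stop setting it. The deletion of the two kubeletRootDir unit tests in the csi-daemonset.bats hunk matches this removal. Losing the hostPath into the kubelet pods directory also narrows the provider's host access, which deserves a mention in the release notes since it is a behaviour change, not just a refactor.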
@@ -91,15 +94,57 @@ spec:
 periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
 successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
 timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
+ {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+ - name: {{ include "vault.name" . }}-agent
+ image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
+ imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
+ {{ template "csi.agent.resources" . }}
+ command:
+ - vault
+ args:
+ - agent
+ - -config=/etc/vault/config.hcl
+ {{- if .Values.csi.agent.extraArgs }}
+ {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }}
+ {{- end }}
+ ports:
+ - containerPort: 8200
+ env:
+ - name: VAULT_LOG_LEVEL
+ value: "{{ .Values.csi.agent.logLevel }}"
+ - name: VAULT_LOG_FORMAT
+ value: "{{ .Values.csi.agent.logFormat }}"
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 100
+ runAsGroup: 1000
+ volumeMounts:
+ - name: agent-config
+ mountPath: /etc/vault/config.hcl
+ subPath: config.hcl
+ readOnly: true
+ - name: agent-unix-socket
+ mountPath: /var/run/vault
+ {{- if .Values.csi.volumeMounts }}
+ {{- toYaml .Values.csi.volumeMounts | nindent 12 }}
+ {{- end }}
+ {{- end }}
 volumes:
 - name: providervol
 hostPath:
 path: {{ .Values.csi.daemonSet.providersDir }}
- - name: mountpoint-dir
- hostPath:
- path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
- {{- if .Values.csi.volumes }}
- {{- toYaml .Values.csi.volumes | nindent 8}}
- {{- end }}
+ {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+ - name: agent-config
+ configMap:
+ name: {{ template "vault.fullname" . }}-csi-provider-agent-config
+ - name: agent-unix-socket
+ emptyDir:
+ medium: Memory
+ {{- end }}
+ {{- if .Values.csi.volumes }}
+ {{- toYaml .Values.csi.volumes | nindent 8}}
+ {{- end }}
 {{- include "imagePullSecrets" . | nindent 6 }}
 {{- end }}
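Review bot: `ports: - containerPort: 8200` on the agent container advertises a TCP port that nothing listens on, because the config map in this commit defines only a `listener "unix"`; either drop the `ports` entry or annotate it, `# informational only: the agent serves on the unix socket, not TCP`, so it is not mistaken for an exposed Vault API. The `securityContext` is a good baseline but could also drop all capabilities and set a `RuntimeDefault` seccomp profile, which the sidecar has no reason to need and which is what the restricted Pod Security Standard expects. Mounting `.Values.csi.volumeMounts` into the agent as well appears intentional, given the values.yaml comment that `csi.volumes` are made available to all containers, but a one-line comment on that block saying so would keep it from being read as a copy-paste leftover.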
diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
index b9470fe29..d52fab1bc 100644
--- a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
+++ b/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: MPL-2.0
 # The "Hello World" Vault SecretProviderClass
-apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
 name: vault-kv
@@ -10,7 +10,6 @@ spec:
 provider: vault
 parameters:
 roleName: "kv-role"
- vaultAddress: http://vault:8200
 objects: |
 - objectName: "bar"
 secretPath: "secret/data/kv1"
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
index ea164f7dd..2d7ba8de9 100644
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@@ -9,19 +9,28 @@ load _helpers
 kubectl create namespace acceptance
 # Install Secrets Store CSI driver
- CSI_DRIVER_VERSION=1.0.0
- helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
+ # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly
+ # so we can see Agent's cache working.
+ CSI_DRIVER_VERSION=1.3.2
+ helm install secrets-store-csi-driver secrets-store-csi-driver \
+ --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
+ --version=$(CSI_DRIVER_VERSION) \
 --wait --timeout=5m \
 --namespace=acceptance \
 --set linux.image.pullPolicy="IfNotPresent" \
- --set syncSecret.enabled=true
+ --set tokenRequests[0].audience="vault" \
+ --set enableSecretRotation=true \
+ --set rotationPollInterval=5s
 # Install Vault and Vault provider
 helm install vault \
 --wait --timeout=5m \
 --namespace=acceptance \
 --set="server.dev.enabled=true" \
 --set="csi.enabled=true" \
- --set="injector.enabled=false" .
+ --set="csi.debug=true" \
+ --set="csi.agent.logLevel=debug" \
+ --set="injector.enabled=false" \
+ .
 kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
 kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider
@@ -29,10 +38,7 @@ load _helpers
 cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy -
 kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes
 kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
- token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
- kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
- kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
- disable_iss_validation=true'
+ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
 kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
 bound_service_account_names=nginx \
 bound_service_account_namespaces=acceptance \
@@ -46,6 +52,22 @@ load _helpers
 result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
 [[ "$result" == "hello1" ]]
+
+ for i in $(seq 10); do
+ sleep 2
+ if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "returning cached response: path=/v1/auth/kubernetes/login")" ]; then
+ echo "Agent returned a cached login response"
+ return
+ fi
+
+ echo "Waiting for a cached response from Agent..."
+ done
+
+ # Print the logs and fail the test
+ echo "Failed to find a log for a cached Agent response"
+ kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent
+ kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider
+ exit 1
 }
 # Clean up
diff --git a/test/unit/csi-agent-configmap.bats b/test/unit/csi-agent-configmap.bats
new file mode 100644
index 000000000..4ae4a30b8
--- /dev/null
+++ b/test/unit/csi-agent-configmap.bats
@@ -0,0 +1,45 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "csi/Agent-ConfigMap: disabled by default" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/csi-agent-configmap.yaml \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "csi/Agent-ConfigMap: name" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-agent-configmap.yaml \
+ --set "csi.enabled=true" \
+ . | tee /dev/stderr |
+ yq -r '.metadata.name' | tee /dev/stderr)
+ [ "${actual}" = "release-name-vault-csi-provider-agent-config" ]
+}
+
+@test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-agent-configmap.yaml \
+ --set "csi.enabled=true" \
+ --release-name not-external-test \
+ --set 'injector.externalVaultAddr=http://vault-outside' \
+ . | tee /dev/stderr |
+ yq -r '.data["config.hcl"]' | tee /dev/stderr)
+ echo "${actual}" | grep "http://not-external-test-vault.default.svc:8200"
+}
+
+@test "csi/Agent-ConfigMap: Vault addr correctly set for externalVaultAddr" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-agent-configmap.yaml \
+ --set "csi.enabled=true" \
+ --set 'global.externalVaultAddr=http://vault-outside' \
+ . | tee /dev/stderr |
+ yq -r '.data["config.hcl"]' | tee /dev/stderr)
+ echo "${actual}" | grep "http://vault-outside"
+}
\ No newline at end of file
diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats
index 0da308b67..76c74b37f 100644
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
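Review bot: `disabled by default` passes only because `csi.enabled` defaults to false; nothing in this file renders with `csi.enabled=true` and `csi.agent.enabled=false`, so the `and` in the template's guard is never exercised, and a fourth case with both flags expecting empty output would cover it. The new tests appended to csi-daemonset.bats in this commit have the same gap: no case asserts a single container and no `agent-config`/`agent-unix-socket` volumes when the sidecar is switched off. Both files also end without a trailing newline, which the disruption-budget commits earlier on this page are cleaning up elsewhere.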
@@ -65,24 +65,32 @@ load _helpers
 }
 # Image
-@test "csi/daemonset: image is configurable" {
+@test "csi/daemonset: images are configurable" {
 cd `chart_dir`
- local actual=$(helm template \
+ local object=$(helm template \
 --show-only templates/csi-daemonset.yaml \
 --set "csi.enabled=true" \
- --set "csi.image.repository=SomeOtherImage" \
+ --set "csi.image.repository=Image1" \
 --set "csi.image.tag=0.0.1" \
+ --set "csi.image.pullPolicy=PullPolicy1" \
+ --set "csi.agent.image.repository=Image2" \
+ --set "csi.agent.image.tag=0.0.2" \
+ --set "csi.agent.image.pullPolicy=PullPolicy2" \
 . | tee /dev/stderr |
- yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
- [ "${actual}" = "SomeOtherImage:0.0.1" ]
+ yq -r '.spec.template.spec.containers' | tee /dev/stderr)
- local actual=$(helm template \
- --show-only templates/csi-daemonset.yaml \
- --set "csi.enabled=true" \
- --set "csi.image.pullPolicy=SomePullPolicy" \
- . | tee /dev/stderr |
- yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr)
- [ "${actual}" = "SomePullPolicy" ]
+ local actual=$(echo $object |
+ yq -r '.[0].image' | tee /dev/stderr)
+ [ "${actual}" = "Image1:0.0.1" ]
+ local actual=$(echo $object |
+ yq -r '.[0].imagePullPolicy' | tee /dev/stderr)
+ [ "${actual}" = "PullPolicy1" ]
+ local actual=$(echo $object |
+ yq -r '.[1].image' | tee /dev/stderr)
+ [ "${actual}" = "Image2:0.0.2" ]
+ local actual=$(echo $object |
+ yq -r '.[1].imagePullPolicy' | tee /dev/stderr)
+ [ "${actual}" = "PullPolicy2" ]
 }
 @test "csi/daemonset: Custom imagePullSecrets" {
@@ -379,21 +387,6 @@ load _helpers
 [ "${actual}" = "/etc/kubernetes/secrets-store-csi-providers" ]
 }
-@test "csi/daemonset: csi kubeletRootDir default" {
- cd `chart_dir`
-
- # Test that it defines it
- local object=$(helm template \
- --show-only templates/csi-daemonset.yaml \
- --set 'csi.enabled=true' \
- . | tee /dev/stderr |
- yq -r '.spec.template.spec.volumes[] | select(.name == "mountpoint-dir")' | tee /dev/stderr)
-
- local actual=$(echo $object |
- yq -r '.hostPath.path' | tee /dev/stderr)
- [ "${actual}" = "/var/lib/kubelet/pods" ]
-}
-
 @test "csi/daemonset: csi providersDir override " {
 cd `chart_dir`
@@ -410,22 +403,6 @@ load _helpers
 [ "${actual}" = "/alt/csi-prov-dir" ]
 }
-@test "csi/daemonset: csi kubeletRootDir override" {
- cd `chart_dir`
-
- # Test that it defines it
- local object=$(helm template \
- --show-only templates/csi-daemonset.yaml \
- --set 'csi.enabled=true' \
- --set 'csi.daemonSet.kubeletRootDir=/alt/kubelet-root' \
- . | tee /dev/stderr |
- yq -r '.spec.template.spec.volumes[] | select(.name == "mountpoint-dir")' | tee /dev/stderr)
-
- local actual=$(echo $object |
- yq -r '.hostPath.path' | tee /dev/stderr)
- [ "${actual}" = "/alt/kubelet-root/pods" ]
-}
-
 #--------------------------------------------------------------------
 # volumeMounts
@@ -564,11 +541,39 @@ load _helpers
 [ "${actual}" = "14" ]
 }
+@test "csi/daemonset: VAULT_ADDR defaults to Agent unix socket" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/csi-daemonset.yaml \
+ --set 'csi.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local value=$(echo $object |
+ yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = "unix:///var/run/vault/agent.sock" ]
+}
+
+@test "csi/daemonset: VAULT_ADDR remains pointed to Agent unix socket if external Vault" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/csi-daemonset.yaml \
+ --set 'csi.enabled=true' \
+ --set 'global.externalVaultAddr=http://vault-outside' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local value=$(echo $object |
+ yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = "unix:///var/run/vault/agent.sock" ]
+}
+
 @test "csi/daemonset: with only injector.externalVaultAddr" {
 cd `chart_dir`
 local object=$(helm template \
 --show-only templates/csi-daemonset.yaml \
 --set 'csi.enabled=true' \
+ --set 'csi.agent.enabled=false' \
 --release-name not-external-test \
 --set 'injector.externalVaultAddr=http://vault-outside' \
 . | tee /dev/stderr |
@@ -584,6 +589,7 @@ load _helpers
 local object=$(helm template \
 --show-only templates/csi-daemonset.yaml \
 --set 'csi.enabled=true' \
+ --set 'csi.agent.enabled=false' \
 --set 'global.externalVaultAddr=http://vault-outside' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
@@ -648,3 +654,93 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr)
 [ "${actual}" = "bar" ]
 }
+
+#--------------------------------------------------------------------
+# Agent sidecar configurables
+
+@test "csi/daemonset: Agent sidecar enabled by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-daemonset.yaml \
+ --set 'csi.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers | length' | tee /dev/stderr)
+ [ "${actual}" = "2" ]
+}
+
+@test "csi/daemonset: Agent sidecar can pass extra args" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-daemonset.yaml \
+ --set 'csi.enabled=true' \
+ --set 'csi.agent.extraArgs[0]=-config=extra-config.hcl' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].args[2]' | tee /dev/stderr)
+ [ "${actual}" = "-config=extra-config.hcl" ]
+}
+
+@test "csi/daemonset: Agent log level settable" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/csi-daemonset.yaml \
+ --set 'csi.enabled=true' \
+ --set 'csi.agent.logLevel=error' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)
+
+ local value=$(echo $object |
+ yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = "error" ]
+}
+
+@test "csi/daemonset: Agent log format settable" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/csi-daemonset.yaml \
+ --set 'csi.enabled=true' \
+ --set 'csi.agent.logFormat=json' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)
+
+ local value=$(echo $object |
+ yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = "json" ]
+}
+
+@test "csi/daemonset: Agent default resources" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/csi-daemonset.yaml \
+ --set 'csi.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].resources' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+}
+
+@test "csi/daemonset: Agent custom resources" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/csi-daemonset.yaml \
+ --set 'csi.enabled=true' \
+ --set 'csi.agent.resources.requests.memory=256Mi' \
+ --set 'csi.agent.resources.requests.cpu=250m' \
+ --set 'csi.agent.resources.limits.memory=512Mi' \
+ --set 'csi.agent.resources.limits.cpu=500m' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].resources' | tee /dev/stderr)
+ local value=$(echo $object |
+ yq -r '.requests.memory' | tee /dev/stderr)
+ [ "${value}" = "256Mi" ]
+
+ local value=$(echo $object |
+ yq -r '.requests.cpu' | tee /dev/stderr)
+ [ "${value}" = "250m" ]
+
+ local value=$(echo $object |
+ yq -r '.limits.memory' | tee /dev/stderr)
+ [ "${value}" = "512Mi" ]
+
+ local value=$(echo $object |
+ yq -r '.limits.cpu' | tee /dev/stderr)
+ [ "${value}" = "500m" ]
+}
\ No newline at end of file
diff --git a/values.schema.json b/values.schema.json
index c52c20088..44980e169 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -5,6 +5,40 @@
 "csi": {
 "type": "object",
 "properties": {
+ "agent": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "extraArgs": {
+ "type": "array"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "logFormat": {
+ "type": "string"
+ },
+ "logLevel": {
+ "type": "string"
+ },
+ "resources": {
+ "type": "object"
+ }
+ }
+ },
 "daemonSet": {
 "type": "object",
 "properties": {
diff --git a/values.yaml b/values.yaml
index e59992719..75da40b28 100644
--- a/values.yaml
+++ b/values.yaml
@@ -997,7 +997,7 @@ csi:
 image:
 repository: "hashicorp/vault-csi-provider"
- tag: "1.2.1"
+ tag: "1.3.0"
 pullPolicy: IfNotPresent
 # volumes is a list of volumes made available to all containers. These are rendered
@@ -1061,7 +1061,26 @@ csi:
 # This should be a YAML map of the labels to apply to the csi provider pod
 extraLabels: {}
-
+ agent:
+ enabled: true
+ extraArgs: []
+
+ image:
+ repository: "hashicorp/vault"
+ tag: "1.13.1"
+ pullPolicy: IfNotPresent
+
+ logFormat: standard
+ logLevel: info
+
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 250m
+ # limits:
+ # memory: 256Mi
+ # cpu: 250m
 # Priority class for csi pods
 priorityClassName: ""
From d52c4a519db8c9d92c3d9ec60d3e6c0a82121307 Mon Sep 17 00:00:00 2001
From: Christopher Swenson
Date: Thu, 6 Apr 2023 15:38:23 -0700
Subject: [PATCH 084/108] Prepare for 0.24.0 release (#868)
---
 CHANGELOG.md | 2 ++
 Chart.yaml | 2 +-
 test/acceptance/csi.bats | 2 +-
 values.openshift.yaml | 2 +-
 values.yaml | 2 +-
 5 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 823fb5640..d1c2f32b1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## Unreleased
+## 0.24.0 (April 6, 2023)
+
 Changes:
 * Earliest Kubernetes version tested is now 1.22
 * `vault` updated to 1.13.1
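Review bot: The new `agent:` block in values.yaml carries no comments, unlike the keys around it, so nothing tells a reader that enabling it repoints the provider's `VAULT_ADDR` at the sidecar's unix socket, or that `global.externalVaultAddr` is then consumed by the sidecar's config instead of the provider. A header such as `# Vault Agent sidecar that caches and renews leases for the CSI provider; when enabled the provider reaches Vault through the Agent's unix socket` above `enabled: true`, plus one line each on `extraArgs` and the `logLevel`/`logFormat` defaults, would match the rest of the file. `csi.agent.image.tag: "1.13.1"` is now the third copy of the Vault version alongside `injector.agentImage.tag` and `server.image.tag`, which release bumps must keep in lock-step, so a comment pointing at the other two is worthwhile.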
diff --git a/Chart.yaml b/Chart.yaml
index d74782ba1..a4f7485d5 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -3,7 +3,7 @@
 apiVersion: v2
 name: vault
-version: 0.23.0
+version: 0.24.0
 appVersion: 1.13.1
 kubeVersion: ">= 1.22.0-0"
 description: Official HashiCorp Vault Chart
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
index 2d7ba8de9..d45436419 100644
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@@ -14,7 +14,7 @@ load _helpers
 CSI_DRIVER_VERSION=1.3.2
 helm install secrets-store-csi-driver secrets-store-csi-driver \
 --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
- --version=$(CSI_DRIVER_VERSION) \
+ --version=$CSI_DRIVER_VERSION \
 --wait --timeout=5m \
 --namespace=acceptance \
 --set linux.image.pullPolicy="IfNotPresent" \
diff --git a/values.openshift.yaml b/values.openshift.yaml
index 88521a16b..da71dcfb9 100644
--- a/values.openshift.yaml
+++ b/values.openshift.yaml
@@ -9,7 +9,7 @@ global:
 injector:
 image:
 repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
- tag: "1.1.0-ubi"
+ tag: "1.2.1-ubi"
 agentImage:
 repository: "registry.connect.redhat.com/hashicorp/vault"
diff --git a/values.yaml b/values.yaml
index 75da40b28..9df0ffa1a 100644
--- a/values.yaml
+++ b/values.yaml
@@ -65,7 +65,7 @@ injector:
 # image sets the repo and tag of the vault-k8s image to use for the injector.
 image:
 repository: "hashicorp/vault-k8s"
- tag: "1.1.0"
+ tag: "1.2.1"
 pullPolicy: IfNotPresent
 # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
From 14c77c449d43f22f812ae8d5d0d6433c4188cc89 Mon Sep 17 00:00:00 2001
From: Julian Setiawan
Date: Thu, 2 Apr 2020 08:33:52 -0400
Subject: [PATCH 085/108] Explain this fork in the README
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index 6e7014360..4b887433c 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,8 @@ +# MaaS Vault + +This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. +This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. + # Vault Helm Chart > :warning: **Please note**: We take Vault's security and our users' trust very seriously. If From a208997c7359688896d248a53abb62b97d5a67dd Mon Sep 17 00:00:00 2001 From: marcboudreau Date: Thu, 9 Apr 2020 20:04:23 -0400 Subject: [PATCH 086/108] Adding support for LoadBalancerIP field in ServiceSpec --- README.md | 19 ++++++++++++++----- templates/server-service.yaml | 3 +++ values.yaml | 16 +++++----------- 3 files changed, 22 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 4b887433c..9b33e2e25 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. +This repository is used as a submodule in other repositories that install and setup Vault. # Vault Helm Chart 
@@ -42,7 +42,16 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm install vault hashicorp/vault ``` -Please see the many options supported in the `values.yaml` file. These are also -fully documented directly on the [Vault -website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more -detailed installation instructions. +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + +## Customizations + +This Helm chart has been customized in the following ways: + +### Support LoadBalancerIP Field + +The Service spec in the **server-service.yaml** file now allows setting a +specific IP address when the Service type is set to `LoadBalancer` and a +**maas.lbAddress** value has been provided. diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 8e34c88c5..647b7d350 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -28,6 +28,9 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} + {{- if and (.Values.maas.lbAddress) (eq (.Values.server.service.type | toString) "LoadBalancer") }} + loadBalancerIP: {{ .Values.maas.lbAddress }} + {{- end }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} diff --git a/values.yaml b/values.yaml index 9df0ffa1a..1756b8ead 100644 --- a/values.yaml +++ b/values.yaml @@ -667,8 +667,8 @@ server: # load balancer. # clusterIP: None - # Configures the service type for the main Vault service. Can be ClusterIP - # or NodePort. + # Configures the service type for the main Vault service. Can be ClusterIP, + # NodePort, or LoadBalancer. #type: ClusterIP # Do not wait for pods to be ready 
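Review bot: The new `loadBalancerIP` guard in server-service.yaml reads `.Values.maas.lbAddress`, but the values.yaml hunks of this commit add no `maas` key — they only document a commented `#loadBalancerIP:` under `server.service` (next hunk) — so with default values Helm fails with a nil-pointer error evaluating `.lbAddress` on the missing `maas` map, unless `maas` is defined somewhere not shown here. Either add `maas:` / `lbAddress: ""` to values.yaml (and the values schema) or read the key the commit itself documents: `{{- if and .Values.server.service.loadBalancerIP (eq (.Values.server.service.type | toString) "LoadBalancer") }}` with `loadBalancerIP: {{ .Values.server.service.loadBalancerIP | quote }}`. The README hunk also names `maas.lbAddress`, so whichever key is chosen, template, README and values.yaml should agree. The values.yaml hunk at the start of the next line additionally drops the `activeNodePort`/`standbyNodePort` documentation; if the HA active/standby service templates still read those keys, that is a documentation regression rather than a cleanup.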
@@ -684,15 +684,9 @@ server: # will be random if left blank. #nodePort: 30000 - # When HA mode is enabled - # If type is set to "NodePort", a specific nodePort value can be configured, - # will be random if left blank. - #activeNodePort: 30001 - - # When HA mode is enabled - # If type is set to "NodePort", a specific nodePort value can be configured, - # will be random if left blank. - #standbyNodePort: 30002 + # If type is set to "LoadBalancer", a specific IP address can be attached + # to the load balancer, will be random if left blank. + #loadBalancerIP: # Port on which Vault server is listening port: 8200 From c0e3c3daa325c533f1b5ea86db15ad3b8243e52e Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 087/108] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 6 ++++++ templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ values.yaml | 2 ++ 3 files changed, 28 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 4b6baf10e..b633c83ff 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -166,6 +166,11 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} + {{- if .Values.server.logrotate }} + - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + configMap: + name: {{ template "vault.fullname" . }}-logrotate-config + {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} {{ .type }}: @@ -292,6 +297,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml 
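Review bot: The second `_helpers.tpl` hunk (`@@ -292,6 +297,7 @@`) appends a bare `{{- end -}}` after the three existing closing `end`s without opening any new `if`/`range` there — the only new block in this commit, the `.Values.server.logrotate` volume in the first hunk, is already closed by its own `{{- end}}` — so the helper appears to be unbalanced and would fail to parse with an unexpected `{{end}}`; the enclosing helper definition starts outside the hunk. PATCH 089 on a later line removes exactly this line, which confirms it is stray, and the same line is re-added by PATCH 092, 099 and 102 and removed again by 094, 101 and 104, so this stretch of history would be cleaner squashed. Minor style point in the first hunk: `{{- end}}` lacks the space before `}}` that the surrounding closings use; `{{- end }}` would match.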
@@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 1756b8ead..90bc804c4 100644 --- a/values.yaml +++ b/values.yaml @@ -923,6 +923,8 @@ server: # YAML-formatted multi-line templated string map of the annotations to apply # to the statefulSet. annotations: {} + # A boolean flag to setup logrotate as a side car continer + logrotate: null # Set the pod and container security contexts. # If not set, these will default to, and for *not* OpenShift: From e42f208d3c25e80de7a5ca1bfa1ebecb76dfe3c5 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 088/108] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/_helpers.tpl | 9 ++++++--- templates/datadog-audit-configmap.yaml | 10 ++++++++++ templates/logrotate-config-configmap.yaml | 20 -------------------- templates/logrotate-configmap.yaml | 10 ++++++++++ 4 files changed, 26 insertions(+), 23 deletions(-) create mode 100644 templates/datadog-audit-configmap.yaml delete mode 100644 templates/logrotate-config-configmap.yaml create mode 100644 templates/logrotate-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index b633c83ff..136726155 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
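Review bot: `copytruncate` together with `pkill -HUP -f "vault server"` mixes two rotation strategies: with copytruncate the file is copied and then truncated in place, so any audit entries Vault writes between the copy and the truncate are lost, which matters more for an audit log than for a normal log, and the HUP is then largely redundant. Whether the `pkill` can even see the `vault server` process depends on the sidecar sharing the pod's PID namespace (`shareProcessNamespace: true`), which nothing in this commit's diffstat sets; without it the signal silently finds nothing and `/vault/audit/last-rotate-status` records a non-zero exit on every rotation. `rotate 1` with `size 5M` keeps at most one compressed copy, so on-disk retention of the audit trail is very short and only acceptable if shipping elsewhere is guaranteed. The diffstat touches only `_helpers.tpl`, this ConfigMap and `values.yaml`: the volume is declared but no container mounting it or running logrotate appears in this commit, so presumably that lands elsewhere — worth confirming. The same file is re-added verbatim by PATCH 092, 099 and 102 and deleted by 093, 100 and 103; this note applies to each copy.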
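Review bot: `logrotate: null` in the values.yaml hunk is described as a boolean flag but defaults to null; `logrotate: false` states the intent and matches the `true`/`false` convention the chart uses for its other switches, and the comment has a typo (`continer`): `# A boolean flag to set up logrotate as a sidecar container`. The values schema added in an earlier patch is not updated for the new key, so if it constrains the `server` properties the value would be rejected at install time — worth checking.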
@@ -166,10 +166,13 @@ extra volumes the user may have specified (such as a secret with TLS). configMap: name: {{ template "vault.fullname" . }}-config {{ end }} - {{- if .Values.server.logrotate }} - - name: {{ template "vault.fullname" . }}-logrotate-configs-vol + {{- if .Values.server.logrotate.enabled }} + - name: {{ template "vault.fullname" . }}-logrotate-config configMap: - name: {{ template "vault.fullname" . }}-logrotate-config + name: {{ template "vault.fullname" . }}-logrotate-configmap + - name: {{ template "vault.fullname" . }}-datadog-config + configMap: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap {{- end}} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} diff --git a/templates/datadog-audit-configmap.yaml b/templates/datadog-audit-configmap.yaml new file mode 100644 index 000000000..5190d7fb7 --- /dev/null +++ b/templates/datadog-audit-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap + namespace: {{ .Release.Namespace }} +data: + conf.yaml: |- +{{ .Values.server.logrotate.datadogsidecar.config | indent 6 }} +{{ end }} diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file 
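Review bot: The guard now reads `.Values.server.logrotate.enabled`, but this commit's diffstat does not touch values.yaml, where PATCH 087 left `logrotate: null`; evaluating `.enabled` on a null value makes `helm template` fail with default values (nil pointer evaluating interface {}.enabled), and the same applies to the `{{- if .Values.server.logrotate.enabled}}` guards in the two new ConfigMap templates. The fix belongs in values.yaml: replace `logrotate: null` with a map whose `enabled: false`, and give `config.logRotateConf` and `datadogsidecar.config` empty-string defaults so the templates always have something to index. The datadog ConfigMap renders `.Values.server.logrotate.datadogsidecar.config | indent 6`, which only works when the value is a string, so either document it as a multi-line string or pipe it through `toYaml` first; the logrotate ConfigMap on the next line has the same shape. Since this sidecar is meant to ship the Vault audit log off-cluster, the config should carry only source/service settings — any API key belongs in a Secret or env var, not in a ConfigMap rendered from values.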
diff --git a/templates/logrotate-configmap.yaml b/templates/logrotate-configmap.yaml new file mode 100644 index 000000000..0e90cd293 --- /dev/null +++ b/templates/logrotate-configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.server.logrotate.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-configmap + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: |- +{{ .Values.server.logrotate.config.logRotateConf | indent 6 }} +{{ end }} From 6cca865bf4a8b991fd7bb96a06664d1d77b9358c Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 089/108] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - values.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 136726155..a27da7335 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -300,7 +300,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* diff --git a/values.yaml b/values.yaml index 90bc804c4..7e59a1873 100644 --- a/values.yaml +++ b/values.yaml @@ -396,7 +396,6 @@ server: # limits: # memory: 256Mi # cpu: 250m - # Ingress allows ingress services to be created to allow external access # from Kubernetes to access Vault pods. # If deployment is on OpenShift, the following block is ignored. From ead92985c7562dfa0e64237c432bf096066edaaf Mon Sep 17 00:00:00 2001 From: Julian Setiawan Date: Thu, 2 Apr 2020 08:33:52 -0400 Subject: [PATCH 090/108] Explain this fork in the README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9b33e2e25..3299d2577 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. +This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. # Vault Helm Chart From 2ec2a82cc687551e63a82feddadc1d59d8a85c33 Mon Sep 17 00:00:00 2001 From: marcboudreau Date: Thu, 9 Apr 2020 20:04:23 -0400 Subject: [PATCH 091/108] Adding support for LoadBalancerIP field in ServiceSpec --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3299d2577..9b33e2e25 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # MaaS Vault This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes. -This repository is used as a submodule in other repositories that install and setup Vault. No changes should be required in this repository. +This repository is used as a submodule in other repositories that install and setup Vault. # Vault Helm Chart From 82c1870560015efdbf31777de8090f5c39d4c24e Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 092/108] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 1 + templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index a27da7335..136726155 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -300,6 +300,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file From c8f726fd7f520c78924613bd1822509988856963 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 093/108] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/logrotate-config-configmap.yaml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file From e72399abf2e3f50cae5d723fd541ad480377d8ac Mon Sep 17 00:00:00 2001 
From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 094/108] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 136726155..a27da7335 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -300,7 +300,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* From 99af695f2060fcb20e360b1beb506c9afb42eb37 Mon Sep 17 00:00:00 2001 
From: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Date: Wed, 1 Jun 2022 11:54:46 -0400 Subject: [PATCH 095/108] feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default 
overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. 
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9b33e2e25..2cffb757d 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the [Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + ## Customizations This Helm chart has been customized in the following ways: From a8f0998f3f31905816bae875f9490c56bfcc1715 Mon Sep 17 00:00:00 2001 From: adhish2001 Date: Thu, 14 Jul 2022 10:58:01 -0400 Subject: [PATCH 096/108] fix: deploy_local.sh error with file --- templates/injector-deployment.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 7e0101a41..e9f13dd17 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -167,5 +167,8 @@ spec: secret: secretName: "{{ .Values.injector.certs.secretName }}" {{- end }} - {{- include "imagePullSecrets" . | nindent 6 }} + {{- if .Values.global.imagePullSecrets }} {{- include "imagePullSecrets" . | nindent 6 }} + imagePullSecrets: + {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} + {{- end } {{ end }} From 6e500dea6088897042e231fc2241b7210376e8d4 Mon Sep 17 00:00:00 2001 From: adhish2001 Date: Thu, 14 Jul 2022 12:39:30 -0400 Subject: [PATCH 097/108] minor changes --- templates/injector-deployment.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index e9f13dd17..e51c11c22 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -167,8 +167,5 @@ spec: secret: secretName: "{{ .Values.injector.certs.secretName }}" {{- end }} - {{- if .Values.global.imagePullSecrets }} {{- include "imagePullSecrets" . | nindent 6 }} - imagePullSecrets: - {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} - {{- end } -{{ end }} + {{- include "imagePullSecrets" . | nindent 6 }} +{{ end }} \ No newline at end of file From 7d4bc5227cbcb35f91b127d2c01428ed2cf8135c Mon Sep 17 00:00:00 2001 From: marcboudreau Date: Thu, 9 Apr 2020 20:04:23 -0400 Subject: [PATCH 098/108] Adding support for LoadBalancerIP field in ServiceSpec --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 2cffb757d..9b33e2e25 100644 --- a/README.md +++ b/README.md 
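Review bot: `{{- end }` on the new side is missing its second closing brace, so this template cannot parse, and the hunk emits `imagePullSecrets` twice — once through the retained `include "imagePullSecrets"` that now shares a line with the new `if`, and once explicitly from `.Values.global.imagePullSecrets` — which would produce a duplicate key in the rendered pod spec. PATCH 097 on this same line reverts the hunk to the original single `include`, so the two commits should be squashed rather than leaving a broken intermediate state; PATCH 097 also strips the file's trailing newline (`\ No newline at end of file`), which is worth restoring.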
@@ -46,7 +46,6 @@ Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the [Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). - ## Customizations This Helm chart has been customized in the following ways: From e3043dcacfb2d682b284a7ae8e954fa4d089c255 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 099/108] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 1 + templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index a27da7335..136726155 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -300,6 +300,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file From e29392800b8d7ff707099788ec5e176642134b4f Mon Sep 17 00:00:00 2001 
From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 100/108] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/logrotate-config-configmap.yaml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file From 8c5452aa465c5423e94e09844a074e91ec0d4cc1 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 101/108] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 136726155..a27da7335 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -300,7 +300,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* From e6348b602e3f8520b40b34bf10a4dc9b3279a2b1 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 19 May 2021 08:19:24 -0400 Subject: [PATCH 102/108] DATAGO-13861: Adding support for logrotate --- templates/_helpers.tpl | 1 + templates/logrotate-config-configmap.yaml | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 templates/logrotate-config-configmap.yaml 
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index a27da7335..136726155 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -300,6 +300,7 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} + {{- end -}} {{/* diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml new file mode 100644 index 000000000..02f606e98 --- /dev/null +++ b/templates/logrotate-config-configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.server.logrotate}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-logrotate-config + namespace: {{ .Release.Namespace }} +data: + logrotate.conf: | + /vault/audit/audit.log { + rotate 1 + copytruncate + size 5M + missingok + compress + postrotate + pkill -HUP -f "vault server" + echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status + endscript + } +{{ end }} \ No newline at end of file From 04c8467fbb1993ef891c194c9aabe3fcc15c41c3 Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:05:05 -0400 Subject: [PATCH 103/108] DATAGO-13861: Adding audit log rotation and shipment to datdog --- templates/logrotate-config-configmap.yaml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 templates/logrotate-config-configmap.yaml diff --git a/templates/logrotate-config-configmap.yaml b/templates/logrotate-config-configmap.yaml deleted file mode 100644 index 02f606e98..000000000 --- a/templates/logrotate-config-configmap.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{- if .Values.server.logrotate}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-logrotate-config - namespace: {{ .Release.Namespace }} -data: - logrotate.conf: | - /vault/audit/audit.log { - rotate 1 - copytruncate - size 5M - missingok - compress - postrotate - pkill -HUP -f "vault server" - echo "`date`: Audit log rotated - SIGHUP exit code is $?" > /vault/audit/last-rotate-status - endscript - } -{{ end }} \ No newline at end of file From e8d9f816967233954589287d5dfe5721374c46eb Mon Sep 17 00:00:00 2001 From: Hadie Laham Date: Wed, 26 May 2021 09:09:13 -0400 Subject: [PATCH 104/108] Fixing minor typos and removing extra lines --- templates/_helpers.tpl | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 136726155..a27da7335 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -300,7 +300,6 @@ storage might be desired by the user. {{- end }} {{ end }} {{ end }} - {{- end -}} {{/* From 8c7a91b19ce985e875a374cb86ccc9fdf6f85c01 Mon Sep 17 00:00:00 2001 
From: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Date: Wed, 1 Jun 2022 11:54:46 -0400 Subject: [PATCH 105/108] feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default 
overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. 
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham --- Makefile | 3 + README.md | 1 + templates/_helpers.tpl | 2 + templates/csi-daemonset.yaml | 7 ++ templates/injector-deployment.yaml | 13 ++ templates/server-ha-standby-service.yaml | 4 + test/acceptance/csi.bats | 1 - test/unit/csi-daemonset.bats | 15 ++- test/unit/schema.bats | 6 + test/unit/server-statefulset.bats | 56 +++++++++ values.schema.json | 144 +++++++++++++++++++++++ values.yaml | 9 ++ 12 files changed, 259 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 560022064..10572bc77 100644 --- a/Makefile +++ b/Makefile 
@@ -4,6 +4,7 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats ACCEPTANCE_TESTS?=acceptance +<<<<<<< HEAD # filter bats unit tests to run. UNIT_TESTS_FILTER?='.*' @@ -16,6 +17,8 @@ KIND_CLUSTER_NAME?=vault-helm # kind k8s version KIND_K8S_VERSION?=v1.26.3 +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) # Generate json schema for chart values. See test/README.md for more details. values-schema: helm schema-gen values.yaml > values.schema.json diff --git a/README.md b/README.md index 9b33e2e25..2cffb757d 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the [Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). + ## Customizations This Helm chart has been customized in the following ways: diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index a27da7335..aea187fc1 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -131,6 +131,8 @@ template logic. {{- $_ := set . "mode" "external" -}} {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} + {{- else if ne (.Values.server.enabled | toString) "true" -}} + {{- $_ := set . "mode" "external" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- $_ := set . "mode" "dev" -}} {{- else if eq (.Values.server.ha.enabled | toString) "true" -}} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 0285a0cbb..64fb34cc2 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -1,3 +1,4 @@ +<<<<<<< HEAD {{/* Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 
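Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> c4ab664`) are committed in this Makefile hunk and in the same commit's hunks for templates/csi-daemonset.yaml, templates/injector-deployment.yaml, templates/server-ha-standby-service.yaml, test/unit/csi-daemonset.bats, test/unit/schema.bats and values.schema.json. With the markers inside values.schema.json the file is no longer valid JSON, so Helm cannot load the chart at all, and the templates would render the marker text into manifests if it could. Resolution needs to be deliberate rather than mechanical: the `=======` side of values.schema.json narrows several types (for example `enabled` to `boolean` and `affinity` to `string`) that the HEAD side accepts as `[boolean, string]` / `[object, string]`, and the injector-deployment regions decide whether the pod carries a `runAsNonRoot` securityContext and whether the `webhook-certs` volume is mounted. Each conflicted region should be reduced to one side and the chart re-rendered with `helm template` and `helm lint` before merge.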
@@ -5,6 +6,9 @@ SPDX-License-Identifier: MPL-2.0 {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} +======= +{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) apiVersion: apps/v1 kind: DaemonSet metadata: @@ -14,9 +18,12 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} +<<<<<<< HEAD {{- if .Values.csi.daemonSet.extraLabels -}} {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} {{- end -}} +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) {{ template "csi.daemonSet.annotations" . }} spec: updateStrategy: diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index e51c11c22..f5a17bf26 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -46,6 +46,13 @@ spec: {{ template "injector.securityContext.pod" . -}} {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.injector.hostNetwork }} +<<<<<<< HEAD +======= + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.injector.gid | default 1000 }} + runAsUser: {{ .Values.injector.uid | default 100 }} +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) {{- end }} containers: - name: sidecar-injector 
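Review bot: The `=======` side of the `hostNetwork` region in templates/injector-deployment.yaml adds a pod-level `securityContext:` with `runAsNonRoot: true`, while the context line above it, `{{ template "injector.securityContext.pod" . -}}`, is kept on both sides; if that helper already emits a `securityContext` mapping, resolving toward this side yields a duplicate key in the pod spec, and most YAML parsers silently keep whichever comes last. Keeping the helper and expressing `runAsNonRoot`, `runAsUser` and `runAsGroup` through its values is the safer resolution, since it keeps the non-root guarantee defined in one place. The surrounding pod spec continues outside the hunk.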
@@ -111,12 +118,15 @@ spec: value: "{{ .Values.injector.agentDefaults.memLimit }}" - name: AGENT_INJECT_DEFAULT_TEMPLATE value: "{{ .Values.injector.agentDefaults.template }}" +<<<<<<< HEAD - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }} - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" {{- end }} +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} - name: POD_NAME valueFrom: @@ -156,12 +166,15 @@ spec: successThreshold: {{ .Values.injector.startupProbe.successThreshold }} timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} {{- if .Values.injector.certs.secretName }} +<<<<<<< HEAD volumeMounts: - name: webhook-certs mountPath: /etc/webhook/certs readOnly: true {{- end }} {{- if .Values.injector.certs.secretName }} +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) volumes: - name: webhook-certs secret: diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index b9f643586..8653d72f1 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
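Review bot: In the `@@ -156,12 +166,15 @@` hunk the HEAD side is the only one that mounts `webhook-certs` at `/etc/webhook/certs` with `readOnly: true`; the `=======` side is empty, so resolving toward it leaves the `{{- if .Values.injector.certs.secretName }}` guard wrapping only the `volumes:` entry and the injector container without its TLS material when manual certificates are configured. The earlier hunk on this line likewise moves `AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE` and `AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL` (introduced in patch 001 of this series) into a conflicted region whose other side drops them. Both regions should resolve to the HEAD side; the enclosing container spec continues outside the hunk.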
@@ -5,10 +5,14 @@ SPDX-License-Identifier: MPL-2.0 {{ template "vault.mode" . }} {{- if ne .mode "external" }} +<<<<<<< HEAD {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.service.standby.enabled | toString) "true" }} +======= +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) # Service for standby Vault pod apiVersion: v1 kind: Service diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index d45436419..c5863d442 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -4,7 +4,6 @@ load _helpers @test "csi: testing deployment" { cd `chart_dir` - kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 76c74b37f..7f740ea25 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -304,7 +304,11 @@ load _helpers [ "${actual}" = "true" ] } +<<<<<<< HEAD @test "csi/daemonset: tolerations can be set as string" { +======= +@test "csi/daemonset: tolerations can be set" { +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) cd `chart_dir` local actual=$(helm template \ --show-only templates/csi-daemonset.yaml \ @@ -315,6 +319,7 @@ load _helpers [ "${actual}" = "true" ] } +<<<<<<< HEAD @test "csi/daemonset: tolerations can be set as YAML" { cd `chart_dir` local actual=$(helm template \ @@ -352,6 +357,8 @@ load _helpers } +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) #-------------------------------------------------------------------- # volumes @@ -372,6 +379,7 @@ load _helpers [ "${actual}" = "{}" ] } +<<<<<<< HEAD @test "csi/daemonset: csi providersDir default" { cd `chart_dir` 
@@ -403,6 +411,8 @@ load _helpers [ "${actual}" = "/alt/csi-prov-dir" ] } +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) #-------------------------------------------------------------------- # volumeMounts @@ -540,6 +550,7 @@ load _helpers yq -r '.timeoutSeconds' | tee /dev/stderr) [ "${actual}" = "14" ] } +<<<<<<< HEAD @test "csi/daemonset: VAULT_ADDR defaults to Agent unix socket" { cd `chart_dir` @@ -743,4 +754,6 @@ load _helpers local value=$(echo $object | yq -r '.limits.cpu' | tee /dev/stderr) [ "${value}" = "500m" ] -} \ No newline at end of file +} +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) diff --git a/test/unit/schema.bats b/test/unit/schema.bats index 9a61d7d5a..350e160ed 100644 --- a/test/unit/schema.bats +++ b/test/unit/schema.bats @@ -7,9 +7,15 @@ load _helpers # schema, setting it as a string fails 'helm template'. @test "schema: csi enabled datatype" { cd `chart_dir` +<<<<<<< HEAD run helm template . --set csi.enabled="123" [ "$status" -eq 1 ] [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ] +======= + run helm template . --set csi.enabled="nope" + [ "$status" -eq 1 ] + [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ] +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) run helm template . --set csi.enabled=true [ "$status" -eq 0 ] diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 67cde811b..851410ac9 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -1857,3 +1857,59 @@ load _helpers yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.port' | tee /dev/stderr) [ "${actual}" = "8200" ] } + +#-------------------------------------------------------------------- +# enterprise license autoload support +@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr) + [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ] +} + +@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr) + [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ] +} + +@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=foo' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . 
| tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ] +} + +@test "server/StatefulSet: blank secretName does not set env var" { + cd `chart_dir` + + # setting secretName=null + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretName=null' \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '' ] + + # omitting secretName + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enterpriseLicense.secretKey=bar' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) + [ "${actual}" = '' ] +} diff --git a/values.schema.json b/values.schema.json index 44980e169..313cfeab9 100644 --- a/values.schema.json +++ b/values.schema.json @@ -5,6 +5,7 @@ "csi": { "type": "object", "properties": { +<<<<<<< HEAD "agent": { "type": "object", "properties": { @@ -39,6 +40,8 @@ } } }, +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "daemonSet": { "type": "object", "properties": { @@ -48,6 +51,7 @@ "string" ] }, +<<<<<<< HEAD "extraLabels": { "type": "object" }, @@ -74,6 +78,8 @@ } } }, +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "updateStrategy": { "type": "object", "properties": { @@ -91,10 +97,14 @@ "type": "boolean" }, "enabled": { +<<<<<<< HEAD "type": [ "boolean", "string" ] +======= + "type": "boolean" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "extraArgs": { "type": "array" @@ -142,6 +152,7 @@ "string" ] }, +<<<<<<< HEAD "extraLabels": { "type": "object" }, 
@@ -157,6 +168,13 @@ "priorityClassName": { "type": "string" }, +======= + "tolerations": { + "type": ["null", "string"] + } + } + }, +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "readinessProbe": { "type": "object", "properties": { @@ -188,9 +206,12 @@ "object", "string" ] +<<<<<<< HEAD }, "extraLabels": { "type": "object" +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -214,9 +235,12 @@ "enabled": { "type": "boolean" }, +<<<<<<< HEAD "externalVaultAddr": { "type": "string" }, +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "imagePullSecrets": { "type": "array" }, @@ -246,10 +270,14 @@ "type": "object", "properties": { "affinity": { +<<<<<<< HEAD "type": [ "object", "string" ] +======= + "type": "string" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "agentDefaults": { "type": "object", @@ -268,6 +296,7 @@ }, "template": { "type": "string" +<<<<<<< HEAD }, "templateConfig": { "type": "object", @@ -279,6 +308,8 @@ "type": "string" } } +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -323,10 +354,14 @@ } }, "enabled": { +<<<<<<< HEAD "type": [ "boolean", "string" ] +======= + "type": "boolean" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "externalVaultAddr": { "type": "string" @@ -362,6 +397,23 @@ "properties": { "enabled": { "type": "boolean" +<<<<<<< HEAD +======= + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ttl": { + "type": "string" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -383,6 +435,7 @@ "type": "object" }, "nodeSelector": { +<<<<<<< HEAD "type": [ "null", "object", 
@@ -396,6 +449,11 @@ ] }, "podDisruptionBudget": { +======= + "type": ["null", "string"] + }, + "objectSelector": { +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "type": "object" }, "port": { @@ -413,6 +471,7 @@ "revokeOnShutdown": { "type": "boolean" }, +<<<<<<< HEAD "securityContext": { "type": "object", "properties": { @@ -430,6 +489,8 @@ } } }, +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "service": { "type": "object", "properties": { @@ -441,6 +502,7 @@ } } }, +<<<<<<< HEAD "serviceAccount": { "type": "object", "properties": { @@ -504,6 +566,11 @@ "webhookAnnotations": { "type": [ "object", +======= + "tolerations": { + "type": [ + "null", +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "string" ] } @@ -513,10 +580,14 @@ "type": "object", "properties": { "affinity": { +<<<<<<< HEAD "type": [ "object", "string" ] +======= + "type": "string" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "annotations": { "type": [ @@ -608,10 +679,14 @@ } }, "enabled": { +<<<<<<< HEAD "type": [ "boolean", "string" ] +======= + "type": "boolean" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "enterpriseLicense": { "type": "object", @@ -627,12 +702,15 @@ "extraArgs": { "type": "string" }, +<<<<<<< HEAD "extraPorts": { "type": [ "null", "array" ] }, +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "extraContainers": { "type": [ "null", @@ -666,6 +744,7 @@ "string" ] }, +<<<<<<< HEAD "clusterAddr": { "type": [ "null", @@ -677,6 +756,10 @@ "string", "object" ] +======= + "config": { + "type": "string" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "disruptionBudget": { "type": "object", 
@@ -699,10 +782,14 @@ "type": "object", "properties": { "config": { +<<<<<<< HEAD "type": [ "string", "object" ] +======= + "type": "string" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "enabled": { "type": "boolean" @@ -734,9 +821,12 @@ "ingress": { "type": "object", "properties": { +<<<<<<< HEAD "activeService": { "type": "boolean" }, +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "annotations": { "type": [ "object", @@ -763,6 +853,7 @@ } } }, +<<<<<<< HEAD "ingressClassName": { "type": "string" }, @@ -772,6 +863,11 @@ "pathType": { "type": "string" }, +======= + "labels": { + "type": "object" + }, +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "tls": { "type": "array" } @@ -823,7 +919,10 @@ "nodeSelector": { "type": [ "null", +<<<<<<< HEAD "object", +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "string" ] }, @@ -865,9 +964,12 @@ "route": { "type": "object", "properties": { +<<<<<<< HEAD "activeService": { "type": "boolean" }, +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "annotations": { "type": [ "object", @@ -882,15 +984,19 @@ }, "labels": { "type": "object" +<<<<<<< HEAD }, "tls": { "type": "object" +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, "service": { "type": "object", "properties": { +<<<<<<< HEAD "active": { "type": "object", "properties": { @@ -899,6 +1005,8 @@ } } }, +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "annotations": { "type": [ "object", @@ -908,6 +1016,7 @@ "enabled": { "type": "boolean" }, +<<<<<<< HEAD "externalTrafficPolicy": { "type": "string" }, @@ -944,6 +1053,13 @@ }, "standbyNodePort": { "type": "integer" +======= + "port": { + "type": "integer" + }, + "targetPort": { + "type": "integer" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, 
@@ -959,6 +1075,7 @@ "create": { "type": "boolean" }, +<<<<<<< HEAD "extraLabels": { "type": "object" }, @@ -972,6 +1089,10 @@ "type": "boolean" } } +======= + "name": { + "type": "string" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -982,10 +1103,14 @@ "type": "object", "properties": { "config": { +<<<<<<< HEAD "type": [ "string", "object" ] +======= + "type": "string" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "enabled": { "type": [ @@ -1003,6 +1128,7 @@ "object", "string" ] +<<<<<<< HEAD }, "securityContext": { "type": "object", @@ -1037,6 +1163,14 @@ "type": [ "null", "array", +======= + } + } + }, + "tolerations": { + "type": [ + "null", +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "string" ] }, @@ -1054,9 +1188,12 @@ "null", "array" ] +<<<<<<< HEAD }, "hostNetwork": { "type": "boolean" +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -1073,17 +1210,24 @@ ] }, "enabled": { +<<<<<<< HEAD "type": [ "boolean", "string" ] +======= + "type": "boolean" +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "externalPort": { "type": "integer" }, +<<<<<<< HEAD "externalTrafficPolicy": { "type": "string" }, +======= +>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "publishNotReadyAddresses": { "type": "boolean" }, diff --git a/values.yaml b/values.yaml index 7e59a1873..50108a913 100644 --- a/values.yaml +++ b/values.yaml 
@@ -212,6 +212,15 @@ injector: # matchLabels: # sidecar-injector: enabled namespaceSelector: {} + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. + # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} # Deprecated: please use 'webhook.objectSelector' instead # objectSelector is the selector for restricting the webhook to only From 26e56b062a1fabe227c67d7742fa0c5d4b1a0135 Mon Sep 17 00:00:00 2001 
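Review bot: The added `objectSelector: {}` sits directly above a context comment reading `# Deprecated: please use 'webhook.objectSelector' instead` followed by the start of another objectSelector description, so the `injector:` mapping likely ends up with two `objectSelector` keys once the deprecated entry below the hunk is counted. Duplicate keys are invalid YAML, and parsers that tolerate them keep the last value, which would silently discard this one. Either drop this addition or remove the deprecated key, keeping the documentation with the single remaining entry; the rest of the `injector:` block is outside the hunk.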
From: Adhish Maheswaran <36574103+adhish2001@users.noreply.github.com> Date: Wed, 27 Jul 2022 11:25:38 -0400 Subject: [PATCH 106/108] Datago 30304/upgrading vault to 1.9.2 (#14) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). 
Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Update to 0.4.0 * Explain this fork in the README * Adding 
support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) 
* Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. 
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error with file * minor changes * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add 
csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add 
default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. 
See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * changed value to use tag 1.9.6 Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. 
Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 --- templates/csi-daemonset.yaml | 7 -- templates/injector-deployment.yaml | 13 --- test/acceptance/csi.bats | 10 ++ test/unit/csi-daemonset.bats | 23 +++++ test/unit/server-route.bats | 38 ++++++++ values.schema.json | 144 ----------------------------- 6 files changed, 71 insertions(+), 164 deletions(-) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 64fb34cc2..0285a0cbb 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -1,4 +1,3 @@ -<<<<<<< HEAD {{/* Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 @@ -6,9 +5,6 @@ SPDX-License-Identifier: MPL-2.0 {{- template "vault.csiEnabled" . -}} {{- if .csiEnabled -}} -======= -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) apiVersion: apps/v1 kind: DaemonSet metadata: 
@@ -18,12 +14,9 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} -<<<<<<< HEAD {{- if .Values.csi.daemonSet.extraLabels -}} {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} {{- end -}} -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) {{ template "csi.daemonSet.annotations" . }} spec: updateStrategy: diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index f5a17bf26..e51c11c22 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -46,13 +46,6 @@ spec: {{ template "injector.securityContext.pod" . -}} {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.injector.hostNetwork }} -<<<<<<< HEAD -======= - securityContext: - runAsNonRoot: true - runAsGroup: {{ .Values.injector.gid | default 1000 }} - runAsUser: {{ .Values.injector.uid | default 100 }} ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) {{- end }} containers: - name: sidecar-injector @@ -118,15 +111,12 @@ spec: value: "{{ .Values.injector.agentDefaults.memLimit }}" - name: AGENT_INJECT_DEFAULT_TEMPLATE value: "{{ .Values.injector.agentDefaults.template }}" -<<<<<<< HEAD - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }} - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" {{- end }} -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} - name: POD_NAME valueFrom: 
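Review bot: Resolving the conflict in the `hostNetwork` hunk (`@@ -46,13 +46,6 @@`) deletes the explicit `securityContext: runAsNonRoot: true` / `runAsGroup` / `runAsUser` block and keeps only `{{ template "injector.securityContext.pod" . -}}`, whose body is outside this diff. If that template does not emit `runAsNonRoot: true` on a default render, the injector pod silently loses its non-root guarantee, so this resolution should be paired with a unit test in test/unit/injector-deployment.bats asserting `.spec.template.spec.securityContext.runAsNonRoot == true` with no values overridden. The values.schema.json hunks in this commit add an `injector.securityContext` object, so the chart defaults for those keys are the place to confirm the same uid/gid intent survives. The `containers:` block this hunk opens continues outside the hunk.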
@@ -166,15 +156,12 @@ spec: successThreshold: {{ .Values.injector.startupProbe.successThreshold }} timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} {{- if .Values.injector.certs.secretName }} -<<<<<<< HEAD volumeMounts: - name: webhook-certs mountPath: /etc/webhook/certs readOnly: true {{- end }} {{- if .Values.injector.certs.secretName }} -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) volumes: - name: webhook-certs secret: diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index c5863d442..c617b8068 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -2,7 +2,15 @@ load _helpers +check_skip_csi() { + if [ ! -z ${SKIP_CSI} ]; then + skip "Skipping CSI tests" + fi +} + @test "csi: testing deployment" { + check_skip_csi + cd `chart_dir` kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance @@ -71,6 +79,8 @@ load _helpers # Clean up teardown() { + check_skip_csi + if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 7f740ea25..791b9d85e 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
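Review bot: `if [ ! -z ${SKIP_CSI} ]; then` in the new check_skip_csi() leaves the expansion unquoted, so an unset or empty SKIP_CSI collapses the command to `[ ! -z ]` and only evaluates false by accident of test's two-argument parsing, and a value containing whitespace would split into extra arguments; write it as `if [ -n "${SKIP_CSI:-}" ]; then`. The same helper is also called at the top of teardown(), where `skip` is not an ordinary test skip — confirm the bats version pinned in CI honours it there, otherwise guard teardown with a plain `return 0` instead.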
@@ -53,6 +53,29 @@ load _helpers [ "${actual}" = "true" ] } +# priorityClassName + +@test "csi/daemonset: priorityClassName not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: priorityClassName can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.priorityClassName=armaggeddon' \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + # serviceAccountName reference name @test "csi/daemonset: serviceAccountName reference name" { cd `chart_dir` diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index 51b1a3021..1daea2684 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats 
@@ -179,3 +179,41 @@ load _helpers yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr) [ "${actual}" = "Redirect" ] } + +@test "server/route: OpenShift - route termination mode set to default passthrough" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "passthrough" ] +} + +@test "server/route: OpenShift - route termination mode set to edge" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.termination=edge' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "edge" ] +} + +@test "server/route: OpenShift - route custom tls entry" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \ + . | tee /dev/stderr | + yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr) + [ "${actual}" = "Redirect" ] +} diff --git a/values.schema.json b/values.schema.json index 313cfeab9..44980e169 100644 --- a/values.schema.json +++ b/values.schema.json @@ -5,7 +5,6 @@ "csi": { "type": "object", "properties": { -<<<<<<< HEAD "agent": { "type": "object", "properties": { @@ -40,8 +39,6 @@ } } }, -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "daemonSet": { "type": "object", "properties": { @@ -51,7 +48,6 @@ "string" ] }, -<<<<<<< HEAD "extraLabels": { "type": "object" }, @@ -78,8 +74,6 @@ } } }, -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "updateStrategy": { "type": "object", "properties": { 
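Review bot: The third added test, `server/route: OpenShift - route custom tls entry`, sets `server.route.tls.insecureEdgeTerminationPolicy=Redirect` and asserts `Redirect`, which is exactly the assertion the hunk's leading context lines show the preceding test ending with (`yq -r '.spec.tls.insecureEdgeTerminationPolicy'` / `[ "${actual}" = "Redirect" ]`); that earlier test's name and `--set` flags are outside the hunk, so this looks like a duplicate left over from the conflict resolution. Either drop it or make it exercise a different `server.route.tls` key so the test name matches what is checked.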
@@ -97,14 +91,10 @@ "type": "boolean" }, "enabled": { -<<<<<<< HEAD "type": [ "boolean", "string" ] -======= - "type": "boolean" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "extraArgs": { "type": "array" @@ -152,7 +142,6 @@ "string" ] }, -<<<<<<< HEAD "extraLabels": { "type": "object" }, @@ -168,13 +157,6 @@ "priorityClassName": { "type": "string" }, -======= - "tolerations": { - "type": ["null", "string"] - } - } - }, ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "readinessProbe": { "type": "object", "properties": { @@ -206,12 +188,9 @@ "object", "string" ] -<<<<<<< HEAD }, "extraLabels": { "type": "object" -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -235,12 +214,9 @@ "enabled": { "type": "boolean" }, -<<<<<<< HEAD "externalVaultAddr": { "type": "string" }, -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "imagePullSecrets": { "type": "array" }, @@ -270,14 +246,10 @@ "type": "object", "properties": { "affinity": { -<<<<<<< HEAD "type": [ "object", "string" ] -======= - "type": "string" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "agentDefaults": { "type": "object", @@ -296,7 +268,6 @@ }, "template": { "type": "string" -<<<<<<< HEAD }, "templateConfig": { "type": "object", @@ -308,8 +279,6 @@ "type": "string" } } -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -354,14 +323,10 @@ } }, "enabled": { -<<<<<<< HEAD "type": [ "boolean", "string" ] -======= - "type": "boolean" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "externalVaultAddr": { "type": "string" 
@@ -397,23 +362,6 @@ "properties": { "enabled": { "type": "boolean" -<<<<<<< HEAD -======= - }, - "image": { - "type": "object", - "properties": { - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "ttl": { - "type": "string" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -435,7 +383,6 @@ "type": "object" }, "nodeSelector": { -<<<<<<< HEAD "type": [ "null", "object", @@ -449,11 +396,6 @@ ] }, "podDisruptionBudget": { -======= - "type": ["null", "string"] - }, - "objectSelector": { ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "type": "object" }, "port": { @@ -471,7 +413,6 @@ "revokeOnShutdown": { "type": "boolean" }, -<<<<<<< HEAD "securityContext": { "type": "object", "properties": { @@ -489,8 +430,6 @@ } } }, -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "service": { "type": "object", "properties": { @@ -502,7 +441,6 @@ } } }, -<<<<<<< HEAD "serviceAccount": { "type": "object", "properties": { @@ -566,11 +504,6 @@ "webhookAnnotations": { "type": [ "object", -======= - "tolerations": { - "type": [ - "null", ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "string" ] } @@ -580,14 +513,10 @@ "type": "object", "properties": { "affinity": { -<<<<<<< HEAD "type": [ "object", "string" ] -======= - "type": "string" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "annotations": { "type": [ @@ -679,14 +608,10 @@ } }, "enabled": { -<<<<<<< HEAD "type": [ "boolean", "string" ] -======= - "type": "boolean" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "enterpriseLicense": { "type": "object", @@ -702,15 +627,12 @@ "extraArgs": { "type": "string" }, -<<<<<<< HEAD "extraPorts": { "type": [ "null", "array" ] }, -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "extraContainers": { "type": [ "null", 
@@ -744,7 +666,6 @@ "string" ] }, -<<<<<<< HEAD "clusterAddr": { "type": [ "null", @@ -756,10 +677,6 @@ "string", "object" ] -======= - "config": { - "type": "string" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "disruptionBudget": { "type": "object", @@ -782,14 +699,10 @@ "type": "object", "properties": { "config": { -<<<<<<< HEAD "type": [ "string", "object" ] -======= - "type": "string" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "enabled": { "type": "boolean" @@ -821,12 +734,9 @@ "ingress": { "type": "object", "properties": { -<<<<<<< HEAD "activeService": { "type": "boolean" }, -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "annotations": { "type": [ "object", @@ -853,7 +763,6 @@ } } }, -<<<<<<< HEAD "ingressClassName": { "type": "string" }, @@ -863,11 +772,6 @@ "pathType": { "type": "string" }, -======= - "labels": { - "type": "object" - }, ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "tls": { "type": "array" } @@ -919,10 +823,7 @@ "nodeSelector": { "type": [ "null", -<<<<<<< HEAD "object", -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "string" ] }, @@ -964,12 +865,9 @@ "route": { "type": "object", "properties": { -<<<<<<< HEAD "activeService": { "type": "boolean" }, -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "annotations": { "type": [ "object", @@ -984,19 +882,15 @@ }, "labels": { "type": "object" -<<<<<<< HEAD }, "tls": { "type": "object" -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, "service": { "type": "object", "properties": { -<<<<<<< HEAD "active": { "type": "object", "properties": { @@ -1005,8 +899,6 @@ } } }, -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "annotations": { "type": [ "object", 
@@ -1016,7 +908,6 @@ "enabled": { "type": "boolean" }, -<<<<<<< HEAD "externalTrafficPolicy": { "type": "string" }, @@ -1053,13 +944,6 @@ }, "standbyNodePort": { "type": "integer" -======= - "port": { - "type": "integer" - }, - "targetPort": { - "type": "integer" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -1075,7 +959,6 @@ "create": { "type": "boolean" }, -<<<<<<< HEAD "extraLabels": { "type": "object" }, @@ -1089,10 +972,6 @@ "type": "boolean" } } -======= - "name": { - "type": "string" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -1103,14 +982,10 @@ "type": "object", "properties": { "config": { -<<<<<<< HEAD "type": [ "string", "object" ] -======= - "type": "string" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "enabled": { "type": [ @@ -1128,7 +1003,6 @@ "object", "string" ] -<<<<<<< HEAD }, "securityContext": { "type": "object", @@ -1163,14 +1037,6 @@ "type": [ "null", "array", -======= - } - } - }, - "tolerations": { - "type": [ - "null", ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "string" ] }, @@ -1188,12 +1054,9 @@ "null", "array" ] -<<<<<<< HEAD }, "hostNetwork": { "type": "boolean" -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) } } }, @@ -1210,24 +1073,17 @@ ] }, "enabled": { -<<<<<<< HEAD "type": [ "boolean", "string" ] -======= - "type": "boolean" ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) }, "externalPort": { "type": "integer" }, -<<<<<<< HEAD "externalTrafficPolicy": { "type": "string" }, -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) "publishNotReadyAddresses": { "type": "boolean" }, From 2262e102dcfd8f393837aea9739f617804bb0eca Mon Sep 17 00:00:00 2001 
From: xiaocongji <85846543+xiaocongji@users.noreply.github.com> Date: Tue, 21 Mar 2023 09:47:22 -0400 Subject: [PATCH 107/108] feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). 
Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unnecessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additional call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidentally. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- templates/_helpers.tpl | 2 +- templates/server-clusterrolebinding.yaml | 2 +- templates/server-ha-standby-service.yaml | 4 ---- test/unit/csi-daemonset.bats | 13 ------------- test/unit/schema.bats | 6 ------ values.schema.json | 3 +++ values.yaml | 3 ++- 7 files changed, 7 insertions(+), 26 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index aea187fc1..aca803d6d 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -131,7 +131,7 @@ template logic. {{- $_ := set . "mode" "external" -}} {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} - {{- else if ne (.Values.server.enabled | toString) "true" -}} + {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- $_ := set . "mode" "dev" -}} diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index b694129b5..24288df3e 100644 --- a/templates/server-clusterrolebinding.yaml 
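Review bot: The added line `{{- else if not .serverEnabled -}}` repeats, verbatim, the `else if` branch two lines above it, so the branch it introduces can never be taken and its `{{- $_ := set . "mode" "external" -}}` is dead code. This reads like a leftover from resolving the merge conflict rather than an intended change; deleting the duplicated `else if` together with its `set` line keeps behaviour identical and leaves one less branch to reason about when auditing how `mode` is derived. The old condition `ne (.Values.server.enabled | toString) "true"` is presumably folded into `.serverEnabled` by the helper, but that helper is not visible in this hunk. The `vault.mode` definition starts and ends outside the hunk, so the first `if` of the chain is not shown here.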
+++ b/templates/server-clusterrolebinding.yaml @@ -26,4 +26,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} namespace: {{ .Release.Namespace }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 8653d72f1..b9f643586 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -5,14 +5,10 @@ SPDX-License-Identifier: MPL-2.0 {{ template "vault.mode" . }} {{- if ne .mode "external" }} -<<<<<<< HEAD {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.service.standby.enabled | toString) "true" }} -======= -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) # Service for standby Vault pod apiVersion: v1 kind: Service diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 791b9d85e..b6752619d 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -327,11 +327,7 @@ load _helpers [ "${actual}" = "true" ] } -<<<<<<< HEAD @test "csi/daemonset: tolerations can be set as string" { -======= -@test "csi/daemonset: tolerations can be set" { ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) cd `chart_dir` local actual=$(helm template \ --show-only templates/csi-daemonset.yaml \ @@ -342,7 +338,6 @@ load _helpers [ "${actual}" = "true" ] } -<<<<<<< HEAD @test "csi/daemonset: tolerations can be set as YAML" { cd `chart_dir` local actual=$(helm template \ @@ -380,8 +375,6 @@ load _helpers } -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) #-------------------------------------------------------------------- # volumes 
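Review bot: The resolution keeps the HEAD side of the conflict, gating the standby Service on `.serverServiceEnabled` and dropping the removed line's explicit `(eq (.Values.global.enabled | toString) "true")` check; nothing in this hunk shows that `vault.serverServiceEnabled` honours `global.enabled`, so that is worth confirming in `templates/_helpers.tpl`, otherwise a standby Service could be rendered for a globally disabled server. The same commit removes committed conflict markers from `test/unit/csi-daemonset.bats` and `test/unit/schema.bats`; a `git diff --check` step in CI (or a pre-commit hook) would catch markers like `<<<<<<< HEAD` before they reach a template, where they break rendering for every user of the chart. The `if` blocks opened in this hunk are closed outside it.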
@@ -402,7 +395,6 @@ load _helpers [ "${actual}" = "{}" ] } -<<<<<<< HEAD @test "csi/daemonset: csi providersDir default" { cd `chart_dir` @@ -434,8 +426,6 @@ load _helpers [ "${actual}" = "/alt/csi-prov-dir" ] } -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) #-------------------------------------------------------------------- # volumeMounts @@ -573,7 +563,6 @@ load _helpers yq -r '.timeoutSeconds' | tee /dev/stderr) [ "${actual}" = "14" ] } -<<<<<<< HEAD @test "csi/daemonset: VAULT_ADDR defaults to Agent unix socket" { cd `chart_dir` @@ -778,5 +767,3 @@ load _helpers yq -r '.limits.cpu' | tee /dev/stderr) [ "${value}" = "500m" ] } -======= ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) diff --git a/test/unit/schema.bats b/test/unit/schema.bats index 350e160ed..9a61d7d5a 100644 --- a/test/unit/schema.bats +++ b/test/unit/schema.bats @@ -7,15 +7,9 @@ load _helpers # schema, setting it as a string fails 'helm template'. @test "schema: csi enabled datatype" { cd `chart_dir` -<<<<<<< HEAD run helm template . --set csi.enabled="123" [ "$status" -eq 1 ] [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ] -======= - run helm template . --set csi.enabled="nope" - [ "$status" -eq 1 ] - [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ] ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) run helm template . --set csi.enabled=true [ "$status" -eq 0 ] diff --git a/values.schema.json b/values.schema.json index 44980e169..e1628b1b6 100644 --- a/values.schema.json +++ b/values.schema.json @@ -908,6 +908,9 @@ "enabled": { "type": "boolean" }, + "publishNotReadyAddresses": { + "type": "boolean" + }, "externalTrafficPolicy": { "type": "string" }, diff --git a/values.yaml b/values.yaml index 50108a913..bdcfd8e4a 100644 --- a/values.yaml +++ b/values.yaml 
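Review bot: `publishNotReadyAddresses` is declared as `"type": "boolean"` only, whereas the `schema.bats` hunk in the same commit shows that other toggles such as `csi.enabled` validate as `[boolean,string]` so that string-typed inputs are accepted. If that looser convention is intended for this service block too, `"type": ["boolean", "string"]` matches it; if the strict type is deliberate, note that an install using `--set-string` for this key will fail schema validation. Either choice is valid, but the chart should apply it consistently so operators can predict which form of the value the schema accepts.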
@@ -165,7 +165,6 @@ injector: # for more details. # timeoutSeconds: 30 - # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -212,6 +211,8 @@ injector: # matchLabels: # sidecar-injector: enabled namespaceSelector: {} + + # Deprecated: please use 'webhook.objectSelector' instead # objectSelector is the selector for restricting the webhook to only # specific labels. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector From 23131a22a12361d1385948f825b9a3ec8a6a16d7 Mon Sep 17 00:00:00 2001 
From: xiaocongji <85846543+xiaocongji@users.noreply.github.com> Date: Fri, 4 Aug 2023 09:29:43 -0400 Subject: [PATCH 108/108] DATAGO-59401: Upgrading vault to 1.11.x (#18) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). 
Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unnecessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additional call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidentally. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) * Fix CSI acceptance tests (#728) * Update minimum required helm version in readme (#730) Co-authored-by: Tom Proctor * Restore missing 'vault' service account (#737) Our tutorials rely on this service account being present even if we are using an external Vault. The `values.yaml` also states that external Vaults are expected to use this service account. 
For example, https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault * Set default object selector for webhooks to exclude injector itself (#736) Set default object selector for webhooks to exclude injector itself If `injector.failurePolicy` is set to `Fail`, there is a race condition where if the mutating webhook config is setup before the injector, then the injector can fail to start because it tries to inject itself. We can work around this by ignoring the injector pod in in the webhook by default. Thanks to @joeyslalom for the object selector to exclude the pod. Fixes https://github.com/hashicorp/vault-k8s/issues/258 * Prepare for release 0.20.1 (#739) Prepare for release 0.20.1 Improvements: * `vault-k8s` updated to 0.16.1 CHANGES: * `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737) * Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736) Co-authored-by: Theron Voran * Mention minimum helm version in changelog (#742) Also add a features section to 0.20.0 * Start testing against Kubernetes 1.24 (#744) Start testing against Kubernetes 1.24 Update .github/workflows/acceptance.yaml Remove skip csi Co-authored-by: Theron Voran * Update .helmignore (#732) Review .helmignore file, ignore CI in chart * Set VAULT_ADDR env var for CSI Provider pods (#745) * Support to add annotations in injector serviceaccount (#753) * changelog++ (#757) * jira-sync: transition to "Closed" not "Close" (#758) * Add support for nodePort for active and standby services (#610) * Feat/adding pod and container security context (#750) Allow the injector's pod- and container-level securityContext to be fully specified by the user, via new options `injector.securityContext.pod` and `injector.securityContext.container` with 
more complete defaults. Deprecates `injector.uid` and `injector.gid`. If `injector.uid` or `injector.gid` are set by the user, the old pod securityContext settings will be used. Otherwise the new defaults and settings are used. Co-authored-by: Theron Voran * Changelog and schema update for active/standby node port (#761) * Changelog and schema update for active/standby node port Follow-up to https://github.com/hashicorp/vault-helm/pull/610 * changelog++ and json schema update (#762) Changelog updates for #750, and json schema update. * Update jira sync (#768) * csi/server.statefulset: custom security context (#767) csi/server.statefulset: custom security context This adds flexibility to have custom pod template and container `securityContext` and preserves current default values and behavior. Fixes https://github.com/hashicorp/vault-helm/issues/663. This also is a way to address https://github.com/hashicorp/vault-helm/pull/599 so that people can specify, for example, the CSI to run in a privileged container for OpenShift. This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750 and builds on the same principles. Side note: I am not able to run `helm schema-gen` since it is unmaintained and does not work with M1 Macs. * Prepare for 0.21.0 release (#771) Prepare for 0.21.0 release CHANGES: * `vault-k8s` updated to 0.17.0. (this) * `vault-csi-provider` updated to 1.2.0 (this) * `vault` updated to 1.11.2 (this) * Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) * Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. 
[GH-745](https://github.com/hashicorp/vault-helm/pull/745) Features: * server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) * Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) * Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) * DOC: Minor typos fixes (#669) Co-authored-by: Tom Proctor * update values comments for server.securityContext (#778) Since container is empty for openshift. * CI: run acceptance tests on push to any (#781) * Add support for the Prometheus Operator (#772) support collecting Vault server metrics by deploying PrometheusOperator CustomResources. 
Co-authored-by: Sam Weston Co-authored-by: Theron Voran * Update vault-k8s to 1.0.0 (#784) Update vault-k8s to 1.0.0 Also update Kubernetes versions tested against, including adding 1.25 Update consul in tests for Kubernetes 1.25 support * Prepare for 0.22.0 release (#785) Prepare for 0.21.1 release * Update Vault to 1.11.3 * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable 
tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. 
* changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. 
* Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. * changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error 
with file * minor changes * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason 
O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. 
v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. 
Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. * changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * Datago 30304/upgrading vault to 1.9.2 (#14) * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github 
workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. 
* add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Update to 0.4.0 * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add 
volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based 
tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. 
* changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error with file * minor changes * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add 
csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add 
default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. * changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. 
See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. * Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. 
* changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * changed value to use tag 1.9.6 Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. 
Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 * feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16) * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. 
Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image 
to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unncessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additonal call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidently. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * chore(59401): Upgrade vault to 1.11.x --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Aleksey Co-authored-by: Bruno Padilha <1850071+brunopadz@users.noreply.github.com> Co-authored-by: Jack Halford Co-authored-by: ChrisFraun Co-authored-by: Alex Khaerov Co-authored-by: Sam Weston Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 Co-authored-by: Adhish Maheswaran <36574103+adhish2001@users.noreply.github.com> --- Makefile | 3 
--- templates/csi-daemonset.yaml | 7 +++++++
 values.yaml | 34 +++++++++++++++++++++++++++-------
 3 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/Makefile b/Makefile
index 10572bc77..560022064 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,6 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
 ACCEPTANCE_TESTS?=acceptance
-<<<<<<< HEAD
 # filter bats unit tests to run.
 UNIT_TESTS_FILTER?='.*'
@@ -17,8 +16,6 @@ KIND_CLUSTER_NAME?=vault-helm
 # kind k8s version
 KIND_K8S_VERSION?=v1.26.3
-=======
->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
 # Generate json schema for chart values. See test/README.md for more details.
 values-schema:
 helm schema-gen values.yaml > values.schema.json
diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml
index 0285a0cbb..c89d494cb 100644
--- a/templates/csi-daemonset.yaml
+++ b/templates/csi-daemonset.yaml
@@ -66,6 +66,13 @@ spec:
 {{- else }}
 value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
 {{- end }}
+ env:
+ - name: VAULT_ADDR
+ {{- if .Values.global.externalVaultAddr }}
+ value: "{{ .Values.global.externalVaultAddr }}"
+ {{- else }}
+ value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+ {{- end }}
 volumeMounts:
 - name: providervol
 mountPath: "/provider"
diff --git a/values.yaml b/values.yaml
index bdcfd8e4a..d2465f214 100644
--- a/values.yaml
+++ b/values.yaml
@@ -237,7 +237,7 @@ injector:
 # Deprecated: please use 'webhook.annotations' instead
 # Extra annotations to attach to the webhook
 webhookAnnotations: {}
-
+
 certs:
 # secretName is the name of the secret that has the TLS certificate and
 # private key to serve the injector webhook. If this is null, then the
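Review bot: The seven added lines in templates/csi-daemonset.yaml introduce a second `env:` key in the same container mapping: the three context lines above them (`{{- else }}`, the `value:` line, `{{- end }}`) look like the tail of an already-present `env` entry for VAULT_ADDR, so the rendered manifest would carry `env:` twice. Duplicate mapping keys are invalid in YAML 1.2; most loaders silently keep the last one, so which `env` list the provider pod actually gets depends on the parser, and strict decoders reject the document outright. Given that the Makefile hunk in this same commit only removes leftover conflict markers, this is likely a merge artifact; if the upstream VAULT_ADDR entry is meant to stay, the added block should be dropped rather than duplicated. The enclosing container spec starts and ends outside the hunk. The values.yaml hunk at `@@ -932,8 +937,23 @@` appears to repeat the pattern with `securityContext:` (the added block is immediately followed by a context line that begins the same comment header), though that hunk's tail is outside this chunk and should be checked in full.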
@@ -343,7 +343,6 @@ injector:
 serviceAccount:
 # Extra annotations to attach to the injector serviceAccount
 annotations: {}
- # A disruption budget limits the number of pods of a replicated application
 # that are down simultaneously from voluntary disruptions
 podDisruptionBudget: {}
@@ -693,9 +692,15 @@ server:
 # will be random if left blank.
 #nodePort: 30000
- # If type is set to "LoadBalancer", a specific IP address can be attached
- # to the load balancer, will be random if left blank.
- #loadBalancerIP:
+ # When HA mode is enabled
+ # If type is set to "NodePort", a specific nodePort value can be configured,
+ # will be random if left blank.
+ #activeNodePort: 30001
+
+ # When HA mode is enabled
+ # If type is set to "NodePort", a specific nodePort value can be configured,
+ # will be random if left blank.
+ #standbyNodePort: 30002
 # Port on which Vault server is listening
 port: 8200
@@ -932,8 +937,23 @@ server:
 # YAML-formatted multi-line templated string map of the annotations to apply
 # to the statefulSet.
 annotations: {}
- # A boolean flag to setup logrotate as a side car continer
- logrotate: null
+
+ # Set the pod and container security contexts.
+ # If not set, these will default to, and for *not* OpenShift:
+ # pod:
+ # runAsNonRoot: true
+ # runAsGroup: {{ .Values.server.gid | default 1000 }}
+ # runAsUser: {{ .Values.server.uid | default 100 }}
+ # fsGroup: {{ .Values.server.gid | default 1000 }}
+ # container:
+ # allowPrivilegeEscalation: false
+ #
+ # If not set, these will default to, and for OpenShift:
+ # pod: {}
+ # container: {}
+ securityContext:
+ pod: {}
+ container: {}
 # Set the pod and container security contexts.
 # If not set, these will default to, and for *not* OpenShift:
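Review bot: The `@@ -693,9 +692,15 @@` hunk of values.yaml removes the commented `#loadBalancerIP:` entry together with its two description lines, which were the only values.yaml documentation of the LoadBalancerIP support the commit message says this fork carries ("Adding support for LoadBalancerIP field in ServiceSpec"). If the server service template still reads `server.service.loadBalancerIP` (not visible in this chunk), the removed three lines should be kept next to the new `#activeNodePort` / `#standbyNodePort` comments so the value stays discoverable; if the fork has dropped the value, that removal belongs in the changelog instead. The `server.service` mapping this hunk sits in starts and ends outside the hunk.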