Updating GHA and default Vault version (#863)

Test with latest kind k8s versions 1.22-1.26. Remove support for old
disruptionbudget and ingress APIs (pre 1.22).

Pin all actions to SHAs, and use the common jira sync.

Update the default Vault version to v1.13.1.

Update chart-verifier used in tests to 1.10.1, also add an openshift
name annotation to Chart.yaml (one of the required checks).

.github/workflows/acceptance.yaml

@@ -7,19 +7,19 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        kind-k8s-version: [1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3]
+        kind-k8s-version: [1.22.17, 1.23.17, 1.24.12, 1.25.8, 1.26.3]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup test tools
         uses: ./.github/workflows/setup-test-tools
 
       - name: Create K8s Kind Cluster
-        uses: helm/kind-action@v1.4.0
+        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
         with:
           config: test/kind/config.yaml
           node_image: kindest/node:v${{ matrix.kind-k8s-version }}
-          version: v0.16.0
+          version: v0.17.0
 
       - run: bats --tap --timing ./test/acceptance
         env:

.github/workflows/jira.yaml

@@ -1,72 +1,17 @@
+name: Jira Sync
 on:
   issues:
     types: [opened, closed, deleted, reopened]
   pull_request_target:
     types: [opened, closed, reopened]
   issue_comment: # Also triggers when commenting on a PR from the conversation view
     types: [created]
-
-name: Jira Sync
-
 jobs:
   sync:
-    runs-on: ubuntu-latest
-    name: Jira sync
-    steps:
-    - name: Login
-      uses: atlassian/[email protected]
-      env:
-        JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
-        JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
-        JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
-
-    - name: Preprocess
-      if: github.event.action == 'opened' || github.event.action == 'created'
-      id: preprocess
-      run: |
-        if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
-          echo "::set-output name=type::PR"
-        else
-          echo "::set-output name=type::ISS"
-        fi
-
-    - name: Create ticket
-      if: github.event.action == 'opened'
-      uses: tomhjp/[email protected]
-      with:
-        project: VAULT
-        issuetype: "GH Issue"
-        summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}"
-        description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_"
-        # customfield_10089 is Issue Link custom field
-        # customfield_10091 is team custom field
-        extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "foundations"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}'
-
-    - name: Search
-      if: github.event.action != 'opened'
-      id: search
-      uses: tomhjp/[email protected]
-      with:
-        # cf[10089] is Issue Link custom field
-        jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'
-
-    - name: Sync comment
-      if: github.event.action == 'created' && steps.search.outputs.issue
-      uses: tomhjp/[email protected]
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}"
-
-    - name: Close ticket
-      if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue
-      uses: atlassian/[email protected]
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        transition: Closed
-
-    - name: Reopen ticket
-      if: github.event.action == 'reopened' && steps.search.outputs.issue
-      uses: atlassian/[email protected]
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        transition: "Pending Triage"
+    uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main
+    secrets:
+      JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
+      JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
+      JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
+    with:
+      teams-array: '["ecosystem", "foundations"]'

.github/workflows/setup-test-tools/action.yaml

@@ -4,7 +4,7 @@ description: Install bats and python-yq
 runs:
   using: "composite"
   steps:
-    - uses: actions/setup-node@v2
+    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
       with:
         node-version: '16'
     - run: npm install -g bats@${BATS_VERSION}
@@ -13,7 +13,7 @@ runs:
         BATS_VERSION: '1.8.2'
     - run: bats -v
       shell: bash
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
       with:
         python-version: '3.10'
     - run: pip install yq

.github/workflows/tests.yaml

@@ -6,19 +6,19 @@ jobs:
   bats-unit-tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - uses: ./.github/workflows/setup-test-tools
       - run: bats --tap --timing ./test/unit
 
   chart-verifier:
     runs-on: ubuntu-latest
     env:
-      CHART_VERIFIER_VERSION: '1.2.1'
+      CHART_VERIFIER_VERSION: '1.10.1'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup test tools
         uses: ./.github/workflows/setup-test-tools
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: '1.19.2'
       - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}

CHANGELOG.md

@@ -1,7 +1,8 @@
 ## Unreleased
 
 Changes:
-* Earliest Kubernetes version tested is now 1.20
+* Earliest Kubernetes version tested is now 1.22
+* `vault` updated to 1.13.1
 
 Features:
 * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)

Chart.yaml

@@ -4,8 +4,8 @@
 apiVersion: v2
 name: vault
 version: 0.23.0
-appVersion: 1.12.1
-kubeVersion: ">= 1.20.0-0"
+appVersion: 1.13.1
+kubeVersion: ">= 1.22.0-0"
 description: Official HashiCorp Vault Chart
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
@@ -15,3 +15,5 @@ sources:
   - https://github.com/hashicorp/vault-helm
   - https://github.com/hashicorp/vault-k8s
   - https://github.com/hashicorp/vault-csi-provider
+annotations:
+  charts.openshift.io/name: HashiCorp Vault

Makefile

@@ -14,7 +14,7 @@ LOCAL_ACCEPTANCE_TESTS?=false
 KIND_CLUSTER_NAME?=vault-helm
 
 # kind k8s version
-KIND_K8S_VERSION?=v1.25.0
+KIND_K8S_VERSION?=v1.26.3
 
 # Generate json schema for chart values. See test/README.md for more details.
 values-schema:

README.md

@@ -21,7 +21,7 @@ this README. Please refer to the Kubernetes and Helm documentation.
 The versions required are:
 
   * **Helm 3.6+**
-  * **Kubernetes 1.20+** - This is the earliest version of Kubernetes tested.
+  * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested.
     It is possible that this chart works with earlier versions but it is
     untested.
 

templates/injector-disruptionbudget.yaml

@@ -4,7 +4,7 @@ SPDX-License-Identifier: MPL-2.0
 */}}
 
 {{- if .Values.injector.podDisruptionBudget }}
-apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: {{ template "vault.fullname" . }}-agent-injector

templates/server-disruptionbudget.yaml

@@ -9,7 +9,7 @@ SPDX-License-Identifier: MPL-2.0
 {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
 # PodDisruptionBudget to prevent degrading the server cluster through
 # voluntary cluster changes.
-apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: {{ template "vault.fullname" . }}

templates/server-ingress.yaml

@@ -17,13 +17,7 @@ SPDX-License-Identifier: MPL-2.0
 {{- $servicePort := .Values.server.service.port -}}
 {{- $pathType := .Values.server.ingress.pathType -}}
 {{- $kubeVersion := .Capabilities.KubeVersion.Version }}
-{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
 apiVersion: networking.k8s.io/v1
-{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
-apiVersion: networking.k8s.io/v1beta1
-{{ else }}
-apiVersion: extensions/v1beta1
-{{ end }}
 kind: Ingress
 metadata:
   name: {{ template "vault.fullname" . }}
@@ -72,4 +66,4 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}

test/acceptance/server-ha-enterprise-dr.bats

@@ -7,7 +7,7 @@ load _helpers
 
   helm install "$(name_prefix)-east" \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.12.1-ent' \
+    --set='server.image.tag=1.13.1-ent' \
     --set='injector.enabled=false' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
@@ -75,7 +75,7 @@ load _helpers
   helm install "$(name_prefix)-west" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.12.1-ent' \
+    --set='server.image.tag=1.13.1-ent' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
     --set='server.enterpriseLicense.secretName=vault-license' .

test/acceptance/server-ha-enterprise-perf.bats

@@ -8,7 +8,7 @@ load _helpers
   helm install "$(name_prefix)-east" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.12.1-ent' \
+    --set='server.image.tag=1.13.1-ent' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
     --set='server.enterpriseLicense.secretName=vault-license' .
@@ -75,7 +75,7 @@ load _helpers
   helm install "$(name_prefix)-west" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.12.1-ent' \
+    --set='server.image.tag=1.13.1-ent' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
     --set='server.enterpriseLicense.secretName=vault-license' .

test/chart/verifier.bats

@@ -6,9 +6,9 @@ setup_file() {
     cd `chart_dir`
     export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json"
     export CHART_VOLUME=vault-helm-chart-src
-    local IMAGE="quay.io/redhat-certification/chart-verifier:1.2.1"
+    local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1"
     # chart-verifier requires an openshift version if a cluster isn't available
-    local OPENSHIFT_VERSION="4.8"
+    local OPENSHIFT_VERSION="4.12"
     local DISABLED_TESTS="chart-testing"
 
     local run_cmd="chart-verifier"
@@ -40,7 +40,7 @@ teardown_file() {
 }
 
 @test "has-kubeversion" {
-    check_result v1.0/has-kubeversion
+    check_result v1.1/has-kubeversion
 }
 
 @test "is-helm-v3" {
@@ -76,10 +76,19 @@ teardown_file() {
 }
 
 @test "images-are-certified" {
-    check_result v1.0/images-are-certified
+    check_result v1.1/images-are-certified
+}
+
+@test "required-annotations-present" {
+    check_result v1.0/required-annotations-present
 }
 
 @test "chart-testing" {
     skip "Skipping since this test requires a kubernetes/openshift cluster"
     check_result v1.0/chart-testing
 }
+
+@test "signature-is-valid" {
+    skip "Chart is not signed : Signature verification not required"
+    check_result v1.0/signature-is-valid
+}

test/unit/injector-disruptionbudget.bats

@@ -31,18 +31,7 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
-@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      --show-only templates/injector-disruptionbudget.yaml \
-      --set 'injector.podDisruptionBudget.minAvailable=2' \
-      --kube-version 1.20.15 \
-      . | tee /dev/stderr |
-      yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr)
-  [ "${actual}" = "true" ]
-}
-
-@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" {
+@test "injector/DisruptionBudget: apiVersion is set correctly >= version 1.21 of kube" {
   cd `chart_dir`
   local actual=$(helm template \
       --show-only templates/injector-disruptionbudget.yaml \
@@ -51,4 +40,4 @@ load _helpers
       . | tee /dev/stderr |
       yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
   [ "${actual}" = "true" ]
-}
+}

test/unit/server-ha-disruptionbudget.bats

@@ -98,19 +98,7 @@ load _helpers
   [ "${actual}" = "2" ]
 }
 
-@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      --show-only templates/server-disruptionbudget.yaml \
-      --set 'server.ha.enabled=true' \
-      --set 'server.ha.replicas=1' \
-      --kube-version 1.20.15 \
-      . | tee /dev/stderr |
-      yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr)
-  [ "${actual}" = "true" ]
-}
-
-@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" {
+@test "server/DisruptionBudget: apiVersion is set correctly >= version 1.21 of kube" {
   cd `chart_dir`
   local actual=$(helm template \
       --show-only templates/server-disruptionbudget.yaml \
@@ -120,4 +108,4 @@ load _helpers
       . | tee /dev/stderr |
       yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
   [ "${actual}" = "true" ]
-}
+}