4 changes: 3 additions & 1 deletion templates/_helpers.tpl
Expand Up @@ -51,7 +51,9 @@ Set the variable 'mode' to the server mode requested by the user to simplify
template logic.
*/}}
{{- define "vault.mode" -}}
{{- if eq (.Values.server.dev.enabled | toString) "true" -}}
{{- if .Values.injector.externalVaultAddr -}}
{{- $_ := set . "mode" "external" -}}
{{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
{{- $_ := set . "mode" "dev" -}}
{{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
{{- $_ := set . "mode" "ha" -}}
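Review bot: The new first branch of `vault.mode` makes `injector.externalVaultAddr` win over every `server.*` setting, but the helper's header comment (which starts above the hunk) still describes the mode as the one "requested by the user" and never mentions `external`. Extend that comment with something like `If injector.externalVaultAddr is set, mode is "external": no server resources are rendered and the injector uses that address; server.dev/ha/standalone settings are ignored.` Since each server template now tests `ne .mode "external"` on its own, a sentence noting that any new mode value must be mirrored in those templates would save the next maintainer a hunt. The `define` body continues past the hunk.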
4 changes: 4 additions & 0 deletions templates/injector-deployment.yaml
Expand Up @@ -40,7 +40,11 @@ spec:
- name: AGENT_INJECT_LOG_LEVEL
value: {{ .Values.injector.logLevel | default "info" }}
- name: AGENT_INJECT_VAULT_ADDR
{{- if .Values.injector.externalVaultAddr }}
value: "{{ .Values.injector.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- end }}
- name: AGENT_INJECT_VAULT_IMAGE
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
{{- if .Values.injector.certs.secretName }}
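Review bot: `value: "{{ .Values.injector.externalVaultAddr }}"` drops the address into hand-typed double quotes, so a value containing a double quote or backslash produces invalid YAML instead of a clear error; `value: {{ .Values.injector.externalVaultAddr | quote }}` escapes it correctly. Unlike the `else` branch, this branch also bypasses the `vault.scheme` helper, so whether the injector reaches Vault over TLS is decided entirely by the scheme the operator writes into the value. The values.yaml description for `externalVaultAddr` should say a full URL including scheme is expected and that an `http://` address means agent traffic to Vault is unencrypted. The env list this hunk edits continues outside the hunk.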
2 changes: 2 additions & 0 deletions templates/server-clusterrolebinding.yaml
@@ -1,4 +1,5 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
Expand All @@ -19,3 +20,4 @@ subjects:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}
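Review bot: The `{{- if ne .mode "external" }}` guard and its matching end tag are added verbatim to eight templates (this one, server-config-configmap, server-disruptionbudget, server-ingress, server-service, server-serviceaccount, server-statefulset, ui-service), and the closing tag's whitespace trimming differs between them (`{{ end }}` here, `{{- end -}}` in server-disruptionbudget, `{{- end }}` in server-ingress). A single helper that answers "should server resources render" or folding the test into each file's existing condition, e.g. `{{- if and (ne .mode "") (ne .mode "external") (eq (.Values.global.enabled | toString) "true") ... }}`, would keep the rule in one place and make a future mode value harder to miss. If the per-file wrapper is kept, use the same trim form in every file so the empty documents rendered in external mode look alike.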
2 changes: 2 additions & 0 deletions templates/server-config-configmap.yaml
@@ -1,4 +1,5 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
{{ if or (ne .Values.server.standalone.config "") (ne .Values.server.ha.config "") -}}
apiVersion: v1
Expand All @@ -21,3 +22,4 @@ data:
{{ end }}
{{- end }}
{{- end }}
{{- end }}
2 changes: 2 additions & 0 deletions templates/server-disruptionbudget.yaml
@@ -1,4 +1,5 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" -}}
{{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
Expand All @@ -20,3 +21,4 @@ spec:
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end -}}
{{- end -}}
3 changes: 3 additions & 0 deletions templates/server-ingress.yaml
@@ -1,3 +1,5 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .Values.server.ingress.enabled -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- $servicePort := .Values.server.service.port -}}
Expand Down Expand Up @@ -42,3 +44,4 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
3 changes: 3 additions & 0 deletions templates/server-service.yaml
@@ -1,3 +1,5 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
# Service for Vault cluster
apiVersion: v1
Expand Down Expand Up @@ -43,3 +45,4 @@ spec:
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end }}
{{- end }}
2 changes: 2 additions & 0 deletions templates/server-serviceaccount.yaml
@@ -1,4 +1,5 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
apiVersion: v1
kind: ServiceAccount
Expand All @@ -12,3 +13,4 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "vault.serviceAccount.annotations" . }}
{{ end }}
{{ end }}
2 changes: 2 additions & 0 deletions templates/server-statefulset.yaml
@@ -1,4 +1,5 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
Expand Down Expand Up @@ -143,3 +144,4 @@ spec:
{{- end }}
{{ template "vault.volumeclaims" . }}
{{ end }}
{{ end }}
2 changes: 2 additions & 0 deletions templates/ui-service.yaml
@@ -1,4 +1,5 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if eq (.Values.ui.enabled | toString) "true" }}
# Headless service for Vault server DNS entries. This service should only
Expand Down Expand Up @@ -43,3 +44,4 @@ spec:
{{- end -}}

{{ end }}
{{ end }}
34 changes: 34 additions & 0 deletions test/unit/injector-deployment.bats
Expand Up @@ -154,3 +154,37 @@ load _helpers
yq -r '.[5].name' | tee /dev/stderr)
[ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ]
}

@test "injector/deployment: with externalVaultAddr" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)

local actual=$(echo $object |
yq -r '.[2].name' | tee /dev/stderr)
[ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ]

local actual=$(echo $object |
yq -r '.[2].value' | tee /dev/stderr)
[ "${actual}" = "http://vault-outside" ]
}

@test "injector/deployment: without externalVaultAddr" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/injector-deployment.yaml \
--release-name not-external-test \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)

local actual=$(echo $object |
yq -r '.[2].name' | tee /dev/stderr)
[ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ]

local actual=$(echo $object |
yq -r '.[2].value' | tee /dev/stderr)
[ "${actual}" = "http://not-external-test-vault.default.svc:8200" ]
}
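Review bot: `echo $object` in both new tests is unquoted, so the rendered env list is word-split and re-joined on single spaces before it reaches `yq`; that only works if `yq` emits JSON at the first stage, where the whitespace is insignificant, and would break on YAML output. Quote it, e.g. `local actual=$(echo "$object" | yq -r '.[2].name' | tee /dev/stderr)`. The `.[2]` index also pins AGENT_INJECT_VAULT_ADDR to the third env entry, so adding a variable above it in the deployment breaks both tests; a selector such as `.[] | select(.name == "AGENT_INJECT_VAULT_ADDR") | .value` is position-independent. The expected value in the second test hard-codes namespace `default` and port `8200`, which holds only while the suite runs without `--namespace` and with the default service port.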
10 changes: 10 additions & 0 deletions test/unit/server-clusterrolebinding.bats
Expand Up @@ -60,3 +60,13 @@ load _helpers
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "server/ClusterRoleBinding: disable with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-clusterrolebinding.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
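Review bot: The `|| echo "---"` fallback in the `helm template` subshell turns any non-zero exit from helm — a template syntax error included — into an empty render, so a broken server-clusterrolebinding.yaml would still satisfy `[ "${actual}" = "false" ]`. The same construction appears in the other new "disable with externalVaultAddr" tests (server-configmap, server-dev-statefulset, server-ha-disruptionbudget, server-ha-statefulset, server-ingress, server-service, server-serviceaccount, server-statefulset, ui-service). If the fallback exists because `--show-only` fails when the template renders nothing, narrowing it to that failure — for example checking helm's stderr for its "could not find template" message before substituting `---` — would keep genuine rendering errors visible. A short comment above the first such test explaining why `---` is substituted would also help.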
10 changes: 10 additions & 0 deletions test/unit/server-configmap.bats
Expand Up @@ -82,3 +82,13 @@ load _helpers
yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr)
[ ! -z "${actual}" ]
}

@test "server/ConfigMap: disabled by injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-config-configmap.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
11 changes: 11 additions & 0 deletions test/unit/server-dev-statefulset.bats
Expand Up @@ -23,6 +23,17 @@ load _helpers
[ "${actual}" = "false" ]
}

@test "server/dev-StatefulSet: disable with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-statefulset.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \
--set 'server.dev.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "server/dev-StatefulSet: image defaults to server.image.repository:tag" {
cd `chart_dir`
local actual=$(helm template \
10 changes: 10 additions & 0 deletions test/unit/server-ha-disruptionbudget.bats
Expand Up @@ -43,6 +43,16 @@ load _helpers
[ "${actual}" = "false" ]
}

@test "server/DisruptionBudget: disable with injector.exernalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-disruptionbudget.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "server/DisruptionBudget: correct maxUnavailable with n=1" {
cd `chart_dir`
local actual=$(helm template \
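Review bot: The new test name on the `@test` line misspells the value key as `injector.exernalVaultAddr`, which hides this case from anyone grepping for `externalVaultAddr` like its siblings; change it to `@test "server/DisruptionBudget: disable with injector.externalVaultAddr" {`. The `--set` flag below it uses the correct spelling, so the test body exercises the right value.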
11 changes: 11 additions & 0 deletions test/unit/server-ha-statefulset.bats
Expand Up @@ -23,6 +23,17 @@ load _helpers
[ "${actual}" = "false" ]
}

@test "server/ha-StatefulSet: disable with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-statefulset.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \
--set 'server.ha.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "server/ha-StatefulSet: image defaults to server.image.repository:tag" {
cd `chart_dir`
local actual=$(helm template \
11 changes: 11 additions & 0 deletions test/unit/server-ingress.bats
Expand Up @@ -11,6 +11,17 @@ load _helpers
[ "${actual}" = "false" ]
}

@test "server/ingress: disable by injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-ingress.yaml \
--set 'server.ingress.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "server/ingress: checking host entry gets added and path is /" {
cd `chart_dir`
local actual=$(helm template \
30 changes: 30 additions & 0 deletions test/unit/server-service.bats
Expand Up @@ -113,6 +113,36 @@ load _helpers
[ "${actual}" = "false" ]
}

@test "server/Service: disable with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-service.yaml \
--set 'server.dev.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
--set 'server.service.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]

local actual=$( (helm template \
--show-only templates/server-service.yaml \
--set 'server.ha.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
--set 'server.service.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]

local actual=$( (helm template \
--show-only templates/server-service.yaml \
--set 'server.standalone.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
--set 'server.service.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

# This can be seen as testing just what we put into the YAML raw, but
# this is such an important part of making everything work we verify it here.
@test "server/Service: tolerates unready endpoints" {
54 changes: 54 additions & 0 deletions test/unit/server-serviceaccount.bats
Expand Up @@ -27,3 +27,57 @@ load _helpers
yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
[ "${actual}" = "null" ]
}

@test "server/ServiceAccount: disable with global.enabled false" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-service.yaml \
--set 'server.dev.enabled=true' \
--set 'global.enabled=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]

local actual=$( (helm template \
--show-only templates/server-service.yaml \
--set 'server.ha.enabled=true' \
--set 'global.enabled=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]

local actual=$( (helm template \
--show-only templates/server-service.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.enabled=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "server/ServiceAccount: disable by injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-service.yaml \
--set 'server.dev.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]

local actual=$( (helm template \
--show-only templates/server-service.yaml \
--set 'server.ha.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]

local actual=$( (helm template \
--show-only templates/server-service.yaml \
--set 'server.standalone.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
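Review bot: Both new ServiceAccount tests render `templates/server-service.yaml`, not `templates/server-serviceaccount.yaml`, so they pass while never touching the template they are named for; each of the six invocations should read `--show-only templates/server-serviceaccount.yaml \`. As written, the `global.enabled false` case duplicates a Service test instead of covering the ServiceAccount's own `ne .mode ""` / `global.enabled` condition, and the `externalVaultAddr` case gives no evidence that the new `ne .mode "external"` guard in server-serviceaccount.yaml works. Once the path is fixed, the dev/ha/standalone variants remain meaningful because that template branches on `.mode` and would otherwise render nothing.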
11 changes: 11 additions & 0 deletions test/unit/server-statefulset.bats
Expand Up @@ -32,6 +32,17 @@ load _helpers
[ "${actual}" = "false" ]
}

@test "server/standalone-StatefulSet: disable with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-statefulset.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \
--set 'server.standalone.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" {
cd `chart_dir`
local actual=$(helm template \
27 changes: 27 additions & 0 deletions test/unit/ui-service.bats
Expand Up @@ -53,6 +53,33 @@ load _helpers
[ "${actual}" = "false" ]
}

@test "ui/Service: disable with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/ui-service.yaml \
--set 'server.dev.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]

local actual=$( (helm template \
--show-only templates/ui-service.yaml \
--set 'server.ha.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]

local actual=$( (helm template \
--show-only templates/ui-service.yaml \
--set 'server.standalone.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "ui/Service: ClusterIP type by default" {
cd `chart_dir`
local actual=$(helm template \