VAULT-571 Matching documented behavior and consul #703

Merged
merged 11 commits into from
Mar 21, 2022
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,8 @@
## Unreleased

CHANGES:
* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Default value of `-` used for csi, injector, and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Vault default image to 1.9.3
* CSI provider default image to 1.0.0

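Review bot: the second entry lists `-` as the new default only for csi, injector, and server, but the helpers added in this PR apply the same `-`/`global.enabled` rule to `ui.enabled` as well; if values.yaml changes the ui default too, list it here. It would also help to state explicitly that `component.enabled: true` now takes effect even when `global.enabled` is false (the replaced template conditions required both to be `"true"`), since anyone who relied on `global.enabled: false` as a hard off switch will see csi, injector, or server resources appear after upgrading if any of those components is explicitly set to true.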
47 changes: 46 additions & 1 deletion templates/_helpers.tpl
@@ -31,6 +31,50 @@ Expand the name of the chart.
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Compute if the csi driver is enabled.
*/}}
{{- define "vault.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}

{{/*
Compute if the injector is enabled.
*/}}
{{- define "vault.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}

{{/*
Compute if the server is enabled.
*/}}
{{- define "vault.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}

{{/*
Compute if the server service is enabled.
*/}}
{{- define "vault.serverServiceEnabled" -}}
{{- template "vault.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}}

{{/*
Compute if the ui is enabled.
*/}}
{{- define "vault.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}

{{/*
Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster.
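Review bot: the four component helpers (`vault.csiEnabled`, `vault.injectorEnabled`, `vault.serverEnabled`, `vault.uiEnabled`) repeat the same three-way expression, `or (eq X "true") (and (eq X "-") (eq global.enabled "true"))`, with only the values key changing; a single helper that evaluates that rule for a given value, included from each of the four, would keep the precedence logic in one place so a future tweak cannot drift between components. Two observations on the logic as written: `vault.uiEnabled` is not gated on `.serverEnabled` the way `vault.serverServiceEnabled` is, so `ui.enabled: true` with the server disabled still evaluates to enabled; and the string comparison is fail-closed in a useful way, since any value other than exactly `"true"` or `"-"` (for example `yes` or `True`) resolves to disabled rather than enabled, which is the right default for templates that emit cluster-scoped RBAC. A one-line comment noting that each helper populates a field on the root context (`.csiEnabled` and so on) as a side effect would help readers of the templates that consume those fields.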
@@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify
template logic.
*/}}
{{- define "vault.mode" -}}
{{- template "vault.serverEnabled" . -}}
{{- if .Values.injector.externalVaultAddr -}}
{{- $_ := set . "mode" "external" -}}
{{- else if ne (.Values.server.enabled | toString) "true" -}}
{{- else if not .serverEnabled -}}
{{- $_ := set . "mode" "external" -}}
{{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
{{- $_ := set . "mode" "dev" -}}
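Review bot: with `not .serverEnabled` now routing to `mode "external"`, a disabled server and a configured `injector.externalVaultAddr` become indistinguishable downstream. That is the pre-existing meaning of `external`, but it has a consequence for the rest of the PR: every server-*.yaml template that calls `vault.mode` and then checks `ne .mode "external"` already excludes the disabled-server case, so the separate `{{- template "vault.serverEnabled" . -}}` includes added to those templates recompute a value this helper has already set. Consider documenting in the comment above `define "vault.mode"` that it also populates `.serverEnabled`, since later templates now depend on that side effect.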
3 changes: 2 additions & 1 deletion templates/csi-clusterrole.yaml
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
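Review bot: the new gate changes the outcome for `csi.enabled: true` with `global.enabled: false` from not rendered to rendered (the replaced `and` required both to be `"true"`). Because this is a cluster-scoped RBAC object, it matters that the identical `vault.csiEnabled` gate is applied to the ClusterRoleBinding, DaemonSet and ServiceAccount in the following hunks, so the permission grant and the workload that uses it stay in lockstep; a unit test covering the `true`/`false`/`-` combinations of `csi.enabled` against `global.enabled` for these four templates would lock that in. Minor: the removed line ended in `}}` while the new `if` ends in `-}}`, which trims the newline before `apiVersion:`; harmless here since nothing precedes it in the output.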
3 changes: 2 additions & 1 deletion templates/csi-clusterrolebinding.yaml
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
3 changes: 2 additions & 1 deletion templates/csi-daemonset.yaml
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
3 changes: 2 additions & 1 deletion templates/csi-serviceaccount.yaml
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
5 changes: 4 additions & 1 deletion templates/injector-certs-secret.yaml
@@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1
kind: Secret
metadata:
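Review bot: splitting the old single `and` into two nested `if` blocks costs an extra `{{- end }}` at the bottom of every template that follows this pattern (see the second hunk of this file); a single `{{- if and .injectorEnabled (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}` would keep the original shape and avoid the matching-`end` bookkeeping across the injector templates. Either way, the condition for creating this leader-election Secret is unchanged apart from the `global.enabled` handling now living in the helper: it is still only rendered when `leaderElector.enabled` is true and `replicas` is greater than 1.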
@@ -9,3 +11,4 @@ metadata:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}
5 changes: 3 additions & 2 deletions templates/injector-clusterrole.yaml
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -10,7 +11,7 @@ metadata:
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs:
verbs:
- "get"
- "list"
- "watch"
3 changes: 2 additions & 1 deletion templates/injector-clusterrolebinding.yaml
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
3 changes: 2 additions & 1 deletion templates/injector-deployment.yaml
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
3 changes: 2 additions & 1 deletion templates/injector-mutating-webhook.yaml
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
5 changes: 4 additions & 1 deletion templates/injector-network-policy.yaml
@@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
@@ -19,3 +21,4 @@ spec:
- port: 8080
protocol: TCP
{{ end }}
{{ end }}
5 changes: 4 additions & 1 deletion templates/injector-psp-role.yaml
@@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -15,3 +17,4 @@ rules:
resourceNames:
- {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}
5 changes: 4 additions & 1 deletion templates/injector-psp-rolebinding.yaml
@@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@@ -16,3 +18,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}
5 changes: 4 additions & 1 deletion templates/injector-psp.yaml
@@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
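Review bot: the new outer `.injectorEnabled` gate here is consistent with the PSP Role and RoleBinding hunks above, so the three PSP objects continue to appear and disappear together. Unrelated to this change but visible in the context lines: `policy/v1beta1` PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so this template will eventually need a `.Capabilities.APIVersions.Has` guard like the one already used in injector-mutating-webhook.yaml, or a migration to Pod Security Admission; worth a follow-up issue rather than a change in this PR.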
@@ -41,3 +43,4 @@ spec:
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}
5 changes: 4 additions & 1 deletion templates/injector-role.yaml
@@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -24,3 +26,4 @@ rules:
- "patch"
- "delete"
{{- end }}
{{- end }}
5 changes: 4 additions & 1 deletion templates/injector-rolebinding.yaml
@@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@@ -17,3 +19,4 @@ subjects:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
3 changes: 2 additions & 1 deletion templates/injector-service.yaml
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: Service
metadata:
3 changes: 2 additions & 1 deletion templates/injector-serviceaccount.yaml
@@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
5 changes: 4 additions & 1 deletion templates/server-clusterrolebinding.yaml
@@ -1,5 +1,7 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
{{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
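Review bot: `{{- template "vault.serverEnabled" . -}}` is redundant on the line after `{{ template "vault.mode" . }}`: the updated `vault.mode` helper already includes `vault.serverEnabled` and sets `.serverEnabled`, so this include recomputes the same value. The `if .serverEnabled` guard itself is the right addition for this file, because the existing `ne .mode ""` check does not exclude a disabled server (its mode is `external`, not empty), and this template binds a ClusterRole to the server ServiceAccount; without the guard, dropping the `global.enabled` term would have left that binding rendered for a server that does not exist.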
@@ -22,3 +24,4 @@ subjects:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}
5 changes: 4 additions & 1 deletion templates/server-config-configmap.yaml
@@ -1,6 +1,8 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
{{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1
kind: ConfigMap
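Review bot: the added `.serverEnabled` check is implied by the `ne .mode "external"` check two lines above it: the updated `vault.mode` sets `mode` to `external` whenever `.serverEnabled` is false, so inside this block `.serverEnabled` is always true. Keeping both is harmless, but one of them should go so readers do not hunt for a case that cannot occur; the same applies to the sibling server-* templates that share the `vault.mode` / `ne .mode "external"` preamble (discovery role and rolebinding, disruption budget, HA services, headless service). Dropping the explicit `global.enabled` term here is correct, since the `-` default now carries that rule inside the helper.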
@@ -36,3 +38,4 @@ data:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
5 changes: 4 additions & 1 deletion templates/server-discovery-role.yaml
@@ -1,6 +1,8 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -17,3 +19,4 @@ rules:
verbs: ["get", "watch", "list", "update", "patch"]
{{ end }}
{{ end }}
{{ end }}
5 changes: 4 additions & 1 deletion templates/server-discovery-rolebinding.yaml
@@ -1,6 +1,8 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
@@ -25,3 +27,4 @@ subjects:
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}
{{ end }}
5 changes: 4 additions & 1 deletion templates/server-disruptionbudget.yaml
@@ -1,6 +1,8 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" -}}
{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
{{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
apiVersion: policy/v1beta1
@@ -22,3 +24,4 @@ spec:
component: server
{{- end -}}
{{- end -}}
{{- end -}}
5 changes: 4 additions & 1 deletion templates/server-ha-active-service.yaml
@@ -1,6 +1,8 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
# Service for active Vault pod
apiVersion: v1
kind: Service
@@ -40,3 +42,4 @@ spec:
vault-active: "true"
{{- end }}
{{- end }}
{{- end }}
5 changes: 4 additions & 1 deletion templates/server-ha-standby-service.yaml
@@ -1,6 +1,8 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
# Service for standby Vault pod
apiVersion: v1
kind: Service
@@ -40,3 +42,4 @@ spec:
vault-active: "false"
{{- end }}
{{- end }}
{{- end }}
3 changes: 2 additions & 1 deletion templates/server-headless-service.yaml
@@ -1,6 +1,7 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
5 changes: 4 additions & 1 deletion templates/server-ingress.yaml
@@ -4,7 +4,9 @@
{{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
{{- $servicePort := .Values.server.service.port -}}
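Review bot: the scope of the condition widened here. Before, the `and (...)` only decided whether `$serviceName` received the `-active` suffix and the Ingress was rendered whenever `server.ingress.enabled` was true; now `if .serverServiceEnabled` wraps the remainder of the template (hence the extra `{{- end }}` at the bottom of the file), so with `server.service.enabled: false` no Ingress is produced at all. That is the safer outcome, since an Ingress pointing at a Service that is never created is useless, but it is a behaviour change and deserves its own CHANGELOG line. The inner `if and (eq .mode "ha") (eq ... activeService ... "true")` keeps the old suffix logic intact.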
@@ -72,3 +74,4 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
5 changes: 4 additions & 1 deletion templates/server-psp-role.yaml
@@ -1,5 +1,7 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -16,3 +18,4 @@ rules:
resourceNames:
- {{ template "vault.fullname" . }}
{{- end }}
{{- end }}