Adding new and changed files for testing of PR_46

eks-anywhere-common/Addons/Partner/Merge-Demo/Vault/config-map-46.yml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vault-configmap
+  namespace: vault
+  labels:
+    bot: conformitron
+data:
+  Namespace: vault
+  prNumber: "46"
+  commitHash: 99810700d2079bc948c4e557fc82a8ded6228760
+  deployed: "1715362025"
+  env: common

eks-anywhere-common/Addons/Partner/Merge-Demo/Vault/namespace.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault
+  labels:
+      aws.conformance.vendor: hashicorp
+      aws.conformance.vendor-solution: vault
+      aws.conformance.vendor-solution-version: 0.25.0

eks-anywhere-common/Addons/Partner/Merge-Demo/Vault/vault-helm.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: vault
+  namespace: vault
+spec:
+  chart:
+    spec:
+      chart: vault
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: hashicorp
+        namespace: flux-system
+      version: 0.25.0
+  interval: 1m0s
+  targetNamespace: vault
+  values:
+    csi:
+      enabled: true
+    server:
+      ha:
+        enabled: true
+        raft:
+          config: |
+            ui = true
+            listener "tcp" {
+              tls_disable = 1
+              address = "[::]:8200"
+              cluster_address = "[::]:8201"
+            }
+            storage "raft" {
+              path = "/vault/data"
+            }
+            service_registration "kubernetes" {}
+          enabled: true
+        replicas: 1

eks-anywhere-common/Addons/Partner/Merge-Demo/Vault/vault-source.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: hashicorp
+  namespace: flux-system
+spec:
+  interval: 30s
+  url: https://helm.releases.hashicorp.com

eks-anywhere-common/Addons/Partner/Merge-Demo/Vault/vault-unseal-rb.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-unseal-rb
+  namespace: vault
+subjects:
+  - kind: ServiceAccount
+    name: vault-unseal-sa
+roleRef:
+  kind: Role
+  name: vault-unseal-role
+  apiGroup: rbac.authorization.k8s.io

eks-anywhere-common/Addons/Partner/Merge-Demo/Vault/vault-unseal-role.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vault-unseal-role
+  namespace: vault
+rules:
+  - apiGroups: [""]
+    resources: 
+      - "pods"
+      - "pods/log"
+    verbs: 
+      - "get"
+      - "list"
+      - "watch"
+      - "delete"
+  - apiGroups: [""]
+    resources: 
+      - "pods/exec"
+    verbs: 
+      - "create"
+  - apiGroups: [""]
+    resources:
+        - "secrets"
+    verbs:
+        - "*"

eks-anywhere-common/Addons/Partner/Merge-Demo/Vault/vault-unseal-sa.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-unseal-sa
+  namespace: vault

eks-anywhere-common/Addons/Partner/Merge-Demo/Vault/vault-unseal.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vault-unseal
+  namespace: vault
+spec:
+  template:
+    spec:
+      serviceAccountName: vault-unseal-sa
+      containers:
+        - name: vault-unseal
+          image: 'bitnami/kubectl:latest'
+          command:
+            - /bin/sh
+          args:
+            - '-c'
+            - >-
+              vault_running="NotRunning";
+              while [ "$vault_running" != "Running" ]; do vault_running=`kubectl get pods -n vault vault-vault-0 -o jsonpath="{.status.phase}"` && echo waiting; sleep 10; done; sleep 10;
+              kubectl exec -ti vault-vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > /tmp/unseal.json;
+              vault_unseal=`cat /tmp/unseal.json | jq -r '.unseal_keys_hex[0]'`;
+              kubectl exec -ti vault-vault-0 -- vault operator unseal $vault_unseal;
+              kubectl create secret generic vault-unseal-token --from-file='/tmp/unseal.json';
+              sleep 10;
+      restartPolicy: Never
+  backoffLimit: 4

eks-anywhere-common/Testers/Merge-Demo/Vault/Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine:3.17
+
+ARG VAULT_VERSION=1.12.2
+
+RUN apk update \
+ && apk add curl jq wget unzip bash \
+ && wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip \
+ && unzip vault_${VAULT_VERSION}_linux_amd64.zip \
+ && mv vault /usr/local/bin/
+
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl \
+ && chmod +x ./kubectl \
+ && mv ./kubectl /usr/local/bin

eks-anywhere-common/Testers/Merge-Demo/Vault/kvJob.yaml

@@ -0,0 +1,31 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: test-vault-kv
+  namespace: vault
+spec:
+  template:
+    spec:
+      serviceAccountName: vault-unseal-sa
+      containers:
+        - name: test-vault-kv
+          image: 'baghelg/vault-k8ctl:alpine'
+          imagePullPolicy: Always
+          command:
+            - /bin/bash
+          args:
+            - '-c'
+            - >-
+              vault_running="NotRunning";
+              while [ "$vault_running" != "Running" ]; 
+              do vault_running=`kubectl get pods -n vault vault-vault-0 -o jsonpath="{.status.phase}"` && echo waiting;
+              export VAULT_ADDR="http://vault-vault:8200";
+              export VAULT_TOKEN=`kubectl get secrets vault-unseal-token -o json -n vault | jq -r '.data."unseal.json"' | base64 -d | jq -r '."root_token"'`;
+              vault secrets enable -version=2 kv;
+              vault kv put -mount=kv my-secret foo=a bar=b;
+              sleep 10;
+              export op=`vault kv get -mount=kv -field=foo my-secret` ; [[ "${op}" == "a" ]] && echo "Vault KV engine works!";
+              sleep 10;
+              done;
+      restartPolicy: Never
+  backoffLimit: 1