From 1f68852dc24e90e9d59f2ef8f6c92fae47fd5f00 Mon Sep 17 00:00:00 2001 From: fischerman <privat@bjorn-fischer.de> Date: Wed, 15 Jan 2020 11:03:20 +0100 Subject: [PATCH 01/79] add lifecycle to vault instead of extra container (#179) --- templates/server-statefulset.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 48edf16..985bf59 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -117,9 +117,6 @@ spec: successThreshold: 1 timeoutSeconds: 5 {{- end }} - {{- if .Values.server.extraContainers }} - {{ toYaml .Values.server.extraContainers | nindent 8}} - {{- end }} lifecycle: # Vault container doesn't receive SIGTERM from Kubernetes # and after the grace period ends, Kube sends SIGKILL. This @@ -128,6 +125,9 @@ spec: preStop: exec: command: ["/bin/sh","-c","kill -SIGTERM $(pidof vault)"] + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8}} + {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} -- GitLab From 4209cbcc2d0de21f4eee61d04d7b5e450149f73f Mon Sep 17 00:00:00 2001 From: fischerman <privat@bjorn-fischer.de> Date: Wed, 15 Jan 2020 11:06:54 +0100 Subject: [PATCH 02/79] make shareProcessNamespace configurable (#174) * make shareProcessNamespace configurable * add unit tests --- CHANGELOG.md | 4 ++++ templates/server-statefulset.yaml | 3 +++ test/unit/server-statefulset.bats | 27 +++++++++++++++++++++++++++ values.yaml | 4 ++++ 4 files changed, 38 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49b506f..770935f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Unreleased +Improvements: + +* Allow process namespace sharing between Vault and sidecar containers + ## 0.3.3 (January 14th, 2020) Security: 
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 985bf59..5ae60af 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -38,6 +38,9 @@ spec: {{ template "vault.nodeselector" . }} terminationGracePeriodSeconds: 10 serviceAccountName: {{ template "vault.fullname" . }} + {{ if .Values.server.shareProcessNamespace }} + shareProcessNamespace: true + {{ end }} securityContext: runAsNonRoot: true runAsGroup: {{ .Values.server.gid | default 1000 }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 4ab9cb0..cfc0c4b 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -670,6 +670,33 @@ load _helpers [ "${containers_count}" = 1 ] } +# sharedProcessNamespace + +@test "server/standalone-StatefulSet: shareProcessNamespace disabled by default" { + cd `chart_dir` + + # Test that it defines it + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr) + + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: shareProcessNamespace enabled" { + cd `chart_dir` + + # Test that it defines it + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + --set 'server.shareProcessNamespace=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + # extra labels @test "server/standalone-StatefulSet: specify extraLabels" { diff --git a/values.yaml b/values.yaml index d632113..2aac944 100644 --- a/values.yaml +++ b/values.yaml 
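Review bot: The added `{{ if .Values.server.shareProcessNamespace }}` / `{{ end }}` actions use no whitespace trimming, unlike the `{{- if ... }}` / `{{- end }}` pairs elsewhere in this template (the extraContainers block in patch 01 of this series, for instance), so the rendered manifest carries two blank lines whenever the option is off. Kubernetes does not mind, but it is inconsistent with the file; `{{- if .Values.server.shareProcessNamespace }}` and `{{- end }}` match the existing style. The pod spec this sits in continues on both sides of the hunk.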
@@ -113,6 +113,10 @@ server: # extraContainers is a list of sidecar containers. Specified as a raw YAML string. extraContainers: null + # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers + # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation + shareProcessNamespace: false + # extraArgs is a string containing additional Vault server arguments. extraArgs: "" -- GitLab From 0099ea8a94d730ed9e24c0f16c43350a5b2d8130 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Wed, 15 Jan 2020 10:16:28 -0500 Subject: [PATCH 03/79] changelog++ --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 770935f..510e2de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ Improvements: * Allow process namespace sharing between Vault and sidecar containers +Bugs: + +* Fix bug where Vault lifecycle was appended after extra containers. + ## 0.3.3 (January 14th, 2020) Security: -- GitLab From eccd71bfe22401cb738072a85b8538d8796e39df Mon Sep 17 00:00:00 2001 From: Yong Wen Chua <lawliet89@users.noreply.github.com> Date: Sat, 18 Jan 2020 20:36:45 +0800 Subject: [PATCH 04/79] Allow configure StatefulSet updateStrategy (#172) --- templates/server-statefulset.yaml | 4 ++-- test/unit/server-ha-statefulset.bats | 11 +++++++++++ values.yaml | 18 +++++++++++------- 3 files changed, 24 insertions(+), 9 deletions(-) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 5ae60af..c89175d 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -15,7 +15,7 @@ spec: podManagementPolicy: Parallel replicas: {{ template "vault.replicas" . }} updateStrategy: - type: OnDelete + type: {{ .Values.server.updateStrategyType }} selector: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }} 
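Review bot: The new `shareProcessNamespace` comment explains the benefit (signalling Vault from a sidecar) but not the trust boundary it moves: once the pod shares a PID namespace, every entry in `extraContainers` can see and signal the Vault process, so a sidecar that is compromised or simply misbehaving is no longer isolated from it. One more line would let operators make that call deliberately, e.g. `# Only enable this if the extraContainers are trusted: they gain visibility of, and can signal, the Vault process.` The `server:` mapping these keys live in continues outside the hunk.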
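Review bot: `type: {{ .Values.server.updateStrategyType }}` renders a bare `type:` (null) when a caller clears the value with an empty string, and nothing constrains it to the values the StatefulSet API accepts, so a typo only surfaces as an API-server rejection at install time. Keeping the previous behaviour as the fallback costs one word: `type: {{ .Values.server.updateStrategyType | default "OnDelete" }}`. The values.yaml hunk later in this patch documents the key but not its two valid values (`OnDelete`, `RollingUpdate`); naming them there would help. The `updateStrategy` block is inside `spec:`, which continues outside the hunk.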
@@ -122,7 +122,7 @@ spec: {{- end }} lifecycle: # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This + # and after the grace period ends, Kube sends SIGKILL. This # causes issues with graceful shutdowns such as deregistering itself # from Consul (zombie services). preStop: diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 833a304..5f05c3c 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -97,6 +97,17 @@ load _helpers [ "${actual}" = "OnDelete" ] } +@test "server/ha-StatefulSet: RollingUpdate updateStrategy" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.updateStrategyType="RollingUpdate"' \ + . | tee /dev/stderr | + yq -r '.spec.updateStrategy.type' | tee /dev/stderr) + [ "${actual}" = "RollingUpdate" ] +} + #-------------------------------------------------------------------- # affinity diff --git a/values.yaml b/values.yaml index 2aac944..3fee150 100644 --- a/values.yaml +++ b/values.yaml @@ -21,8 +21,8 @@ injector: tag: "0.1.2" pullPolicy: IfNotPresent - # agentImage sets the repo and tag of the Vault image to use for the Vault Agent - # containers. This should be set to the official Vault image. Vault 1.3.1+ is + # agentImage sets the repo and tag of the Vault image to use for the Vault Agent + # containers. This should be set to the official Vault image. Vault 1.3.1+ is # required. agentImage: repository: "vault" @@ -76,6 +76,10 @@ server: # Overrides the default Image Pull Policy pullPolicy: IfNotPresent + # Configure the Update Strategy Type for the StatefulSet + # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + updateStrategyType: "OnDelete" + resources: # resources: # requests: 
@@ -85,7 +89,7 @@ server: # memory: 256Mi # cpu: 250m - # Ingress allows ingress services to be created to allow external access + # Ingress allows ingress services to be created to allow external access # from Kubernetes to access Vault pods. ingress: enabled: false @@ -109,7 +113,7 @@ server: # method. https://www.vaultproject.io/docs/auth/kubernetes.html authDelegator: enabled: true - + # extraContainers is a list of sidecar containers. Specified as a raw YAML string. extraContainers: null @@ -198,12 +202,12 @@ server: # used to communicate with pods directly through DNS instead of a round robin # load balancer. # clusterIP: None - - # Configures the service type for the main Vault service. Can be ClusterIP + + # Configures the service type for the main Vault service. Can be ClusterIP # or NodePort. #type: ClusterIP - # If type is set to "NodePort", a specific nodePort value can be configured, + # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. #nodePort: 30000 -- GitLab From 7a6e8c3648aca626b7da6eb56aa932f2e2e2bf72 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Sat, 18 Jan 2020 07:38:00 -0500 Subject: [PATCH 05/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 510e2de..41d49d3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Improvements: * Allow process namespace sharing between Vault and sidecar containers +* Addedd configurable to change updateStrategy Bugs: -- GitLab From 45c91187826c981d9e87b80aa0c7890e08abeeae Mon Sep 17 00:00:00 2001 
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Thu, 30 Jan 2020 09:39:08 -0800
Subject: [PATCH 06/79] Adding sleep in the preStop lifecycle step (#188)
Aims to make vault pod termination more graceful with respect to user requests.
---
 templates/server-statefulset.yaml | 8 +++++++-
 test/unit/server-statefulset.bats | 21 +++++++++++++++++++++
 values.yaml | 3 +++
 3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index c89175d..abde79d 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -127,7 +127,13 @@ spec:
 # from Consul (zombie services).
 preStop:
 exec:
- command: ["/bin/sh","-c","kill -SIGTERM $(pidof vault)"]
+ command: [
+ "/bin/sh", "-c",
+ # Adding a sleep here to give the pod eviction a
+ # chance to propagate, so requests will not be made
+ # to this pod while it's terminating
+ "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
+ ]
 {{- if .Values.server.extraContainers }}
 {{ toYaml .Values.server.extraContainers | nindent 8}}
 {{- end }}
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index cfc0c4b..60b54c8 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
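Review bot: The sleep runs inside a preStop hook whose whole budget is the pod's `terminationGracePeriodSeconds`, which this template hard-codes to 10 (visible as context in the patch 02 hunk above), and nothing ties `server.preStopSleepSeconds` to it: with the default 5 Vault is left roughly five seconds to deregister, and a value of 10 or more means the kubelet starts tearing the container down before the hook's SIGTERM is ever sent, which defeats the purpose stated in the surrounding comment. At minimum the constraint belongs next to the value in values.yaml, e.g. `# Must stay well below terminationGracePeriodSeconds (10), or the SIGTERM in the preStop hook is never sent`; better, derive the grace period from the sleep so the two cannot drift apart. The `lifecycle:` block this command belongs to starts before the hunk.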
@@ -841,3 +841,24 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].args[0]' | tee /dev/stderr)
 [[ "${actual}" = *"foobar"* ]]
 }
+
+#--------------------------------------------------------------------
+# preStop
+@test "server/standalone-StatefulSet: preStop sleep duration default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-statefulset.yaml \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]' | tee /dev/stderr)
+ [[ "${actual}" = "sleep 5 &&"* ]]
+}
+
+@test "server/standalone-StatefulSet: preStop sleep duration 10" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-statefulset.yaml \
+ --set 'server.preStopSleepSeconds=10' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]' | tee /dev/stderr)
+ [[ "${actual}" = "sleep 10 &&"* ]]
+}
diff --git a/values.yaml b/values.yaml
index 3fee150..5433026 100644
--- a/values.yaml
+++ b/values.yaml
@@ -135,6 +135,9 @@ server:
 path: "/v1/sys/health?standbyok=true"
 initialDelaySeconds: 60
+ # Used to set the sleep time during the preStop step
+ preStopSleepSeconds: 5
+
 # extraEnvironmentVars is a list of extra enviroment variables to set with the stateful set. These could be
 # used to include variables required for auto-unseal.
 extraEnvironmentVars: {}
--
GitLab
From 1f94e221c35df3600569aa9819734d0e09db77ff Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Thu, 30 Jan 2020 09:49:29 -0800
Subject: [PATCH 07/79] changelog++
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 41d49d3..9daae18 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,8 @@ Improvements: * Allow process namespace sharing between Vault and sidecar containers -* Addedd configurable to change updateStrategy +* Added configurable to change updateStrategy +* Added sleep in the preStop lifecycle step Bugs: -- GitLab From 77b973c17fd202feea949d45a552f1ab15167c63 Mon Sep 17 00:00:00 2001 
From: Theron Voran <tvoran@users.noreply.github.com> Date: Thu, 6 Feb 2020 08:44:38 -0800 Subject: [PATCH 08/79] Helm 3 support (#195) Update chart and tests to Helm 3 Co-authored-by: Matt Piekunka <mpiekunk@users.noreply.github.com> Co-authored-by: Mike Brancato <mbrancato@users.noreply.github.com> --- CONTRIBUTING.md | 16 +-- Chart.yaml | 2 +- README.md | 2 +- templates/injector-deployment.yaml | 2 +- templates/server-disruptionbudget.yaml | 4 +- templates/server-service.yaml | 2 +- templates/server-statefulset.yaml | 2 +- templates/ui-service.yaml | 2 +- test/acceptance/injector.bats | 4 +- test/acceptance/server-dev.bats | 4 +- test/acceptance/server-ha.bats | 11 +- test/acceptance/server.bats | 4 +- test/docker/Test.dockerfile | 2 +- test/terraform/main.tf | 22 +-- test/terraform/service-account.yaml | 18 --- test/terraform/variables.tf | 2 +- test/unit/injector-clusterrole.bats | 8 +- test/unit/injector-clusterrolebinding.bats | 8 +- test/unit/injector-deployment.bats | 32 ++--- test/unit/injector-mutating-webhook.bats | 22 +-- test/unit/injector-service.bats | 16 +-- test/unit/injector-serviceaccount.bats | 8 +- test/unit/server-clusterrolebinding.bats | 42 +++--- test/unit/server-configmap.bats | 26 ++-- test/unit/server-dev-statefulset.bats | 60 ++++----- test/unit/server-ha-disruptionbudget.bats | 26 ++-- test/unit/server-ha-statefulset.bats | 90 ++++++------- test/unit/server-ingress.bats | 16 +-- test/unit/server-service.bats | 119 ++++++++--------- test/unit/server-serviceaccount.bats | 6 +- test/unit/server-statefulset.bats | 148 ++++++++++----------- test/unit/ui-service.bats | 62 ++++----- 32 files changed, 374 insertions(+), 414 deletions(-) delete mode 100644 test/terraform/service-account.yaml diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a0efc72..431dfa8 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -123,7 +123,7 @@ Changes to the Helm chart should be accompanied by appropriate unit tests. In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output. In this way, we're able to test that the various conditionals in the templates render as we would expect. -Each test defines the files that should be rendered using the `-x` flag, then it might adjust chart values by adding `--set` flags as well. +Each test defines the files that should be rendered using the `--show-only` flag, then it might adjust chart values by adding `--set` flags as well. The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/). `yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length). The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match. @@ -142,7 +142,7 @@ Here are some examples of common test patterns: @test "ui/Service: no type by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ . | tee /dev/stderr | yq -r '.spec.type' | tee /dev/stderr) [ "${actual}" = "null" ] @@ -158,7 +158,7 @@ Here are some examples of common test patterns: @test "ui/Service: specified type" { cd `chart_dir` local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'ui.serviceType=LoadBalancer' \ . | tee /dev/stderr | yq -r '.spec.type' | tee /dev/stderr) 
@@ -173,7 +173,7 @@ Here are some examples of common test patterns: @test "server/standalone-StatefulSet: custom resources" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.resources.requests.memory=256Mi' \ --set 'server.resources.requests.cpu=250m' \ @@ -182,7 +182,7 @@ Here are some examples of common test patterns: [ "${actual}" = "256Mi" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.resources.limits.memory=256Mi' \ --set 'server.resources.limits.cpu=250m' \ @@ -197,10 +197,10 @@ Here are some examples of common test patterns: ``` @test "syncCatalog/Deployment: disabled by default" { cd `chart_dir` - local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ --set 'global.enabled=false' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } diff --git a/Chart.yaml b/Chart.yaml index f46cfe4..8a41081 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v2 name: vault version: 0.3.3 description: Install and configure Vault on Kubernetes. diff --git a/README.md b/README.md index 8d93c45..c6071b7 100644 --- a/README.md +++ b/README.md 
@@ -16,7 +16,7 @@ of this README. Please refer to the Kubernetes and Helm documentation. The versions required are: - * **Helm 2.10+** - This is the earliest version of Helm tested. It is possible + * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible it works with earlier versions but this chart is untested for those versions. * **Kubernetes 1.9+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index ed5a2da..86c54ff 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -1,5 +1,5 @@ -# Deployment for the injector {{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +# Deployment for the injector apiVersion: apps/v1 kind: Deployment metadata: diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index f41aedd..40ba8b4 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -1,7 +1,7 @@ -# PodDisruptionBudget to prevent degrading the server cluster through -# voluntary cluster changes. {{ template "vault.mode" . }} {{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: diff --git a/templates/server-service.yaml b/templates/server-service.yaml index a9c5ede..4ea2363 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml 
@@ -1,5 +1,5 @@ -# Service for Vault cluster {{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +# Service for Vault cluster apiVersion: v1 kind: Service metadata: diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index abde79d..8a51e6d 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,6 +1,6 @@ -# StatefulSet to run the actual vault server cluster. {{ template "vault.mode" . }} {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +# StatefulSet to run the actual vault server cluster. apiVersion: apps/v1 kind: StatefulSet metadata: diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index 00bab47..cfc53e5 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -1,11 +1,11 @@ {{ template "vault.mode" . }} {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if eq (.Values.ui.enabled | toString) "true" }} # Headless service for Vault server DNS entries. This service should only # point to Vault servers. For access to an agent, one should assume that # the agent is installed locally on the node and the NODE_IP should be used. # If the node can't run a Vault agent, then this service can be used to # communicate directly to a server agent. -{{- if eq (.Values.ui.enabled | toString) "true" }} apiVersion: v1 kind: Service metadata: diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index 35f4b9c..2fdb7a5 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats @@ -19,7 +19,7 @@ load _helpers kubectl label secret test app=vault-agent-demo - helm install --name="$(name_prefix)" \ + helm install "$(name_prefix)" \ --set="server.extraVolumes[0].type=secret" \ --set="server.extraVolumes[0].name=test" . wait_for_running $(name_prefix)-0 
@@ -46,7 +46,7 @@ load _helpers # Clean up teardown() { echo "helm/pvc teardown" - helm delete --purge vault + helm delete vault kubectl delete --all pvc kubectl delete secret test kubectl delete job pgdump diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats index eeec698..05f3661 100644 --- a/test/acceptance/server-dev.bats +++ b/test/acceptance/server-dev.bats @@ -8,7 +8,7 @@ load _helpers kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance - helm install --name="$(name_prefix)" --set='server.dev.enabled=true' . + helm install "$(name_prefix)" --set='server.dev.enabled=true' . wait_for_running $(name_prefix)-0 # Replicas @@ -55,7 +55,7 @@ load _helpers # Clean up teardown() { echo "helm/pvc teardown" - helm delete --purge vault + helm delete vault kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true } diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 78d5505..f29e31f 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats @@ -5,8 +5,7 @@ load _helpers @test "server/ha: testing deployment" { cd `chart_dir` - - helm install --name="$(name_prefix)" \ + helm install "$(name_prefix)" \ --set='server.ha.enabled=true' . wait_for_running $(name_prefix)-0 @@ -95,8 +94,8 @@ setup() { kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance - helm install https://github.com/hashicorp/consul-helm/archive/v0.8.1.tar.gz \ - --name consul \ + helm install consul \ + https://github.com/hashicorp/consul-helm/archive/v0.16.2.tar.gz \ --set 'ui.enabled=false' \ wait_for_running_consul @@ -104,8 +103,8 @@ setup() { #cleanup teardown() { - helm delete --purge vault - helm delete --purge consul + helm delete vault + helm delete consul kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true } 
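Review bot: The rewritten `helm install consul` command in `setup()` still ends with `--set 'ui.enabled=false' \` followed by an empty line, so the trailing backslash continues the command onto nothing and `wait_for_running_consul` only runs as a separate statement by accident; since the commit is already reshaping this command it should drop the stray backslash, `--set 'ui.enabled=false'`. That continuation line is context rather than a change here, but the new invocation inherits it. `setup()` continues outside the hunk.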
diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index 3c4a075..d8edbd5 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats @@ -9,7 +9,7 @@ load _helpers kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance - helm install --name="$(name_prefix)" . + helm install "$(name_prefix)" . wait_for_running $(name_prefix)-0 # Sealed, not initialized @@ -112,7 +112,7 @@ load _helpers # Clean up teardown() { echo "helm/pvc teardown" - helm delete --purge vault + helm delete vault kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true } diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile index 51cc166..003a06f 100644 --- a/test/docker/Test.dockerfile +++ b/test/docker/Test.dockerfile @@ -37,7 +37,7 @@ RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s mv ./kubectl /usr/local/bin/kubectl # helm -RUN curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash +RUN curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash # bats RUN curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz \ diff --git a/test/terraform/main.tf b/test/terraform/main.tf index c4f3516..e3fc2ef 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -1,7 +1,3 @@ -locals { - service_account_path = "${path.module}/service-account.yaml" -} - provider "google" { project = "${var.project}" region = "us-central1" @@ -15,7 +11,7 @@ resource "random_id" "suffix" { data "google_container_engine_versions" "main" { location = "${var.zone}" - version_prefix = "1.12." + version_prefix = "1.15." } data "google_service_account" "gcpapi" { 
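Review bot: The new helm line pipes `curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3` straight into `bash` without `-f`, so an HTTP error page would be executed as a script, and fetching the installer from `master` with no pinned Helm version makes the test image non-reproducible; the bats line a few lines down already uses `curl -sSL` and a versioned URL. The installer script honours a `DESIRED_VERSION` environment variable and verifies the checksum of the release it downloads, so `RUN curl -fsSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | DESIRED_VERSION=<pinned helm 3 tag> bash` keeps the one-liner while pinning what gets installed. The kubectl RUN chain above starts before the hunk.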
@@ -91,19 +87,3 @@ resource "null_resource" "kubectl" { command = "kubectl config get-contexts | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-context" } } - -resource "null_resource" "helm" { - count = "${var.init_cli ? 1 : 0 }" - depends_on = ["null_resource.kubectl"] - - triggers = { - cluster = "${google_container_cluster.cluster.id}" - } - - provisioner "local-exec" { - command = <<EOF -kubectl apply -f '${local.service_account_path}' -helm init --service-account helm -EOF - } -} diff --git a/test/terraform/service-account.yaml b/test/terraform/service-account.yaml deleted file mode 100644 index 05d1846..0000000 --- a/test/terraform/service-account.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: helm - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: helm - namespace: kube-system diff --git a/test/terraform/variables.tf b/test/terraform/variables.tf index 5fc445b..971af4e 100644 --- a/test/terraform/variables.tf +++ b/test/terraform/variables.tf @@ -15,7 +15,7 @@ variable "zone" { variable "init_cli" { default = true - description = "Whether to init the CLI tools kubectl, helm, etc. or not." + description = "Whether to init kubectl or not." } variable "gcp_service_account" { diff --git a/test/unit/injector-clusterrole.bats b/test/unit/injector-clusterrole.bats index 4c5c1d9..7c25f39 100755 --- a/test/unit/injector-clusterrole.bats +++ b/test/unit/injector-clusterrole.bats @@ -5,7 +5,7 @@ load _helpers @test "injector/ClusterRole: enabled by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/injector-clusterrole.yaml \ + --show-only templates/injector-clusterrole.yaml \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] 
@@ -13,10 +13,10 @@ load _helpers @test "injector/ClusterRole: disable with global.enabled" { cd `chart_dir` - local actual=$(helm template \ - -x templates/injector-clusterrole.yaml \ + local actual=$( (helm template \ + --show-only templates/injector-clusterrole.yaml \ --set 'global.enabled=false' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } diff --git a/test/unit/injector-clusterrolebinding.bats b/test/unit/injector-clusterrolebinding.bats index efeab4c..6e21787 100755 --- a/test/unit/injector-clusterrolebinding.bats +++ b/test/unit/injector-clusterrolebinding.bats @@ -5,7 +5,7 @@ load _helpers @test "injector/ClusterRoleBinding: enabled by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/injector-clusterrolebinding.yaml \ + --show-only templates/injector-clusterrolebinding.yaml \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] @@ -13,10 +13,10 @@ load _helpers @test "injector/ClusterRoleBinding: disable with global.enabled" { cd `chart_dir` - local actual=$(helm template \ - -x templates/injector-clusterrolebinding.yaml \ + local actual=$( (helm template \ + --show-only templates/injector-clusterrolebinding.yaml \ --set 'global.enabled=false' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index cdb07ce..1f6caaa 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -5,7 +5,7 @@ load _helpers @test "injector/deployment: default injector.enabled" { cd `chart_dir` local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] 
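Review bot: The `( helm template ... || echo "---")` fallback in the `disable with global.enabled` test turns any non-zero exit from helm into the empty document the test expects, so a template syntax error, a missing required value or a misspelled `--show-only` path now makes this test pass instead of fail. The same pattern appears in the injector-clusterrolebinding.bats and injector-deployment.bats hunks on this line, in the injector-mutating-webhook.bats hunk later in the patch, and in the CONTRIBUTING.md example that documents it. A tighter check would assert that helm failed for the expected reason, for instance by capturing stderr and matching the "could not find template" message Helm 3 prints when `--show-only` selects a template that rendered nothing, rather than accepting any failure at all.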
@@ -14,7 +14,7 @@ load _helpers @test "injector/deployment: enable with injector.enabled true" { cd `chart_dir` local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ --set 'injector.enabled=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -23,11 +23,11 @@ load _helpers @test "injector/deployment: disable with global.enabled" { cd `chart_dir` - local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + local actual=$( (helm template \ + --show-only templates/injector-deployment.yaml \ --set 'global.enabled=false' \ --set 'injector.enabled=true' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } @@ -35,7 +35,7 @@ load _helpers @test "injector/deployment: image defaults to injector.image" { cd `chart_dir` local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ --set 'injector.image.repository=foo' \ --set 'injector.image.tag=1.2.3' \ . | tee /dev/stderr | @@ -43,7 +43,7 @@ load _helpers [ "${actual}" = "foo:1.2.3" ] local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ --set 'injector.image.repository=foo' \ --set 'injector.image.tag=1.2.3' \ . | tee /dev/stderr | @@ -54,7 +54,7 @@ load _helpers @test "injector/deployment: default imagePullPolicy" { cd `chart_dir` local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr) [ "${actual}" = "IfNotPresent" ] 
@@ -63,7 +63,7 @@ load _helpers @test "injector/deployment: default resources" { cd `chart_dir` local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr) [ "${actual}" = "null" ] @@ -72,7 +72,7 @@ load _helpers @test "injector/deployment: custom resources" { cd `chart_dir` local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ --set 'injector.enabled=true' \ --set 'injector.resources.requests.memory=256Mi' \ --set 'injector.resources.requests.cpu=250m' \ @@ -81,7 +81,7 @@ load _helpers [ "${actual}" = "256Mi" ] local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ --set 'injector.enabled=true' \ --set 'injector.resources.limits.memory=256Mi' \ --set 'injector.resources.limits.cpu=250m' \ @@ -90,7 +90,7 @@ load _helpers [ "${actual}" = "256Mi" ] local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ --set 'injector.enabled=true' \ --set 'injector.resources.requests.cpu=250m' \ . | tee /dev/stderr | @@ -98,7 +98,7 @@ load _helpers [ "${actual}" = "250m" ] local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ --set 'injector.enabled=true' \ --set 'injector.resources.limits.cpu=250m' \ . | tee /dev/stderr | @@ -109,7 +109,7 @@ load _helpers @test "injector/deployment: manual TLS environment vars" { cd `chart_dir` local object=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ --set 'injector.certs.secretName=foobar' \ --set 'injector.certs.certName=test.crt' \ --set 'injector.certs.keyName=test.key' \ 
@@ -136,13 +136,13 @@ load _helpers @test "injector/deployment: auto TLS by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].volumeMounts | length' | tee /dev/stderr) [ "${actual}" = "0" ] local object=$(helm template \ - -x templates/injector-deployment.yaml \ + --show-only templates/injector-deployment.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index dd0d643..2eefcf2 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats @@ -5,7 +5,7 @@ load _helpers @test "injector/MutatingWebhookConfiguration: enabled by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/injector-mutating-webhook.yaml \ + --show-only templates/injector-mutating-webhook.yaml \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] 
@@ -13,20 +13,20 @@ load _helpers
 @test "injector/MutatingWebhookConfiguration: disable with global.enabled false" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/injector-mutating-webhook.yaml \
+ local actual=$( (helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
 --set 'global.enabled=false' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
 @test "injector/MutatingWebhookConfiguration: disable with injector.enabled false" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/injector-mutating-webhook.yaml \
+ local actual=$( (helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
 --set 'injector.enabled=false' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
@@ -34,7 +34,7 @@ load _helpers
 @test "injector/MutatingWebhookConfiguration: namespace is set" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/injector-mutating-webhook.yaml \
+ --show-only templates/injector-mutating-webhook.yaml \
 --set 'injector.enabled=true' \
 --namespace foo \
 . | tee /dev/stderr |
@@ -45,7 +45,7 @@ load _helpers
 @test "injector/MutatingWebhookConfiguration: caBundle is empty" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/injector-mutating-webhook.yaml \
+ --show-only templates/injector-mutating-webhook.yaml \
 --set 'injector.enabled=true' \
 --namespace foo \
 . | tee /dev/stderr |
@@ -56,7 +56,7 @@ load _helpers
 @test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/injector-mutating-webhook.yaml \
+ --show-only templates/injector-mutating-webhook.yaml \
 --set 'injector.enabled=true' \
 --namespace foo \
 . | tee /dev/stderr |
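Review bot: Both `disable …` tests in this hunk now treat any helm failure as proof that the MutatingWebhookConfiguration is not rendered, because `. || echo "---"` substitutes an empty document whatever the reason for the non-zero exit. For a cluster-scoped admission webhook, "not rendered" and "failed to render" are exactly the two outcomes these tests exist to tell apart, so a broken `injector-mutating-webhook.yaml` should fail here rather than pass. Capture the failure and check it is the expected one, e.g. `run helm template --show-only templates/injector-mutating-webhook.yaml --set 'global.enabled=false' .` then `[ "$status" -ne 0 ]` and `[[ "$output" == *"could not find template"* ]]` (that message is what Helm 3 prints when `--show-only` matches nothing; verify against the pinned release).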
@@ -67,7 +67,7 @@ load _helpers
 @test "injector/MutatingWebhookConfiguration: can set namespaceSelector" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/injector-mutating-webhook.yaml \
+ --show-only templates/injector-mutating-webhook.yaml \
 --set 'injector.enabled=true' \
 --set 'injector.namespaceSelector.matchLabels.injector=true' \
 . | tee /dev/stderr |
diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats
index 03f908f..af8787d 100755
--- a/test/unit/injector-service.bats
+++ b/test/unit/injector-service.bats
@@ -5,13 +5,13 @@ load _helpers
 @test "injector/Service: service enabled by default" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/injector-service.yaml \
+ --show-only templates/injector-service.yaml \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 local actual=$(helm template \
- -x templates/injector-service.yaml \
+ --show-only templates/injector-service.yaml \
 --set 'injector.enabled=true' \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
@@ -20,18 +20,18 @@ load _helpers
 @test "injector/Service: disable with global.enabled false" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/injector-service.yaml \
+ local actual=$( (helm template \
+ --show-only templates/injector-service.yaml \
 --set 'global.enabled=false' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
- local actual=$(helm template \
- -x templates/injector-service.yaml \
+ local actual=$( (helm template \
+ --show-only templates/injector-service.yaml \
 --set 'global.enabled=false' \
 --set 'injector.enabled=true' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
diff --git a/test/unit/injector-serviceaccount.bats b/test/unit/injector-serviceaccount.bats
index 7009a76..1055d90 100755
--- a/test/unit/injector-serviceaccount.bats
+++ b/test/unit/injector-serviceaccount.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "injector/ServiceAccount: enabled by default" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/injector-serviceaccount.yaml \
+ --show-only templates/injector-serviceaccount.yaml \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
@@ -13,10 +13,10 @@ load _helpers
 @test "injector/ServiceAccount: disable with global.enabled" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/injector-serviceaccount.yaml \
+ local actual=$( (helm template \
+ --show-only templates/injector-serviceaccount.yaml \
 --set 'global.enabled=false' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats
index 7d140b8..d1245c4 100755
--- a/test/unit/server-clusterrolebinding.bats
+++ b/test/unit/server-clusterrolebinding.bats
@@ -4,59 +4,59 @@ load _helpers
 @test "server/ClusterRoleBinding: enabled by default" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/server-clusterrolebinding.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-clusterrolebinding.yaml \
 --set 'server.dev.enabled=true' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
- local actual=$(helm template \
- -x templates/server-clusterrolebinding.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-clusterrolebinding.yaml \
 --set 'server.ha.enabled=true' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
- local actual=$(helm template \
- -x templates/server-clusterrolebinding.yaml \
- . | tee /dev/stderr |
+ local actual=$( (helm template \
+ --show-only templates/server-clusterrolebinding.yaml \
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
 @test "server/ClusterRoleBinding: disable with global.enabled" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/server-clusterrolebinding.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-clusterrolebinding.yaml \
 --set 'global.enabled=false' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
 @test "server/ClusterRoleBinding: can disable with server.authDelegator" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/server-clusterrolebinding.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-clusterrolebinding.yaml \
 --set 'server.authDelegator.enabled=false' \
- . | tee /dev/stderr |
+ .
|| echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
- local actual=$(helm template \
- -x templates/server-clusterrolebinding.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-clusterrolebinding.yaml \
 --set 'server.authDelegator.enabled=false' \
 --set 'server.ha.enabled=true' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
- local actual=$(helm template \
- -x templates/server-clusterrolebinding.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-clusterrolebinding.yaml \
 --set 'server.authDelegator.enabled=false' \
 --set 'server.dev.enabled=true' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats
index 7a66c53..679a76f 100755
--- a/test/unit/server-configmap.bats
+++ b/test/unit/server-configmap.bats
@@ -5,20 +5,20 @@ load _helpers
 @test "server/ConfigMap: enabled by default" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/server-config-configmap.yaml \
+ --show-only templates/server-config-configmap.yaml \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 local actual=$(helm template \
- -x templates/server-config-configmap.yaml \
+ --show-only templates/server-config-configmap.yaml \
 --set 'server.ha.enabled=true' \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 local actual=$(helm template \
- -x templates/server-config-configmap.yaml \
+ --show-only templates/server-config-configmap.yaml \
 --set 'server.standalone.enabled=true' \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
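Review bot: The `|| echo "---"` fallback is applied to all six helm calls in the `server/ClusterRoleBinding` hunk, including the three `enabled by default` assertions where it cannot help: an echoed `---` yields `false` and the `true` assertion fails either way, so those three wrappers only obscure what is being checked and differ from the other files in this commit, which wrap only the negative tests. For the three `server.authDelegator.enabled=false` assertions the fallback hides a broken template, which matters here because this binding appears to be what grants Vault its token-review access (inferred from the `authDelegator` name; confirm against the template), and a render error would be reported as "successfully disabled". Keep the positive calls as plain `helm template --show-only templates/server-clusterrolebinding.yaml … .` and, in the negative ones, assert on helm's status and message instead of swallowing them, e.g. `run helm template --show-only templates/server-clusterrolebinding.yaml --set 'server.authDelegator.enabled=false' .`, `[ "$status" -ne 0 ]`, `[[ "$output" == *"could not find template"* ]]` (message wording to be verified against the pinned helm release).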
@@ -27,20 +27,20 @@ load _helpers
 @test "server/ConfigMap: disabled by server.dev.enabled true" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/server-config-configmap.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-config-configmap.yaml \
 --set 'server.dev.enabled=true' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
 @test "server/ConfigMap: disable with global.enabled" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/server-config-configmap.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-config-configmap.yaml \
 --set 'global.enabled=false' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
@@ -48,7 +48,7 @@ load _helpers
 @test "server/ConfigMap: standalone extraConfig is set" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/server-config-configmap.yaml \
+ --show-only templates/server-config-configmap.yaml \
 --set 'server.standalone.enabled=true' \
 --set 'server.standalone.config="{\"hello\": \"world\"}"' \
 . | tee /dev/stderr |
@@ -56,7 +56,7 @@ load _helpers
 [ ! -z "${actual}" ]
 local actual=$(helm template \
- -x templates/server-config-configmap.yaml \
+ --show-only templates/server-config-configmap.yaml \
 --set 'server.standalone.enabled=true' \
 --set 'server.standalone.config="{\"foo\": \"bar\"}"' \
 . | tee /dev/stderr |
@@ -67,7 +67,7 @@ load _helpers
 @test "server/ConfigMap: ha extraConfig is set" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/server-config-configmap.yaml \
+ --show-only templates/server-config-configmap.yaml \
 --set 'server.ha.enabled=true' \
 --set 'server.ha.config="{\"hello\": \"world\"}"' \
 . | tee /dev/stderr |
@@ -75,7 +75,7 @@ load _helpers [ ! -z "${actual}" ] local actual=$(helm template \ - -x templates/server-config-configmap.yaml \ + --show-only templates/server-config-configmap.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.config="{\"foo\": \"bar\"}"' \ . | tee /dev/stderr | diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 5f1e45a..57acd20 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats @@ -5,7 +5,7 @@ load _helpers @test "server/dev-StatefulSet: enable with server.dev.enabled true" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -14,11 +14,11 @@ load _helpers @test "server/dev-StatefulSet: disable with global.enabled" { cd `chart_dir` - local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ --set 'global.enabled=false' \ --set 'server.dev.enabled=true' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } @@ -26,7 +26,7 @@ load _helpers @test "server/dev-StatefulSet: image defaults to server.image.repository:tag" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.image.repository=foo' \ --set 'server.image.tag=1.2.3' \ --set 'server.dev.enabled=true' \ @@ -39,7 +39,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.image.repository=foo' \ --set 'server.image.tag=' \ --set 'server.dev.enabled=true' \ 
@@ -54,7 +54,7 @@ load _helpers @test "server/dev-StatefulSet: default replicas" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.replicas' | tee /dev/stderr) @@ -64,7 +64,7 @@ load _helpers @test "server/dev-StatefulSet: cant set replicas" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.dev.replicas=100' \ . | tee /dev/stderr | @@ -78,7 +78,7 @@ load _helpers @test "server/dev-StatefulSet: updateStrategy" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.updateStrategy.type' | tee /dev/stderr) @@ -91,7 +91,7 @@ load _helpers @test "server/dev-StatefulSet: default resources" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr) @@ -101,7 +101,7 @@ load _helpers @test "server/dev-StatefulSet: custom resources" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.resources.requests.memory=256Mi' \ --set 'server.resources.requests.cpu=250m' \ @@ -110,7 +110,7 @@ load _helpers [ "${actual}" = "256Mi" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.resources.limits.memory=256Mi' \ --set 'server.resources.limits.cpu=250m' \ 
@@ -119,7 +119,7 @@ load _helpers [ "${actual}" = "256Mi" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.resources.requests.cpu=250m' \ . | tee /dev/stderr | @@ -127,7 +127,7 @@ load _helpers [ "${actual}" = "250m" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.resources.limits.cpu=250m' \ . | tee /dev/stderr | @@ -143,7 +143,7 @@ load _helpers # Test that it defines it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ @@ -160,7 +160,7 @@ load _helpers # Test that it mounts it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ @@ -181,7 +181,7 @@ load _helpers # Test that it defines it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.extraVolumes[0].type=secret' \ --set 'server.extraVolumes[0].name=foo' \ @@ -198,7 +198,7 @@ load _helpers # Test that it mounts it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ 
@@ -217,7 +217,7 @@ load _helpers @test "server/dev-StatefulSet: no storageClass on claim by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.volumeClaimTemplates[0].spec.storageClassName' | tee /dev/stderr) @@ -230,7 +230,7 @@ load _helpers @test "server/dev-StatefulSet: set extraEnvironmentVars" { cd `chart_dir` local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.extraEnvironmentVars.FOO=bar' \ --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ @@ -260,7 +260,7 @@ load _helpers @test "server/dev-StatefulSet: set extraSecretEnvironmentVars" { cd `chart_dir` local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.extraSecretEnvironmentVars[0].envName=ENV_FOO_0' \ --set 'server.extraSecretEnvironmentVars[0].secretName=secret_name_0' \ --set 'server.extraSecretEnvironmentVars[0].secretKey=secret_key_0' \ @@ -297,7 +297,7 @@ load _helpers @test "server/dev-StatefulSet: can't set storageClass" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.dataStorage.enabled=true' \ --set 'server.dataStorage.storageClass=foo' \ @@ -306,7 +306,7 @@ load _helpers [ "${actual}" = "null" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.auditStorage.enabled=true' \ --set 'server.auditStorage.storageClass=foo' \ 
@@ -315,7 +315,7 @@ load _helpers [ "${actual}" = "null" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ --set 'server.auditStorage.enabled=true' \ --set 'server.auditStorage.storageClass=foo' \ @@ -331,7 +331,7 @@ load _helpers @test "server/dev-StatefulSet: uid default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr) @@ -341,7 +341,7 @@ load _helpers @test "server/dev-StatefulSet: uid configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.uid=2000' \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | @@ -352,7 +352,7 @@ load _helpers @test "server/dev-StatefulSet: gid default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr) @@ -362,7 +362,7 @@ load _helpers @test "server/dev-StatefulSet: gid configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.gid=2000' \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | @@ -373,7 +373,7 @@ load _helpers @test "server/dev-StatefulSet: fsgroup default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) 
@@ -383,7 +383,7 @@ load _helpers @test "server/dev-StatefulSet: fsgroup configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.gid=2000' \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 6e60707..2c0174a 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -5,7 +5,7 @@ load _helpers @test "server/DisruptionBudget: enabled by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-disruptionbudget.yaml \ + --show-only templates/server-disruptionbudget.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) 
@@ -14,31 +14,31 @@ load _helpers
 @test "server/DisruptionBudget: disable with server.enabled" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/server-disruptionbudget.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-disruptionbudget.yaml \
 --set 'globa.enabled=false' \
 --set 'server.ha.enabled=false' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
 @test "server/DisruptionBudget: disable with server.disruptionBudget.enabled" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/server-disruptionbudget.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-disruptionbudget.yaml \
 --set 'server.ha.disruptionBudget.enabled=false' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
 @test "server/DisruptionBudget: disable with global.enabled" {
 cd `chart_dir`
- local actual=$(helm template \
- -x templates/server-disruptionbudget.yaml \
+ local actual=$( (helm template \
+ --show-only templates/server-disruptionbudget.yaml \
 --set 'global.enabled=false' \
- . | tee /dev/stderr |
+ . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
@@ -46,7 +46,7 @@ load _helpers
 @test "server/DisruptionBudget: correct maxUnavailable with n=1" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/server-disruptionbudget.yaml \
+ --show-only templates/server-disruptionbudget.yaml \
 --set 'server.ha.enabled=true' \
 --set 'server.ha.replicas=1' \
 . | tee /dev/stderr |
@@ -57,7 +57,7 @@ load _helpers
 @test "server/DisruptionBudget: correct maxUnavailable with n=3" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/server-disruptionbudget.yaml \
+ --show-only templates/server-disruptionbudget.yaml \
 --set 'server.ha.enabled=true' \
 --set 'server.ha.replicas=3' \
 . | tee /dev/stderr |
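Review bot: The first test in the `@@ -14,31` hunk, `disable with server.enabled`, sets `globa.enabled=false`, which looks like a typo for `global.enabled` and is silently accepted by `--set` as an unused value; the test passes only because `server.ha.enabled=false` keeps the PodDisruptionBudget from rendering, and with the new `. || echo "---"` it would also pass if the template failed to render at all. The second test, `disable with server.disruptionBudget.enabled`, has the same gap: it sets `server.ha.disruptionBudget.enabled=false` without `server.ha.enabled=true`, and the `maxUnavailable` tests further down enable HA explicitly, which suggests it is off by default, so the flag under test is never actually exercised. Change the first to `--set 'global.enabled=false' \` and add `--set 'server.ha.enabled=true' \` to the second so each test turns the budget off through the flag it is named after, and prefer asserting helm's "could not find template" failure (via `run` and `$status`/`$output`) over discarding its exit status.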
@@ -68,7 +68,7 @@ load _helpers @test "server/DisruptionBudget: correct maxUnavailable with n=5" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-disruptionbudget.yaml \ + --show-only templates/server-disruptionbudget.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.replicas=5' \ . | tee /dev/stderr | diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 5f05c3c..a40e92f 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -5,7 +5,7 @@ load _helpers @test "server/ha-StatefulSet: enable with server.ha.enabled true" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -14,11 +14,11 @@ load _helpers @test "server/ha-StatefulSet: disable with global.enabled" { cd `chart_dir` - local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ --set 'global.enabled=false' \ --set 'server.ha.enabled=true' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } @@ -26,7 +26,7 @@ load _helpers @test "server/ha-StatefulSet: image defaults to server.image.repository:tag" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.image.repository=foo' \ --set 'server.image.tag=1.2.3' \ --set 'server.ha.enabled=true' \ @@ -39,7 +39,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.image.repository=foo' \ --set 'server.image.tag=' \ --set 'server.ha.enabled=true' \ 
@@ -54,7 +54,7 @@ load _helpers @test "server/ha-StatefulSet: tls disabled" { cd `chart_dir` local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'global.tlsDisable=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) @@ -70,7 +70,7 @@ load _helpers @test "server/ha-StatefulSet: tls enabled" { cd `chart_dir` local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'global.tlsDisable=false' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) @@ -90,7 +90,7 @@ load _helpers @test "server/ha-StatefulSet: OnDelete updateStrategy" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.updateStrategy.type' | tee /dev/stderr) @@ -100,7 +100,7 @@ load _helpers @test "server/ha-StatefulSet: RollingUpdate updateStrategy" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.updateStrategyType="RollingUpdate"' \ . | tee /dev/stderr | @@ -114,14 +114,14 @@ load _helpers @test "server/ha-StatefulSet: default affinity" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.affinity' | tee /dev/stderr) [ "${actual}" != "null" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.affinity=' \ . | tee /dev/stderr | 
@@ -135,7 +135,7 @@ load _helpers @test "server/ha-StatefulSet: default replicas" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.replicas' | tee /dev/stderr) @@ -145,7 +145,7 @@ load _helpers @test "server/ha-StatefulSet: custom replicas" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.replicas=10' \ . | tee /dev/stderr | @@ -159,7 +159,7 @@ load _helpers @test "server/ha-StatefulSet: default resources" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr) @@ -169,7 +169,7 @@ load _helpers @test "server/ha-StatefulSet: custom resources" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.resources.requests.memory=256Mi' \ --set 'server.resources.requests.cpu=250m' \ @@ -178,7 +178,7 @@ load _helpers [ "${actual}" = "256Mi" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.resources.limits.memory=256Mi' \ --set 'server.resources.limits.cpu=250m' \ @@ -187,7 +187,7 @@ load _helpers [ "${actual}" = "256Mi" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.resources.requests.cpu=250m' \ . | tee /dev/stderr | 
@@ -195,7 +195,7 @@ load _helpers [ "${actual}" = "250m" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.resources.limits.cpu=250m' \ . | tee /dev/stderr | @@ -210,7 +210,7 @@ load _helpers cd `chart_dir` # Test that it defines it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ @@ -227,7 +227,7 @@ load _helpers # Test that it mounts it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ @@ -247,7 +247,7 @@ load _helpers cd `chart_dir` # Test that it mounts it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ @@ -269,7 +269,7 @@ load _helpers # Test that it mounts it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ @@ -291,7 +291,7 @@ load _helpers # Test that it defines it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.extraVolumes[0].type=secret' \ --set 'server.extraVolumes[0].name=foo' \ 
@@ -308,7 +308,7 @@ load _helpers # Test that it mounts it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ @@ -330,7 +330,7 @@ load _helpers @test "server/ha-StatefulSet: set extraEnvironmentVars" { cd `chart_dir` local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.extraEnvironmentVars.FOO=bar' \ --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ @@ -360,7 +360,7 @@ load _helpers @test "server/ha-StatefulSet: set extraSecretEnvironmentVars" { cd `chart_dir` local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.extraSecretEnvironmentVars[0].envName=ENV_FOO_0' \ --set 'server.extraSecretEnvironmentVars[0].secretName=secret_name_0' \ @@ -398,7 +398,7 @@ load _helpers @test "server/ha-StatefulSet: no storage by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.volumeClaimTemplates | length' | tee /dev/stderr) @@ -409,7 +409,7 @@ load _helpers @test "server/ha-StatefulSet: cant set data storage" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.dataStorage.enabled=true' \ --set 'server.dataStorage.storageClass=foo' \ 
@@ -421,7 +421,7 @@ load _helpers @test "server/ha-StatefulSet: can set storageClass" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.dataStorage.enabled=false' \ --set 'server.auditStorage.enabled=true' \ @@ -434,7 +434,7 @@ load _helpers @test "server/ha-StatefulSet: can disable storage" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.auditStorage.enabled=false' \ --set 'server.dataStorage.enabled=false' \ @@ -443,7 +443,7 @@ load _helpers [ "${actual}" = "0" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.auditStorage.enabled=true' \ --set 'server.dataStorage.enabled=false' \ @@ -455,7 +455,7 @@ load _helpers @test "server/ha-StatefulSet: can mount audit" { cd `chart_dir` local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.auditStorage.enabled=true' \ . | tee /dev/stderr | @@ -465,7 +465,7 @@ load _helpers @test "server/ha-StatefulSet: no data storage" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.auditStorage.enabled=false' \ --set 'server.dataStorage.enabled=true' \ @@ -474,7 +474,7 @@ load _helpers [ "${actual}" = "0" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.auditStorage.enabled=true' \ --set 'server.dataStorage.enabled=true' \ 
@@ -486,7 +486,7 @@ load _helpers @test "server/ha-StatefulSet: tolerations not set by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr) @@ -496,7 +496,7 @@ load _helpers @test "server/ha-StatefulSet: tolerations can be set" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.tolerations=foobar' \ . | tee /dev/stderr | @@ -507,7 +507,7 @@ load _helpers @test "server/ha-StatefulSet: nodeSelector is not set by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq '.spec.template.spec.nodeSelector' | tee /dev/stderr) @@ -517,7 +517,7 @@ load _helpers @test "server/ha-StatefulSet: specified nodeSelector" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.nodeSelector=testing' \ . | tee /dev/stderr | @@ -530,7 +530,7 @@ load _helpers @test "server/ha-StatefulSet: uid default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr) @@ -540,7 +540,7 @@ load _helpers @test "server/ha-StatefulSet: uid configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.uid=2000' \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | 
@@ -551,7 +551,7 @@ load _helpers @test "server/ha-StatefulSet: gid default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr) @@ -561,7 +561,7 @@ load _helpers @test "server/ha-StatefulSet: gid configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.gid=2000' \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | @@ -572,7 +572,7 @@ load _helpers @test "server/ha-StatefulSet: fsgroup default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) @@ -582,7 +582,7 @@ load _helpers @test "server/ha-StatefulSet: fsgroup configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.gid=2000' \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index b0950ca..1cf1576 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -4,9 +4,9 @@ load _helpers @test "server/ingress: disabled by default" { cd `chart_dir` - local actual=$(helm template \ - -x templates/server-ingress.yaml \ - . | tee /dev/stderr | + local actual=$( (helm template \ + --show-only templates/server-ingress.yaml \ + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } 
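Review bot: The new `( helm template ... || echo "---")` fallback in the server/ingress "disabled by default" test turns any non-zero exit from helm into a passing result, not just the intended no-output case, so a template syntax error, a mistyped `--set` key or a missing chart would still satisfy `[ "${actual}" = "false" ]`. The same pattern is introduced in the server-service `@@ -5,111 +5,110 @@` hunk and the server-statefulset `@@ -23,11 +23,11 @@` hunk. Presumably the fallback exists because Helm 3 exits non-zero when `--show-only` matches no rendered manifest; if so, a stronger check is to render the whole chart and select by kind, e.g. `helm template . | yq -r 'select(.kind == "Ingress") | length'`, or to use bats' `run helm template --show-only templates/server-ingress.yaml .` with `[ "$status" -ne 0 ]` so the failure is asserted rather than swallowed. At minimum a comment such as `# helm 3 exits non-zero when --show-only renders nothing; treat that as "not rendered"` would record why the `|| echo "---"` is there.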
@@ -14,7 +14,7 @@ load _helpers @test "server/ingress: checking host entry gets added and path is /" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-ingress.yaml \ + --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ @@ -23,7 +23,7 @@ load _helpers [ "${actual}" = 'test.com' ] local actual=$(helm template \ - -x templates/server-ingress.yaml \ + --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ @@ -36,7 +36,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ - -x templates/server-ingress.yaml \ + --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ @@ -50,11 +50,11 @@ load _helpers cd `chart_dir` local actual=$(helm template \ - -x templates/server-ingress.yaml \ + --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ --set 'server.ingress.labels.traffic=external' \ --set 'server.ingress.labels.team=dev' \ . | tee /dev/stderr | yq -r '.metadata.labels.traffic' | tee /dev/stderr) [ "${actual}" = "external" ] -} \ No newline at end of file +} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index c276c43..adcf95f 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -5,111 +5,110 @@ load _helpers @test "server/Service: service enabled by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } - @test "server/Service: disable with global.enabled false" { cd `chart_dir` - local actual=$(helm template \ - -x templates/server-service.yaml \ + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ --set 'global.enabled=false' \ --set 'server.service.enabled=true' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(helm template \ - -x templates/server-service.yaml \ + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ --set 'global.enabled=false' \ --set 'server.service.enabled=true' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(helm template \ - -x templates/server-service.yaml \ + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ --set 'global.enabled=false' \ --set 'server.service.enabled=true' \ - . | tee /dev/stderr | + . 
|| echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } @test "server/Service: disable with server.service.enabled false" { cd `chart_dir` - local actual=$(helm template \ - -x templates/server-service.yaml \ + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ --set 'server.service.enabled=false' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(helm template \ - -x templates/server-service.yaml \ + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ --set 'server.service.enabled=false' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(helm template \ - -x templates/server-service.yaml \ + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.service.enabled=false' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } @test "server/Service: disable with global.enabled false server.service.enabled false" { cd `chart_dir` - local actual=$(helm template \ - -x templates/server-service.yaml \ + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ --set 'global.enabled=false' \ --set 'server.service.enabled=false' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(helm template \ - -x templates/server-service.yaml \ + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ --set 'global.enabled=false' \ --set 'server.service.enabled=false' \ - . | tee /dev/stderr | + . 
|| echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(helm template \ - -x templates/server-service.yaml \ + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ --set 'global.enabled=false' \ --set 'server.service.enabled=false' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } @@ -119,21 +118,21 @@ load _helpers @test "server/Service: tolerates unready endpoints" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr) [ "${actual}" = "true" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr) [ "${actual}" = "true" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr) @@ -143,7 +142,7 @@ load _helpers @test "server/Service: generic annotations" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.service.annotations.vaultIsAwesome=true' \ . | tee /dev/stderr | yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) 
@@ -153,21 +152,21 @@ load _helpers @test "server/Service: publish not ready" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "true" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "true" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) @@ -177,21 +176,21 @@ load _helpers @test "server/Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.type' | tee /dev/stderr) [ "${actual}" = "null" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.type' | tee /dev/stderr) [ "${actual}" = "null" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ . | tee /dev/stderr | yq -r '.spec.type' | tee /dev/stderr) [ "${actual}" = "null" ] @@ -200,7 +199,7 @@ load _helpers @test "server/Service: type can set" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ --set 'server.service.type=NodePort' \ . | tee /dev/stderr | 
@@ -208,7 +207,7 @@ load _helpers [ "${actual}" = "NodePort" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ --set 'server.service.type=NodePort' \ . | tee /dev/stderr | @@ -216,7 +215,7 @@ load _helpers [ "${actual}" = "NodePort" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.service.type=NodePort' \ . | tee /dev/stderr | yq -r '.spec.type' | tee /dev/stderr) @@ -226,21 +225,21 @@ load _helpers @test "server/Service: clusterIP empty by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.clusterIP' | tee /dev/stderr) [ "${actual}" = "null" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.clusterIP' | tee /dev/stderr) [ "${actual}" = "null" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ . | tee /dev/stderr | yq -r '.spec.clusterIP' | tee /dev/stderr) [ "${actual}" = "null" ] @@ -249,7 +248,7 @@ load _helpers @test "server/Service: clusterIP can set" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ --set 'server.service.clusterIP=None' \ . | tee /dev/stderr | @@ -257,7 +256,7 @@ load _helpers [ "${actual}" = "None" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ --set 'server.service.clusterIP=None' \ . | tee /dev/stderr | 
@@ -265,7 +264,7 @@ load _helpers [ "${actual}" = "None" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.service.clusterIP=None' \ . | tee /dev/stderr | yq -r '.spec.clusterIP' | tee /dev/stderr) @@ -275,13 +274,13 @@ load _helpers @test "server/Service: port and targetPort will be 8200 by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ . | tee /dev/stderr | yq -r '.spec.ports[0].port' | tee /dev/stderr) [ "${actual}" = "8200" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ . | tee /dev/stderr | yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) [ "${actual}" = "8200" ] @@ -290,14 +289,14 @@ load _helpers @test "server/Service: port and targetPort can be set" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.service.port=8000' \ . | tee /dev/stderr | yq -r '.spec.ports[0].port' | tee /dev/stderr) [ "${actual}" = "8000" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.service.targetPort=80' \ . | tee /dev/stderr | yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) @@ -307,7 +306,7 @@ load _helpers @test "server/Service: nodeport can set" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ --set 'server.service.type=NodePort' \ --set 'server.service.nodePort=30008' \ 
@@ -316,7 +315,7 @@ load _helpers [ "${actual}" = "30008" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ --set 'server.service.type=NodePort' \ --set 'server.service.nodePort=30009' \ @@ -325,7 +324,7 @@ load _helpers [ "${actual}" = "30009" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.service.type=NodePort' \ --set 'server.service.nodePort=30010' \ . | tee /dev/stderr | @@ -336,7 +335,7 @@ load _helpers @test "server/Service: nodeport can't set when type isn't NodePort" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ --set 'server.service.nodePort=30008' \ . | tee /dev/stderr | @@ -344,7 +343,7 @@ load _helpers [ "${actual}" = "null" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ --set 'server.service.nodePort=30009' \ . | tee /dev/stderr | @@ -352,7 +351,7 @@ load _helpers [ "${actual}" = "null" ] local actual=$(helm template \ - -x templates/server-service.yaml \ + --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.service.nodePort=30010' \ . | tee /dev/stderr | diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 23c4841..66fd84b 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -5,7 +5,7 @@ load _helpers @test "server/ServiceAccount: specify annotations" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-serviceaccount.yaml \ + --show-only templates/server-serviceaccount.yaml \ --set 'server.dev.enabled=true' \ --set 'server.serviceAccount.annotations.foo=bar' \ . | tee /dev/stderr | 
@@ -13,7 +13,7 @@ load _helpers [ "${actual}" = "null" ] local actual=$(helm template \ - -x templates/server-serviceaccount.yaml \ + --show-only templates/server-serviceaccount.yaml \ --set 'server.ha.enabled=true' \ --set 'server.serviceAccount.annotations.foo=bar' \ . | tee /dev/stderr | @@ -21,7 +21,7 @@ load _helpers [ "${actual}" = "bar" ] local actual=$(helm template \ - -x templates/server-serviceaccount.yaml \ + --show-only templates/server-serviceaccount.yaml \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 60b54c8..059e1c4 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -5,7 +5,7 @@ load _helpers @test "server/standalone-StatefulSet: default server.standalone.enabled" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] @@ -14,7 +14,7 @@ load _helpers @test "server/standalone-StatefulSet: enable with server.standalone.enabled true" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -23,11 +23,11 @@ load _helpers @test "server/standalone-StatefulSet: disable with global.enabled" { cd `chart_dir` - local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ --set 'global.enabled=false' \ --set 'server.standalone.enabled=true' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } 
@@ -35,7 +35,7 @@ load _helpers @test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.image.repository=foo' \ --set 'server.image.tag=1.2.3' \ . | tee /dev/stderr | @@ -43,7 +43,7 @@ load _helpers [ "${actual}" = "foo:1.2.3" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.image.repository=foo' \ --set 'server.image.tag=1.2.3' \ --set 'server.standalone.enabled=true' \ @@ -55,7 +55,7 @@ load _helpers @test "server/standalone-StatefulSet: image tag defaults to latest" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.image.repository=foo' \ --set 'server.image.tag=' \ . | tee /dev/stderr | @@ -63,7 +63,7 @@ load _helpers [ "${actual}" = "foo:latest" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.image.repository=foo' \ --set 'server.image.tag=' \ --set 'server.standalone.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers @test "server/standalone-StatefulSet: default imagePullPolicy" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr) [ "${actual}" = "IfNotPresent" ] 
@@ -84,7 +84,7 @@ load _helpers @test "server/standalone-StatefulSet: Custom imagePullPolicy" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.image.pullPolicy=Always' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr) @@ -94,7 +94,7 @@ load _helpers @test "server/standalone-StatefulSet: Custom imagePullSecrets" { cd `chart_dir` local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'global.imagePullSecrets[0].name=foo' \ --set 'global.imagePullSecrets[1].name=bar' \ . | tee /dev/stderr | @@ -112,7 +112,7 @@ load _helpers @test "server/standalone-StatefulSet: default imagePullSecrets" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr) [ "${actual}" = "null" ] @@ -124,7 +124,7 @@ load _helpers @test "server/standalone-StatefulSet: OnDelete updateStrategy" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.updateStrategy.type' | tee /dev/stderr) [ "${actual}" = "OnDelete" ] @@ -136,7 +136,7 @@ load _helpers @test "server/standalone-StatefulSet: default replicas" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.replicas' | tee /dev/stderr) 
@@ -146,14 +146,14 @@ load _helpers @test "server/standalone-StatefulSet: custom replicas" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.replicas=100' \ . | tee /dev/stderr | yq -r '.spec.replicas' | tee /dev/stderr) [ "${actual}" = "1" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.standalone.replicas=100' \ . | tee /dev/stderr | @@ -167,7 +167,7 @@ load _helpers @test "server/standalone-StatefulSet: default resources" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr) @@ -177,7 +177,7 @@ load _helpers @test "server/standalone-StatefulSet: custom resources" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.resources.requests.memory=256Mi' \ --set 'server.resources.requests.cpu=250m' \ @@ -186,7 +186,7 @@ load _helpers [ "${actual}" = "256Mi" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.resources.limits.memory=256Mi' \ --set 'server.resources.limits.cpu=250m' \ @@ -195,7 +195,7 @@ load _helpers [ "${actual}" = "256Mi" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.resources.requests.cpu=250m' \ . | tee /dev/stderr | 
@@ -203,7 +203,7 @@ load _helpers [ "${actual}" = "250m" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.resources.limits.cpu=250m' \ . | tee /dev/stderr | @@ -219,7 +219,7 @@ load _helpers # Test that it defines it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ . | tee /dev/stderr | @@ -234,7 +234,7 @@ load _helpers [ "${actual}" = "null" ] local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ @@ -251,7 +251,7 @@ load _helpers # Test that it mounts it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ . | tee /dev/stderr | @@ -266,7 +266,7 @@ load _helpers [ "${actual}" = "/vault/userconfig/foo" ] local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ @@ -287,7 +287,7 @@ load _helpers # Test that it defines it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.extraVolumes[0].type=secret' \ --set 'server.extraVolumes[0].name=foo' \ . | tee /dev/stderr | 
@@ -302,7 +302,7 @@ load _helpers [ "${actual}" = "foo" ] local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.extraVolumes[0].type=secret' \ --set 'server.extraVolumes[0].name=foo' \ @@ -319,7 +319,7 @@ load _helpers # Test that it mounts it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ . | tee /dev/stderr | @@ -334,7 +334,7 @@ load _helpers [ "${actual}" = "/vault/userconfig/foo" ] local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.extraVolumes[0].type=configMap' \ --set 'server.extraVolumes[0].name=foo' \ @@ -353,7 +353,7 @@ load _helpers @test "server/standalone-StatefulSet: can mount audit" { cd `chart_dir` local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "audit")' | tee /dev/stderr) @@ -365,7 +365,7 @@ load _helpers @test "server/standalone-StatefulSet: set extraEnvironmentVars" { cd `chart_dir` local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.stanadlone.enabled=true' \ --set 'server.extraEnvironmentVars.FOO=bar' \ --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ 
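Review bot: The context line `--set 'server.stanadlone.enabled=true' \` in the `@@ -365,7 +365,7 @@` hunk (server/standalone-StatefulSet: set extraEnvironmentVars) misspells `standalone`, so that `--set` creates an unrelated value key and this case is not actually distinct from the default-mode case in the following hunk. The commit rewrites the neighbouring `--show-only` line without correcting it. The `@test` body continues past the hunk, so I cannot see whether the later assertions rely on standalone mode being enabled, but the line should read `--set 'server.standalone.enabled=true' \`.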
@@ -389,7 +389,7 @@ load _helpers [ "${actual}" = "foobar" ] local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.extraEnvironmentVars.FOO=bar' \ --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ . | tee /dev/stderr | @@ -418,13 +418,13 @@ load _helpers @test "server/standalone-StatefulSet: storageClass on claim by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.volumeClaimTemplates[0].spec.storageClassName' | tee /dev/stderr) [ "${actual}" = "null" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.volumeClaimTemplates[0].spec.storageClassName' | tee /dev/stderr) @@ -435,7 +435,7 @@ load _helpers @test "server/standalone-StatefulSet: can set storageClass" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ --set 'server.dataStorage.storageClass=foo' \ . | tee /dev/stderr | @@ -443,7 +443,7 @@ load _helpers [ "${actual}" = "foo" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.dataStorage.enabled=false' \ --set 'server.auditStorage.enabled=true' \ @@ -453,7 +453,7 @@ load _helpers [ "${actual}" = "foo" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.auditStorage.enabled=true' \ --set 'server.auditStorage.storageClass=foo' \ 
@@ -462,7 +462,7 @@ load _helpers [ "${actual}" = "foo" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ --set 'server.dataStorage.enabled=true' \ . | tee /dev/stderr | @@ -470,7 +470,7 @@ load _helpers [ "${actual}" = "2" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.auditStorage.enabled=true' \ --set 'server.dataStorage.enabled=true' \ @@ -482,7 +482,7 @@ load _helpers @test "server/standalone-StatefulSet: can disable storage" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=false' \ --set 'server.dataStorage.enabled=true' \ . | tee /dev/stderr | @@ -490,7 +490,7 @@ load _helpers [ "${actual}" = "1" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ --set 'server.dataStorage.enabled=false' \ . | tee /dev/stderr | @@ -498,7 +498,7 @@ load _helpers [ "${actual}" = "1" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.auditStorage.enabled=false' \ --set 'server.dataStorage.enabled=true' \ @@ -507,7 +507,7 @@ load _helpers [ "${actual}" = "1" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.auditStorage.enabled=true' \ --set 'server.dataStorage.enabled=false' \ 
@@ -516,7 +516,7 @@ load _helpers [ "${actual}" = "1" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ --set 'server.dataStorage.enabled=true' \ . | tee /dev/stderr | @@ -524,7 +524,7 @@ load _helpers [ "${actual}" = "2" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.auditStorage.enabled=true' \ --set 'server.dataStorage.enabled=true' \ @@ -533,7 +533,7 @@ load _helpers [ "${actual}" = "2" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=fa;se' \ --set 'server.dataStorage.enabled=false' \ . | tee /dev/stderr | @@ -541,7 +541,7 @@ load _helpers [ "${actual}" = "0" ] local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.auditStorage.enabled=false' \ --set 'server.dataStorage.enabled=false' \ @@ -553,7 +553,7 @@ load _helpers @test "server/standalone-StatefulSet: tolerations not set by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr) [ "${actual}" = "true" ] @@ -562,7 +562,7 @@ load _helpers @test "server/standalone-StatefulSet: tolerations can be set" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.tolerations=foobar' \ . | tee /dev/stderr | yq '.spec.template.spec.tolerations == "foobar"' | tee /dev/stderr) 
@@ -572,7 +572,7 @@ load _helpers @test "server/standalone-StatefulSet: nodeSelector is not set by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq '.spec.template.spec.nodeSelector' | tee /dev/stderr) [ "${actual}" = "null" ] @@ -581,7 +581,7 @@ load _helpers @test "server/standalone-StatefulSet: specified nodeSelector" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.nodeSelector=testing' \ . | tee /dev/stderr | yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr) @@ -596,7 +596,7 @@ load _helpers # Test that it defines it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.extraContainers[0].image=test-image' \ --set 'server.extraContainers[0].name=test-container' \ --set 'server.extraContainers[0].ports[0].name=test-port' \ @@ -642,7 +642,7 @@ load _helpers # Test that it defines it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.extraContainers[0].image=test-image' \ --set 'server.extraContainers[0].name=test-container' \ --set 'server.extraContainers[1].image=test-image' \ @@ -661,13 +661,13 @@ load _helpers # Test that it defines it local object=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers' | tee /dev/stderr) local containers_count=$(echo $object | yq -r 'length' | tee /dev/stderr) - [ "${containers_count}" = 1 ] + [ "${containers_count}" = 1 ] } # sharedProcessNamespace 
@@ -677,7 +677,7 @@ load _helpers # Test that it defines it local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr) @@ -689,7 +689,7 @@ load _helpers # Test that it defines it local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.shareProcessNamespace=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr) @@ -702,7 +702,7 @@ load _helpers @test "server/standalone-StatefulSet: specify extraLabels" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.extraLabels.foo=bar' \ . | tee /dev/stderr | yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr) @@ -715,7 +715,7 @@ load _helpers @test "server/standalone-StatefulSet: uid default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr) [ "${actual}" = "100" ] @@ -724,7 +724,7 @@ load _helpers @test "server/standalone-StatefulSet: uid configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.uid=2000' \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr) @@ -734,7 +734,7 @@ load _helpers @test "server/standalone-StatefulSet: gid default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr) [ "${actual}" = "1000" ] 
@@ -743,7 +743,7 @@ load _helpers @test "server/standalone-StatefulSet: gid configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.gid=2000' \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr) @@ -753,7 +753,7 @@ load _helpers @test "server/standalone-StatefulSet: fsgroup default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) [ "${actual}" = "1000" ] @@ -762,7 +762,7 @@ load _helpers @test "server/standalone-StatefulSet: fsgroup configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.gid=2000' \ . | tee /dev/stderr | yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) @@ -775,7 +775,7 @@ load _helpers @test "server/standalone-StatefulSet: readinessProbe default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].readinessProbe.exec.command[2]' | tee /dev/stderr) [ "${actual}" = "vault status -tls-skip-verify" ] @@ -784,7 +784,7 @@ load _helpers @test "server/standalone-StatefulSet: readinessProbe configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.readinessProbe.enabled=false' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) 
@@ -795,7 +795,7 @@ load _helpers @test "server/standalone-StatefulSet: livenessProbe default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) [ "${actual}" = "null" ] @@ -804,7 +804,7 @@ load _helpers @test "server/standalone-StatefulSet: livenessProbe configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.livenessProbe.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.path' | tee /dev/stderr) @@ -814,7 +814,7 @@ load _helpers @test "server/standalone-StatefulSet: livenessProbe initialDelaySeconds default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.livenessProbe.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].livenessProbe.initialDelaySeconds' | tee /dev/stderr) @@ -824,7 +824,7 @@ load _helpers @test "server/standalone-StatefulSet: livenessProbe initialDelaySeconds configurable" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.livenessProbe.enabled=true' \ --set 'server.livenessProbe.initialDelaySeconds=30' \ . | tee /dev/stderr | @@ -835,7 +835,7 @@ load _helpers @test "server/standalone-StatefulSet: add extraArgs" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.extraArgs=foobar' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].args[0]' | tee /dev/stderr) 
@@ -847,7 +847,7 @@ load _helpers @test "server/standalone-StatefulSet: preStop sleep duration default" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]' | tee /dev/stderr) [[ "${actual}" = "sleep 5 &&"* ]] @@ -856,7 +856,7 @@ load _helpers @test "server/standalone-StatefulSet: preStop sleep duration 10" { cd `chart_dir` local actual=$(helm template \ - -x templates/server-statefulset.yaml \ + --show-only templates/server-statefulset.yaml \ --set 'server.preStopSleepSeconds=10' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]' | tee /dev/stderr) diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 98d41ff..b0da7bf 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats 
@@ -4,51 +4,51 @@ load _helpers @test "ui/Service: disabled by default" { cd `chart_dir` - local actual=$(helm template \ - -x templates/ui-service.yaml \ + local actual=$( (helm template \ + --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(helm template \ - -x templates/ui-service.yaml \ + local actual=$( (helm template \ + --show-only templates/ui-service.yaml \ --set 'server.ha.enabled=true' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(helm template \ - -x templates/ui-service.yaml \ + local actual=$( (helm template \ + --show-only templates/ui-service.yaml \ --set 'server.standalone.enabled=true' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } @test "ui/Service: disable with ui.enabled" { cd `chart_dir` - local actual=$(helm template \ - -x templates/ui-service.yaml \ + local actual=$( (helm template \ + --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ --set 'ui.enabled=false' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(helm template \ - -x templates/ui-service.yaml \ + local actual=$( (helm template \ + --show-only templates/ui-service.yaml \ --set 'server.ha.enabled=true' \ --set 'ui.enabled=false' \ - . | tee /dev/stderr | + . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(helm template \ - -x templates/ui-service.yaml \ + local actual=$( (helm template \ + --show-only templates/ui-service.yaml \ --set 'server.standalone.enabled=true' \ --set 'ui.enabled=false' \ - . | tee /dev/stderr | + . 
|| echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } @@ -56,7 +56,7 @@ load _helpers @test "ui/Service: ClusterIP type by default" { cd `chart_dir` local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ --set 'ui.enabled=true' \ . | tee /dev/stderr | @@ -64,7 +64,7 @@ load _helpers [ "${actual}" = "ClusterIP" ] local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.ha.enabled=true' \ --set 'ui.enabled=true' \ . | tee /dev/stderr | @@ -72,7 +72,7 @@ load _helpers [ "${actual}" = "ClusterIP" ] local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.standalone.enabled=true' \ --set 'ui.enabled=true' \ . | tee /dev/stderr | @@ -83,7 +83,7 @@ load _helpers @test "ui/Service: specified type" { cd `chart_dir` local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ --set 'ui.serviceType=LoadBalancer' \ --set 'ui.enabled=true' \ @@ -92,7 +92,7 @@ load _helpers [ "${actual}" = "LoadBalancer" ] local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.ha.enabled=true' \ --set 'ui.serviceType=LoadBalancer' \ --set 'ui.enabled=true' \ @@ -101,7 +101,7 @@ load _helpers [ "${actual}" = "LoadBalancer" ] local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.standalone.enabled=true' \ --set 'ui.serviceType=LoadBalancer' \ --set 'ui.enabled=true' \ 
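Review bot: The `( helm template ... || echo "---")` fallback added for the disabled-by-default cases turns every non-zero exit of `helm template` — a template syntax error, a missing value, a bad flag — into an empty document, so the `length > 0` check can no longer distinguish "not rendered" from "broken". The same pattern is reused by all the externalVaultAddr tests later in this series (ClusterRoleBinding, ConfigMap, dev/ha/standalone StatefulSet, DisruptionBudget, Ingress, Service and ServiceAccount). Consider capturing stderr and asserting the specific Helm 3 message that means the template rendered nothing (Helm 3 reports `could not find template ... in chart` for that case), so a genuine rendering failure still fails the test instead of being reported as "disabled".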
@@ -113,7 +113,7 @@ load _helpers @test "ui/Service: LoadBalancerIP set if specified and serviceType == LoadBalancer" { cd `chart_dir` local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ --set 'ui.serviceType=LoadBalancer' \ --set 'ui.enabled=true' \ @@ -123,7 +123,7 @@ load _helpers [ "${actual}" = "123.123.123.123" ] local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ --set 'ui.serviceType=ClusterIP' \ --set 'ui.enabled=true' \ @@ -136,7 +136,7 @@ load _helpers @test "ui/Service: set loadBalancerSourceRanges when LoadBalancer is configured as serviceType" { cd `chart_dir` local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ --set 'ui.serviceType=LoadBalancer' \ --set 'ui.enabled=true' \ @@ -146,7 +146,7 @@ load _helpers [ "${actual}" = "123.123.123.123" ] local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ --set 'ui.serviceType=ClusterIP' \ --set 'ui.enabled=true' \ @@ -159,7 +159,7 @@ load _helpers @test "ui/Service: specify annotations" { cd `chart_dir` local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ --set 'ui.serviceType=LoadBalancer' \ --set 'ui.enabled=true' \ @@ -169,7 +169,7 @@ load _helpers [ "${actual}" = "bar" ] local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.ha.enabled=true' \ --set 'ui.serviceType=LoadBalancer' \ --set 'ui.enabled=true' \ 
@@ -179,7 +179,7 @@ load _helpers [ "${actual}" = "bar" ] local actual=$(helm template \ - -x templates/ui-service.yaml \ + --show-only templates/ui-service.yaml \ --set 'server.ha.enabled=true' \ --set 'ui.serviceType=LoadBalancer' \ --set 'ui.enabled=true' \ -- GitLab From 872ae7a48f084379d410867a628dbfdb917d6578 Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Thu, 6 Feb 2020 08:46:09 -0800 Subject: [PATCH 09/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9daae18..0e7da58 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ Improvements: * Allow process namespace sharing between Vault and sidecar containers * Added configurable to change updateStrategy * Added sleep in the preStop lifecycle step +* Updated chart and tests to Helm 3 Bugs: -- GitLab From 2b2b0dd2fa9e871d7525e35c7eff5a518bbf9c22 Mon Sep 17 00:00:00 2001 
From: Theron Voran <tvoran@users.noreply.github.com> Date: Fri, 21 Feb 2020 08:16:33 -0800 Subject: [PATCH 10/79] Added support for external vault (#207) Uses Values.injector.externalVaultAddr to control the vault address env variable and server yaml rendering. If injector.externalVaultAddr is empty, both the injector and vault are deployed, with the injector using the local vault. If injector.externalVaultAddr is not empty, only the injector is deployed, and it uses the vault at the address specified in injector.externalVaultAddr. --- templates/_helpers.tpl | 4 +- templates/injector-deployment.yaml | 4 ++ templates/server-clusterrolebinding.yaml | 2 + templates/server-config-configmap.yaml | 2 + templates/server-disruptionbudget.yaml | 2 + templates/server-ingress.yaml | 3 ++ templates/server-service.yaml | 3 ++ templates/server-serviceaccount.yaml | 2 + templates/server-statefulset.yaml | 2 + templates/ui-service.yaml | 2 + test/unit/injector-deployment.bats | 34 ++++++++++++++ test/unit/server-clusterrolebinding.bats | 10 +++++ test/unit/server-configmap.bats | 10 +++++ test/unit/server-dev-statefulset.bats | 11 +++++ test/unit/server-ha-disruptionbudget.bats | 10 +++++ test/unit/server-ha-statefulset.bats | 11 +++++ test/unit/server-ingress.bats | 11 +++++ test/unit/server-service.bats | 30 +++++++++++++ test/unit/server-serviceaccount.bats | 54 +++++++++++++++++++++++ test/unit/server-statefulset.bats | 11 +++++ test/unit/ui-service.bats | 27 ++++++++++++ values.yaml | 4 ++ 22 files changed, 248 insertions(+), 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 0098ab1..f985a8c 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -51,7 +51,9 @@ Set the variable 'mode' to the server mode requested by the user to simplify
 template logic.
 */}}
 {{- define "vault.mode" -}}
- {{- if eq (.Values.server.dev.enabled | toString) "true" -}}
+ {{- if .Values.injector.externalVaultAddr -}}
+ {{- $_ := set . "mode" "external" -}}
+ {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
 {{- $_ := set . "mode" "dev" -}}
 {{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
 {{- $_ := set . "mode" "ha" -}}
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 86c54ff..2362915 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -40,7 +40,11 @@ spec:
 - name: AGENT_INJECT_LOG_LEVEL
 value: {{ .Values.injector.logLevel | default "info" }}
 - name: AGENT_INJECT_VAULT_ADDR
+ {{- if .Values.injector.externalVaultAddr }}
+ value: "{{ .Values.injector.externalVaultAddr }}"
+ {{- else }}
 value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+ {{- end }}
 - name: AGENT_INJECT_VAULT_IMAGE
 value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
 {{- if .Values.injector.certs.secretName }}
diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml
index ac60cd7..733764f 100644
--- a/templates/server-clusterrolebinding.yaml
+++ b/templates/server-clusterrolebinding.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@@ -19,3 +20,4 @@ subjects:
 name: {{ template "vault.fullname" . }}
 namespace: {{ .Release.Namespace }}
 {{ end }}
+{{ end }}
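Review bot: `injector.externalVaultAddr` is copied verbatim into `AGENT_INJECT_VAULT_ADDR` with no check on its scheme, and the new unit tests exercise it with `http://vault-outside`; every injected agent will authenticate to and fetch secrets from whatever URL is configured, so a plain-http value puts Vault tokens and secrets on the wire in cleartext. The values.yaml entry this patch adds (outside this chunk) should at least document that the value is expected to be an `https://` URL to a trusted Vault, and the template could refuse anything else, e.g. `{{- if not (hasPrefix "https://" .Values.injector.externalVaultAddr) }}{{ fail "injector.externalVaultAddr must be an https:// URL" }}{{- end }}`, if a cleartext dev-only case is not required. Separately, in `vault.mode` the new `external` branch wins silently over `server.dev/ha/standalone.enabled`, so a user who sets both gets no server resources and no warning; a comment above the `define`, such as `{{/* externalVaultAddr takes precedence: when set, mode is "external" and no server resources are rendered */}}`, would make that visible.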
diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml
index 811500b..6748d0f 100644
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
 {{ if or (ne .Values.server.standalone.config "") (ne .Values.server.ha.config "") -}}
 apiVersion: v1
@@ -21,3 +22,4 @@ data:
 {{ end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml
index 40ba8b4..6d7f824 100644
--- a/templates/server-disruptionbudget.yaml
+++ b/templates/server-disruptionbudget.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" -}}
 {{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
 # PodDisruptionBudget to prevent degrading the server cluster through
 # voluntary cluster changes.
@@ -20,3 +21,4 @@ spec:
 app.kubernetes.io/instance: {{ .Release.Name }}
 component: server
 {{- end -}}
+{{- end -}}
diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml
index 0402eab..8786d97 100644
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
@@ -1,3 +1,5 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if .Values.server.ingress.enabled -}}
 {{- $serviceName := include "vault.fullname" . -}}
 {{- $servicePort := .Values.server.service.port -}}
@@ -42,3 +44,4 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/templates/server-service.yaml b/templates/server-service.yaml
index 4ea2363..dc633c6 100644
--- a/templates/server-service.yaml
+++ b/templates/server-service.yaml
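Review bot: The `{{- if ne .mode "external" }}` guard added at the top of each server template here — and in the service, serviceaccount, statefulset and ui-service hunks that follow, plus the clusterrolebinding hunk above — is the only thing that keeps server-side resources from being rendered next to an external Vault, and nothing in `vault.mode` enforces it, so every future server template must remember to add it. Documenting the convention next to the helper, e.g. `{{/* mode "external": any template that renders server-side resources must wrap itself in {{- if ne .mode "external" }} */}}`, or adding a unit test that renders the whole chart with `injector.externalVaultAddr` set and asserts that only injector objects remain, would catch a missed file. A minor inconsistency: server-disruptionbudget.yaml closes the new guard with `-}}` (trimming on both sides) while the other templates trim only the left; it does not change the rendered output but is worth aligning.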
@@ -1,3 +1,5 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
 # Service for Vault cluster
 apiVersion: v1
@@ -43,3 +45,4 @@ spec:
 app.kubernetes.io/instance: {{ .Release.Name }}
 component: server
 {{- end }}
+{{- end }}
diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml
index 557ee1a..b375182 100644
--- a/templates/server-serviceaccount.yaml
+++ b/templates/server-serviceaccount.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
 apiVersion: v1
 kind: ServiceAccount
@@ -12,3 +13,4 @@ metadata:
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
+{{ end }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 8a51e6d..18e0d6b 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
 # StatefulSet to run the actual vault server cluster.
 apiVersion: apps/v1
@@ -143,3 +144,4 @@ spec:
 {{- end }}
 {{ template "vault.volumeclaims" . }}
 {{ end }}
+{{ end }}
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml
index cfc53e5..6d89264 100644
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
 {{- if eq (.Values.ui.enabled | toString) "true" }}
 # Headless service for Vault server DNS entries. This service should only
@@ -43,3 +44,4 @@ spec:
 {{- end -}}
 
 {{ end }}
+{{ end }}
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 1f6caaa..7018ea9 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -154,3 +154,37 @@ load _helpers
 yq -r '.[5].name' | tee /dev/stderr)
 [ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ]
 }
+
+@test "injector/deployment: with externalVaultAddr" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set 'injector.externalVaultAddr=http://vault-outside' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.[2].name' | tee /dev/stderr)
+ [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ]
+
+ local actual=$(echo $object |
+ yq -r '.[2].value' | tee /dev/stderr)
+ [ "${actual}" = "http://vault-outside" ]
+}
+
+@test "injector/deployment: without externalVaultAddr" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --release-name not-external-test \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.[2].name' | tee /dev/stderr)
+ [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ]
+
+ local actual=$(echo $object |
+ yq -r '.[2].value' | tee /dev/stderr)
+ [ "${actual}" = "http://not-external-test-vault.default.svc:8200" ]
+}
diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats
index d1245c4..d0d2acf 100755
--- a/test/unit/server-clusterrolebinding.bats
+++ b/test/unit/server-clusterrolebinding.bats
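Review bot: Both new injector tests read the address by position (`.[2].name` / `.[2].value`), so any insertion or reordering in the injector's env list breaks them with a misleading "wrong name" failure rather than reporting a wrong address. Selecting by name is as short and survives such edits: `yq -r '.[] | select(.name == "AGENT_INJECT_VAULT_ADDR") | .value'`, after which the separate `.name` assertion is unnecessary. The second test also pins the in-cluster default as `http://not-external-test-vault.default.svc:8200`, which quietly documents that the default injector-to-Vault path is cleartext unless `vault.scheme` resolves to https; a one-line comment on that assertion saying so would help the next reader.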
@@ -60,3 +60,13 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ClusterRoleBinding: disable with injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-clusterrolebinding.yaml \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats index 679a76f..2aa8856 100755 --- a/test/unit/server-configmap.bats +++ b/test/unit/server-configmap.bats @@ -82,3 +82,13 @@ load _helpers yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr) [ ! -z "${actual}" ] } + +@test "server/ConfigMap: disabled by injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-config-configmap.yaml \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 57acd20..10a9da6 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats @@ -23,6 +23,17 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/dev-StatefulSet: disable with injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'server.dev.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/dev-StatefulSet: image defaults to server.image.repository:tag" { cd `chart_dir` local actual=$(helm template \ 
diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 2c0174a..f3c329e 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -43,6 +43,16 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/DisruptionBudget: disable with injector.exernalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/DisruptionBudget: correct maxUnavailable with n=1" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index a40e92f..11c4e93 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -23,6 +23,17 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-StatefulSet: disable with injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/ha-StatefulSet: image defaults to server.image.repository:tag" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 1cf1576..850ad4c 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats 
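Review bot: The test name in the DisruptionBudget hunk misspells the value it exercises: `@test "server/DisruptionBudget: disable with injector.exernalVaultAddr" {` should read `injector.externalVaultAddr`, so that searching the suite for the value finds this case alongside the others. The `--set` line itself uses the correct key, so the test's behaviour is unaffected.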
@@ -11,6 +11,17 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ingress: disable by injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/ingress: checking host entry gets added and path is /" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index adcf95f..059a1d3 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -113,6 +113,36 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/Service: disable with injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ + --set 'server.dev.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'server.service.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'server.service.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'server.service.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + # This can be seen as testing just what we put into the YAML raw, but # this is such an important part of making everything work we verify it here. @test "server/Service: tolerates unready endpoints" { diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 66fd84b..d72de5d 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats 
@@ -27,3 +27,57 @@ load _helpers yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "null" ] } + +@test "server/ServiceAccount: disable with global.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ServiceAccount: disable by injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ + --set 'server.dev.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-service.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} 
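Review bot: Both new ServiceAccount tests render `templates/server-service.yaml` instead of `templates/server-serviceaccount.yaml`, so they exercise the Service template (already covered by the server-service.bats hunk above) and never check that the ServiceAccount is suppressed when `global.enabled=false` or `injector.externalVaultAddr` is set. Change each `--show-only templates/server-service.yaml` in this hunk to `--show-only templates/server-serviceaccount.yaml`. If the ServiceAccount template does not yet gate on those values, the corrected tests will surface it, which is the coverage this commit intends to add.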
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 059e1c4..1db272a 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -32,6 +32,17 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/standalone-StatefulSet: disable with injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index b0da7bf..59f1818 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats 
@@ -53,6 +53,33 @@ load _helpers [ "${actual}" = "false" ] } +@test "ui/Service: disable with injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/ui-service.yaml \ + --set 'server.dev.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/ui-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/ui-service.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "ui/Service: ClusterIP type by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/values.yaml b/values.yaml index 5433026..a5437bf 100644 --- a/values.yaml +++ b/values.yaml @@ -15,6 +15,10 @@ injector: # True if you want to enable vault agent injection. enabled: true + # External vault server address for the injector to use. Setting this will + # disable deployment of a vault server along with the injector. + externalVaultAddr: "" + # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" -- GitLab From 71fad856a10b87cd09d56176e330eee0d10e1ef0 Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Fri, 21 Feb 2020 08:23:57 -0800 Subject: [PATCH 11/79] changelog++ Also added links --- CHANGELOG.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e7da58..e9c1957 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,14 +2,15 @@ Improvements: -* Allow process namespace sharing between Vault and sidecar containers -* Added configurable to change updateStrategy -* Added sleep in the preStop lifecycle step -* Updated chart and tests to Helm 3 +* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174) +* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172) +* Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)] +* Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)] +* Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)] Bugs: -* Fix bug where Vault lifecycle was appended after extra containers. +* Fix bug where Vault lifecycle was appended after extra containers. [[GH-179](https://github.com/hashicorp/vault-helm/pull/179)] ## 0.3.3 (January 14th, 2020) -- GitLab From 088331f246e8ed5ecd7aeb347dbaf6374ea3b38f Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Fri, 21 Feb 2020 08:25:17 -0800 Subject: [PATCH 12/79] changelog++ missed a couple brackets --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9c1957..1e0bd38 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,8 +2,8 @@ Improvements: -* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174) -* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172) +* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)] +* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)] * Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)] * Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)] * Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)] -- GitLab From 2b0d91d6148457327c50102125d9b1eb8df7dfb1 Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Fri, 21 Feb 2020 11:39:41 -0800 Subject: [PATCH 13/79] Fix the injector deployment unit test (#212) Set namespace manually, so the test service will have a known namespace. --- test/unit/injector-deployment.bats | 1 + 1 file changed, 1 insertion(+) diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 7018ea9..cb4d56f 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -177,6 +177,7 @@ load _helpers local object=$(helm template \ --show-only templates/injector-deployment.yaml \ --release-name not-external-test \ + --namespace default \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) -- GitLab From 8a6419e623fcf6fae7a92fbeecf8d91c70a75c3a Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 21 Feb 2020 14:56:30 -0500 Subject: [PATCH 14/79] Update to 0.4.0 (#211) --- CHANGELOG.md | 2 ++ Chart.yaml | 2 +- values.yaml | 6 +++--- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e0bd38..bf3c405 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Unreleased +## 0.4.0 (February 21st, 2020) + Improvements: * Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)] diff --git a/Chart.yaml b/Chart.yaml index 8a41081..a41283c 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: vault -version: 0.3.3 +version: 0.4.0 description: Install and configure Vault on Kubernetes. home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/values.yaml b/values.yaml index a5437bf..23a61f7 100644 --- a/values.yaml +++ b/values.yaml @@ -22,7 +22,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.1.2" + tag: "0.2.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -30,7 +30,7 @@ injector: # required. agentImage: repository: "vault" - tag: "1.3.1" + tag: "1.3.2" # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. This should be set to a multiline string. @@ -76,7 +76,7 @@ server: image: repository: "vault" - tag: "1.3.1" + tag: "1.3.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent -- GitLab From 1ccc64788a4cdc4a818036c342492bb4d87ef117 Mon Sep 17 00:00:00 2001 
From: Bruno FERNANDO <bruno.fernando@jobteaser.com> Date: Tue, 3 Mar 2020 19:32:50 +0100 Subject: [PATCH 15/79] feat: add AGENT_INJECT_VAULT_AUTH_PATH option to the injector (#185) * Add related unit tests --- templates/injector-deployment.yaml | 2 ++ test/unit/injector-deployment.bats | 45 ++++++++++++++++++++++++++---- values.yaml | 5 +++- 3 files changed, 45 insertions(+), 7 deletions(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 2362915..16f6223 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -45,6 +45,8 @@ spec: {{- else }} value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} {{- end }} + - name: AGENT_INJECT_VAULT_AUTH_PATH + value: {{ .Values.injector.authPath }} - name: AGENT_INJECT_VAULT_IMAGE value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" {{- if .Values.injector.certs.secretName }} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index cb4d56f..fb00ee3 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -117,19 +117,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[4].name' | tee /dev/stderr) + yq -r '.[5].name' | tee /dev/stderr) [ "${actual}" = "AGENT_INJECT_TLS_CERT_FILE" ] local actual=$(echo $object | - yq -r '.[4].value' | tee /dev/stderr) + yq -r '.[5].value' | tee /dev/stderr) [ "${actual}" = "/etc/webhook/certs/test.crt" ] local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) + yq -r '.[6].name' | tee /dev/stderr) [ "${actual}" = "AGENT_INJECT_TLS_KEY_FILE" ] local actual=$(echo $object | - yq -r '.[5].value' | tee /dev/stderr) + yq -r '.[6].value' | tee /dev/stderr) [ "${actual}" = "/etc/webhook/certs/test.key" ] } 
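Review bot: The new `AGENT_INJECT_VAULT_AUTH_PATH` entry emits `value: {{ .Values.injector.authPath }}` unquoted, while the adjacent `AGENT_INJECT_VAULT_IMAGE` line quotes its value. A container env `value` must be a string: an empty `authPath` renders as `value:` (null) and a value that happens to look like a number or boolean is retyped by the YAML parser, both of which fail API validation. Use `value: "{{ .Values.injector.authPath }}"` to match the surrounding entries.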
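Review bot: These assertions locate env entries by position (`.[4]` → `.[5]`), so every variable inserted earlier in the list forces a renumbering pass like this one; the same churn appears in the next hunk (`@@ -147,11 +147,11 @@`), in the server-dev-statefulset.bats hunks of the Raft commit further down this page, and the new authPath, logLevel, logFormat and revoke tests on this page hard-code `.[3]`, `.[1]`, `.[7]` and `.[8]` in the same way. Selecting by name is stable against reordering: `yq -r '.[] | select(.name == "AGENT_INJECT_TLS_CERT_FILE") | .value'`. The enclosing @test bodies begin before this hunk.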
@@ -147,11 +147,11 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[4].name' | tee /dev/stderr) + yq -r '.[5].name' | tee /dev/stderr) [ "${actual}" = "AGENT_INJECT_TLS_AUTO" ] local actual=$(echo $object | - yq -r '.[5].name' | tee /dev/stderr) + yq -r '.[6].name' | tee /dev/stderr) [ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ] } @@ -189,3 +189,36 @@ load _helpers yq -r '.[2].value' | tee /dev/stderr) [ "${actual}" = "http://not-external-test-vault.default.svc:8200" ] } + +@test "injector/deployment: default authPath" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[3].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ] + + local actual=$(echo $object | + yq -r '.[3].value' | tee /dev/stderr) + [ "${actual}" = "auth/kubernetes" ] +} + +@test "injector/deployment: custom authPath" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.authPath=auth/k8s' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[3].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ] + + local actual=$(echo $object | + yq -r '.[3].value' | tee /dev/stderr) + [ "${actual}" = "auth/k8s" ] +} diff --git a/values.yaml b/values.yaml index 23a61f7..24cbfd6 100644 --- a/values.yaml +++ b/values.yaml 
@@ -32,6 +32,9 @@ injector: repository: "vault" tag: "1.3.2" + # Mount Path of the Vault Kubernetes Auth Method. + authPath: "auth/kubernetes" + # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. This should be set to a multiline string. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -124,7 +127,7 @@ server: # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation shareProcessNamespace: false - + # extraArgs is a string containing additional Vault server arguments. extraArgs: "" -- GitLab From 9d92922c9dc1500642278b172a7150c32534de0b Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Tue, 3 Mar 2020 10:37:47 -0800 Subject: [PATCH 16/79] changelog++ --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf3c405..e6efc43 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Unreleased +Improvements: + +* Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)] + ## 0.4.0 (February 21st, 2020) Improvements: -- GitLab From 9d1693ad13bf364da56f0cfe5210981bbe2bf696 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 6 Mar 2020 15:03:58 -0500 Subject: [PATCH 17/79] Add new vault-k8s environment variables (#219) * Add new vault-k8s envs * update vault image * Add default tests for envs * Add note about supported log parameters * Fix typo in test name --- templates/injector-deployment.yaml | 4 ++ test/unit/injector-deployment.bats | 99 ++++++++++++++++++++++++++++++ values.yaml | 15 ++++- 3 files changed, 115 insertions(+), 3 deletions(-) 
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 16f6223..fa3688e 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -60,6 +60,10 @@ spec: - name: AGENT_INJECT_TLS_AUTO_HOSTS value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc {{- end }} + - name: AGENT_INJECT_LOG_FORMAT + value: {{ .Values.injector.logFormat | default "standard" }} + - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN + value: {{ .Values.injector.revokeOnShutdown | default false }} args: - agent-inject - 2>&1 diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index fb00ee3..54b5c1c 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
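Review bot: `value: {{ .Values.injector.revokeOnShutdown | default false }}` renders a bare YAML boolean, but a container env `value` must be a string, so the rendered Deployment is not accepted as written; the later "Change revoke from bool to string" commit on this page quotes exactly this line, which confirms the problem. `AGENT_INJECT_LOG_FORMAT` on the line above has the same shape and only survives because `standard`/`json` are not type-ambiguous, so quote it too: `value: "{{ .Values.injector.logFormat | default "standard" }}"`. Quoting both keeps these entries consistent with `AGENT_INJECT_VAULT_IMAGE` earlier in the same env list.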
@@ -222,3 +222,102 @@ load _helpers yq -r '.[3].value' | tee /dev/stderr) [ "${actual}" = "auth/k8s" ] } + +@test "injector/deployment: default logLevel" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[1].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ] + + local actual=$(echo $object | + yq -r '.[1].value' | tee /dev/stderr) + [ "${actual}" = "info" ] +} + +@test "injector/deployment: custom logLevel" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.logLevel=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[1].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ] + + local actual=$(echo $object | + yq -r '.[1].value' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} + +@test "injector/deployment: default logFormat" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[7].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ] + + local actual=$(echo $object | + yq -r '.[7].value' | tee /dev/stderr) + [ "${actual}" = "standard" ] +} + +@test "injector/deployment: custom logFormat" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.logFormat=json' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[7].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ] + + local actual=$(echo $object | + yq -r '.[7].value' | tee /dev/stderr) + [ "${actual}" = "json" ] +} + +@test "injector/deployment: default revoke on shutdown" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[8].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] + + local actual=$(echo $object | + yq -r '.[8].value' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/deployment: custom revoke on shutdown" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.revokeOnShutdown=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[8].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] + + local actual=$(echo $object | + yq -r '.[8].value' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/values.yaml b/values.yaml index 24cbfd6..e31e40f 100644 --- a/values.yaml +++ b/values.yaml @@ -22,7 +22,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.2.0" + tag: "0.3.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent 
@@ -30,11 +30,20 @@ injector: # required. agentImage: repository: "vault" - tag: "1.3.2" + tag: "1.3.3" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" + # Configures the log verbosity of the injector. Supported log levels: Trace, Debug, Error, Warn, Info + logLevel: "info" + + # Configures the log format of the injector. Supported log formats: "standard", "json". + logFormat: "standard" + + # Configures all Vault Agent sidecars to revoke their token when shutting down + revokeOnShutdown: false + # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. This should be set to a multiline string. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -79,7 +88,7 @@ server: image: repository: "vault" - tag: "1.3.2" + tag: "1.3.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent -- GitLab From b8fc51b2be9850368bde67e257224e364ae2db46 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 6 Mar 2020 15:10:41 -0500 Subject: [PATCH 18/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e6efc43..0c6a69c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Improvements: * Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)] +* Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)] ## 0.4.0 (February 21st, 2020) -- GitLab From d0f89fced85148ed1b7b11e96c3f9ca2ece04bbc Mon Sep 17 00:00:00 2001 
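Review bot: The `logLevel` comment lists `Trace, Debug, Error, Warn, Info` while the default directly below is lowercase `"info"`, and the `logFormat` comment quotes its options, so a reader cannot tell whether case matters or which spelling the injector expects. Align the comment with the default, e.g. `# Configures the log verbosity of the injector. Supported log levels: "trace", "debug", "error", "warn", "info".`, or state explicitly that the value is case-insensitive if that is confirmed against vault-k8s. The chart does not validate this field (the unit tests on this page accept `logLevel=foo`), so the comment is the only guidance a user gets.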
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 6 Mar 2020 16:59:59 -0500 Subject: [PATCH 19/79] Change revoke from bool to string (#221) --- templates/injector-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index fa3688e..8f2a53d 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -63,7 +63,7 @@ spec: - name: AGENT_INJECT_LOG_FORMAT value: {{ .Values.injector.logFormat | default "standard" }} - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN - value: {{ .Values.injector.revokeOnShutdown | default false }} + value: "{{ .Values.injector.revokeOnShutdown | default false }}" args: - agent-inject - 2>&1 -- GitLab From 58b96dbc1057d863d334d10d67a3fbaf3b73bb02 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Wed, 18 Mar 2020 15:49:14 -0400 Subject: [PATCH 20/79] Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> --- templates/_helpers.tpl | 8 +- templates/server-config-configmap.yaml | 4 +- templates/server-headless-service.yaml | 35 +++++++ templates/server-statefulset.yaml | 8 +- test/acceptance/server-ha-raft.bats | 121 +++++++++++++++++++++++++ test/unit/server-configmap.bats | 30 ++++++ test/unit/server-dev-statefulset.bats | 20 ++-- test/unit/server-ha-statefulset.bats | 20 ++-- test/unit/server-statefulset.bats | 16 ++-- values.yaml | 23 +++++ 10 files changed, 252 insertions(+), 33 deletions(-) create mode 100644 templates/server-headless-service.yaml create mode 100644 test/acceptance/server-ha-raft.bats diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index f985a8c..5639142 100644 --- a/templates/_helpers.tpl 
+++ b/templates/_helpers.tpl @@ -133,6 +133,10 @@ Set's additional environment variables based on the mode. - name: VAULT_DEV_ROOT_TOKEN_ID value: "root" {{ end }} + {{ if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} + - name: VAULT_CLUSTER_ADDR + value: "https://$(HOSTNAME).vault-internal:8201" + {{ end }} {{- end -}} {{/* @@ -144,7 +148,7 @@ based on the mode configured. - name: audit mountPath: /vault/audit {{ end }} - {{ if eq .mode "standalone" }} + {{ if or (eq .mode "standalone") (and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true")) }} {{ if eq (.Values.server.dataStorage.enabled | toString) "true" }} - name: data mountPath: /vault/data @@ -169,7 +173,7 @@ storage might be desired by the user. {{- define "vault.volumeclaims" -}} {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} volumeClaimTemplates: - {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (eq .mode "standalone") }} + {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} - metadata: name: data spec: diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index 6748d0f..6e05850 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -17,8 +17,10 @@ data: disable_mlock = true {{- if eq .mode "standalone" }} {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} - {{- else if eq .mode "ha" }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }} {{ tpl .Values.server.ha.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} + {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} {{ end }} {{- end }} {{- end }} 
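Review bot: `VAULT_CLUSTER_ADDR` is set to `"https://$(HOSTNAME).vault-internal:8201"`, which hard-codes the service name; the headless Service added by this commit is named `{{ template "vault.fullname" . }}-internal`, so any release whose fullname is not `vault` gives every Raft node an unresolvable cluster address and peers cannot join. Use the same helper: `value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"`. The `$(HOSTNAME)` reference relies on the `HOSTNAME` env entry that the server-statefulset.yaml hunk adds before `{{ template "vault.envs" . }}`; Kubernetes expands `$(VAR)` only against variables defined earlier in the list, so that ordering must be preserved. The define containing this block starts and ends outside the hunk.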
diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml new file mode 100644 index 0000000..80a94a3 --- /dev/null +++ b/templates/server-headless-service.yaml @@ -0,0 +1,35 @@ +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +# Service for Vault cluster +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-internal + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" +{{- if .Values.server.service.annotations }} +{{ toYaml .Values.server.service.annotations | indent 4 }} +{{- end }} +spec: + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: "{{ include "vault.scheme" . }}" + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + - name: internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server +{{- end }} +{{- end }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 18e0d6b..5b4752b 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -12,7 +12,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} spec: - serviceName: {{ template "vault.fullname" . }} + serviceName: {{ template "vault.fullname" . }}-internal podManagementPolicy: Parallel replicas: {{ template "vault.replicas" . }} updateStrategy: 
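Review bot: The StatefulSet's `serviceName` now points at `{{ template "vault.fullname" . }}-internal` unconditionally, but the new headless Service that provides that name is only rendered when both `server.service.enabled` and `global.enabled` are true; with `server.service.enabled=false` the StatefulSet references a Service that does not exist, so pods get no stable `<pod>.<fullname>-internal` DNS records and the Raft cluster addresses used elsewhere in this commit cannot resolve. Either drop the `server.service.enabled` gate from server-headless-service.yaml (the headless Service is a StatefulSet requirement, not an optional client-facing Service) or keep `serviceName` in step with the gate. A short comment at the top of the new file stating that this Service exists for StatefulSet pod DNS and Raft cluster traffic on 8201 would also help, since `# Service for Vault cluster` does not explain why it is separate from the main Service.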
@@ -71,11 +71,15 @@ spec: - name: VAULT_ADDR value: "{{ include "vault.scheme" . }}://127.0.0.1:8200" - name: VAULT_API_ADDR - value: "{{ include "vault.scheme" . }}://$(POD_IP):8200" + value: "{{ include "vault.scheme" . }}-internal://$(POD_IP):8200" - name: SKIP_CHOWN value: "true" - name: SKIP_SETCAP value: "true" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats new file mode 100644 index 0000000..17951b8 --- /dev/null +++ b/test/acceptance/server-ha-raft.bats 
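Review bot: `VAULT_API_ADDR` now renders as `"{{ include "vault.scheme" . }}-internal://$(POD_IP):8200"`, i.e. a URL like `http-internal://<pod-ip>:8200` — `-internal` has been appended to the scheme rather than to a service name, producing an invalid address that Vault advertises to the cluster as its API endpoint; this looks like the `-internal` edit from the `serviceName` change landing on the wrong line. Restore `value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"`, or if a DNS-based address is intended use `"{{ include "vault.scheme" . }}://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8200"`, which the new `HOSTNAME` entry below makes possible. The container spec continues outside this hunk.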
@@ -0,0 +1,121 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/ha-raft: testing deployment" { + cd `chart_dir` + + helm install "$(name_prefix)" \ + --set='server.ha.enabled=true' \ + --set='server.ha.raft.enabled=true' . + wait_for_running $(name_prefix)-0 + + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "true" ] + + local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "false" ] + + # Security + local ipc=$(kubectl get statefulset "$(name_prefix)" --output json | + jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]') + [ "${ipc}" == "IPC_LOCK" ] + + # Replicas + local replicas=$(kubectl get statefulset "$(name_prefix)" --output json | + jq -r '.spec.replicas') + [ "${replicas}" == "3" ] + + # Volume Mounts + local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | + jq -r '.spec.template.spec.containers[0].volumeMounts | length') + [ "${volumeCount}" == "2" ] + + # Volumes + local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | + jq -r '.spec.template.spec.volumes | length') + [ "${volumeCount}" == "1" ] + + local volume=$(kubectl get statefulset "$(name_prefix)" --output json | + jq -r '.spec.template.spec.volumes[0].configMap.name') + [ "${volume}" == "$(name_prefix)-config" ] + + # Service + local service=$(kubectl get service "$(name_prefix)" --output json | + jq -r '.spec.clusterIP') + [ "${service}" != "None" ] + + local service=$(kubectl get service "$(name_prefix)" --output json | + jq -r '.spec.type') + [ "${service}" == "ClusterIP" ] + + local ports=$(kubectl get service "$(name_prefix)" --output json | + jq -r '.spec.ports | length') + [ "${ports}" == "2" ] + + local ports=$(kubectl get service "$(name_prefix)" --output json | + jq -r '.spec.ports[0].port') + [ "${ports}" == "8200" ] + + 
local ports=$(kubectl get service "$(name_prefix)" --output json | + jq -r '.spec.ports[1].port') + [ "${ports}" == "8201" ] + + # Vault Init + local init=$(kubectl exec -ti "$(name_prefix)-0" -- \ + vault operator init -format=json -n 1 -t 1) + + local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') + [ "${token}" != "" ] + + local root=$(echo ${init} | jq -r '.root_token') + [ "${root}" != "" ] + + kubectl exec -ti vault-0 -- vault operator unseal ${token} + wait_for_ready "$(name_prefix)-0" + + sleep 5 + + # Vault Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + for pod in "${pods[@]}" + do + if [[ ${pod?} != "$(name_prefix)-0" ]] + then + kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200 + kubectl exec -ti ${pod} -- vault operator unseal ${token} + wait_for_ready "${pod}" + fi + done + + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "false" ] + + local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "true" ] + + kubectl exec "$(name_prefix)-0" -- vault login ${root} + + local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft configuration -format=json | + jq -r '.data.config.servers | length') + [ "${raft_status}" == "3" ] +} + +setup() { + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + kubectl config set-context --current --namespace=acceptance +} + +#cleanup +teardown() { + helm delete vault + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true +} diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats index 2aa8856..fe2ac12 100755 --- a/test/unit/server-configmap.bats +++ b/test/unit/server-configmap.bats 
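Review bot: The unseal step runs `kubectl exec -ti vault-0 -- vault operator unseal ${token}` with a hard-coded pod name while every other command in this test derives the pod from `$(name_prefix)-0`, so the test breaks as soon as the prefix is anything but `vault`; change it to `kubectl exec -ti "$(name_prefix)-0" -- vault operator unseal ${token}`. The `-t` flag requests a TTY that non-interactive CI runners do not provide, and none of these commands need one, so `-i` alone (or neither) is safer. Two smaller points: `token` actually holds the first unseal key (`.unseal_keys_b64[0]`), so `unseal_key` would read better, and the second `# Sealed, not initialized` comment precedes assertions that now expect `sealed=false` and `initialized=true`, so it should read `# Unsealed and initialized`.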
@@ -17,6 +17,14 @@ load _helpers
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
+ local actual=$(helm template \
+ --show-only templates/server-config-configmap.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.ha.raft.enabled=true' \
+ . | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+
 local actual=$(helm template \
 --show-only templates/server-config-configmap.yaml \
 --set 'server.standalone.enabled=true' \
@@ -25,6 +33,28 @@ load _helpers
 [ "${actual}" = "true" ]
 }
+@test "server/ConfigMap: raft config disabled by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-config-configmap.yaml \
+ --set 'server.ha.enabled=true' \
+ . | tee /dev/stderr |
+ grep "raft" | yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" != "true" ]
+}
+
+@test "server/ConfigMap: raft config can be enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-config-configmap.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.ha.raft.enabled=true' \
+ . | tee /dev/stderr |
+ grep "raft" | yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+
 @test "server/ConfigMap: disabled by server.dev.enabled true" {
 cd `chart_dir`
 local actual=$( (helm template \
diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats
index 10a9da6..5ce3405 100755
--- a/test/unit/server-dev-statefulset.bats
+++ b/test/unit/server-dev-statefulset.bats
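Review bot: The two new raft ConfigMap tests assert on `grep "raft" | yq 'length > 0'`, which is a weak check: when grep matches nothing, yq receives empty input and prints nothing, so the "disabled by default" case passes on an empty string rather than on a real negative, and any occurrence of the word raft (a comment, a key name) satisfies the "can be enabled" case. Asserting on the rendered config content instead, along the lines of `yq -r '.data[]' | grep -c 'storage "raft"'` with `[ "${actual}" = "0" ]` and `[ "${actual}" = "1" ]`, pins what is actually being verified; the ConfigMap key name is not visible in this hunk, so adjust the selector to whatever the template emits.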
@@ -249,19 +249,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[8].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) + yq -r '.[8].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) + yq -r '.[9].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) + yq -r '.[9].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } @@ -282,23 +282,23 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) + yq -r '.[7].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_0" ] local actual=$(echo $object | - yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_0" ] local actual=$(echo $object | - yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_0" ] local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[8].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_1" ] local actual=$(echo $object | - yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[8].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_1" ] local actual=$(echo $object | - yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[8].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_1" ] } diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 11c4e93..db2ea6b 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -349,19 +349,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) + yq -r '.[7].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[6].value' | tee /dev/stderr) + yq -r '.[7].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[8].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) + yq -r '.[8].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } @@ -383,23 +383,23 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) + yq -r '.[7].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_0" ] local actual=$(echo $object | - yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_0" ] local actual=$(echo $object | - yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_0" ] local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[8].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_1" ] local actual=$(echo $object | - yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[8].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_1" ] local actual=$(echo $object | - yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[8].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_1" ] } diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 1db272a..25d7798 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -384,19 +384,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) + yq -r '.[7].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[6].value' | tee /dev/stderr) + yq -r '.[7].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[8].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) + yq -r '.[8].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] local object=$(helm template \ @@ -407,19 +407,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[6].name' | tee /dev/stderr) + yq -r '.[7].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[6].value' | tee /dev/stderr) + yq -r '.[7].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[8].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) + yq -r '.[8].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } diff --git a/values.yaml b/values.yaml index e31e40f..50aa6b6 100644 --- a/values.yaml +++ b/values.yaml 
@@ -314,12 +314,35 @@ server:
 ha:
 enabled: false
 replicas: 3
+
+ # Enables Vault's integrated Raft storage. Unlike the typical HA modes where
+ # Vault's persistence is external (such as Consul), enabling Raft mode will create
+ # persistent volumes for Vault to store data. The Vault cluster will coordinate leader
+ # elections and failovers internally.
+ raft:
+
+ # Enables Raft integrated storage
+ enabled: false
+ config: |
+ ui = true
+ cluster_addr = "https://POD_IP:8201"
+
+ listener "tcp" {
+ tls_disable = 1
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ }
+
+ storage "raft" {
+ path = "/vault/data"
+ }
 # config is a raw string of default configuration when using a Stateful # deployment. Default is to use a Consul for its HA storage backend. # This should be HCL.
 config: |
 ui = true
+ cluster_addr = "https://POD_IP:8201"
 listener "tcp" {
 tls_disable = 1
-- GitLab From 9e0030d70ac0c11df6e64eb577cba84891417e12 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Wed, 18 Mar 2020 15:50:53 -0400 Subject: [PATCH 21/79] changelog++ --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c6a69c..251877b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
+Features:
+
+* Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)]
+
 Improvements:
 * Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
-- GitLab From fa13c47858ca89076f84378ff554e205116481d6 Mon Sep 17 00:00:00 2001 
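Review bot: The new `server.ha.raft.config` default sets `tls_disable = 1` on a listener bound to `[::]:8200`, so a Raft cluster installed with these values serves the Vault API in plaintext to anything that can reach the pods; this mirrors the pre-existing HA default further down the hunk, but the raft block is new and should carry the warning itself, e.g. `# TLS is disabled on the API listener for a quick start; set tls_cert_file/tls_key_file (and remove tls_disable) before exposing 8200 beyond the cluster.` above `listener "tcp" {`. That setting governs the API port only; `cluster_addr` is written with the https scheme, and to my understanding the `[::]:8201` cluster port is Vault's separately secured peer listener, so the comment should make clear which port the plaintext caveat applies to. `POD_IP` in both `cluster_addr` lines is a placeholder that something outside this hunk must rewrite at container start; a one-line comment naming where that substitution happens would save the next reader a search.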
From: Theron Voran <tvoran@users.noreply.github.com> Date: Wed, 18 Mar 2020 21:30:22 -0700 Subject: [PATCH 22/79] Add injector.extraEnvironmentVars (#232) Allows user-specified environment variables to be set in the injector deployment. --- templates/_helpers.tpl | 4 ++-- templates/injector-deployment.yaml | 1 + test/unit/injector-deployment.bats | 38 ++++++++++++++++++++++++++++++ values.yaml | 5 ++++ 4 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 5639142..1fd6f3f 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -288,9 +288,9 @@ Inject extra environment vars in the format key:value, if populated
 {{- define "vault.extraEnvironmentVars" -}}
 {{- if .extraEnvironmentVars -}}
 {{- range $key, $value := .extraEnvironmentVars }}
-- name: {{ $key }}
+- name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
 value: {{ $value | quote }}
-{{- end -}}
+{{- end }}
 {{- end -}}
 {{- end -}}
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 8f2a53d..378f468 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -64,6 +64,7 @@ spec:
 value: {{ .Values.injector.logFormat | default "standard" }}
 - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
 value: "{{ .Values.injector.revokeOnShutdown | default false }}"
+ {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
 args:
 - agent-inject
 - 2>&1
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 54b5c1c..e3419cf 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
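Review bot: The key sanitizer in `vault.extraEnvironmentVars` only rewrites `.` to `_` (`replace "." "_" | upper`), so a key such as `foo-bar` still renders an env `name` the API server will reject, and two keys that differ only in case or in `.` versus `_` collapse into duplicate `name` entries in the same container; `- name: {{ regexReplaceAll "[^A-Za-z0-9_]" (printf "%s" $key) "_" | upper | quote }}` handles the first, and a short comment above the `range` should state that collisions after normalisation are the caller's responsibility. Because the include is appended after the injector's own `AGENT_INJECT_*` entries (see the injector-deployment hunk on this line), a user key that normalises to one of those names produces a duplicate variable whose winner is decided by the kubelet rather than by the chart, so the values.yaml comment should say that `extraEnvironmentVars` is not the supported way to override them. The define is fully contained in the hunk.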
@@ -321,3 +321,41 @@ load _helpers yq -r '.[8].value' | tee /dev/stderr) [ "${actual}" = "true" ] } + +#-------------------------------------------------------------------- +# extraEnvironmentVars + +@test "injector/deployment: set extraEnvironmentVars" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.extraEnvironmentVars.FOO=bar' \ + --set 'injector.extraEnvironmentVars.FOOBAR=foobar' \ + --set 'injector.extraEnvironmentVars.lower\.case=sanitized' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[9].name' | tee /dev/stderr) + [ "${actual}" = "FOO" ] + + local actual=$(echo $object | + yq -r '.[9].value' | tee /dev/stderr) + [ "${actual}" = "bar" ] + + local actual=$(echo $object | + yq -r '.[10].name' | tee /dev/stderr) + [ "${actual}" = "FOOBAR" ] + + local actual=$(echo $object | + yq -r '.[10].value' | tee /dev/stderr) + [ "${actual}" = "foobar" ] + + local actual=$(echo $object | + yq -r '.[11].name' | tee /dev/stderr) + [ "${actual}" = "LOWER_CASE" ] + + local actual=$(echo $object | + yq -r '.[11].value' | tee /dev/stderr) + [ "${actual}" = "sanitized" ] +} diff --git a/values.yaml b/values.yaml index 50aa6b6..a4aeeea 100644 --- a/values.yaml +++ b/values.yaml @@ -81,6 +81,11 @@ injector: # memory: 256Mi # cpu: 250m + # extraEnvironmentVars is a list of extra enviroment variables to set in the + # injector deployment. + extraEnvironmentVars: {} + # KUBERNETES_SERVICE_HOST: kubernetes.default.svc + server: # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. -- GitLab From aeaeaa02fb892814bdcb7c8325fa98d9bf48f430 Mon Sep 17 00:00:00 2001 
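Review bot: The comment on the new `extraEnvironmentVars` key calls it "a list of extra enviroment variables", but the default `{}` and the helper that consumes it (`range $key, $value`) make it a map, and it says nothing about the key normalisation the helper applies, which is exactly what a user needs to predict the resulting variable name; suggest `# extraEnvironmentVars is a map of extra environment variables to set in the injector deployment. Keys are upper-cased and "." is replaced with "_" to form the variable name.` and fix the "enviroment" typo while there.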
From: Theron Voran <tvoran@users.noreply.github.com> Date: Wed, 18 Mar 2020 21:32:45 -0700 Subject: [PATCH 23/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 251877b..2b75ffe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ Improvements: * Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)] * Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)] +* Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)] ## 0.4.0 (February 21st, 2020) -- GitLab From 1a8d9de5112d5078ceb7b5faa5dfc215df24c307 Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Thu, 19 Mar 2020 22:43:52 -0700 Subject: [PATCH 24/79] Injector scheduler options (#234) Adds affinity, tolerations, and nodeSelector options for the injector deployment that are separate from those options on the vault server statefulset. Co-authored-by: Sergei Shishov <sergei.shishov@dubizzle.com> --- templates/_helpers.tpl | 30 ++++++++++++++ templates/injector-deployment.yaml | 3 ++ test/unit/injector-deployment.bats | 66 ++++++++++++++++++++++++++++++ test/unit/server-statefulset.bats | 19 +++++++++ values.yaml | 17 ++++++++ 5 files changed, 135 insertions(+) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 1fd6f3f..107c173 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -212,6 +212,16 @@ Set's the affinity for pod placement when running in standalone and HA modes. {{ end }} {{- end -}} +{{/* +Sets the injector affinity for pod placement +*/}} +{{- define "injector.affinity" -}} + {{- if .Values.injector.affinity }} + affinity: + {{ tpl .Values.injector.affinity . | nindent 8 | trim }} + {{ end }} +{{- end -}} + {{/* Set's the toleration for pod placement when running in standalone and HA modes. */}} @@ -222,6 +232,16 @@ Set's the toleration for pod placement when running in standalone and HA modes. {{- end }} {{- end -}} +{{/* +Sets the injector toleration for pod placement +*/}} +{{- define "injector.tolerations" -}} + {{- if .Values.injector.tolerations }} + tolerations: + {{ tpl .Values.injector.tolerations . | nindent 8 | trim }} + {{- end }} +{{- end -}} + {{/* Set's the node selector for pod placement when running in standalone and HA modes. */}} @@ -232,6 +252,16 @@ Set's the node selector for pod placement when running in standalone and HA mode {{- end }} {{- end -}} +{{/* +Sets the injector node selector for pod placement +*/}} +{{- define "injector.nodeselector" -}} + {{- if .Values.injector.nodeSelector }} + nodeSelector: + {{ tpl .Values.injector.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end -}} + {{/* Sets extra pod annotations */}} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 378f468..4233726 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -24,6 +24,9 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} component: webhook spec: + {{ template "injector.affinity" . }} + {{ template "injector.tolerations" . }} + {{ template "injector.nodeselector" . }} serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" securityContext: runAsNonRoot: true diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index e3419cf..033ce7c 100755 --- a/test/unit/injector-deployment.bats 
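Review bot: `injector.nodeselector` renders its value with `indent 8 | trim` while the two sibling helpers added in the same hunk use `nindent 8 | trim`, and `injector.affinity` closes with `{{ end }}` where the others use `{{- end }}`; make the three match (`nindent 8 | trim` and `{{- end }}` throughout) so the whitespace each helper emits into the PodSpec is predictable. These values are strings evaluated with `tpl` against the full chart context, which appears to be the same contract the existing server-side helpers use, and the values.yaml comments for the three new keys should mention that templating is applied to them.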
+++ b/test/unit/injector-deployment.bats 
@@ -359,3 +359,69 @@ load _helpers yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "sanitized" ] } + +#-------------------------------------------------------------------- +# affinity + +@test "injector/deployment: affinity not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .affinity? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/deployment: affinity can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.affinity=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.affinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# tolerations + +@test "injector/deployment: tolerations not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/deployment: tolerations can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.tolerations=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.tolerations == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# nodeSelector + +@test "injector/deployment: nodeSelector is not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.nodeSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/deployment: nodeSelector can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.nodeSelector=testing' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr) + [ "${actual}" = "testing" ] +} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 25d7798..35ebf21 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -561,6 +561,25 @@ load _helpers [ "${actual}" = "0" ] } +@test "server/standalone-StatefulSet: affinity is set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec.affinity["podAntiAffinity"]? != null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: affinity can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.affinity=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.affinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "server/standalone-StatefulSet: tolerations not set by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/values.yaml b/values.yaml index a4aeeea..9e2c7f5 100644 --- a/values.yaml +++ b/values.yaml 
@@ -86,6 +86,23 @@ injector: extraEnvironmentVars: {} # KUBERNETES_SERVICE_HOST: kubernetes.default.svc + # Affinity Settings for injector pods + # This should be a multi-line string matching the affinity section of a + # PodSpec. + affinity: null + + # Toleration Settings for injector pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + tolerations: null + + # nodeSelector labels for injector pod assignment, formatted as a muli-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + nodeSelector: null + server: # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. -- GitLab From 127b95d6f99b8b3aee04dec2bb38246487b958df Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Thu, 19 Mar 2020 22:45:58 -0700 Subject: [PATCH 25/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2b75ffe..49318fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ Improvements: * Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)] * Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)] * Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)] +* Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)] ## 0.4.0 (February 21st, 2020) -- GitLab From 2a37c571d77a528783a9d16a77becc91e21ccab6 Mon Sep 17 00:00:00 2001 
From: Theron Voran <tvoran@users.noreply.github.com> Date: Fri, 20 Mar 2020 08:37:40 -0700 Subject: [PATCH 26/79] Making all annotations multi-line strings (#227) Annotations for various objects were either multi-line strings or yaml maps strings, so this is making them all multi-line strings for consistency. Also updated the doc comment for namespaceSelector, since it's being read as a yaml map (toYaml). --- templates/_helpers.tpl | 14 ++++++++++++-- templates/server-ingress.yaml | 5 +---- templates/server-service.yaml | 2 +- test/unit/server-ingress.bats | 12 ++++++++++++ test/unit/server-service.bats | 2 +- test/unit/server-serviceaccount.bats | 4 ++-- test/unit/ui-service.bats | 4 ++-- values.yaml | 11 ++++++++--- 8 files changed, 39 insertions(+), 15 deletions(-)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 107c173..866b826 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -278,7 +278,7 @@ Sets extra ui service annotations
 {{- define "vault.ui.annotations" -}}
 {{- if .Values.ui.annotations }}
 annotations:
- {{- toYaml .Values.ui.annotations | nindent 4 }}
+ {{- tpl .Values.ui.annotations . | nindent 4 }}
 {{- end }}
 {{- end -}}
@@ -288,7 +288,17 @@ Sets extra service account annotations
 {{- define "vault.serviceAccount.annotations" -}}
 {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
 annotations:
- {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }}
+ {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra ingress annotations
+*/}}
+{{- define "vault.ingress.annotations" -}}
+ {{- if .Values.server.ingress.annotations }}
+ annotations:
+ {{- tpl .Values.server.ingress.annotations . | nindent 4 }}
 {{- end }}
 {{- end -}}
diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml
index 8786d97..32755f3 100644
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
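Review bot: Switching `vault.ui.annotations` and `vault.serviceAccount.annotations` from `toYaml` to `tpl` changes the accepted value type from a YAML map to a string, and `tpl` errors on a map (wrong type for value), so anyone upgrading with the previously documented map form (the shape the old unit tests in this series used, e.g. `ui.annotations.foo=bar`) gets a render failure, while values.yaml still defaults these keys to `{}`. Accepting both shapes with a `kindIs "string"` guard keeps the change backward compatible, and the CHANGELOG entry should say which form is the supported one going forward. `tpl` also evaluates the annotation text as a Go template with access to the whole chart context; that is acceptable for chart values but deserves a one-line comment in each helper so nobody later feeds it text from a less trusted source.
```gotmpl
{{- define "vault.ui.annotations" -}}
  {{- if .Values.ui.annotations }}
  annotations:
    {{- if kindIs "string" .Values.ui.annotations }}
    {{- tpl .Values.ui.annotations . | nindent 4 }}
    {{- else }}
    {{- toYaml .Values.ui.annotations | nindent 4 }}
    {{- end }}
  {{- end }}
{{- end -}}
{{/* … unchanged: apply the same kindIs guard in vault.serviceAccount.annotations and vault.ingress.annotations … */}}
```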
@@ -16,10 +16,7 @@ metadata: {{- with .Values.server.ingress.labels }} {{- toYaml . | nindent 4 }} {{- end }} - {{- with .Values.server.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + {{- template "vault.ingress.annotations" . }} spec: {{- if .Values.server.ingress.tls }} tls: diff --git a/templates/server-service.yaml b/templates/server-service.yaml index dc633c6..68a06fb 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -18,7 +18,7 @@ metadata: # https://github.com/kubernetes/kubernetes/issues/58662 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" {{- if .Values.server.service.annotations }} -{{ toYaml .Values.server.service.annotations | indent 4 }} +{{ tpl .Values.server.service.annotations . | indent 4 }} {{- end }} spec: {{- if .Values.server.service.type}} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 850ad4c..9f54e5c 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -69,3 +69,15 @@ load _helpers yq -r '.metadata.labels.traffic' | tee /dev/stderr) [ "${actual}" = "external" ] } + +@test "server/ingress: annotations added to object" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.ingress.annotations=kubernetes.io/ingress.class: nginx' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/ingress.class"]' | tee /dev/stderr) + [ "${actual}" = "nginx" ] +} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 059a1d3..e3ae0f2 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -173,7 +173,7 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-service.yaml \ - --set 'server.service.annotations.vaultIsAwesome=true' \ + --set 'server.service.annotations=vaultIsAwesome: true' \ . | tee /dev/stderr | yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index d72de5d..5b8744a 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -7,7 +7,7 @@ load _helpers local actual=$(helm template \ --show-only templates/server-serviceaccount.yaml \ --set 'server.dev.enabled=true' \ - --set 'server.serviceAccount.annotations.foo=bar' \ + --set 'server.serviceAccount.annotations=foo: bar' \ . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "null" ] @@ -15,7 +15,7 @@ load _helpers local actual=$(helm template \ --show-only templates/server-serviceaccount.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.serviceAccount.annotations.foo=bar' \ + --set 'server.serviceAccount.annotations=foo: bar' \ . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "bar" ] diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 59f1818..46cfa88 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -190,7 +190,7 @@ load _helpers --set 'server.dev.enabled=true' \ --set 'ui.serviceType=LoadBalancer' \ --set 'ui.enabled=true' \ - --set 'ui.annotations.foo=bar' \ + --set 'ui.annotations=foo: bar' \ . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "bar" ] 
@@ -200,7 +200,7 @@ load _helpers --set 'server.ha.enabled=true' \ --set 'ui.serviceType=LoadBalancer' \ --set 'ui.enabled=true' \ - --set 'ui.annotations.foo=bar' \ + --set 'ui.annotations=foo: bar' \ . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "bar" ] diff --git a/values.yaml b/values.yaml index 9e2c7f5..1616394 100644 --- a/values.yaml +++ b/values.yaml @@ -45,11 +45,11 @@ injector: revokeOnShutdown: false # namespaceSelector is the selector for restricting the webhook to only - # specific namespaces. This should be set to a multiline string. + # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector # for more details. # Example: - # namespaceSelector: | + # namespaceSelector: # matchLabels: # sidecar-injector: enabled namespaceSelector: {} @@ -134,6 +134,7 @@ server: labels: {} # traffic: external annotations: {} + # | # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" hosts: @@ -256,7 +257,8 @@ server: port: 8200 # Target port to which the service should be mapped to targetPort: 8200 - # Extra annotations for the service definition + # Extra annotations for the service definition. This should be a multi-line + # string formatted as a map of the annotations to apply to the service. annotations: {} # This configures the Vault Statefulset to create a PVC for data @@ -397,6 +399,9 @@ server: # Definition of the serviceAccount used to run Vault. serviceAccount: + # Extra annotations for the serviceAccount definition. This should be a + # multi-line string formatted as a map of the annotations to apply to the + # serviceAccount. annotations: {} # Vault UI -- GitLab From 04df47159d986c59510c775cafcac479f09051fb Mon Sep 17 00:00:00 2001 
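Review bot: The ingress example in this hunk keeps `annotations: {}` as the default and then shows `# |` on its own line beneath it, which reads as if the block-scalar indicator belongs to the map; since the helpers now render these values with `tpl` and need a string, show the example as a complete replacement, e.g. `# annotations: |` followed by `#   kubernetes.io/ingress.class: nginx`, and do the same for the service and serviceAccount keys whose comments now say "multi-line string" while the default stays a map. Leaving the default as `{}` is harmless because an empty map and an empty string are both falsy in the helpers' `if` guards, but stating that next to the key avoids the map-versus-string confusion on upgrade.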
From: Theron Voran <tvoran@users.noreply.github.com> Date: Fri, 20 Mar 2020 08:39:56 -0700 Subject: [PATCH 27/79] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49318fd..a4e8acb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ Improvements: * Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)] * Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)] * Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)] +* Made all annotations multi-line strings [[GH-227](https://github.com/hashicorp/vault-helm/pull/227)] ## 0.4.0 (February 21st, 2020) -- GitLab From 0550623c219dcd3ffc339fe3e1f16df78852d99b Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Fri, 20 Mar 2020 10:54:32 -0700 Subject: [PATCH 28/79] Fix server-headless-service annotations (#236) `Values.server.service.annotations` are now being treated as multi-line strings, to match the other annotations in the chart, and to support templating within the annotations. --- templates/server-headless-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index 80a94a3..b9069d8 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -15,7 +15,7 @@ metadata: annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" {{- if .Values.server.service.annotations }} -{{ toYaml .Values.server.service.annotations | indent 4 }} +{{ tpl .Values.server.service.annotations . | indent 4 }} {{- end }} spec: clusterIP: None -- GitLab From d57bd7cb6e93d8a441328ced9b3d265c7e2e5fd3 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 23 Mar 2020 12:10:47 -0400 Subject: [PATCH 29/79] Fix bug with api server env (#237) --- templates/server-statefulset.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 5b4752b..d2b2ac1 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -71,7 +71,7 @@ spec:
 - name: VAULT_ADDR
 value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
 - name: VAULT_API_ADDR
- value: "{{ include "vault.scheme" . }}-internal://$(POD_IP):8200"
+ value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
 - name: SKIP_CHOWN
 value: "true"
 - name: SKIP_SETCAP
-- GitLab From ac64feb0eb4337343cec2411af8c911b9ae07bda Mon Sep 17 00:00:00 2001 From: Daniel Mittelman <daniel@monday.com> Date: Thu, 26 Mar 2020 16:15:08 +0200 Subject: [PATCH 30/79] Clarified documentation about Raft PV creation (#239) --- values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/values.yaml b/values.yaml
index 1616394..9e0326a 100644
--- a/values.yaml
+++ b/values.yaml
@@ -262,7 +262,7 @@ server:
 annotations: {}
 # This configures the Vault Statefulset to create a PVC for data
- # storage when using the file backend.
+ # storage when using the file or raft backend storage engines.
 # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
 dataStorage:
 enabled: true
@@ -341,8 +341,8 @@ server:
 # Enables Vault's integrated Raft storage. Unlike the typical HA modes where # Vault's persistence is external (such as Consul), enabling Raft mode will create
- # persistent volumes for Vault to store data. The Vault cluster will coordinate leader
- # elections and failovers internally.
+ # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
+ # The Vault cluster will coordinate leader elections and failovers internally.
 raft:
 # Enables Raft integrated storage
-- GitLab From e97f4a579f1bf44cc66d8295573bb01b7d1ff61f Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 26 Mar 2020 17:19:26 -0400 Subject: [PATCH 31/79] Fix hardcoded service name in raft enfv (#240) --- templates/_helpers.tpl | 2 +- test/unit/server-ha-statefulset.bats | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 866b826..9a22038 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -135,7 +135,7 @@ Set's additional environment variables based on the mode.
 {{ end }}
 {{ if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
 - name: VAULT_CLUSTER_ADDR
- value: "https://$(HOSTNAME).vault-internal:8201"
+ value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
 {{ end }}
 {{- end -}}
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index db2ea6b..8e19ae0 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
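Review bot: The new value `https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201` depends on Kubernetes expanding `$(HOSTNAME)`, which only happens when `HOSTNAME` is declared as an env entry earlier in the same container's env list; that declaration is outside this hunk, so please confirm it exists, otherwise the address is passed literally and raft peers cannot reach each other. The unit test added further down asserts the literal `$(HOSTNAME)` string, which checks rendering but not expansion. The default `server.ha.raft.config` introduced earlier in this series also sets `cluster_addr = "https://POD_IP:8201"`, so the cluster address is now configured in two places; a comment on the `- name: VAULT_CLUSTER_ADDR` line stating which one wins (to my knowledge Vault gives the environment variable precedence over the config file) would keep operators from tuning the wrong one. The enclosing define starts outside the hunk.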
@@ -403,6 +403,28 @@ load _helpers [ "${actual}" = "secret_key_1" ] } + +#-------------------------------------------------------------------- +# VAULT_CLUSTER_ADDR renders + +@test "server/ha-StatefulSet: cluster addr renders" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[7].name' | tee /dev/stderr) + [ "${actual}" = "VAULT_CLUSTER_ADDR" ] + + local actual=$(echo $object | + yq -r '.[7].value' | tee /dev/stderr) + [ "${actual}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] +} + #-------------------------------------------------------------------- # storage class -- GitLab From 2b137c95d2e04fb0ddabb0f94fdd58a7ecf0e5e0 Mon Sep 17 00:00:00 2001 From: Luiz Muller <contact@luizm.dev> Date: Fri, 3 Apr 2020 21:47:33 -0300 Subject: [PATCH 32/79] fix link to documentation (#247) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c6071b7..81409de 100644 --- a/README.md +++ b/README.md @@ -35,4 +35,4 @@ then be installed directly: Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the -[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html). +[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm). -- GitLab From 6d5a2174d85a8ce9790e786b7fc0e44283e93caf Mon Sep 17 00:00:00 2001 
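Review bot: The new assertions locate `VAULT_CLUSTER_ADDR` by array position (`.[7].name`, `.[7].value`), which breaks whenever an env entry is added ahead of it; the very next commit in this series has to renumber nearly every such index across test/unit/server-dev-statefulset.bats, server-ha-statefulset.bats and server-statefulset.bats. Selecting by name, `yq -r '.[] | select(.name == "VAULT_CLUSTER_ADDR") | .value'`, keeps the test independent of ordering and makes the intent readable without counting entries. The same positional pattern is used by the existing extraEnvironmentVars and extraSecretEnvironmentVars tests, so the fix applies there too.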
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 9 Apr 2020 09:26:58 -0400 Subject: [PATCH 33/79] Add Vault Helm ent support, service discovery (#250) * Add Vault Helm ent support, service discovery * Fix unit test * Update test/acceptance/server-ha-enterprise-dr.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update test/acceptance/server-ha-enterprise-dr.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update test/acceptance/server-ha-enterprise-perf.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update test/acceptance/server-ha-enterprise-perf.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update values.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> --- templates/_helpers.tpl | 4 - templates/server-discovery-role.yaml | 19 ++ templates/server-discovery-rolebinding.yaml | 23 +++ templates/server-ha-active-service.yaml | 35 ++++ templates/server-ha-standby-service.yaml | 35 ++++ templates/server-statefulset.yaml | 10 ++ test/acceptance/injector.bats | 17 +- test/acceptance/server-dev.bats | 11 +- test/acceptance/server-ha-enterprise-dr.bats | 167 ++++++++++++++++++ .../acceptance/server-ha-enterprise-perf.bats | 165 +++++++++++++++++ test/acceptance/server-ha-raft.bats | 11 +- test/acceptance/server-ha.bats | 11 +- test/acceptance/server.bats | 11 +- test/unit/server-dev-statefulset.bats | 20 +-- test/unit/server-ha-statefulset.bats | 32 ++-- test/unit/server-statefulset.bats | 16 +- values.yaml | 7 +- 17 files changed, 530 insertions(+), 64 deletions(-) create mode 100644 templates/server-discovery-role.yaml create mode 100644 templates/server-discovery-rolebinding.yaml create mode 100644 templates/server-ha-active-service.yaml create mode 100644 templates/server-ha-standby-service.yaml create mode 100644 test/acceptance/server-ha-enterprise-dr.bats create mode 
100644 test/acceptance/server-ha-enterprise-perf.bats diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 9a22038..89d23d8 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -133,10 +133,6 @@ Set's additional environment variables based on the mode. - name: VAULT_DEV_ROOT_TOKEN_ID value: "root" {{ end }} - {{ if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" - {{ end }} {{- end -}} {{/* diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml new file mode 100644 index 0000000..4a39cec --- /dev/null +++ b/templates/server-discovery-role.yaml @@ -0,0 +1,19 @@ +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: {{ .Release.Namespace }} + name: {{ template "vault.fullname" . }}-discovery-role + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list", "update", "patch"] +{{ end }} +{{ end }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml new file mode 100644 index 0000000..f9494b4 --- /dev/null +++ b/templates/server-discovery-rolebinding.yaml 
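Review bot: The Role grants `update` and `patch` on every pod in the release namespace, and nothing in the template records why write verbs are needed, so a reader cannot tell whether `get`/`list`/`watch` would suffice. If the grant exists so Vault's service registration can label its own pod (the `vault-active` selector used by the new Services suggests this), say so in a comment above `rules:`, e.g. `# update/patch let Vault set the vault-active label on its own pod for service registration`. RBAC `resourceNames` can narrow `get`/`update`/`patch` to the StatefulSet's pod names but not `list`/`watch`, so the write verbs could be scoped more tightly than the read verbs if the pod names are enumerated from the replica count.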
@@ -0,0 +1,23 @@ +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-discovery-rolebinding + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-discovery-role +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }} + namespace: {{ .Release.Namespace }} +{{ end }} +{{ end }} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml new file mode 100644 index 0000000..1af8520 --- /dev/null +++ b/templates/server-ha-active-service.yaml 
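Review bot: The RoleBinding uses `apiVersion: rbac.authorization.k8s.io/v1beta1` while the Role it references (server-discovery-role.yaml in the same commit) uses `v1`; the v1beta1 RBAC API has been deprecated since Kubernetes 1.17 and is removed in 1.22, so this file will stop applying on newer clusters while the Role still works. Change it to `apiVersion: rbac.authorization.k8s.io/v1` — the schema of this object is identical in v1.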
@@ -0,0 +1,35 @@ +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +# Service for active Vault pod +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-active + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: +{{- if .Values.server.service.annotations }} +{{ toYaml .Values.server.service.annotations | indent 4 }} +{{- end }} +spec: + type: ClusterIP + publishNotReadyAddresses: true + ports: + - name: http + port: 8200 + targetPort: 8200 + - name: internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + vault-active: "true" +{{- end }} +{{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml new file mode 100644 index 0000000..2dd7522 --- /dev/null +++ b/templates/server-ha-standby-service.yaml 
@@ -0,0 +1,35 @@ +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +# Service for active Vault pod +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-standby + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: +{{- if .Values.server.service.annotations }} +{{ toYaml .Values.server.service.annotations | indent 4 }} +{{- end }} +spec: + type: ClusterIP + publishNotReadyAddresses: true + ports: + - name: http + port: 8200 + targetPort: 8200 + - name: internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + vault-active: "false" +{{- end }} +{{- end }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index d2b2ac1..255a844 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -68,6 +68,14 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + - name: VAULT_K8S_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: VAULT_K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace - name: VAULT_ADDR value: "{{ include "vault.scheme" . }}://127.0.0.1:8200" - name: VAULT_API_ADDR @@ -80,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: VAULT_CLUSTER_ADDR + value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} 
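Review bot: The header comment in server-ha-standby-service.yaml reads `# Service for active Vault pod`, copied from the active service, although the selector here is `vault-active: "false"`. Change it to `# Service for standby Vault pods` so the two otherwise near-identical files can be told apart at a glance; the `-standby` name suffix is the only other difference and is worth stating in that comment as well.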
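Review bot: `VAULT_CLUSTER_ADDR` is now emitted unconditionally in server-statefulset.yaml, whereas the helper removed from templates/_helpers.tpl earlier in this commit only set it for HA Raft mode, so dev and standalone pods will also advertise `https://$(HOSTNAME).<fullname>-internal:8201` as their cluster address. If that is intended (the `cluster_addr` lines dropped from values.yaml in this commit suggest the env var now replaces them for every config), a one-line comment above the entry saying so would save the next reader from re-gating it. The env list continues outside the hunk.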
diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index 2fdb7a5..e7fb393 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats @@ -45,11 +45,14 @@ load _helpers # Clean up teardown() { - echo "helm/pvc teardown" - helm delete vault - kubectl delete --all pvc - kubectl delete secret test - kubectl delete job pgdump - kubectl delete deployment postgres - kubectl delete namespace acceptance + if [[ ${CLEANUP:-true} == "true" ]] + then + echo "helm/pvc teardown" + helm delete vault + kubectl delete --all pvc + kubectl delete secret test + kubectl delete job pgdump + kubectl delete deployment postgres + kubectl delete namespace acceptance + fi } diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats index 05f3661..ffda946 100644 --- a/test/acceptance/server-dev.bats +++ b/test/acceptance/server-dev.bats @@ -54,8 +54,11 @@ load _helpers # Clean up teardown() { - echo "helm/pvc teardown" - helm delete vault - kubectl delete --all pvc - kubectl delete namespace acceptance --ignore-not-found=true + if [[ ${CLEANUP:-true} == "true" ]] + then + echo "helm/pvc teardown" + helm delete vault + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi } diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats new file mode 100644 index 0000000..35348e3 --- /dev/null +++ b/test/acceptance/server-ha-enterprise-dr.bats 
@@ -0,0 +1,167 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/ha-enterprise-raft: testing DR deployment" { + cd `chart_dir` + + helm install "$(name_prefix)-east" \ + --set='server.image.repository=hashicorp/vault-enterprise' \ + --set='server.image.tag=1.4.0_ent' \ + --set='injector.enabled=false' \ + --set='server.ha.enabled=true' \ + --set='server.ha.raft.enabled=true' . + wait_for_running "$(name_prefix)-east-0" + + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "true" ] + + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "false" ] + + # Vault Init + local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ + vault operator init -format=json -n 1 -t 1) + + local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') + [ "${primary_token}" != "" ] + + local primary_root=$(echo ${init} | jq -r '.root_token') + [ "${primary_root}" != "" ] + + kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} + wait_for_ready "$(name_prefix)-east-0" + + sleep 10 + + # Vault Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + for pod in "${pods[@]}" + do + if [[ ${pod?} != "$(name_prefix)-east-0" ]] + then + kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 + kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + wait_for_ready "${pod}" + fi + done + + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "false" ] + + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "true" ] + + kubectl 
exec "$(name_prefix)-east-0" -- vault login ${primary_root} + + local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | + jq -r '.data.config.servers | length') + [ "${raft_status}" == "3" ] + + kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 + + local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json) + [ "${secondary}" != "" ] + + local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') + [ "${secondary_replica_token}" != "" ] + + # Install vault-west + helm install "$(name_prefix)-west" \ + --set='injector.enabled=false' \ + --set='server.image.repository=hashicorp/vault-enterprise' \ + --set='server.image.tag=1.4.0_ent' \ + --set='server.ha.enabled=true' \ + --set='server.ha.raft.enabled=true' . + wait_for_running "$(name_prefix)-west-0" + + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "true" ] + + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "false" ] + + # Vault Init + local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ + vault operator init -format=json -n 1 -t 1) + + local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') + [ "${secondary_token}" != "" ] + + local secondary_root=$(echo ${init} | jq -r '.root_token') + [ "${secondary_root}" != "" ] + + kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} + wait_for_ready "$(name_prefix)-west-0" + + sleep 10 + + # Vault Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) + for pod in "${pods[@]}" + do + if [[ 
${pod?} != "$(name_prefix)-west-0" ]] + then + kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 + kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} + wait_for_ready "${pod}" + fi + done + + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "false" ] + + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "true" ] + + kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} + + local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | + jq -r '.data.config.servers | length') + [ "${raft_status}" == "3" ] + + kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token} + + sleep 10 + + local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) + for pod in "${pods[@]}" + do + if [[ ${pod?} != "$(name_prefix)-west-0" ]] + then + kubectl delete pod "${pod?}" + wait_for_running "${pod?}" + kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + wait_for_ready "${pod}" + fi + done +} + +setup() { + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + kubectl config set-context --current --namespace=acceptance +} + +#cleanup +teardown() { + if [[ ${CLEANUP:-true} == "true" ]] + then + helm delete vault-east + helm delete vault-west + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi +} diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats new file mode 100644 index 0000000..6543663 --- /dev/null +++ b/test/acceptance/server-ha-enterprise-perf.bats 
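Review bot: The east-cluster join loop selects pods with `app.kubernetes.io/name=vault`, which matches every Vault pod in the namespace, while the west loop uses the instance label; a leftover release in the namespace would be joined to the wrong cluster. Use `--selector="app.kubernetes.io/instance=$(name_prefix)-east"` for symmetry with the west loop. The `# Sealed, not initialized` comment is also copied above the assertions that check sealed is `false` and initialized is `true`; `# Unsealed and initialized` describes those. Both issues recur in test/acceptance/server-ha-enterprise-perf.bats. Note too that the unseal key and root token travel as `kubectl exec` arguments and can surface in test output on failure — acceptable on a throwaway cluster, but worth a comment so the pattern is not copied into a non-test script.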
@@ -0,0 +1,165 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/ha-enterprise-raft: testing performance replica deployment" { + cd `chart_dir` + + helm install "$(name_prefix)-east" \ + --set='injector.enabled=false' \ + --set='server.image.repository=hashicorp/vault-enterprise' \ + --set='server.image.tag=1.4.0_ent' \ + --set='server.ha.enabled=true' \ + --set='server.ha.raft.enabled=true' . + wait_for_running "$(name_prefix)-east-0" + + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "true" ] + + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "false" ] + + # Vault Init + local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ + vault operator init -format=json -n 1 -t 1) + + local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') + [ "${primary_token}" != "" ] + + local primary_root=$(echo ${init} | jq -r '.root_token') + [ "${primary_root}" != "" ] + + kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} + wait_for_ready "$(name_prefix)-east-0" + + sleep 10 + + # Vault Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + for pod in "${pods[@]}" + do + if [[ ${pod?} != "$(name_prefix)-east-0" ]] + then + kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 + kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + wait_for_ready "${pod}" + fi + done + + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "false" ] + + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == 
"true" ] + + kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root} + + local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | + jq -r '.data.config.servers | length') + [ "${raft_status}" == "3" ] + + kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 + + local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json) + [ "${secondary}" != "" ] + + local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') + [ "${secondary_replica_token}" != "" ] + + # Install vault-west + helm install "$(name_prefix)-west" \ + --set='injector.enabled=false' \ + --set='server.image.repository=hashicorp/vault-enterprise' \ + --set='server.image.tag=1.4.0_ent' \ + --set='server.ha.enabled=true' \ + --set='server.ha.raft.enabled=true' . 
+ wait_for_running "$(name_prefix)-west-0" + + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "true" ] + + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "false" ] + + # Vault Init + local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ + vault operator init -format=json -n 1 -t 1) + + local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') + [ "${secondary_token}" != "" ] + + local secondary_root=$(echo ${init} | jq -r '.root_token') + [ "${secondary_root}" != "" ] + + kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} + wait_for_ready "$(name_prefix)-west-0" + + sleep 10 + + # Vault Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) + for pod in "${pods[@]}" + do + if [[ ${pod?} != "$(name_prefix)-west-0" ]] + then + kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 + kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} + wait_for_ready "${pod}" + fi + done + + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "false" ] + + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + jq -r '.initialized') + [ "${init_status}" == "true" ] + + kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} + + local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | + jq -r '.data.config.servers | length') + [ "${raft_status}" == "3" ] + + kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable 
token=${secondary_replica_token} + + sleep 10 + + local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) + for pod in "${pods[@]}" + do + if [[ ${pod?} != "$(name_prefix)-west-0" ]] + then + kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + wait_for_ready "${pod}" + fi + done +} + +setup() { + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + kubectl config set-context --current --namespace=acceptance +} + +#cleanup +teardown() { + if [[ ${CLEANUP:-true} == "true" ]] + then + helm delete vault-east + helm delete vault-west + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi +} diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index 17951b8..a411f3c 100644 --- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -102,7 +102,7 @@ load _helpers kubectl exec "$(name_prefix)-0" -- vault login ${root} - local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft configuration -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json | jq -r '.data.config.servers | length') [ "${raft_status}" == "3" ] } @@ -115,7 +115,10 @@ setup() { #cleanup teardown() { - helm delete vault - kubectl delete --all pvc - kubectl delete namespace acceptance --ignore-not-found=true + if [[ ${CLEANUP:-true} == "true" ]] + then + helm delete vault + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi } diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index f29e31f..74a3c11 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats 
@@ -103,8 +103,11 @@ setup() { #cleanup teardown() { - helm delete vault - helm delete consul - kubectl delete --all pvc - kubectl delete namespace acceptance --ignore-not-found=true + if [[ ${CLEANUP:-true} == "true" ]] + then + helm delete vault + helm delete consul + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi } diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index d8edbd5..beb2fa2 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats @@ -111,8 +111,11 @@ load _helpers # Clean up teardown() { - echo "helm/pvc teardown" - helm delete vault - kubectl delete --all pvc - kubectl delete namespace acceptance --ignore-not-found=true + if [[ ${CLEANUP:-true} == "true" ]] + then + echo "helm/pvc teardown" + helm delete vault + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi } diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 5ce3405..3b38eab 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats @@ -249,19 +249,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) + yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[9].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[9].value' | tee /dev/stderr) + yq -r '.[12].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } 
@@ -282,23 +282,23 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[10].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_0" ] local actual=$(echo $object | - yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_0" ] local actual=$(echo $object | - yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_0" ] local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_1" ] local actual=$(echo $object | - yq -r '.[8].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_1" ] local actual=$(echo $object | - yq -r '.[8].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_1" ] } diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 8e19ae0..e93bf31 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -71,11 +71,11 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[2].name' | tee /dev/stderr) + yq -r '.[4].name' | tee /dev/stderr) [ "${actual}" = "VAULT_ADDR" ] local actual=$(echo $object | - yq -r '.[2].value' | tee /dev/stderr) + yq -r '.[4].value' | tee /dev/stderr) [ "${actual}" = "http://127.0.0.1:8200" ] } @test "server/ha-StatefulSet: tls enabled" { 
@@ -87,11 +87,11 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[2].name' | tee /dev/stderr) + yq -r '.[4].name' | tee /dev/stderr) [ "${actual}" = "VAULT_ADDR" ] local actual=$(echo $object | - yq -r '.[2].value' | tee /dev/stderr) + yq -r '.[4].value' | tee /dev/stderr) [ "${actual}" = "https://127.0.0.1:8200" ] } @@ -349,19 +349,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[10].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) + yq -r '.[10].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) + yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } 
@@ -383,23 +383,23 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[10].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_0" ] local actual=$(echo $object | - yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_0" ] local actual=$(echo $object | - yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_0" ] local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_1" ] local actual=$(echo $object | - yq -r '.[8].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_1" ] local actual=$(echo $object | - yq -r '.[8].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_1" ] } @@ -417,11 +417,11 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[9].name' | tee /dev/stderr) [ "${actual}" = "VAULT_CLUSTER_ADDR" ] local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) + yq -r '.[9].value' | tee /dev/stderr) [ "${actual}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] } diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 35ebf21..b0dc6fb 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -384,19 +384,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[10].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) + yq -r '.[10].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) + yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] local object=$(helm template \ @@ -407,19 +407,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[7].name' | tee /dev/stderr) + yq -r '.[10].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[7].value' | tee /dev/stderr) + yq -r '.[10].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[8].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[8].value' | tee /dev/stderr) + yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } diff --git a/values.yaml b/values.yaml index 9e0326a..a7d7b92 100644 --- a/values.yaml +++ b/values.yaml @@ -110,7 +110,7 @@ server: image: repository: "vault" - tag: "1.3.3" + tag: "1.4.0" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -349,7 +349,6 @@ server: enabled: false config: | ui = true - cluster_addr = "https://POD_IP:8201" listener "tcp" { tls_disable = 1 
@@ -361,12 +360,12 @@ server: path = "/vault/data" } + service_registration "kubernetes" {} # config is a raw string of default configuration when using a Stateful # deployment. Default is to use a Consul for its HA storage backend. # This should be HCL. config: | ui = true - cluster_addr = "https://POD_IP:8201" listener "tcp" { tls_disable = 1 @@ -378,6 +377,8 @@ server: address = "HOST_IP:8500" } + service_registration "kubernetes" {} + # Example configuration for using auto-unseal, using Google Cloud KMS. The # GKMS keys must already exist, and the cluster must have a service account # that is authorized to access GCP KMS. -- GitLab From 13f6df4e6af605be7c14bca1e78244b16e5ad8bb Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 9 Apr 2020 09:51:37 -0400 Subject: [PATCH 34/79] Update to 0.5.0 (#253) * Update to 0.5.0 * Add changelog for k8s service discovery --- CHANGELOG.md | 6 ++++-- Chart.yaml | 2 +- values.yaml | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a4e8acb..8109c85 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,12 @@ ## Unreleased +## 0.5.0 (April 9th, 2020) + Features: * Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)] - -Improvements: +* Now supports Vault Enterprise [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)] +* Added K8s Service Registration for HA modes [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)] * Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)] * Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)] diff --git a/Chart.yaml b/Chart.yaml index a41283c..3469359 100644 --- a/Chart.yaml +++ b/Chart.yaml 
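Review bot: The `service_registration "kubernetes" {}` stanza added to both HA default configs carries no comment, yet the new `-active`/`-standby` Services select on the `vault-active` label that only this stanza makes Vault write; a user who overrides `config` with their own HCL and omits it gets two Services with no endpoints and no error. Add above each stanza: `# Labels the pod with vault-active so the -active/-standby Services can route to it; keep this if you override this config`. The enclosing `ha:` block starts outside the hunk.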
@@ -1,6 +1,6 @@ apiVersion: v2 name: vault -version: 0.4.0 +version: 0.5.0 description: Install and configure Vault on Kubernetes. home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/values.yaml b/values.yaml index a7d7b92..54ca6d0 100644 --- a/values.yaml +++ b/values.yaml @@ -30,7 +30,7 @@ injector: # required. agentImage: repository: "vault" - tag: "1.3.3" + tag: "1.4.0" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" -- GitLab From 497daa5f60f434f90cec2a736ed7e5dbd6bfc26c Mon Sep 17 00:00:00 2001 From: Petter Abrahamsson <petter@jebus.nu> Date: Thu, 9 Apr 2020 12:47:17 -0400 Subject: [PATCH 35/79] Remove IPC_LOCK capability (#198) * Remove IPC_LOCK capability * Remove tests for IPC_LOCK --- templates/server-statefulset.yaml | 3 --- test/acceptance/server-ha.bats | 5 ----- test/acceptance/server.bats | 5 ----- 3 files changed, 13 deletions(-) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 255a844..1497889 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -52,9 +52,6 @@ spec: containers: - name: vault {{ template "vault.resources" . }} - securityContext: - capabilities: - add: ["IPC_LOCK"] image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} imagePullPolicy: {{ .Values.server.image.pullPolicy }} command: {{ template "vault.command" . }} diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 74a3c11..4cb4a75 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats 
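Review bot: Dropping the whole container `securityContext` removes Vault's ability to mlock its memory, so this change is only safe while the rendered config keeps `disable_mlock = true` (the configmap template later on this page writes that line unconditionally) and the node really has no swap; a comment at the removed spot would record that dependency, e.g. `# No IPC_LOCK: the chart renders disable_mlock = true, so Vault never calls mlock`. Since the block is removed rather than tightened, this is also the natural place to set `allowPrivilegeEscalation: false` now that no capability is needed. The vault container definition continues outside the hunk.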
@@ -18,11 +18,6 @@ load _helpers jq -r '.initialized') [ "${init_status}" == "false" ] - # Security - local ipc=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]') - [ "${ipc}" == "IPC_LOCK" ] - # Replicas local replicas=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.replicas') diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index beb2fa2..ce7843f 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats @@ -21,11 +21,6 @@ load _helpers jq -r '.initialized') [ "${init_status}" == "false" ] - # Security - local ipc=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]') - [ "${ipc}" == "IPC_LOCK" ] - # Replicas local replicas=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.replicas') -- GitLab From 27a3a765138e95d22f725031ac501f52e402e755 Mon Sep 17 00:00:00 2001 From: Jared Allard <jaredallard@users.noreply.github.com> Date: Thu, 9 Apr 2020 09:48:42 -0700 Subject: [PATCH 36/79] fix(templates/server): ingress has default paths of / (#224) * fix(templates/server): ingress has default paths of / * fix: array -> list It's been awhile since I wrote Helm templates :/ --- templates/server-ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 32755f3..fd9662d 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -33,7 +33,7 @@ spec: - host: {{ .host | quote }} http: paths: - {{- range .paths }} + {{- range (.paths | default (list "/")) }} - path: {{ . }} backend: serviceName: {{ $serviceName }} -- GitLab From c869fa86517bffc68f5827b9995dbe17fd35d197 Mon Sep 17 00:00:00 2001 
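Review bot: `default (list "/")` also fires when a host sets `paths: []`, because Sprig's `default` treats an empty list as unset, and `paths: []` is exactly the example the values.yaml excerpt on this page shows; the values.yaml comment should state that an empty list now yields a single `/` path. The path value is still rendered unquoted on the next line, so `- path: {{ . | quote }}` would keep a path containing YAML-significant characters from breaking the document. The enclosing `range` over hosts starts outside the hunk.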
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 9 Apr 2020 12:51:35 -0400 Subject: [PATCH 37/79] changelog++ --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8109c85..0e7e732 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ ## Unreleased +Features: + +Improvements: +* Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)] + +Bugs: +* Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] + ## 0.5.0 (April 9th, 2020) Features: -- GitLab From 0e115513c2740ca8e467006df6b5354c01af7852 Mon Sep 17 00:00:00 2001 From: Denys Vitali <denys@denv.it> Date: Fri, 10 Apr 2020 14:43:14 +0000 Subject: [PATCH 38/79] docs(REAMDE): Fix Vault K8s dead link (#256) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 81409de..b049825 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ cases of Vault on Kubernetes depending on the values provided. For full documentation on this Helm chart along with all the ways you can use Vault with Kubernetes, please see the -[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/index.html). +[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/). ## Prerequisites -- GitLab From 374ea22c02957aff7811d9875c2c2666e91acfaa Mon Sep 17 00:00:00 2001 
From: Javad Karabi <karabijavad@gmail.com> Date: Mon, 13 Apr 2020 10:48:23 -0500 Subject: [PATCH 39/79] use port names that map to vault.scheme (#223) * use port names that map to vault.scheme * prefix internal/replication port names with vault.scheme * port names must be 'no more than 15 characters' * test vault server service port names are prefixed with vault scheme * test vault server statefulset port names are prefixed with vault scheme * test vault ui service port names are prefixed with vault scheme * formatting: replace double quote with single quote * uncomment accidentally-commented lines * always set internal port name to https-internal, since it is always https * prefix headless service internal port name with https --- templates/server-headless-service.yaml | 2 +- templates/server-service.yaml | 4 +-- templates/server-statefulset.yaml | 6 ++-- templates/ui-service.yaml | 2 +- test/unit/server-service.bats | 22 +++++++++++++ test/unit/server-statefulset.bats | 44 ++++++++++++++++++++++++++ test/unit/ui-service.bats | 24 ++++++++++++++ 7 files changed, 97 insertions(+), 7 deletions(-) diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index b9069d8..cced609 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -24,7 +24,7 @@ spec: - name: "{{ include "vault.scheme" . }}" port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} - - name: internal + - name: https-internal port: 8201 targetPort: 8201 selector: diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 68a06fb..4d0e289 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml 
@@ -31,13 +31,13 @@ spec: # since this DNS is also used for join operations. publishNotReadyAddresses: true ports: - - name: http + - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} nodePort: {{ .Values.server.service.nodePort }} {{- end }} - - name: internal + - name: https-internal port: 8201 targetPort: 8201 selector: diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 1497889..3b51a62 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -94,11 +94,11 @@ spec: {{ template "vault.mounts" . }} ports: - containerPort: 8200 - name: http + name: {{ include "vault.scheme" . }} - containerPort: 8201 - name: internal + name: https-internal - containerPort: 8202 - name: replication + name: {{ include "vault.scheme" . }}-rep {{- if .Values.server.readinessProbe.enabled }} readinessProbe: {{- if .Values.server.readinessProbe.path }} diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index 6d89264..8b8a2c9 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -25,7 +25,7 @@ spec: component: server publishNotReadyAddresses: true ports: - - name: http + - name: {{ include "vault.scheme" . }} port: {{ .Values.ui.externalPort }} targetPort: 8200 {{- if .Values.ui.serviceNodePort }} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index e3ae0f2..5821b91 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
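Review bot: The templated port name is quoted in server-headless-service.yaml (`- name: "{{ include "vault.scheme" . }}"`) but unquoted in server-service.yaml, server-statefulset.yaml and ui-service.yaml in this commit; pick one form, preferably the quoted one so the name always renders as a string. The commit message notes the 15-character limit on port names that forced the `-rep` suffix; a comment next to it, `# port names are limited to 15 chars, hence the short -rep suffix`, keeps a longer suffix from slipping in later. The enclosing `ports:` lists start outside the hunks.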
@@ -388,3 +388,25 @@ load _helpers yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) [ "${actual}" = "null" ] } + +@test "server/Service: vault port name is http, when tlsDisable is true" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'global.tlsDisable=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "http" ] +} + +@test "server/Service: vault port name is https, when tlsDisable is false" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'global.tlsDisable=false' \ + . | tee /dev/stderr | + yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "https" ] +} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index b0dc6fb..3d08925 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -892,3 +892,47 @@ load _helpers yq -r '.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]' | tee /dev/stderr) [[ "${actual}" = "sleep 10 &&"* ]] } + +@test "server/standalone-StatefulSet: vault port name is http, when tlsDisable is true" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.tlsDisable=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].ports | map(select(.containerPort==8200)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "http" ] +} + +@test "server/standalone-StatefulSet: vault replication port name is http-rep, when tlsDisable is true" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.tlsDisable=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].ports | map(select(.containerPort==8202)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "http-rep" ] +} + +@test "server/standalone-StatefulSet: vault port name is https, when tlsDisable is false" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.tlsDisable=false' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].ports | map(select(.containerPort==8200)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "https" ] +} + +@test "server/standalone-StatefulSet: vault replication port name is https-rep, when tlsDisable is false" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.tlsDisable=false' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].ports | map(select(.containerPort==8202)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "https-rep" ] +} diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 46cfa88..042e141 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats 
@@ -214,3 +214,27 @@ load _helpers yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "null" ] } + +@test "ui/Service: port name is http, when tlsDisable is true" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'global.tlsDisable=true' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].name' | tee /dev/stderr) + [ "${actual}" = "http" ] +} + +@test "ui/Service: port name is https, when tlsDisable is false" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'global.tlsDisable=false' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].name' | tee /dev/stderr) + [ "${actual}" = "https" ] +} -- GitLab From 39631aad6be443941c4a8cfb8ac033ad141ed366 Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Mon, 13 Apr 2020 10:17:49 -0700 Subject: [PATCH 40/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e7e732..3f808fa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Features: Improvements: * Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)] +* Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)] Bugs: * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] -- GitLab From 2072bf2dcd0babe260654932f40a4d5fa13569df Mon Sep 17 00:00:00 2001 
From: Theron Voran <tvoran@users.noreply.github.com> Date: Tue, 21 Apr 2020 08:19:17 -0700 Subject: [PATCH 41/79] Fix ha standby and active service annotations (#268) * service: fix annotations for HA standby/active services * added unit tests Co-authored-by: yotsub <63680950+yotsub@users.noreply.github.com> --- templates/server-ha-active-service.yaml | 2 +- templates/server-ha-standby-service.yaml | 2 +- test/unit/server-ha-active-service.bats | 14 ++++++++++++++ test/unit/server-ha-standby-service.bats | 14 ++++++++++++++ 4 files changed, 30 insertions(+), 2 deletions(-) create mode 100644 test/unit/server-ha-active-service.bats create mode 100644 test/unit/server-ha-standby-service.bats diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 1af8520..0333df1 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -14,7 +14,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: {{- if .Values.server.service.annotations }} -{{ toYaml .Values.server.service.annotations | indent 4 }} +{{ tpl .Values.server.service.annotations . | indent 4 }} {{- end }} spec: type: ClusterIP diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 2dd7522..d8df9e7 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -14,7 +14,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: {{- if .Values.server.service.annotations }} -{{ toYaml .Values.server.service.annotations | indent 4 }} +{{ tpl .Values.server.service.annotations . | indent 4 }} {{- end }} spec: type: ClusterIP diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats new file mode 100644 index 0000000..4e6ad1a --- /dev/null +++ b/test/unit/server-ha-active-service.bats 
@@ -0,0 +1,14 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/ha-active-Service: generic annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.annotations=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats new file mode 100644 index 0000000..7630ac5 --- /dev/null +++ b/test/unit/server-ha-standby-service.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/ha-standby-Service: generic annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.annotations=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} -- GitLab From 1be24460f3e8b2fa5ac0fa4b1794eaa271246d2f Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Tue, 21 Apr 2020 08:20:41 -0700 Subject: [PATCH 42/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3f808fa..604bd71 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ Improvements: Bugs: * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] +* Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)] ## 0.5.0 (April 9th, 2020) -- GitLab From 0f36ee3a5b536e7b3541a7353b21ef34c0e70ab2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?David=20Moreno=20Garc=C3=ADa?= <david.mogar@gmail.com> Date: Mon, 27 Apr 2020 16:45:56 +0200 Subject: [PATCH 43/79] Change config specification (#213) * Change config specification As it is right now, the specification of the config is done through an string. When using storage backends like PostgreSQL, the password for the database has to be included in the config variable of the values file. This change allows to specify the configuration through a map, making the chart GitOps friendly. Now, sensitive values can be stored in a different values file or passed on deployment time with --set. To have a very generic specification: - I've assumed that the combination stanza (eg. storage) name (eg. file) is unique. - Quoted values for all stanza parameters. I tested a generated configuration in a vault docker image and it seems to work just fine. * Change config format to json * Add conditional formatting * Add config for raft mode --- templates/_helpers.tpl | 4 ++-- templates/server-config-configmap.yaml | 13 ++++++++++++- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 89d23d8..12a006a 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -83,7 +83,7 @@ defined a custom configuration. Additionally iterates over any extra volumes the user may have specified (such as a secret with TLS). */}} {{- define "vault.volumes" -}} - {{- if and (ne .mode "dev") (or (ne .Values.server.standalone.config "") (ne .Values.server.ha.config "")) }} + {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} - name: config configMap: name: {{ template "vault.fullname" . }}-config 
@@ -150,7 +150,7 @@ based on the mode configured. mountPath: /vault/data {{ end }} {{ end }} - {{ if and (ne .mode "dev") (or (ne .Values.server.standalone.config "") (ne .Values.server.ha.config "")) }} + {{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} - name: config mountPath: /vault/config {{ end }} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index 6e05850..b8093ad 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -1,7 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}} -{{ if or (ne .Values.server.standalone.config "") (ne .Values.server.ha.config "") -}} +{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} apiVersion: v1 kind: ConfigMap metadata: @@ -14,6 +14,9 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} data: extraconfig-from-values.hcl: |- + {{- if or (eq .mode "ha") (eq .mode "standalone") }} + {{- $type := typeOf (index .Values.server .mode).config }} + {{- if eq $type "string" }} disable_mlock = true {{- if eq .mode "standalone" }} {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} @@ -22,6 +25,14 @@ data: {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} {{ end }} + {{- else }} + {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }} + {{- else }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }} + {{- end }} + {{- end }} + {{- end }} {{- end }} {{- end }} {{- end }} -- GitLab From 7880c3b973f39fc6119b0038c527f25617092d4d Mon Sep 17 00:00:00 2001 
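Review bot: `merge (dict "disable_mlock" true) ...config` gives precedence to the first argument in Sprig, so a `disable_mlock: false` in a user's map config is silently overridden; that matches the string path, which prepends `disable_mlock = true` unconditionally, but it deserves a comment such as `# chart-managed keys win over user config; disable_mlock stays true because the container runs without IPC_LOCK`. The commit message motivates the map form with database passwords, yet in either form the rendered config is written into the `-config` ConfigMap, so the credential still lands in cluster state readable by anyone who can read ConfigMaps; the values.yaml comment should say so and point at `extraSecretEnvironmentVars` for secret material. The JSON body is stored under a key named `extraconfig-from-values.hcl`; a one-line comment noting that Vault reads JSON from it too (the commit message reports this was tested) would spare the next reader a double-take.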
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 27 Apr 2020 10:47:28 -0400 Subject: [PATCH 44/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 604bd71..b34f640 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Features: Improvements: +* Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213) * Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)] * Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)] -- GitLab From e09de0dc636e8a8ee277d1e729a6f967867c62d8 Mon Sep 17 00:00:00 2001 
From: Theron Voran <tvoran@users.noreply.github.com> Date: Mon, 27 Apr 2020 08:28:50 -0700 Subject: [PATCH 45/79] Allow both yaml and multi-line string annotations (#272) Changed/added helper functions to detect if the annotations value is a string or yaml, and apply `tpl` or `toYaml` accordingly. Defaults are left as `{}` since yaml is more likely to be used with helm on the command line. This means a warning will be shown when setting an annotation to a multi-line string (which has been the existing behavior). --- templates/_helpers.tpl | 42 +++++++++++++++-- templates/server-ha-active-service.yaml | 4 +- templates/server-ha-standby-service.yaml | 4 +- templates/server-headless-service.yaml | 4 +- templates/server-service.yaml | 4 +- test/acceptance/server-annotations.bats | 46 +++++++++++++++++++ .../server-test/annotations-overrides.yaml | 9 ++++ test/unit/server-ha-standby-service.bats | 13 +++++- test/unit/server-ingress.bats | 14 +++++- test/unit/server-serviceaccount.bats | 8 ++++ test/unit/server-statefulset.bats | 22 +++++++++ test/unit/ui-service.bats | 10 ++++ values.yaml | 22 +++++---- 13 files changed, 175 insertions(+), 27 deletions(-) create mode 100644 test/acceptance/server-annotations.bats create mode 100644 test/acceptance/server-test/annotations-overrides.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 12a006a..bab233b 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -264,7 +264,12 @@ Sets extra pod annotations {{- define "vault.annotations" -}} {{- if and (ne .mode "dev") .Values.server.annotations }} annotations: - {{- tpl .Values.server.annotations . | nindent 8 }} + {{- $tp := typeOf .Values.server.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.server.annotations | nindent 8 }} + {{- end }} {{- end }} {{- end -}} 
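Review bot: In the map branch `toYaml` emits values with their YAML types, so `--set 'server.annotations.vaultIsAwesome=true'` (the form the new unit tests on this page use) renders `vaultIsAwesome: true` as a boolean, which the API server rejects because annotations must be strings; the `yq -r` unit tests cannot see this, and only the acceptance test with string values goes through the apiserver. Either document in the values.yaml comments this commit rewrites that non-string values need quoting (`--set-string`, or `"true"` in a values file), or coerce inside the helper, e.g. `{{- range $k, $v := .Values.server.annotations }}{{ printf "%s: %s" $k ($v | toString | quote) | nindent 8 }}{{- end }}` in place of the `toYaml` line. The same applies to the ui, serviceAccount, ingress and service helpers in the next hunks.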
@@ -274,7 +279,12 @@ Sets extra ui service annotations {{- define "vault.ui.annotations" -}} {{- if .Values.ui.annotations }} annotations: - {{- tpl .Values.ui.annotations . | nindent 4 }} + {{- $tp := typeOf .Values.ui.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.ui.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.ui.annotations | nindent 4 }} + {{- end }} {{- end }} {{- end -}} @@ -284,7 +294,12 @@ Sets extra service account annotations {{- define "vault.serviceAccount.annotations" -}} {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} annotations: - {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }} + {{- $tp := typeOf .Values.server.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }} + {{- end }} {{- end }} {{- end -}} @@ -294,7 +309,26 @@ Sets extra ingress annotations {{- define "vault.ingress.annotations" -}} {{- if .Values.server.ingress.annotations }} annotations: - {{- tpl .Values.server.ingress.annotations . | nindent 4 }} + {{- $tp := typeOf .Values.server.ingress.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.ingress.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.ingress.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra vault server Service annotations +*/}} +{{- define "vault.service.annotations" -}} + {{- if .Values.server.service.annotations }} + {{- $tp := typeOf .Values.server.service.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.annotations | nindent 4 }} + {{- end }} {{- end }} {{- end -}} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 0333df1..01f962d 100644 
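Review bot: The typeOf/tpl/toYaml branch is now written out five times (vault.annotations in the previous hunk, and vault.ui.annotations, vault.serviceAccount.annotations, vault.ingress.annotations and the new vault.service.annotations here) with only the value and indent differing; one rendering helper that takes the value and the root context keeps the string-vs-map rule in a single place. Unlike its siblings, vault.service.annotations does not emit the `annotations:` key itself, so its four callers must write the key unconditionally; the define should say so, e.g. `{{/* Renders only the annotation entries; callers emit the annotations: key */}}`.
```yaml
{{/*
Renders an annotations value that is either a templated string or a map.
Expects a dict with "value" (the annotations) and "context" (the root context).
*/}}
{{- define "vault.renderAnnotations" -}}
  {{- if eq (typeOf .value) "string" }}
    {{- tpl .value .context }}
  {{- else }}
    {{- toYaml .value }}
  {{- end }}
{{- end -}}

{{/*
Sets extra vault server Service annotations (entries only; callers emit the key)
*/}}
{{- define "vault.service.annotations" -}}
  {{- if .Values.server.service.annotations }}
    {{- include "vault.renderAnnotations" (dict "value" .Values.server.service.annotations "context" .) | nindent 4 }}
  {{- end }}
{{- end -}}
```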
--- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -13,9 +13,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{- if .Values.server.service.annotations }} -{{ tpl .Values.server.service.annotations . | indent 4 }} -{{- end }} +{{ template "vault.service.annotations" .}} spec: type: ClusterIP publishNotReadyAddresses: true diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index d8df9e7..302627a 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -13,9 +13,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{- if .Values.server.service.annotations }} -{{ tpl .Values.server.service.annotations . | indent 4 }} -{{- end }} +{{ template "vault.service.annotations" .}} spec: type: ClusterIP publishNotReadyAddresses: true diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index cced609..4bb276b 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -14,9 +14,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -{{- if .Values.server.service.annotations }} -{{ tpl .Values.server.service.annotations . | indent 4 }} -{{- end }} +{{ template "vault.service.annotations" .}} spec: clusterIP: None publishNotReadyAddresses: true diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 4d0e289..6d50584 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml 
@@ -17,9 +17,7 @@ metadata: # to an open issue where it may not work: # https://github.com/kubernetes/kubernetes/issues/58662 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -{{- if .Values.server.service.annotations }} -{{ tpl .Values.server.service.annotations . | indent 4 }} -{{- end }} +{{ template "vault.service.annotations" .}} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} diff --git a/test/acceptance/server-annotations.bats b/test/acceptance/server-annotations.bats new file mode 100644 index 0000000..d382788 --- /dev/null +++ b/test/acceptance/server-annotations.bats 
@@ -0,0 +1,46 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/annotations: testing yaml and yaml-formatted string formats" { + cd `chart_dir` + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + kubectl config set-context --current --namespace=acceptance + + helm install "$(name_prefix)" -f ./test/acceptance/server-test/annotations-overrides.yaml . + wait_for_running $(name_prefix)-0 + + # service annotations + local awesome=$(kubectl get service "$(name_prefix)" --output json | + jq -r '.metadata.annotations.active') + [ "${awesome}" == "sometimes" ] + + local pickMe=$(kubectl get service "$(name_prefix)" --output json | + jq -r '.metadata.annotations.pickMe') + [ "${pickMe}" == "please" ] + + local environment=$(kubectl get statefulset "$(name_prefix)" --output json | + jq -r '.spec.template.metadata.annotations.environment') + [ "${environment}" == "production" ] + + local milk=$(kubectl get statefulset "$(name_prefix)" --output json | + jq -r '.spec.template.metadata.annotations.milk') + [ "${milk}" == "oat" ] + + local myName=$(kubectl get statefulset "$(name_prefix)" --output json | + jq -r '.spec.template.metadata.annotations.myName') + [ "${myName}" == "$(name_prefix)" ] + +} + +# Clean up +teardown() { + if [[ ${CLEANUP:-true} == "true" ]] + then + echo "helm/pvc teardown" + helm delete $(name_prefix) + kubectl delete --all pvc + kubectl delete namespace acceptance --ignore-not-found=true + fi +} diff --git a/test/acceptance/server-test/annotations-overrides.yaml b/test/acceptance/server-test/annotations-overrides.yaml new file mode 100644 index 0000000..459576a --- /dev/null +++ b/test/acceptance/server-test/annotations-overrides.yaml @@ -0,0 +1,9 @@ +server: + annotations: | + environment: production + milk: oat + myName: "{{ .Release.Name }}" + service: + annotations: + active: sometimes + pickMe: please 
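Review bot: `kubectl config set-context --current --namespace=acceptance` rewrites the namespace of the developer's current kubeconfig context and `teardown` never restores it, so a local run leaves every later kubectl call pointed at a namespace the teardown has just deleted; passing `-n acceptance` to the kubectl and helm calls, or saving the previous namespace and restoring it in teardown, avoids the side effect. The unconditional `kubectl delete namespace acceptance` at the top also removes whatever else lives in that namespace on a shared cluster; a comment stating that the test owns the namespace would make the assumption explicit.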
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 7630ac5..f2f0043 100644 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -2,7 +2,7 @@ load _helpers -@test "server/ha-standby-Service: generic annotations" { +@test "server/ha-standby-Service: generic annotations string" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ @@ -12,3 +12,14 @@ load _helpers yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "server/ha-standby-Service: generic annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.annotations.vaultIsAwesome=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 9f54e5c..8660920 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -70,7 +70,7 @@ load _helpers [ "${actual}" = "external" ] } -@test "server/ingress: annotations added to object" { +@test "server/ingress: annotations added to object - string" { cd `chart_dir` local actual=$(helm template \ @@ -81,3 +81,15 @@ load _helpers yq -r '.metadata.annotations["kubernetes.io/ingress.class"]' | tee /dev/stderr) [ "${actual}" = "nginx" ] } + +@test "server/ingress: annotations added to object - yaml" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set server.ingress.annotations."kubernetes\.io/ingress\.class"=nginx \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/ingress.class"]' | tee /dev/stderr) + [ "${actual}" = "nginx" ] +} 
diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 5b8744a..fe09c2a 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -20,6 +20,14 @@ load _helpers yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "bar" ] + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.serviceAccount.annotations.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) + [ "${actual}" = "bar" ] + local actual=$(helm template \ --show-only templates/server-serviceaccount.yaml \ --set 'server.ha.enabled=true' \ diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 3d08925..8e80119 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -936,3 +936,25 @@ load _helpers yq -r '.spec.template.spec.containers[0].ports | map(select(.containerPort==8202)) | .[] .name' | tee /dev/stderr) [ "${actual}" = "https-rep" ] } + +#-------------------------------------------------------------------- +# annotations +@test "server/standalone-StatefulSet: generic annotations string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.annotations=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/ha-standby-Service: generic annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.annotations.vaultIsAwesome=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 042e141..b92160b 100755 
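Review bot: The second new test in server-statefulset.bats is named `server/ha-standby-Service: generic annotations yaml` although it renders templates/server-statefulset.yaml and asserts on pod annotations; the name looks copied from the standby-service test and should read `@test "server/standalone-StatefulSet: generic annotations yaml" {` so failures are attributed to the right template. Both tests check only through `yq -r`, which prints `true` for a boolean and a string alike, so they cannot tell whether the rendered annotation is a string the API server would accept.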
--- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -205,6 +205,16 @@ load _helpers yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "bar" ] + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'ui.serviceType=LoadBalancer' \ + --set 'ui.enabled=true' \ + --set 'ui.annotations.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) + [ "${actual}" = "bar" ] + local actual=$(helm template \ --show-only templates/ui-service.yaml \ --set 'server.ha.enabled=true' \ diff --git a/values.yaml b/values.yaml index 54ca6d0..b0b303c 100644 --- a/values.yaml +++ b/values.yaml @@ -137,6 +137,9 @@ server: # | # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" + # or + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" hosts: - host: chart-example.local paths: [] @@ -230,8 +233,8 @@ server: extraLabels: {} # Extra annotations to attach to the server pods - # This should be a multi-line string mapping directly to the a map of - # the annotations to apply to the server pods + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the server pods annotations: {} # Enables a headless service to be used by the Vault Statefulset @@ -257,8 +260,9 @@ server: port: 8200 # Target port to which the service should be mapped to targetPort: 8200 - # Extra annotations for the service definition. This should be a multi-line - # string formatted as a map of the annotations to apply to the service. + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the service. annotations: {} # This configures the Vault Statefulset to create a PVC for data 
@@ -400,9 +404,9 @@ server: # Definition of the serviceAccount used to run Vault. serviceAccount: - # Extra annotations for the serviceAccount definition. This should be a - # multi-line string formatted as a map of the annotations to apply to the - # serviceAccount. + # Extra annotations for the serviceAccount definition. This can either be + # YAML or a YAML-formatted multi-line templated string map of the + # annotations to apply to the serviceAccount. annotations: {} # Vault UI @@ -424,6 +428,6 @@ ui: # loadBalancerIP: # Extra annotations to attach to the ui service - # This should be a multi-line string mapping directly to the a map of - # the annotations to apply to the ui service + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the ui service annotations: {} -- GitLab From accbd222ecf8672d5de85f47f7d96f615b457ff7 Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Mon, 27 Apr 2020 08:31:25 -0700 Subject: [PATCH 46/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b34f640..396a339 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ Improvements: * Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213) * Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)] * Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)] +* Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)] Bugs: * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] -- GitLab From 8cc3fdb167c3a3458deea1a6774f281016cb29ce Mon Sep 17 00:00:00 2001 
From: Yong Wen Chua <lawliet89@users.noreply.github.com> Date: Mon, 27 Apr 2020 23:38:26 +0800 Subject: [PATCH 47/79] Add support for setting VAULT_RAFT_NODE_ID environment variable (#269) * Add support for setting VAULT_RAFT_NODE_ID environment variable * Update server-statefulset.yaml * Update server-ha-statefulset.bats --- templates/server-statefulset.yaml | 6 ++++++ test/unit/server-ha-statefulset.bats | 25 +++++++++++++++++++++++-- values.yaml | 12 +++++++----- 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 3b51a62..545b3d6 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -87,6 +87,12 @@ spec: fieldPath: metadata.name - name: VAULT_CLUSTER_ADDR value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} + - name: VAULT_RAFT_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- end }} {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index e93bf31..e6d0d58 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -403,7 +403,6 @@ load _helpers [ "${actual}" = "secret_key_1" ] } - #-------------------------------------------------------------------- # VAULT_CLUSTER_ADDR renders @@ -415,7 +414,7 @@ load _helpers --set 'server.ha.raft.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) - + local actual=$(echo $object | yq -r '.[9].name' | tee /dev/stderr) [ "${actual}" = "VAULT_CLUSTER_ADDR" ] 
@@ -425,6 +424,28 @@ load _helpers [ "${actual}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] } +#-------------------------------------------------------------------- +# VAULT_RAFT_NODE_ID renders + +@test "server/ha-StatefulSet: raft node ID renders" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.raft.setNodeId=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[10].name' | tee /dev/stderr) + [ "${actual}" = "VAULT_RAFT_NODE_ID" ] + + local actual=$(echo $object | + yq -r '.[10].valueFrom.fieldRef.fieldPath' | tee /dev/stderr) + [ "${actual}" = 'metadata.name' ] +} + #-------------------------------------------------------------------- # storage class diff --git a/values.yaml b/values.yaml index b0b303c..305da7b 100644 --- a/values.yaml +++ b/values.yaml @@ -40,7 +40,7 @@ injector: # Configures the log format of the injector. Supported log formats: "standard", "json". logFormat: "standard" - + # Configures all Vault Agent sidecars to revoke their token when shutting down revokeOnShutdown: false @@ -342,15 +342,17 @@ server: ha: enabled: false replicas: 3 - - # Enables Vault's integrated Raft storage. Unlike the typical HA modes where - # Vault's persistence is external (such as Consul), enabling Raft mode will create + + # Enables Vault's integrated Raft storage. Unlike the typical HA modes where + # Vault's persistence is external (such as Consul), enabling Raft mode will create # persistent volumes for Vault to store data according to the configuration under server.dataStorage. # The Vault cluster will coordinate leader elections and failovers internally. raft: - + # Enables Raft integrated storage enabled: false + # Set the Node Raft ID to the name of the pod + setNodeId: false config: | ui = true -- GitLab 
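Review bot: The new test locates the variable by position, `yq -r '.[10].name'`, so any future env var inserted earlier in the container's env list (the template already interleaves several conditional blocks there) breaks this test without any change to the feature it covers; select by name instead, e.g. `yq -r '.[] | select(.name == "VAULT_RAFT_NODE_ID") | .valueFrom.fieldRef.fieldPath'`. The existing VAULT_CLUSTER_ADDR test in the same file uses `.[9]` and has the same fragility. A negative case — `setNodeId` left at its default and the variable absent — is also missing, which is what actually guards the `if and (...)` condition added in server-statefulset.yaml.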
From 138b9217a5ba2a16fc762f8235ffccdc27d4f039 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 27 Apr 2020 11:39:22 -0400 Subject: [PATCH 48/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 396a339..90ba23b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ Improvements: * Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)] * Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)] * Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)] +* Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)] Bugs: * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] -- GitLab From c045ad89aa2a320c7335949b77330e56c89ac8bd Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 27 Apr 2020 14:49:09 -0400 Subject: [PATCH 49/79] Fix raft acceptance test (#279) --- test/acceptance/server-ha-raft.bats | 5 ----- 1 file changed, 5 deletions(-) diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index a411f3c..b6f1f25 100644 --- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -19,11 +19,6 @@ load _helpers jq -r '.initialized') [ "${init_status}" == "false" ] - # Security - local ipc=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]') - [ "${ipc}" == "IPC_LOCK" ] - # Replicas local replicas=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.replicas') -- GitLab From ee2827f710454997a75a0ecf0cd718a3ff213ea0 Mon Sep 17 00:00:00 2001 
From: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
Date: Wed, 29 Apr 2020 14:37:18 -0400
Subject: [PATCH 50/79] add API trigger for helm charts index (#281)

---
 .circleci/config.yml | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 357aa40..9d497c0 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -6,8 +6,30 @@ jobs:
 - checkout
 - run: make test-image
 - run: make test-unit
+ update-helm-charts-index:
+ docker:
+ - image: circleci/golang:latest
+ steps:
+ - run:
+ name: update helm-charts index
+ command: |
+ curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
+ -X POST \
+ -H 'Content-Type: application/json' \
+ -H 'Accept: application/json' \
+ -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
+ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
 workflows:
 version: 2
 build_and_test:
 jobs:
- - bats-unit-test
+ - bats-unit-test
+ update-helm-charts-index:
+ jobs:
+ - update-helm-charts-index:
+ context: helm-charts-trigger
+ filters:
+ tags:
+ only: /^v.*/
+ branches:
+ ignore: /.*/
--
GitLab

From c8b18d1876a5f8ca708cd86f288a246b776a07c6 Mon Sep 17 00:00:00 2001
From: Yong Wen Chua <lawliet89@users.noreply.github.com>
Date: Fri, 1 May 2020 09:37:27 +0800
Subject: [PATCH 51/79] Support setting priorityClassName on pods (#282)

---
 templates/injector-deployment.yaml | 3 +++
 templates/server-statefulset.yaml | 3 +++
 test/unit/injector-deployment.bats | 22 ++++++++++++++++++++++
 test/unit/server-statefulset.bats | 26 ++++++++++++++++++++++++--
 values.yaml | 6 ++++++
 5 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 4233726..1c5b951 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
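Review bot: `--user "${CIRCLE_TOKEN}:"` places the API token on the curl command line, where it is readable by any other process in the job container through its argv and would be printed verbatim if the step were ever run with shell tracing; curl can take the credential from stdin instead, e.g. `curl -K - --show-error --silent --fail ... <<EOF` followed by `user = "${CIRCLE_TOKEN}:"` and `EOF`, which keeps it out of the process table. The job image `- image: circleci/golang:latest` is a floating tag for a step that only needs curl, so the tool versions this trigger runs with can change underneath it; pin a specific version or digest. It also looks like this workflow fires on every `v*` tag on its own, with no `requires` on `bats-unit-test` and the `build_and_test` workflow not running on tags, so a comment above `filters:` stating that the index update is intentionally not gated on the unit tests (or adding that gate) would make the intent explicit.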
@@ -27,6 +27,9 @@ spec: {{ template "injector.affinity" . }} {{ template "injector.tolerations" . }} {{ template "injector.nodeselector" . }} + {{- if .Values.injector.priorityClassName }} + priorityClassName: {{ .Values.injector.priorityClassName }} + {{- end }} serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" securityContext: runAsNonRoot: true diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 545b3d6..3f40709 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -37,6 +37,9 @@ spec: {{ template "vault.affinity" . }} {{ template "vault.tolerations" . }} {{ template "vault.nodeselector" . }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName }} + {{- end }} terminationGracePeriodSeconds: 10 serviceAccountName: {{ template "vault.fullname" . }} {{ if .Values.server.shareProcessNamespace }} diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 033ce7c..bd3f63a 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
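Review bot: `priorityClassName: {{ .Values.injector.priorityClassName }}` renders the value unquoted, so a class name that a YAML parser retypes (all digits, `yes`/`no`/`on`/`off`, `null`) comes out as a non-string and is rejected by API validation; render it as `priorityClassName: {{ .Values.injector.priorityClassName | quote }}`. The server-statefulset.yaml hunk in this patch has the same issue and should become `priorityClassName: {{ .Values.server.priorityClassName | quote }}`. Both enclosing PodSpec blocks start and end outside their hunks.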
@@ -425,3 +425,25 @@ load _helpers yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr) [ "${actual}" = "testing" ] } + +#-------------------------------------------------------------------- +# priorityClassName + +@test "injector/deployment: priorityClassName not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/deployment: priorityClassName can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.priorityClassName=armaggeddon' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 8e80119..3fa7ba4 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -711,7 +711,7 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr) - [ "${actual}" = "null" ] + [ "${actual}" = "null" ] } @test "server/standalone-StatefulSet: shareProcessNamespace enabled" { @@ -724,7 +724,7 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr) - [ "${actual}" = "true" ] + [ "${actual}" = "true" ] } # extra labels 
@@ -958,3 +958,25 @@ load _helpers yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } + +#-------------------------------------------------------------------- +# priorityClassName + +@test "server/standalone-StatefulSet: priorityClassName not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: priorityClassName can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.priorityClassName=armaggeddon' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/values.yaml b/values.yaml index 305da7b..2385dcc 100644 --- a/values.yaml +++ b/values.yaml @@ -103,6 +103,9 @@ injector: # beta.kubernetes.io/arch: amd64 nodeSelector: null + # Priority class for injector pods + priorityClassName: "" + server: # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. @@ -227,6 +230,9 @@ server: # beta.kubernetes.io/arch: amd64 nodeSelector: {} + # Priority class for server pods + priorityClassName: "" + # Extra labels to attach to the server pods # This should be a multi-line string mapping directly to the a map of # the labels to apply to the server pods -- GitLab From 24b13630f013b8be91b7befd2910c800648d8446 Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Thu, 30 Apr 2020 18:38:42 -0700 Subject: [PATCH 52/79] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90ba23b..6eea47b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,6 +8,7 @@ Improvements: * Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)] * Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)] * Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)] +* Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)] Bugs: * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] -- GitLab From 2af6f9b44f7cf6f4a5d6d4fd26c42b1b092ffc96 Mon Sep 17 00:00:00 2001 From: Brian Choy <bycEEE@gmail.com> Date: Tue, 5 May 2020 08:10:17 -0700 Subject: [PATCH 53/79] Add support for priorityClassName (#165) * Add support for priorityClassName * Add unit tests * Remove comment * Update comment, accidentally deleted comment * Remove whitespace --- templates/injector-deployment.yaml | 3 +++ templates/server-statefulset.yaml | 3 +++ test/unit/server-statefulset.bats | 23 +++++++++++++++++++++++ values.yaml | 11 +++++++++++ 4 files changed, 40 insertions(+) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 1c5b951..8c947ac 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -94,6 +94,9 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 + {{- if .Values.injector.priorityClassName }} + priorityClassName: {{ .Values.injector.priorityClassName }} + {{- end }} {{- if .Values.injector.certs.secretName }} volumeMounts: - name: webhook-certs diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 3f40709..174feee 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml 
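Review bot: In the injector-deployment.yaml hunk the added `priorityClassName` block is placed between `timeoutSeconds: 5` and `volumeMounts:`, which are container-level fields, so it appears to land inside the container spec where `priorityClassName` is not a valid field (it belongs to the PodSpec) and the API server would reject the manifest when the value is set. The pod-level setting for the injector was already added by the previous patch (#282), so even at the right indentation this would produce a duplicate key. The next patch in this series reverts this commit, which seems to confirm the problem; the enclosing container definition starts and ends outside the hunk.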
@@ -158,6 +158,9 @@ spec: {{- if .Values.server.extraContainers }} {{ toYaml .Values.server.extraContainers | nindent 8}} {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName }} + {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 3fa7ba4..1f3f2f0 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -872,6 +872,29 @@ load _helpers [[ "${actual}" = *"foobar"* ]] } +#-------------------------------------------------------------------- +# priorityClassName + +@test "server/standalone-StatefulSet: priorityClassName disabled by default" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr) + + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: priorityClassName enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + --set 'server.priorityClassName=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr) + + [ "${actual}" = "foo" ] + #-------------------------------------------------------------------- # preStop @test "server/standalone-StatefulSet: preStop sleep duration default" { diff --git a/values.yaml b/values.yaml index 2385dcc..851ef25 100644 --- a/values.yaml +++ b/values.yaml @@ -81,6 +81,11 @@ injector: # memory: 256Mi # cpu: 250m + # priorityClassName launches injector pods with a priority class. + # See: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + # for more details. + priorityClassName: null + # extraEnvironmentVars is a list of extra enviroment variables to set in the # injector deployment. extraEnvironmentVars: {} 
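Review bot: The `priorityClassName enabled` test added to test/unit/server-statefulset.bats never closes its body: the 23 added lines end with `[ "${actual}" = "foo" ]` and a blank line, with no `}` before the `# preStop` context, so bats fails to parse the file and the following preStop test is swallowed. Add `}` after the assertion. The two new tests also use `-x templates/server-statefulset.yaml` while the rest of this file uses `--show-only templates/server-statefulset.yaml` (see the annotation and priorityClassName tests added in earlier patches); keep one form.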
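Review bot: The values.yaml hunk adds `priorityClassName: null` under `injector:`, but this section already has `priorityClassName: ""` from patch #282 (added after `nodeSelector: null`), so the rendered values file carries a duplicate key and most YAML loaders silently keep whichever comes last. The server hunk on the next line has the same duplicate against the existing `server.priorityClassName: ""`, and additionally leaves the `# Ingress allows ingress services to be created to allow external access` comment orphaned above the new key while repeating it below. Either drop this commit's additions or remove the earlier definitions, but not both copies.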
@@ -131,6 +136,12 @@ server: # cpu: 250m # Ingress allows ingress services to be created to allow external access + # priorityClassName launches server pods with a priority class. + # See: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + # for more details. + priorityClassName: null + + # Ingress allows ingress services to be created to allow external access # from Kubernetes to access Vault pods. ingress: enabled: false -- GitLab From 08a6f929b863cc78fa82dabdc1295fa8415b9c6b Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 5 May 2020 11:29:09 -0400 Subject: [PATCH 54/79] Revert "Add support for priorityClassName (#165)" (#287) This reverts commit 2af6f9b44f7cf6f4a5d6d4fd26c42b1b092ffc96. --- templates/injector-deployment.yaml | 3 --- templates/server-statefulset.yaml | 3 --- test/unit/server-statefulset.bats | 23 ----------------------- values.yaml | 11 ----------- 4 files changed, 40 deletions(-) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 8c947ac..1c5b951 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -94,9 +94,6 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 - {{- if .Values.injector.priorityClassName }} - priorityClassName: {{ .Values.injector.priorityClassName }} - {{- end }} {{- if .Values.injector.certs.secretName }} volumeMounts: - name: webhook-certs diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 174feee..3f40709 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml 
@@ -158,9 +158,6 @@ spec: {{- if .Values.server.extraContainers }} {{ toYaml .Values.server.extraContainers | nindent 8}} {{- end }} - {{- if .Values.server.priorityClassName }} - priorityClassName: {{ .Values.server.priorityClassName }} - {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 1f3f2f0..3fa7ba4 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -872,29 +872,6 @@ load _helpers [[ "${actual}" = *"foobar"* ]] } -#-------------------------------------------------------------------- -# priorityClassName - -@test "server/standalone-StatefulSet: priorityClassName disabled by default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/server-statefulset.yaml \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr) - - [ "${actual}" = "null" ] -} - -@test "server/standalone-StatefulSet: priorityClassName enabled" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/server-statefulset.yaml \ - --set 'server.priorityClassName=foo' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr) - - [ "${actual}" = "foo" ] - #-------------------------------------------------------------------- # preStop @test "server/standalone-StatefulSet: preStop sleep duration default" { diff --git a/values.yaml b/values.yaml index 851ef25..2385dcc 100644 --- a/values.yaml +++ b/values.yaml @@ -81,11 +81,6 @@ injector: # memory: 256Mi # cpu: 250m - # priorityClassName launches injector pods with a priority class. - # See: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ - # for more details. - priorityClassName: null - # extraEnvironmentVars is a list of extra enviroment variables to set in the # injector deployment. extraEnvironmentVars: {} 
@@ -136,12 +131,6 @@ server: # cpu: 250m # Ingress allows ingress services to be created to allow external access - # priorityClassName launches server pods with a priority class. - # See: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ - # for more details. - priorityClassName: null - - # Ingress allows ingress services to be created to allow external access # from Kubernetes to access Vault pods. ingress: enabled: false -- GitLab From 0cc1af18767f8874683baa85066395f72b0d4640 Mon Sep 17 00:00:00 2001 From: Adrienne Cohea <34219237+AdrienneCohea@users.noreply.github.com> Date: Fri, 8 May 2020 11:35:39 -0700 Subject: [PATCH 55/79] Add init containers to support TLS certificate introduction and other dynamic configuration use cases. (#258) --- templates/server-statefulset.yaml | 4 ++ test/unit/server-statefulset.bats | 68 +++++++++++++++++++++++++++++++ values.yaml | 5 +++ 3 files changed, 77 insertions(+) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 3f40709..96aaf75 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -52,6 +52,10 @@ spec: fsGroup: {{ .Values.server.gid | default 1000 }} volumes: {{ template "vault.volumes" . }} + {{- if .Values.server.extraInitContainers }} + initContainers: + {{ toYaml .Values.server.extraInitContainers | nindent 8}} + {{- end }} containers: - name: vault {{ template "vault.resources" . }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 3fa7ba4..5bdc25f 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
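Review bot: `initContainers:` followed by `{{ toYaml .Values.server.extraInitContainers | nindent 8}}` pastes the user list verbatim directly under the pod `securityContext` that sets `runAsNonRoot` and `fsGroup`; a container-level `securityContext` inside that list overrides those pod-level settings for that container, so an init container supplied through values can run as root or add capabilities without anything in the chart flagging it. A comment in the template at the `{{- if .Values.server.extraInitContainers }}` line, and in values.yaml next to the key, would make this explicit: `# Init containers inherit the pod securityContext above unless they declare their own; review any securityContext in this list.` The `if`/`initContainers:`/`toYaml` layout mirrors the existing `extraContainers` block, which is consistent with the file.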
@@ -618,6 +618,74 @@ load _helpers [ "${actual}" = "testing" ] } +#-------------------------------------------------------------------- +# extraInitContainers + +@test "server/standalone-StatefulSet: adds extra init containers" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.extraInitContainers[0].image=test-image' \ + --set 'server.extraInitContainers[0].name=test-container' \ + --set 'server.extraInitContainers[0].ports[0].name=test-port' \ + --set 'server.extraInitContainers[0].ports[0].containerPort=9410' \ + --set 'server.extraInitContainers[0].ports[0].protocol=TCP' \ + --set 'server.extraInitContainers[0].env[0].name=TEST_ENV' \ + --set 'server.extraInitContainers[0].env[0].value=test_env_value' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.initContainers[] | select(.name == "test-container")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.name' | tee /dev/stderr) + [ "${actual}" = "test-container" ] + + local actual=$(echo $object | + yq -r '.image' | tee /dev/stderr) + [ "${actual}" = "test-image" ] + + local actual=$(echo $object | + yq -r '.ports[0].name' | tee /dev/stderr) + [ "${actual}" = "test-port" ] + + local actual=$(echo $object | + yq -r '.ports[0].containerPort' | tee /dev/stderr) + [ "${actual}" = "9410" ] + + local actual=$(echo $object | + yq -r '.ports[0].protocol' | tee /dev/stderr) + [ "${actual}" = "TCP" ] + + local actual=$(echo $object | + yq -r '.env[0].name' | tee /dev/stderr) + [ "${actual}" = "TEST_ENV" ] + + local actual=$(echo $object | + yq -r '.env[0].value' | tee /dev/stderr) + [ "${actual}" = "test_env_value" ] + +} + +@test "server/standalone-StatefulSet: add two extra init containers" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.extraInitContainers[0].image=test-image' \ + --set 
'server.extraInitContainers[0].name=test-container' \ + --set 'server.extraInitContainers[1].image=test-image' \ + --set 'server.extraInitContainers[1].name=test-container-2' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.initContainers' | tee /dev/stderr) + + local containers_count=$(echo $object | + yq -r 'length' | tee /dev/stderr) + [ "${containers_count}" = 2 ] + +} + #-------------------------------------------------------------------- # extraContainers diff --git a/values.yaml b/values.yaml index 2385dcc..f757d13 100644 --- a/values.yaml +++ b/values.yaml @@ -159,6 +159,11 @@ server: authDelegator: enabled: true + # extraInitContainers is a list of init containers. Specified as a raw YAML string. + # This is useful if you need to run a script to provision TLS certificates or + # write out configuration files in a dynamic way. + extraInitContainers: null + # extraContainers is a list of sidecar containers. Specified as a raw YAML string. extraContainers: null -- GitLab From ac6089c45ef66d4e1eed0e279364ccbb2f8a6eda Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 8 May 2020 14:36:56 -0400 Subject: [PATCH 56/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6eea47b..aff223c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ ## Unreleased Features: +* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258) Improvements: * Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213) -- GitLab From dd8e3a230cdb7e2f0bf934d430065d29ba176d1e Mon Sep 17 00:00:00 2001 
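Review bot: The values.yaml comment `# extraInitContainers is a list of init containers. Specified as a raw YAML string.` does not match how the value is consumed: the template applies `toYaml` to it and the new unit tests set it with `--set 'server.extraInitContainers[0].image=...'`, i.e. as a YAML list, and a literal multi-line string would render as a scalar under `initContainers:`. Change the sentence to `Specified as a YAML list.`; the same wording problem exists on the `extraContainers` comment directly below it. Patch 58 later in this series appears to make exactly this correction.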
From: Theron Voran <tvoran@users.noreply.github.com> Date: Wed, 20 May 2020 09:15:55 -0700 Subject: [PATCH 57/79] updated readme with the helm repo info (#308) --- README.md | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index b049825..bbc9de3 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,9 @@ use Vault with Kubernetes, please see the ## Prerequisites -To use the charts here, [Helm](https://helm.sh/) must be installed in your -Kubernetes cluster. Setting up Kubernetes and Helm and is outside the scope -of this README. Please refer to the Kubernetes and Helm documentation. +To use the charts here, [Helm](https://helm.sh/) must be configured for your +Kubernetes cluster. Setting up Kubernetes and Helm and is outside the scope of +this README. Please refer to the Kubernetes and Helm documentation. The versions required are: 
@@ -24,15 +24,17 @@ The versions required are: ## Usage -For now, we do not host a chart repository. To use the charts, you must -download this repository and unpack it into a directory. Either -[download a tagged release](https://github.com/hashicorp/vault-helm/releases) or -use `git checkout` to a tagged release. -Assuming this repository was unpacked into the directory `vault-helm`, the chart can -then be installed directly: +To install the latest version of this chart, add the Hashicorp helm repository +and run `helm install`: - helm install ./vault-helm +```console +$ helm repo add hashicorp https://helm.releases.hashicorp.com +"hashicorp" has been added to your repositories -Please see the many options supported in the `values.yaml` -file. These are also fully documented directly on the -[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm). +$ helm install vault hashicorp/vault +``` + +Please see the many options supported in the `values.yaml` file. These are also +fully documented directly on the [Vault +website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more +detailed installation instructions. -- GitLab From 7b744295cfa6d5f6283965e09434f7c3af45ba73 Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Wed, 20 May 2020 09:16:54 -0700 Subject: [PATCH 58/79] Update default values (#309) Updating some of the default values to match how they're used in the templates. --- values.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/values.yaml b/values.yaml index f757d13..d315c87 100644 --- a/values.yaml +++ b/values.yaml @@ -121,7 +121,7 @@ server: # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies updateStrategyType: "OnDelete" - resources: + resources: {} # resources: # requests: # memory: 256Mi 
@@ -159,12 +159,12 @@ server: authDelegator: enabled: true - # extraInitContainers is a list of init containers. Specified as a raw YAML string. + # extraInitContainers is a list of init containers. Specified as a YAML list. # This is useful if you need to run a script to provision TLS certificates or # write out configuration files in a dynamic way. extraInitContainers: null - # extraContainers is a list of sidecar containers. Specified as a raw YAML string. + # extraContainers is a list of sidecar containers. Specified as a YAML list. extraContainers: null # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers @@ -226,21 +226,20 @@ server: # Toleration Settings for server pods # This should be a multi-line string matching the Toleration array # in a PodSpec. - tolerations: {} + tolerations: null # nodeSelector labels for server pod assignment, formatted as a muli-line string. # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector # Example: # nodeSelector: | # beta.kubernetes.io/arch: amd64 - nodeSelector: {} + nodeSelector: null # Priority class for server pods priorityClassName: "" # Extra labels to attach to the server pods - # This should be a multi-line string mapping directly to the a map of - # the labels to apply to the server pods + # This should be a YAML map of the labels to apply to the server pods extraLabels: {} # Extra annotations to attach to the server pods -- GitLab From 7e5ed6bae9764d23acb0c43add21dfc47096779a Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Wed, 20 May 2020 09:18:54 -0700 Subject: [PATCH 59/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index aff223c..a69eba9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,6 +14,7 @@ Improvements: Bugs: * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] * Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)] +* Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)] ## 0.5.0 (April 9th, 2020) -- GitLab From 9a835c40f1d2897c893abadb02b5b5c48ddc4d68 Mon Sep 17 00:00:00 2001 From: Josh Keife <jkeife@gmail.com> Date: Thu, 21 May 2020 09:58:53 -0600 Subject: [PATCH 60/79] Update comment in standby service (#299) --- templates/server-ha-standby-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 302627a..2def5f7 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -1,7 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} -# Service for active Vault pod +# Service for standby Vault pod apiVersion: v1 kind: Service metadata: -- GitLab From 6b77840e22faa67d3148fffd4199e662cc762569 Mon Sep 17 00:00:00 2001 From: Gorka Maiztegi <gmaiztegi@gmail.com> Date: Wed, 27 May 2020 04:28:15 +0200 Subject: [PATCH 61/79] Update ingress apiVersion (#310) The apiVersion `extensions/v1beta1` for ingresses has been removed in Kubernetes 1.16 and the new `networking.k8s.io/v1beta1` has to be used now. This conditional keeps compatibility with older Kubernetes versions while using the new apiVersion when available. --- templates/server-ingress.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index fd9662d..b17eb5c 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml 
@@ -3,7 +3,11 @@ {{- if .Values.server.ingress.enabled -}} {{- $serviceName := include "vault.fullname" . -}} {{- $servicePort := .Values.server.service.port -}} +{{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} +apiVersion: networking.k8s.io/v1beta1 +{{ else }} apiVersion: extensions/v1beta1 +{{ end }} kind: Ingress metadata: name: {{ template "vault.fullname" . }} -- GitLab From 7cc905e00ece416507846159bb02bf66e594b35b Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Tue, 26 May 2020 19:31:06 -0700 Subject: [PATCH 62/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a69eba9..2561ab4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ Improvements: * Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)] * Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)] * Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)] +* Add support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)] Bugs: * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] -- GitLab From 7002cc664be17f955a3be9ff540a2f8ef754e8d8 Mon Sep 17 00:00:00 2001 
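Review bot: The three new template actions `{{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}`, `{{ else }}` and `{{ end }}` are the only ones in this file written without the `{{-` trim used on the surrounding lines, so the rendered Ingress picks up blank lines around `apiVersion`; `{{- if ... }}`, `{{- else }}` and `{{- end }}` keep the output consistent. Which branch the chart's unit tests render depends on the API versions `helm template` assumes when it is not talking to a cluster, and this patch adds no test for either branch; one test passing `--api-versions networking.k8s.io/v1beta1` and one without would pin both outcomes.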
From: Sarah Thompson <sthompson@hashicorp.com> Date: Wed, 27 May 2020 17:21:16 +0100 Subject: [PATCH 63/79] Get acceptance tests running against GKE in CI - merges to master only. (#291) * Get acceptance tests running against GKE in CI - merges to master only. * Adding README.md --- .circleci/config.yml | 36 +++++++++++-- Makefile | 54 +++++++++++++++++-- test/README.md | 10 ++++ test/acceptance/_helpers.bash | 8 +-- .../acceptance/server-ha-enterprise-perf.bats | 6 +-- test/docker/Test.dockerfile | 7 +++ test/terraform/main.tf | 17 ------ 7 files changed, 108 insertions(+), 30 deletions(-) create mode 100644 test/README.md diff --git a/.circleci/config.yml b/.circleci/config.yml index 9d497c0..ed2bf8a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,11 +1,35 @@ version: 2 jobs: bats-unit-test: - machine: true + docker: + # This image is built from test/docker/Test.dockerfile + - image: hashicorpdev/vault-helm-test:0.1.0 steps: - checkout - - run: make test-image - - run: make test-unit + - run: bats ./test/unit -t + acceptance: + docker: + # This image is build from test/docker/Test.dockerfile + - image: hashicorpdev/vault-helm-test:0.1.0 + + steps: + - checkout + - run: + name: terraform init & apply + command: | + echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json + export GOOGLE_CREDENTIALS=vault-helm-test.json + make provision-cluster + - run: + name: Run acceptance tests + command: bats ./test/acceptance -t + + - run: + name: terraform destroy + command: | + export GOOGLE_CREDENTIALS=vault-helm-test.json + make destroy-cluster + when: always update-helm-charts-index: docker: - image: circleci/golang:latest @@ -24,6 +48,12 @@ workflows: build_and_test: jobs: - bats-unit-test + - acceptance: + requires: + - bats-unit-test + filters: + branches: + only: master update-helm-charts-index: jobs: - update-helm-charts-index: diff --git a/Makefile b/Makefile index 4698fb9..8c9bf7f 100644 --- a/Makefile +++ b/Makefile 
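Review bot: `echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json` in the new `acceptance` job writes the decoded service-account key into the checkout with default permissions, where it stays for the rest of the job (the later `terraform destroy` step reads it from the same relative path). Setting `umask 077` first, writing the file under `${HOME}` rather than the working tree, and dropping `-e` (base64 text has no escapes to interpret, and `-e` would mangle a value containing backslashes) would contain it better, and removing it in the `when: always` step would finish the job cleanly. The job also pins its image only by tag, `hashicorpdev/vault-helm-test:0.1.0`, although it runs with cloud credentials; pinning by digest (`image@sha256:<digest>`, placeholder) makes the image contents part of the reviewed config. Minor: the comment reads "This image is build from" where the job above says "built".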
@@ -1,4 +1,8 @@ TEST_IMAGE?=vault-helm-test +GOOGLE_CREDENTIALS?=vault-helm-test.json +CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 +# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats +ACCEPTANCE_TESTS?=acceptance test-image: @docker build --rm -t '$(TEST_IMAGE)' -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) 
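Review bot: `GOOGLE_CREDENTIALS?=vault-helm-test.json` makes the default key location the repository root, and because the docker targets in the next hunk mount `${PWD}` at `/helm-test` and set `-w /helm-test`, a path inside the checkout is the only one that resolves inside the container; that encourages keeping a service-account key in the working tree. A comment stating that this file must never be committed, with a matching ignore rule (not visible in this patch), or a default under `${HOME}` mounted separately into the container, would reduce the chance of the key landing in a commit. `CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514` hard-codes one team's project; fine as an overridable default, but a comment saying so would help outside contributors.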
@@ -6,12 +10,56 @@ test-image: test-unit: @docker run -it -v ${PWD}:/helm-test vault-helm-test bats /helm-test/test/unit -test-acceptance: - @docker run -it -v ${PWD}:/helm-test vault-helm-test bats /helm-test/test/acceptance - test-bats: test-unit test-acceptance test: test-image test-bats +# run acceptance tests on GKE +# set google project/credential vars above +test-acceptance: + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -e KUBECONFIG=/helm-test/.kube/config \ + -w /helm-test \ + $(TEST_IMAGE) \ + make acceptance + +# destroy GKE cluster using terraform +test-destroy: + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -w /helm-test \ + $(TEST_IMAGE) \ + make destroy-cluster + +# provision GKE cluster using terraform +test-provision: + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -e KUBECONFIG=/helm-test/.kube/config \ + -w /helm-test \ + $(TEST_IMAGE) \ + make provision-cluster + +# this target is for running the acceptance tests +# it is run in the docker container above when the test-acceptance target is invoked +acceptance: + gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} + bats test/${ACCEPTANCE_TESTS} + +# this target is for provisioning the GKE cluster +# it is run in the docker container above when the test-provision target is invoked +provision-cluster: + gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} + terraform init test/terraform + terraform apply -var project=${CLOUDSDK_CORE_PROJECT} -var init_cli=true -auto-approve test/terraform + +# this target is for removing the GKE cluster +# it is run in the docker container above when the test-destroy target is invoked +destroy-cluster: + terraform destroy -auto-approve 
.PHONY: test-docker diff --git a/test/README.md b/test/README.md new file mode 100644 index 0000000..e4ce891 --- /dev/null +++ b/test/README.md @@ -0,0 +1,10 @@ +# Running Vault Helm Acceptance tests + +The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance. + +* Set the GOOGLE_CREDENTIALS and CLOUDSDK_CORE_PROJECT variables at the top of the file. GOOGLE_CREDENTIALS should contain the local path to your Google Cloud Platform account credentials in JSON format. CLOUDSDK_CORE_PROJECT should be set to the ID of your GCP project. +* Run `make test-image` to create the docker image (with dependencies installed) that will be re-used in the below steps. +* Run `make test-provision` to provision the GKE cluster using terraform. +* Run `make test-acceptance` to run the acceptance tests in this already provisioned cluster. +* You can choose to only run certain tests by setting the ACCEPTANCE_TESTS variable and re-running the above target. +* Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster. \ No newline at end of file diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index 031daf5..466a517 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash @@ -65,7 +65,7 @@ wait_for_running_consul() { done echo "consul clients never became ready." - exit 1 + return 1 } # wait for a pod to be ready @@ -96,7 +96,7 @@ wait_for_running() { done echo "${POD_NAME} never became ready." - exit 1 + return 1 } wait_for_ready() { @@ -126,7 +126,7 @@ wait_for_ready() { done echo "${POD_NAME} never became ready." - exit 1 + return 1 } wait_for_complete_job() { @@ -155,5 +155,5 @@ wait_for_complete_job() { done echo "${POD_NAME} never completed." - exit 1 + return 1 } diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 6543663..48f9887 100644 
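Review bot: `destroy-cluster` runs `terraform destroy -auto-approve` with neither the `test/terraform` configuration directory nor the `-var project=${CLOUDSDK_CORE_PROJECT}` that `provision-cluster` passes, so unless Terraform finds the configuration and the required `project` variable some other way (inferred; the Terraform files are only partly visible in this series), the teardown will fail or prompt, and the `when: always` CI step that depends on it would leave a billed GKE cluster running. `terraform destroy -var project=${CLOUDSDK_CORE_PROJECT} -auto-approve test/terraform` mirrors the apply. Separately, with `test-acceptance` now running `gcloud auth activate-service-account`, `make test` (via `test-bats`) requires GCP credentials and an already-provisioned cluster; a comment on `test-bats` saying so would avoid surprising local runs.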
--- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -35,7 +35,7 @@ load _helpers kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} wait_for_ready "$(name_prefix)-east-0" - sleep 10 + sleep 30 # Vault Unseal local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) @@ -103,7 +103,7 @@ load _helpers kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} wait_for_ready "$(name_prefix)-west-0" - sleep 10 + sleep 30 # Vault Unseal local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) @@ -134,7 +134,7 @@ load _helpers kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token} - sleep 10 + sleep 30 local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile index 003a06f..9bbe478 100644 --- a/test/docker/Test.dockerfile +++ b/test/docker/Test.dockerfile @@ -10,6 +10,7 @@ FROM alpine:latest WORKDIR /root ENV BATS_VERSION "1.1.0" +ENV TERRAFORM_VERSION "0.12.10" # base packages RUN apk update && apk add --no-cache --virtual .build-deps \ @@ -21,6 +22,7 @@ RUN apk update && apk add --no-cache --virtual .build-deps \ python \ py-pip \ git \ + make \ jq # yq 
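Review bot: Raising `sleep 10` to `sleep 30` in the three hunks of server-ha-enterprise-perf.bats swaps one fixed delay for a longer one; each sleep follows a `wait_for_ready` or a `vault write` and precedes a `kubectl get pods` listing that the next step depends on, so the wait is still decoupled from the condition it guards and will flake on a slower cluster or waste time on a fast one. Polling the observable condition with the `wait_for_running`/`wait_for_ready` helpers that `_helpers.bash` already provides, or on the state the following step reads, would make the tests deterministic. The enclosing test bodies start outside the hunks.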
@@ -31,6 +33,11 @@ RUN curl -OL https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_clo bash install_google_cloud_sdk.bash --disable-prompts --install-dir='/root/' && \ ln -s /root/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud +# terraform +RUN curl -sSL https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -o /tmp/tf.zip \ + && unzip /tmp/tf.zip \ + && ln -s /root/terraform /usr/local/bin/terraform + # kubectl RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \ chmod +x ./kubectl && \ diff --git a/test/terraform/main.tf b/test/terraform/main.tf index e3fc2ef..1c3f035 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -1,8 +1,5 @@ provider "google" { project = "${var.project}" - region = "us-central1" - - credentials = "${file("vault-helm-dev-creds.json")}" } resource "random_id" "suffix" { @@ -18,20 +15,6 @@ data "google_service_account" "gcpapi" { account_id = "${var.gcp_service_account}" } -resource "google_kms_key_ring" "keyring" { - name = "vault-helm-unseal-kr" - location = "global" -} - -resource "google_kms_crypto_key" "vault-helm-unseal-key" { - name = "vault-helm-unseal-key" - key_ring = "${google_kms_key_ring.keyring.self_link}" - - lifecycle { - prevent_destroy = true - } -} - resource "google_container_cluster" "cluster" { name = "vault-helm-dev-${random_id.suffix.dec}" project = "${var.project}" -- GitLab From d755ad1ba03c088ac2f2d481ddc8e0fca3b01fda Mon Sep 17 00:00:00 2001 
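Review bot: The new `# terraform` step downloads `terraform_${TERRAFORM_VERSION}_linux_amd64.zip` and unpacks it with no integrity check, so the image that later runs with cloud credentials trusts whatever the download returned. HashiCorp publishes a `terraform_${TERRAFORM_VERSION}_SHA256SUMS` file (with a detached signature) next to the archive; fetching it and running `sha256sum -c` on the matching entry before `unzip` ties the binary's content to the pinned version. The rewrite below keeps the extraction target at `/root` (the `WORKDIR` the original relied on) and the existing symlink.
```dockerfile
# terraform (archive is verified against the published checksum list before unpacking)
RUN cd /tmp \
    && curl -sSL https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -O \
    && curl -sSL https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS -O \
    && grep linux_amd64.zip terraform_${TERRAFORM_VERSION}_SHA256SUMS > terraform.sum \
    && sha256sum -c terraform.sum \
    && unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /root \
    && ln -s /root/terraform /usr/local/bin/terraform
```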
From: georgekaz <egeorgekaz@gmail.com> Date: Thu, 28 May 2020 19:51:25 +0100 Subject: [PATCH 64/79] Use active service on ingress when ha (#270) Added some logic that points the ingress at the active server when in ha mode. There are times that pointing at the standby pods causes problems. --- templates/server-ingress.yaml | 3 +++ test/unit/server-ingress.bats | 28 ++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index b17eb5c..9b3d112 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -2,6 +2,9 @@ {{- if ne .mode "external" }} {{- if .Values.server.ingress.enabled -}} {{- $serviceName := include "vault.fullname" . -}} +{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- $serviceName = printf "%s-%s" $serviceName "active" -}} +{{- end }} {{- $servicePort := .Values.server.service.port -}} {{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} apiVersion: networking.k8s.io/v1beta1 diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 8660920..5af4938 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats 
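Review bot: The HA condition added to server-ingress.yaml, `and (eq .mode "ha") (and (eq (.Values.server.service.enabled | toString) "true") (eq (.Values.global.enabled | toString) "true"))`, is a copy of the guard at the top of server-ha-standby-service.yaml (visible in patch 60 above), so the ingress points at `<fullname>-active` only as long as the two expressions stay identical; if either drifts, the ingress silently references a Service that is not rendered. A named template wrapping the condition, used by the ingress and both HA service files, removes that coupling. A one-line comment above the block carrying the reason from the commit message, e.g. `# In HA mode route the ingress to the active service; pointing it at standby pods causes problems (#270)`, would also help the next reader. The `if .Values.server.ingress.enabled` block it sits in starts outside the hunk.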
@@ -93,3 +93,31 @@ load _helpers yq -r '.metadata.annotations["kubernetes.io/ingress.class"]' | tee /dev/stderr) [ "${actual}" = "nginx" ] } + +@test "server/ingress: uses active service when ha - yaml" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.dev.enabled=false' \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-active" ] +} + +@test "server/ingress: uses regular service when not ha - yaml" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.dev.enabled=false' \ + --set 'server.ha.enabled=false' \ + --set 'server.service.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault" ] +} \ No newline at end of file -- GitLab From 42153168182e6e8eb1aaa4873c39a42d46ea0159 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 28 May 2020 14:53:46 -0400 Subject: [PATCH 65/79] Add postStart lifecycle hook (#315) * Add postStart lifecycle hook * Update values.yaml Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> --- templates/server-statefulset.yaml | 8 ++++++++ test/unit/server-statefulset.bats | 21 +++++++++++++++++++++ values.yaml | 8 ++++++++ 3 files changed, 37 insertions(+) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 96aaf75..69a925f 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml 
@@ -159,6 +159,14 @@ spec: # to this pod while it's terminating "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)", ] + {{- if .Values.server.postStart }} + postStart: + exec: + command: + {{- range (.Values.server.postStart) }} + - {{ . | quote }} + {{- end }} + {{- end }} {{- if .Values.server.extraContainers }} {{ toYaml .Values.server.extraContainers | nindent 8}} {{- end }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 5bdc25f..7e7678c 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -1048,3 +1048,24 @@ load _helpers yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) [ "${actual}" = "true" ] } + +#-------------------------------------------------------------------- +# postStart +@test "server/standalone-StatefulSet: postStart disabled by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].lifecycle.postStart' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: postStart can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set='server.postStart={/bin/sh,-c,sleep}' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].lifecycle.postStart.exec.command[0]' | tee /dev/stderr) + [ "${actual}" = "/bin/sh" ] +} diff --git a/values.yaml b/values.yaml index d315c87..d1bbaf4 100644 --- a/values.yaml +++ b/values.yaml 
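Review bot: The new `postStart` block passes `.Values.server.postStart` straight to an `exec` hook on the Vault container without a comment on what that implies, whereas the neighbouring `preStop` hook is explained at length. Kubernetes runs the hook inside the container under the container's security context and kills the container when the hook exits non-zero, so a failing bootstrap command puts the Vault pod into a restart loop; a comment such as `# postStart runs the configured command in the Vault container; a non-zero exit restarts the container` would record that next to the template. The enclosing `lifecycle:` block begins outside the hunk.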
@@ -188,6 +188,14 @@ server: # Used to set the sleep time during the preStop step preStopSleepSeconds: 5 + # Used to define commands to run after the pod is ready. + # This can be used to automate processes such as initialization + # or boostrapping auth methods. + postStart: [] + # - /bin/sh + # - -c + # - /vault/userconfig/myscript/run.sh + # extraEnvironmentVars is a list of extra enviroment variables to set with the stateful set. These could be # used to include variables required for auto-unseal. extraEnvironmentVars: {} -- GitLab From e58051e3c6c51a8faeb16f409132ab157e51cae8 Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Thu, 28 May 2020 11:54:52 -0700 Subject: [PATCH 66/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2561ab4..944f28f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ Bugs: * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] * Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)] * Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)] +* Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)] ## 0.5.0 (April 9th, 2020) -- GitLab From cd7591b0f81de017f4c1cf3d0cd5d451fe3dd709 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 28 May 2020 14:55:47 -0400 Subject: [PATCH 67/79] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 944f28f..d0ff27c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
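Review bot: The comment `# Used to define commands to run after the pod is ready.` promises more than a postStart hook provides: Kubernetes fires postStart as soon as the container is created, with no ordering guarantee against the container's entrypoint and before any readiness probe has passed, so a command that talks to Vault has to wait for it itself. A comment of roughly three lines saying that `postStart` is the argv list for the Vault container's postStart lifecycle hook, that it starts immediately after the container is created rather than after readiness, and that a non-zero exit restarts the container would set expectations correctly; "boostrapping" on the next line should read "bootstrapping". The `server:` mapping holding this key begins outside the hunk.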
@@ -2,6 +2,7 @@ Features: * Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258) +* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315) Improvements: * Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213) -- GitLab From 78ca71d2eb57be5a1811813c8028d8a9f1db76fa Mon Sep 17 00:00:00 2001 From: lukemassa <lukefrederickmassa@gmail.com> Date: Thu, 28 May 2020 22:47:41 -0400 Subject: [PATCH 68/79] Removing namespace from yaml of non-namespaced objects (#300) --- templates/injector-clusterrolebinding.yaml | 1 - templates/server-clusterrolebinding.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml index 9826693..35d30b3 100644 --- a/templates/injector-clusterrolebinding.yaml +++ b/templates/injector-clusterrolebinding.yaml @@ -3,7 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-binding - namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index 733764f..37e06e9 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -5,7 +5,6 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: {{ template "vault.fullname" . }}-server-binding - namespace: {{ .Release.Namespace }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} -- GitLab 
From 8e982a6c9d080182b6476f1caf5c426e17dd4e8b Mon Sep 17 00:00:00 2001 From: Theron Voran <tvoran@users.noreply.github.com> Date: Tue, 2 Jun 2020 07:06:50 -0700 Subject: [PATCH 69/79] Allow setting HA services type (#317) Making the types for active and standby services configurable (just like the main vault service). --- templates/server-ha-active-service.yaml | 18 ++- templates/server-ha-standby-service.yaml | 18 ++- test/unit/server-ha-active-service.bats | 145 +++++++++++++++++++++++ test/unit/server-ha-standby-service.bats | 145 +++++++++++++++++++++++ 4 files changed, 316 insertions(+), 10 deletions(-) diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 01f962d..b6366b0 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -15,13 +15,21 @@ metadata: annotations: {{ template "vault.service.annotations" .}} spec: - type: ClusterIP + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} publishNotReadyAddresses: true ports: - - name: http - port: 8200 - targetPort: 8200 - - name: internal + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.nodePort }} + {{- end }} + - name: https-internal port: 8201 targetPort: 8201 selector: diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 2def5f7..473de55 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
@@ -15,13 +15,21 @@ metadata: annotations: {{ template "vault.service.annotations" .}} spec: - type: ClusterIP + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} publishNotReadyAddresses: true ports: - - name: http - port: 8200 - targetPort: 8200 - - name: internal + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.nodePort }} + {{- end }} + - name: https-internal port: 8201 targetPort: 8201 selector: diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index 4e6ad1a..be3060d 100644 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
@@ -12,3 +12,148 @@ load _helpers yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "server/ha-active-Service: disable with ha.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=false' \ + --set 'server.service.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ha-active-Service: disable with server.service.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ha-active-Service: type empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ha-active-Service: type can set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + . | tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "NodePort" ] +} + +@test "server/ha-active-Service: clusterIP empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.clusterIP' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ha-active-Service: clusterIP can set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.clusterIP=None' \ + . | tee /dev/stderr | + yq -r '.spec.clusterIP' | tee /dev/stderr) + [ "${actual}" = "None" ] +} + +@test "server/ha-active-Service: port and targetPort will be 8200 by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].port' | tee /dev/stderr) + [ "${actual}" = "8200" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "8200" ] +} + +@test "server/ha-active-Service: port and targetPort can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.port=8000' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].port' | tee /dev/stderr) + [ "${actual}" = "8000" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.targetPort=80' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "80" ] +} + +@test "server/ha-active-Service: nodeport can set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.nodePort=30009' \ + . 
| tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "30009" ] +} + +@test "server/ha-active-Service: nodeport can't set when type isn't NodePort" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.nodePort=30009' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ha-active-Service: vault port name is http, when tlsDisable is true" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.tlsDisable=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "http" ] +} + +@test "server/ha-active-Service: vault port name is https, when tlsDisable is false" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.tlsDisable=false' \ + . | tee /dev/stderr | + yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "https" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index f2f0043..e164cde 100644 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats 
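Review bot: The twelve tests added to server-ha-active-service.bats are repeated almost verbatim in server-ha-standby-service.bats below, differing only in the template path and the test-name prefix, so the two files will drift the first time one is fixed without the other. A helper in `_helpers` that takes the template path and the extra `--set` flags and runs the shared `helm template … | yq` pipeline, called from both files, would keep a single copy. The `disable with …` cases also rely on `|| echo "---"` to turn a non-zero `helm template` into an empty document; a one-line comment above the first such test stating that intent would save the next reader a guess.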
@@ -23,3 +23,148 @@ load _helpers yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "server/ha-standby-Service: disable with ha.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=false' \ + --set 'server.service.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ha-standby-Service: disable with server.service.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ha-standby-Service: type empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ha-standby-Service: type can set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + . | tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "NodePort" ] +} + +@test "server/ha-standby-Service: clusterIP empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.clusterIP' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ha-standby-Service: clusterIP can set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.clusterIP=None' \ + . | tee /dev/stderr | + yq -r '.spec.clusterIP' | tee /dev/stderr) + [ "${actual}" = "None" ] +} + +@test "server/ha-standby-Service: port and targetPort will be 8200 by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].port' | tee /dev/stderr) + [ "${actual}" = "8200" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "8200" ] +} + +@test "server/ha-standby-Service: port and targetPort can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.port=8000' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].port' | tee /dev/stderr) + [ "${actual}" = "8000" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.targetPort=80' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "80" ] +} + +@test "server/ha-standby-Service: nodeport can set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.nodePort=30009' \ + . 
| tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "30009" ] +} + +@test "server/ha-standby-Service: nodeport can't set when type isn't NodePort" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.nodePort=30009' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ha-standby-Service: vault port name is http, when tlsDisable is true" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.tlsDisable=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "http" ] +} + +@test "server/ha-standby-Service: vault port name is https, when tlsDisable is false" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.tlsDisable=false' \ + . | tee /dev/stderr | + yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "https" ] +} -- GitLab From 4f81ac070baf4f4ee68de1957c1abdd3b694aa1e Mon Sep 17 00:00:00 2001 From: ttinkr <34622932+ttinkr@users.noreply.github.com> Date: Tue, 2 Jun 2020 16:09:48 +0200 Subject: [PATCH 70/79] imagePullSecrets in injector-deployment (#298) Co-authored-by: ttinkr <thomas.fellinger@nts.eu> --- templates/injector-deployment.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 1c5b951..9ab89f1 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml 
@@ -104,4 +104,8 @@ spec:
 secret:
 secretName: "{{ .Values.injector.certs.secretName }}"
 {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
+ {{- end }}
 {{ end }}
-- GitLab
From d1ad4ff4032ff9b520fdec923befd1755a881ed2 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Tue, 2 Jun 2020 10:12:13 -0400
Subject: [PATCH 71/79] changelog++
---
 CHANGELOG.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d0ff27c..a8c8d99 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,13 +11,15 @@ Improvements:
 * Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)]
 * Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)]
 * Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)]
-* Add support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)]
+* Added support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)]
+* Added configurable to change service type for the HA active service [GH-317](https://github.com/hashicorp/vault-helm/pull/317)
 Bugs:
 * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
 * Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)]
 * Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)]
 * Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)]
+* Fixed bug where pull secrets weren't being used for injector image [GH-298](https://github.com/hashicorp/vault-helm/pull/298)
 ## 0.5.0 (April 9th, 2020)
-- GitLab
From 7f7fb7bad01bb872c82eb934673f1fa8deb07e17 Mon Sep 17 00:00:00 2001
From: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
Date: Tue, 2 Jun 2020 11:38:59 -0400
Subject: [PATCH 72/79] check that git tag == chart tag on tagged releases (#316)
---
 .circleci/config.yml | 70 ++++++++++++++++++++++++++++----------------
 1 file changed, 44 insertions(+), 26 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index ed2bf8a..0a9c31f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,39 +1,53 @@ -version: 2 +version: 2.1 +orbs: + slack: circleci/slack@3.4.2 + jobs: bats-unit-test: docker: - # This image is built from test/docker/Test.dockerfile - - image: hashicorpdev/vault-helm-test:0.1.0 + # This image is built from test/docker/Test.dockerfile + - image: hashicorpdev/vault-helm-test:0.1.0 steps: - checkout - run: bats ./test/unit -t acceptance: docker: - # This image is build from test/docker/Test.dockerfile - - image: hashicorpdev/vault-helm-test:0.1.0 + # This image is build from test/docker/Test.dockerfile + - image: hashicorpdev/vault-helm-test:0.1.0 steps: - - checkout - - run: - name: terraform init & apply - command: | - echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json - export GOOGLE_CREDENTIALS=vault-helm-test.json - make provision-cluster - - run: - name: Run acceptance tests - command: bats ./test/acceptance -t + - checkout + - run: + name: terraform init & apply + command: | + echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json + export GOOGLE_CREDENTIALS=vault-helm-test.json + make provision-cluster + - run: + name: Run acceptance tests + command: bats ./test/acceptance -t - - run: - name: terraform destroy - command: | - export GOOGLE_CREDENTIALS=vault-helm-test.json - make destroy-cluster - when: always + - run: + name: terraform destroy + command: | + export GOOGLE_CREDENTIALS=vault-helm-test.json + make destroy-cluster + when: always update-helm-charts-index: docker: - image: circleci/golang:latest steps: + - checkout + - run: + name: verify Chart version matches tag version + command: | + GO111MODULE=on go get github.com/mikefarah/yq/v2 + git_tag=$(echo "${CIRCLE_TAG#v}") + chart_tag=$(yq r Chart.yaml version) + if [ "${git_tag}" != "${chart_tag}" ]; then + echo "chart version (${chart_tag}) did not match git version (${git_tag})" + exit 1 + fi - run: name: update helm-charts index command: | 
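Review bot: The new "verify Chart version matches tag version" step fetches its tool unpinned with `GO111MODULE=on go get github.com/mikefarah/yq/v2`, so the release gate runs whatever yq version is current at build time, and the `circleci/golang:latest` image under it is equally unpinned; pinning both (`go get github.com/mikefarah/yq/v2@<pinned-version>` and an explicit golang image tag) keeps the check reproducible and the release job's supply chain fixed. `git_tag=$(echo "${CIRCLE_TAG#v}")` is just `git_tag="${CIRCLE_TAG#v}"`. The comparison only makes sense when CIRCLE_TAG is set; on an untagged run git_tag is empty and the step fails, and the workflow filter that should guarantee a tag is outside this hunk, so worth confirming.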
@@ -43,17 +57,21 @@ jobs: -H 'Accept: application/json' \ -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" + - slack/status: + fail_only: true + failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}" + workflows: version: 2 build_and_test: jobs: - bats-unit-test - acceptance: - requires: - - bats-unit-test - filters: - branches: - only: master + requires: + - bats-unit-test + filters: + branches: + only: master update-helm-charts-index: jobs: - update-helm-charts-index: -- GitLab From 853cb06842b015859cd82d50e96fd61c77247d56 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 2 Jun 2020 22:10:41 -0400 Subject: [PATCH 73/79] Add OpenShift beta support (#319) * Initial commit * Added openshift flag * added self signed certificate for service annotation * added OpenShift flag * Added OpenShift flag * cleanup * Cleanup * Further cleanup * Further cleanup * reverted security context on injector * Extra corrections * cleanup * Removed Raft config for OpenShift, removed generated certs for ha and standby services * Add openshift flag to global block, route disabled by default, condition for injector in network policy * Added Unit tests for OpenShift * Fixed unit test for HA statefulset for OpenShift * Removed debug log level from stateful set * Added port 8201 to networkpolicy * Updated injector image * Add openshift beta support * Add openshift beta support * Remove comments from configs * Remove vault-k8s note from values * Change route to use active service when HA Co-authored-by: Radu Domnu <radu.domnu@sixdx.com> Co-authored-by: Radu Domnu <radu.domnu@gmail.com> --- templates/_helpers.tpl | 15 +++ templates/injector-deployment.yaml | 6 + templates/injector-network-policy.yaml | 21 ++++ templates/server-ingress.yaml | 2 + templates/server-network-policy.yaml | 22 ++++ templates/server-route.yaml | 33 +++++ templates/server-statefulset.yaml | 8 ++ .../injector-test/pg-deployment.yaml | 2 +- test/acceptance/server-dev.bats | 2 +- test/acceptance/server-ha-enterprise-dr.bats | 4 +- .../acceptance/server-ha-enterprise-perf.bats | 4 +- test/acceptance/server-ha-raft.bats | 4 +- test/acceptance/server-ha.bats | 4 +- test/acceptance/server.bats | 9 +- test/unit/injector-deployment.bats | 35 ++++++ test/unit/server-dev-statefulset.bats | 22 ++-- test/unit/server-ha-active-service.bats | 0 test/unit/server-ha-standby-service.bats | 0 test/unit/server-ha-statefulset.bats | 43 +++++-- test/unit/server-network-policy.bats | 22 ++++ test/unit/server-route.bats | 116 
++++++++++++++++++ test/unit/server-statefulset.bats | 40 ++++-- values.yaml | 17 ++- 23 files changed, 382 insertions(+), 49 deletions(-) create mode 100644 templates/injector-network-policy.yaml create mode 100644 templates/server-network-policy.yaml create mode 100644 templates/server-route.yaml mode change 100644 => 100755 test/unit/server-ha-active-service.bats mode change 100644 => 100755 test/unit/server-ha-standby-service.bats create mode 100755 test/unit/server-network-policy.bats create mode 100755 test/unit/server-route.bats diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index bab233b..5c88b18 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -318,6 +318,21 @@ Sets extra ingress annotations {{- end }} {{- end -}} +{{/* +Sets extra route annotations +*/}} +{{- define "vault.route.annotations" -}} + {{- if .Values.server.route.annotations }} + annotations: + {{- $tp := typeOf .Values.server.route.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.route.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.route.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets extra vault server Service annotations */}} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 9ab89f1..8768f7d 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -31,10 +31,12 @@ spec: priorityClassName: {{ .Values.injector.priorityClassName }} {{- end }} serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + {{- if not .Values.global.openshift }} securityContext: runAsNonRoot: true runAsGroup: {{ .Values.injector.gid | default 1000 }} runAsUser: {{ .Values.injector.uid | default 100 }} + {{- end }} containers: - name: sidecar-injector {{ template "injector.resources" . }} 
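Review bot: Wrapping the pod `securityContext` in `{{- if not .Values.global.openshift }}` removes `runAsNonRoot: true` together with the fixed uid/gid, so on OpenShift the chart relies entirely on the cluster's SCC to keep the injector off root; the same pattern is applied to the server pod in the server-statefulset.yaml hunk at `@@ -45,13 +45,17 @@`. As far as I can tell only the `runAsUser`/`runAsGroup` (and `fsGroup`) lines conflict with a restricted SCC's assigned UID range, so keeping `securityContext:` with `runAsNonRoot: true` outside the conditional and guarding only the uid/gid lines would preserve the non-root guarantee on both platforms — verify against the target SCC. If the whole block is dropped on purpose, a comment above the `if` stating that the SCC is expected to assign uid, gid and fsGroup would save the next reader the inference.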
@@ -70,6 +72,10 @@ spec: value: {{ .Values.injector.logFormat | default "standard" }} - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN value: "{{ .Values.injector.revokeOnShutdown | default false }}" + {{- if .Values.global.openshift }} + - name: AGENT_INJECT_SET_SECURITY_CONTEXT + value: "false" + {{- end }} {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} args: - agent-inject diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml new file mode 100644 index 0000000..b727669 --- /dev/null +++ b/templates/injector-network-policy.yaml @@ -0,0 +1,21 @@ +{{- if .Values.global.openshift }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + protocol: TCP +{{ end }} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 9b3d112..7c19f5f 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.global.openshift }} {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .Values.server.ingress.enabled -}} @@ -49,3 +50,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml new file mode 100644 index 0000000..0879d5b --- /dev/null +++ b/templates/server-network-policy.yaml 
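Review bot: `from: - namespaceSelector: {}` in the new injector NetworkPolicy matches every namespace, so the rule admits any pod in the cluster to port 8080 and only has an effect where a default-deny policy already exists; the same selector is used in the server-network-policy.yaml hunk that follows, where it also opens 8201. Port 8201 is Vault's cluster port, used between Vault servers, so that rule can be narrowed to the Vault pods themselves, e.g. a `from` entry with `podSelector: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }}` in place of the all-namespaces selector, unless cross-cluster replication from outside the cluster is required. For the webhook the caller is the API server rather than a pod, and depending on the CNI that traffic may not be matched by a namespaceSelector at all, which is worth stating in a comment above `ingress:`.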
@@ -0,0 +1,22 @@ +{{- if .Values.global.openshift }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "vault.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP +{{ end }} diff --git a/templates/server-route.yaml b/templates/server-route.yaml new file mode 100644 index 0000000..2fccf02 --- /dev/null +++ b/templates/server-route.yaml @@ -0,0 +1,33 @@ +{{- if .Values.global.openshift }} +{{- if ne .mode "external" }} +{{- if .Values.server.route.enabled -}} +{{- $serviceName := include "vault.fullname" . -}} +{{- if eq .mode "ha" }} +{{- $serviceName = printf "%s-%s" $serviceName "active" -}} +{{- end }} +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.server.route.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- template "vault.route.annotations" . }} +spec: + host: {{ .Values.server.route.host }} + to: + kind: Service + name: {{ $serviceName }} + weight: 100 + port: + targetPort: 8200 + tls: + termination: passthrough +{{- end }} +{{- end }} +{{- end }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 69a925f..f8a0eb1 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml 
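Review bot: server-route.yaml tests `{{- if ne .mode "external" }}` without first calling `{{ template "vault.mode" . }}`, which server-ingress.yaml does on its first line; `.mode` appears to be present here only if another template already set it on the shared context during the same render, so the external-address check depends on render order. Add `{{ template "vault.mode" . }}` as the first line, as the ingress template does. `termination: passthrough` is hard-coded, which assumes Vault itself serves TLS on 8200 while the chart default is `global.tlsDisable: true`; either make the termination configurable or document in values.yaml that the route requires TLS to be enabled. Quoting the host (`host: "{{ .Values.server.route.host }}"`) keeps an empty value from rendering as null.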
@@ -45,13 +45,17 @@ spec: {{ if .Values.server.shareProcessNamespace }} shareProcessNamespace: true {{ end }} + {{- if not .Values.global.openshift }} securityContext: runAsNonRoot: true runAsGroup: {{ .Values.server.gid | default 1000 }} runAsUser: {{ .Values.server.uid | default 100 }} fsGroup: {{ .Values.server.gid | default 1000 }} + {{- end }} volumes: {{ template "vault.volumes" . }} + - name: home + emptyDir: {} {{- if .Values.server.extraInitContainers }} initContainers: {{ toYaml .Values.server.extraInitContainers | nindent 8}} @@ -100,11 +104,15 @@ spec: fieldRef: fieldPath: metadata.name {{- end }} + - name: HOME + value: "/home/vault" {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} volumeMounts: {{ template "vault.mounts" . }} + - name: home + mountPath: /home/vault ports: - containerPort: 8200 name: {{ include "vault.scheme" . }} diff --git a/test/acceptance/injector-test/pg-deployment.yaml b/test/acceptance/injector-test/pg-deployment.yaml index 13389ff..caf8605 100644 --- a/test/acceptance/injector-test/pg-deployment.yaml +++ b/test/acceptance/injector-test/pg-deployment.yaml @@ -41,7 +41,7 @@ spec: - name: POSTGRES_PASSWORD value: password volumeMounts: - - mountPath: "/var/lib/postgresql/data" + - mountPath: "/var/lib/postgresql" name: "pgdata" - mountPath: "/docker-entrypoint-initdb.d" name: "pgconf" diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats index ffda946..0619c28 100644 --- a/test/acceptance/server-dev.bats +++ b/test/acceptance/server-dev.bats @@ -19,7 +19,7 @@ load _helpers # Volume Mounts local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts | length') - [ "${volumeCount}" == "0" ] + [ "${volumeCount}" == "1" ] # Service local service=$(kubectl get service "$(name_prefix)" --output json | 
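Review bot: The `home` emptyDir volume, its mount at `/home/vault` and `HOME=/home/vault` are added unconditionally in the two server-statefulset.yaml hunks, not under `global.openshift`, so every deployment gains a volume and an env entry (the acceptance tests below bump their counts accordingly) while the PR is framed as OpenShift support; a comment above `- name: home` saying why a writable home directory is needed on every platform, or gating it like the securityContext change, would make the intent clear. I can't see the volumes helper from here, but a user-supplied volume that is also named `home` would collide with this one, which is worth checking.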
diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 35348e3..ea8a8db 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.4.0_ent' \ + --set='server.image.tag=1.4.2_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . @@ -76,7 +76,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.4.0_ent' \ + --set='server.image.tag=1.4.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-west-0" diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 48f9887..0d4c779 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.4.0_ent' \ + --set='server.image.tag=1.4.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-east-0" @@ -76,7 +76,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.4.0_ent' \ + --set='server.image.tag=1.4.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-west-0" diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index b6f1f25..9f9f3de 100644 
--- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -27,12 +27,12 @@ load _helpers # Volume Mounts local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts | length') - [ "${volumeCount}" == "2" ] + [ "${volumeCount}" == "3" ] # Volumes local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes | length') - [ "${volumeCount}" == "1" ] + [ "${volumeCount}" == "2" ] local volume=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes[0].configMap.name') diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 4cb4a75..0945f12 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats @@ -26,12 +26,12 @@ load _helpers # Volume Mounts local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts | length') - [ "${volumeCount}" == "1" ] + [ "${volumeCount}" == "2" ] # Volumes local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes | length') - [ "${volumeCount}" == "1" ] + [ "${volumeCount}" == "2" ] local volume=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes[0].configMap.name') diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index ce7843f..84a4e7d 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats @@ -34,7 +34,7 @@ load _helpers # Volume Mounts local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts | length') - [ "${volumeCount}" == "2" ] + [ "${volumeCount}" == "3" ] local mountName=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts[0].name') 
@@ -47,17 +47,12 @@ load _helpers # Volumes local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes | length') - [ "${volumeCount}" == "1" ] + [ "${volumeCount}" == "2" ] local volume=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes[0].configMap.name') [ "${volume}" == "$(name_prefix)-config" ] - # Security Context - local fsGroup=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.securityContext.fsGroup') - [ "${fsGroup}" == "1000" ] - # Service local service=$(kubectl get service "$(name_prefix)" --output json | jq -r '.spec.clusterIP') diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index bd3f63a..9e09e42 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -322,6 +322,19 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/deployment: disable security context when openshift enabled" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[9].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_SET_SECURITY_CONTEXT" ] +} + #-------------------------------------------------------------------- # extraEnvironmentVars 
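Review bot: The `# Security Context` acceptance check for `fsGroup == 1000` is deleted outright rather than skipped on OpenShift, so the default fsGroup on non-OpenShift clusters is no longer covered at the acceptance level (the unit tests added elsewhere in this PR still cover it). Keeping the block and skipping it only when the suite targets OpenShift would retain the check.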
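Review bot: The new injector-deployment.bats test locates the OpenShift env var by position, `yq -r '.[9].name'`, which is exactly the brittleness the env-index renumbering hunks in this PR are paying for; selecting by name, `yq -r '.[] | select(.name == "AGENT_INJECT_SET_SECURITY_CONTEXT") | .value'`, and asserting `"false"` would test the value as well as the presence and survive future env additions.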
@@ -447,3 +460,25 @@ load _helpers yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# OpenShift + +@test "injector/deployment: OpenShift - runAsUser disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/deployment: OpenShift - runAsGroup disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 3b38eab..a44e243 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats @@ -249,19 +249,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) + yq -r '.[12].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) + yq -r '.[13].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) + yq -r '.[13].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } 
@@ -282,23 +282,25 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_0" ] local actual=$(echo $object | - yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_0" ] local actual=$(echo $object | - yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_0" ] local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_1" ] + local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_1" ] + local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_1" ] } diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats old mode 100644 new mode 100755 diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats old mode 100644 new mode 100755 diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index e6d0d58..ff5c571 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -349,19 +349,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[10].value' | tee /dev/stderr) + yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) + yq -r '.[12].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } @@ -383,23 +383,23 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_0" ] local actual=$(echo $object | - yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_0" ] local actual=$(echo $object | - yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_0" ] local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_1" ] local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_1" ] local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_1" ] } 
@@ -643,3 +643,26 @@ load _helpers yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) [ "${actual}" = "2000" ] } + +#-------------------------------------------------------------------- +# OpenShift + +@test "server/ha-statefulset: OpenShift - runAsUser disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ha-statefulset: OpenShift - runAsGroup disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-network-policy.bats b/test/unit/server-network-policy.bats new file mode 100755 index 0000000..0df89fc --- /dev/null +++ b/test/unit/server-network-policy.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/network-policy: OpenShift - disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-network-policy.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/network-policy: OpenShift - enabled if OpenShift" { + cd `chart_dir` + local actual=$( (helm template \ + --set 'global.openshift=true' \ + --show-only templates/server-network-policy.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats new file mode 100755 index 0000000..f5830e6 --- /dev/null +++ b/test/unit/server-route.bats 
@@ -0,0 +1,116 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/route: OpenShift - disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --set 'global.openshift=true' \ + --show-only templates/server-route.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/route: OpenShift -disable by injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/route: OpenShift - checking host entry gets added and path is /" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.host=test.com' \ + . | tee /dev/stderr | + yq -r '.spec.host' | tee /dev/stderr) + [ "${actual}" = 'test.com' ] +} + +@test "server/route: OpenShift - vault backend should be added when I specify a path" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.host=test.com' \ + . | tee /dev/stderr | + yq -r '.spec.to.name | length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + +} + +@test "server/route: OpenShift - labels gets added to object" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.labels.traffic=external' \ + --set 'server.route.labels.team=dev' \ + . 
| tee /dev/stderr | + yq -r '.metadata.labels.traffic' | tee /dev/stderr) + [ "${actual}" = "external" ] +} + +@test "server/route: OpenShift - annotations added to object - string" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.annotations=kubernetes.io/route.class: haproxy' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/route.class"]' | tee /dev/stderr) + [ "${actual}" = "haproxy" ] +} + +@test "server/route: OpenShift - annotations added to object - yaml" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set server.route.annotations."kubernetes\.io/route\.class"=haproxy \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/route.class"]' | tee /dev/stderr) + [ "${actual}" = "haproxy" ] +} + +@test "server/route: OpenShift - route points to main service by default" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.to.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault" ] +} + +@test "server/route: OpenShift - route points to active service by when HA" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.to.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-active" ] +} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 7e7678c..65f4ce2 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
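Review bot: Two of the new test names describe ingress behaviour the Route tests don't check: "checking host entry gets added and path is /" asserts only `.spec.host`, and "vault backend should be added when I specify a path" sets no path and asserts `.spec.to.name | length > 0`; rename them to what they assert, e.g. `"server/route: OpenShift - host entry gets added"` and `"server/route: OpenShift - backend service is set"`. The first test, "disabled by default", also sets `global.openshift=true`, so it checks that the route is off by default on OpenShift rather than that it is off in general — fine, but worth reflecting in the name.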
@@ -384,19 +384,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[10].value' | tee /dev/stderr) + yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) + yq -r '.[12].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] local object=$(helm template \ @@ -407,19 +407,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[10].value' | tee /dev/stderr) + yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) + yq -r '.[12].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } @@ -1049,7 +1049,6 @@ load _helpers [ "${actual}" = "true" ] } -#-------------------------------------------------------------------- # postStart @test "server/standalone-StatefulSet: postStart disabled by default" { cd `chart_dir` 
@@ -1069,3 +1068,26 @@ load _helpers
yq -r '.spec.template.spec.containers[0].lifecycle.postStart.exec.command[0]' | tee /dev/stderr)
[ "${actual}" = "/bin/sh" ]
}
+
+#--------------------------------------------------------------------
+# OpenShift
+
+@test "server/standalone-StatefulSet: OpenShift - runAsUser disabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'global.openshift=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "server/standalone-StatefulSet: OpenShift - runAsGroup disabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'global.openshift=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
diff --git a/values.yaml b/values.yaml
index d1bbaf4..8c6e4a3 100644
--- a/values.yaml
+++ b/values.yaml
@@ -10,6 +10,8 @@ global:
# - name: image-pull-secret
# TLS for end-to-end encrypted transport
tlsDisable: true
+ # Beta Feature: If deploying to OpenShift
+ openshift: false
injector:
# True if you want to enable vault agent injection.
@@ -22,7 +24,7 @@ injector:
# image sets the repo and tag of the vault-k8s image to use for the injector.
image:
repository: "hashicorp/vault-k8s"
- tag: "0.3.0"
+ tag: "0.4.0"
pullPolicy: IfNotPresent
# agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@@ -30,7 +32,7 @@ injector:
# required.
agentImage:
repository: "vault"
- tag: "1.4.0"
+ tag: "1.4.2"
# Mount Path of the Vault Kubernetes Auth Method.
authPath: "auth/kubernetes"
@@ -113,7 +115,7 @@ server:
image:
repository: "vault"
- tag: "1.4.0"
+ tag: "1.4.2"
# Overrides the default Image Pull Policy
pullPolicy: IfNotPresent
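Review bot: The two new OpenShift tests assert that `runAsUser` and `runAsGroup` are dropped under `global.openshift=true`, but nothing asserts that `runAsNonRoot: true` survives, and that is the property that still matters once the SCC picks the UID; a sibling test with `yq -r '.spec.template.spec.securityContext.runAsNonRoot'` expecting `"true"` would pin it. The statefulset template change itself is not in this chunk, so whether the field is retained is inferred from the pre-existing securityContext. Note also that `| length > 0` yields `false` both for a missing field and for an explicit uid of `0` (jq's `length` of a number is its absolute value); `.spec.template.spec.securityContext | has("runAsUser")` would test absence precisely.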
@@ -132,6 +134,8 @@ server:
# Ingress allows ingress services to be created to allow external access
# from Kubernetes to access Vault pods.
+ # If deployment is on OpenShift, the following block is ignored.
+ # In order to expose the service, use the route section below
ingress:
enabled: false
labels: {}
@@ -152,6 +156,13 @@ server:
# hosts:
# - chart-example.local
+ # OpenShift only - create a route to expose the service
+ # The created route will be of type passthrough
+ route:
+ enabled: false
+ labels: {}
+ annotations: {}
+ host: chart-example.local
# authDelegator enables a cluster role binding to be attached to the service
# account. This cluster role binding can be used to setup Kubernetes auth
-- GitLab
From b42c0c53b5263e2088b052b63c9e1732abea914c Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Tue, 2 Jun 2020 22:12:02 -0400
Subject: [PATCH 74/79] changelog++
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a8c8d99..27d5ef0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ Features:
* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258)
* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315)
+* Beta: Added OpenShift support [GH-319](https://github.com/hashicorp/vault-helm/pull/319)
Improvements:
* Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213)
-- GitLab
From e7736defa1e0bf01f40575a0578ded5215a2128b Mon Sep 17 00:00:00 2001
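Review bot: The new `route` block says the created route is of type passthrough, but a passthrough route hands the TLS stream straight to the pod and terminates nothing itself, so it only works when Vault terminates TLS — and this same values.yaml defaults `global.tlsDisable: true`. A comment above `route:` such as `# Requires global.tlsDisable: false and a TLS listener: a passthrough route does not terminate TLS` would stop users from enabling the route against a plaintext listener and wondering why the connection fails. Whether the template itself guards this I cannot tell from the patch, since server-route.yaml is not in it, and the route tests in this series only check labels, annotations and the target service.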
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Wed, 3 Jun 2020 10:03:10 -0400
Subject: [PATCH 75/79] Update to v0.6.0 (#320)
---
CHANGELOG.md | 8 ++++++++
Chart.yaml | 6 ++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27d5ef0..b18e123 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
## Unreleased
+Features:
+
+Improvements:
+
+Bugs:
+
+## 0.6.0 (June 3rd, 2020)
+
Features:
* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258)
* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315)
diff --git a/Chart.yaml b/Chart.yaml
index 3469359..0668a83 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,9 +1,11 @@
apiVersion: v2
name: vault
-version: 0.5.0
-description: Install and configure Vault on Kubernetes.
+version: 0.6.0
+appVersion: 1.4.2
+description: Official HashiCorp Vault Chart
home: https://www.vaultproject.io
icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
+keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
sources:
- https://github.com/hashicorp/vault
- https://github.com/hashicorp/vault-helm
-- GitLab
From 62380cc24a65eb4a707eb45354666ac79e12c074 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 4 Jun 2020 13:37:31 -0400
Subject: [PATCH 76/79] Add note to config about sensitive configs (#323)
* Add note to config about sensitive configs
* Update README.md
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
---
README.md | 4 ++++
values.yaml | 16 ++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/README.md b/README.md
index bbc9de3..29db848 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,9 @@
# Vault Helm Chart
+> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If
+you believe you have found a security issue in Vault Helm, _please responsibly disclose_
+by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
+
This repository contains the official HashiCorp Helm chart for installing and configuring Vault on Kubernetes. This chart supports multiple use cases of Vault on Kubernetes depending on the values provided.
diff --git a/values.yaml b/values.yaml
index 8c6e4a3..65ced07 100644
--- a/values.yaml
+++ b/values.yaml
@@ -341,6 +341,11 @@ server:
# deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
# and store data there. This is only used when using a Replica count of 1, and
# using a stateful set. This should be HCL.
+
+ # Note: Configuration files are stored in ConfigMaps so sensitive data
+ # such as passwords should be either mounted through extraSecretEnvironmentVars
+ # or through a Kube secret. For more information see:
+ # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
@@ -382,6 +387,11 @@ server:
enabled: false
# Set the Node Raft ID to the name of the pod
setNodeId: false
+
+ # Note: Configuration files are stored in ConfigMaps so sensitive data
+ # such as passwords should be either mounted through extraSecretEnvironmentVars
+ # or through a Kube secret. For more information see:
+ # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
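Review bot: The new note tells users where to put secrets but not why the ConfigMap is the wrong place, which is what makes people take it seriously: any principal with `get`/`list` on configmaps in the namespace, and anything that backs up or syncs ConfigMaps, reads the rendered `config` in the clear, whereas Secrets can be RBAC-restricted separately and encrypted at rest where the cluster is configured for it. One added clause would make that concrete, e.g. `# ConfigMaps are readable by anyone with get/list on configmaps in the namespace, so never inline tokens or passwords here`. The same four-line note is pasted verbatim before each `config:` block in this file; a single comment next to `extraSecretEnvironmentVars` with a short pointer from each block would keep the copies from drifting apart.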
@@ -396,9 +406,15 @@ server:
}
service_registration "kubernetes" {}
+
# config is a raw string of default configuration when using a Stateful
# deployment. Default is to use a Consul for its HA storage backend.
# This should be HCL.
+
+ # Note: Configuration files are stored in ConfigMaps so sensitive data
+ # such as passwords should be either mounted through extraSecretEnvironmentVars
+ # or through a Kube secret. For more information see:
+ # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
-- GitLab
From 5a7e10cf08e960b57a6c884c7c01dcdbda6969c8 Mon Sep 17 00:00:00 2001
From: Omer Levi Hevroni <omerlh@users.noreply.github.com>
Date: Thu, 11 Jun 2020 17:50:16 +0300
Subject: [PATCH 77/79] allow to set extra volume mode (#321)
---
templates/_helpers.tpl | 1 +
1 file changed, 1 insertion(+)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 5c88b18..31872fc 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -96,6 +96,7 @@ extra volumes the user may have specified (such as a secret with TLS).
{{- else if (eq .type "secret") }}
secretName: {{ .name }}
{{- end }}
+ defaultMode: {{ .defaultMode | default 420 }}
{{- end }}
{{- end -}}
-- GitLab
From ebed731222c85c3fd3777e3db7d1fac7393bb838 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 11 Jun 2020 10:51:44 -0400
Subject: [PATCH 78/79] changelog++
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b18e123..9a4afd9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ Features:
Improvements:
+* Added `defaultMode` configurable to `extraVolumes`[GH-321](https://github.com/hashicorp/vault-helm/pull/321)
Bugs:
-- GitLab
From e4bfe2917d41920c8caa86040ef0db4fbb3c2677 Mon Sep 17 00:00:00 2001
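Review bot: `defaultMode: {{ .defaultMode | default 420 }}` makes the file mode of every extra volume configurable, and the template's own header names a TLS secret as the typical case, yet nothing documents that the value is the decimal form of the octal mode — 420 is 0644, readable by every user inside the pod — or that private-key secrets should be tightened to 0400/0440 (256/288); the `extraVolumes` documentation in values.yaml, which this patch does not touch, should gain a line such as `# defaultMode: 256  # decimal for 0400; tighten this for private-key secrets`. That line should also say to pass a plain integer, because the value is rendered unquoted: a user who writes `"0400"` gets `defaultMode: 0400` emitted, and a leading-zero integer is read as octal by YAML 1.1 loaders and as decimal by YAML 1.2 ones. Keeping `default 420` is right, since it matches the Kubernetes default for secret and configMap volumes and so preserves how existing charts render. The enclosing `define` begins above this hunk.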
From: Ricardo Rocha <rocha.porto@gmail.com>
Date: Tue, 5 May 2020 09:34:01 +0200
Subject: [PATCH 79/79] Add gitlab-ci for cern registry
---
.gitlab-ci.yml | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 .gitlab-ci.yml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..24c2a20
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,71 @@
+stages:
+ - build
+ - deploy
+
+before_script:
+ - mkdir -p .repo
+ - export REPO="cern"
+ - export CHART="vault"
+
+build:
+ stage: build
+ image: gitlab-registry.cern.ch/cloud/ciadm
+ script:
+ - curl -o helm.tar.gz https://kubernetes-helm.storage.googleapis.com/helm-v2.14.1-linux-amd64.tar.gz; mkdir -p helm; tar zxvf helm.tar.gz -C helm; cp helm/linux-amd64/helm /usr/local/bin; rm -rf helm*
+ - helm init --client-only
+ - helm repo add ${REPO} https://registry.cern.ch/chartrepo/${REPO}
+ - helm dep update .; helm lint .; helm package .
+ except:
+ - tags
+
+version-check:
+ stage: build
+ image: gitlab-registry.cern.ch/cloud/ciadm
+ script:
+ - |
+ VDIFF="$(echo "$(git diff origin/master -- Chart.yaml)" | grep "\-version:" || true)"
+ if [ "${VDIFF}" == "" ]; then
+ echo "${CHART} is a new chart, not checking version bump"
+ exit 0;
+ fi
+ OLD_CHART_VERSION="$(echo "${VDIFF}" | awk '{print $2}')"
+ # Check and accept if it's a new chart
+ if [ "${OLD_CHART_VERSION}" == "" ]; then
+ echo "${CHART} is a new chart, not checking version bump"
+ exit 0;
+ fi
+ NEW_CHART_VERSION="$(echo "$(git diff origin/master -- Chart.yaml)" | grep "+version:" | awk '{print $2}')"
+ fi
+ - |
+ if [ ${NEW_CHART_VERSION} = "" ] || \
+ [ $(expr ${NEW_CHART_VERSION} \<= ${OLD_CHART_VERSION}) -eq 1 ]; then
+ echo "ERROR: Chart version must be higher than existent. Please fix before merging again."
+ exit 1
+ fi
+ except:
+ - tags
+
+deploy:
+ stage: deploy
+ image: gitlab-registry.cern.ch/cloud/ciadm
+ script:
+ - helm init --client-only
+ - helm repo add ${REPO} https://registry.cern.ch/chartrepo/${REPO}
+ - helm repo update
+ # helm-push not possible for now as it lacks --sign to pass a provenance file
+ # - helm plugin install https://github.com/chartmuseum/helm-push
+ - echo "${HARBOR_SIGNKEY}" | base64 -d > secring.gpg
+ - |
+ # Get local and remote versions
+ LOCAL_VERSION=$(grep -R version Chart.yaml | awk '{print $2}')
+ REMOTE_LATEST_VERSION=$(helm search ${REPO}/${CHART} | grep ${REPO}/${CHART} | awk '{print $2}')
+ # Only push if chart version does not exists in remote
+ if [ ${REMOTE_LATEST_VERSION} = "" ] || \
+ [ $(expr ${REMOTE_LATEST_VERSION} \< ${LOCAL_VERSION}) -eq 1 ]; then
+ helm dep update .
+ helm package --sign --key registry --keyring secring.gpg .
+ curl --fail -F "chart=@${CHART}-${LOCAL_VERSION}.tgz" -F "prov=@${CHART}-${LOCAL_VERSION}.tgz.prov" https://${HARBOR_USER}:${HARBOR_TOKEN}@registry.cern.ch/api/chartrepo/${REPO}/charts
+ fi
+
+ only:
+ - tags
-- GitLab
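Review bot: The deploy job decodes the chart-signing private key into `secring.gpg` in the working tree with the default umask and never removes it, and it passes `${HARBOR_USER}:${HARBOR_TOKEN}` inside the curl URL, where the token is visible to anything listing processes on the runner and to curl's own error output; write the keyring under `umask 077`, delete it in `after_script`, and hand the credentials to curl with `-u`. The build job installs Helm by piping a `curl` download straight into `/usr/local/bin` with no integrity check, so a substituted tarball would later run with access to that signing key and registry token; verify the download against the SHA256 published with the release before extracting. Separately, `grep -R version Chart.yaml` now matches both `version:` and `appVersion:` (Chart.yaml gained `appVersion: 1.4.2` in patch 75), so `LOCAL_VERSION` becomes two values and the `${CHART}-${LOCAL_VERSION}.tgz` filename no longer resolves; anchor on `^version:`. The version-check script has a stray `fi` after the `NEW_CHART_VERSION=` assignment, which is a shell syntax error that fails the job, and both jobs compare versions with `expr \<`, which is lexicographic and orders `0.10.0` before `0.9.0` — `sort -V` is the usual fix. Helm 2.14.1 is also past end-of-life and, if I read Helm 2's lint rules correctly, rejects the `apiVersion: v2` this Chart.yaml now declares, so `helm lint .` in the build job is likely to fail until the pipeline moves to Helm 3.
```yaml
build:
  # … unchanged: stage, image …
  script:
    - curl -fsS -o helm.tar.gz https://kubernetes-helm.storage.googleapis.com/helm-v2.14.1-linux-amd64.tar.gz
    # HELM_SHA256 holds the checksum published with the release; sha256sum -c fails the job on mismatch
    - echo "${HELM_SHA256}  helm.tar.gz" | sha256sum -c -
    - mkdir -p helm; tar zxvf helm.tar.gz -C helm; cp helm/linux-amd64/helm /usr/local/bin; rm -rf helm*
    # … unchanged: helm init, repo add, dep update / lint / package …

deploy:
  # … unchanged: stage, image, helm init / repo add / repo update …
  script:
    - (umask 077; echo "${HARBOR_SIGNKEY}" | base64 -d > secring.gpg)
    - |
      LOCAL_VERSION=$(awk '/^version:/ {print $2}' Chart.yaml)
      # … unchanged: REMOTE_LATEST_VERSION lookup and the version comparison …
        helm dep update .
        helm package --sign --key registry --keyring secring.gpg .
        curl --fail -u "${HARBOR_USER}:${HARBOR_TOKEN}" \
          -F "chart=@${CHART}-${LOCAL_VERSION}.tgz" \
          -F "prov=@${CHART}-${LOCAL_VERSION}.tgz.prov" \
          https://registry.cern.ch/api/chartrepo/${REPO}/charts
  after_script:
    - rm -f secring.gpg
```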