From 09f56da5482096c1e213d5a0f1b1463503def82e Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 23 Sep 2019 01:11:04 -0400
Subject: [PATCH] Remove privileged, add mlock configurable (#50)
---
 templates/server-config-configmap.yaml | 3 ++
 templates/server-statefulset.yaml | 9 ++++-
 test/acceptance/_helpers.bash | 4 +--
 test/acceptance/server-ha.bats | 9 ++---
 test/acceptance/server.bats | 9 ++---
 test/unit/server-configmap.bats | 49 ++++++++++++++++++++++++++
 values.yaml | 5 +++
 7 files changed, 77 insertions(+), 11 deletions(-)
diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml
index 8a7900f..0a0df7c 100644
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@@ -13,6 +13,9 @@ metadata:
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 data:
 extraconfig-from-values.hcl: |-
+ {{- if eq (.Values.server.mlock.enabled | toString) "false" }}
+ disable_mlock = true
+ {{- end }}
 {{- if eq .mode "standalone" }}
 {{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
 {{- else if eq .mode "ha" }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index ae9a284..3fe0b3d 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -44,8 +44,11 @@ spec:
 containers:
 - name: vault
 {{ template "vault.resources" . }}
+ {{- if eq (.Values.server.mlock.enabled | toString) "true" }}
 securityContext:
- privileged: true
+ capabilities:
+ add: ["IPC_LOCK"]
+ {{- end }}
 image: "{{ .Values.global.image }}"
 command: {{ template "vault.command" . }}
 args: {{ template "vault.args" . }}
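Review bot: The added guard renders `disable_mlock = true` only when `server.mlock.enabled` stringifies to exactly `"false"`, whereas the StatefulSet hunks grant `IPC_LOCK` only on exactly `"true"` and set `SKIP_SETCAP` only on exactly `"false"`; any rendered value that is neither (for example a string such as `"no"` coming from an override) yields a pod that is neither given the capability nor told to skip mlock, so Vault would presumably fail to lock memory at startup. If mlock is meant to be on only when explicitly enabled, compare against the positive form in both "false" guards — here `{{- if ne (.Values.server.mlock.enabled | toString) "true" }}` and the same in the `SKIP_SETCAP` hunk — so the three templates cannot disagree. The `extraconfig-from-values.hcl` block scalar continues past the end of the hunk.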
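Review bot: The new `capabilities.add: ["IPC_LOCK"]` block replaces `privileged: true` without a comment saying why this one capability is sufficient, so a later reader cannot tell whether it can be dropped or whether privileged mode was covering something else; suggest `# IPC_LOCK is the only extra privilege the vault container needs (for mlock); with server.mlock.enabled=false the chart sets disable_mlock and SKIP_SETCAP instead` above the `{{- if`. Because `securityContext:` itself sits inside the conditional, a pod rendered with mlock disabled has no container securityContext at all, so any hardening field added later will have to be moved out of this guard. The containers list continues beyond the hunk.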
@@ -64,6 +67,10 @@ spec:
 value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
 - name: SKIP_CHOWN
 value: "true"
+ {{- if eq (.Values.server.mlock.enabled | toString) "false" }}
+ - name: SKIP_SETCAP
+ value: "true"
+ {{- end }}
 {{ template "vault.envs" . }}
 {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
 {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash
index 9826b9b..cee59a9 100644
--- a/test/acceptance/_helpers.bash
+++ b/test/acceptance/_helpers.bash
@@ -87,7 +87,7 @@ wait_for_running() {
 for i in $(seq 60); do
 if [ -n "$(check ${POD_NAME})" ]; then
 echo "${POD_NAME} is ready."
- sleep 2
+ sleep 10
 return
 fi
@@ -117,7 +117,7 @@ wait_for_ready() {
 for i in $(seq 60); do
 if [ -n "$(check ${POD_NAME})" ]; then
 echo "${POD_NAME} is ready."
- sleep 2
+ sleep 10
 return
 fi
diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats
index 372f8c5..9e4d27e 100644
--- a/test/acceptance/server-ha.bats
+++ b/test/acceptance/server-ha.bats
@@ -18,6 +18,11 @@ load _helpers
 jq -r '.initialized')
 [ "${init_status}" == "false" ]
+ # Security
+ local ipc=$(kubectl get statefulset "$(name_prefix)" --output json |
+ jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]')
+ [ "${ipc}" == "IPC_LOCK" ]
+
 # Replicas
 local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
 jq -r '.spec.replicas')
@@ -37,10 +42,6 @@ load _helpers
 jq -r '.spec.template.spec.volumes[0].configMap.name')
 [ "${volume}" == "$(name_prefix)-config" ]
- local privileged=$(kubectl get statefulset "$(name_prefix)" --output json |
- jq -r '.spec.template.spec.containers[0].securityContext.privileged')
- [ "${privileged}" == "true" ]
-
 # Service
 local service=$(kubectl get service "$(name_prefix)" --output json |
 jq -r '.spec.clusterIP')
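Review bot: The fixed post-readiness wait in wait_for_running jumps from `sleep 2` to `sleep 10` with nothing saying what the extra time is for, and the identical change is made to wait_for_ready in the next hunk; a bare sleep hides whether it is covering a startup race that the capability/setcap change may have introduced or is just a margin, and it adds eight seconds to every pod wait in the suite. Prefer polling for the condition the callers actually need, or at least state what is being waited on: `# the pod reports ready before vault's entrypoint has finished; give it time to settle — TODO confirm what this waits for`. Both functions start before and end after their hunks.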
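Review bot: The new assertion reads `capabilities.add[0]` and compares it with `IPC_LOCK`, so it breaks as soon as another capability is listed first, and a missing `capabilities` block surfaces as the string `null` rather than a clear failure; the same shape is added to server.bats. A membership check is more robust and states the intent: `jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add | any(. == "IPC_LOCK")'` with `[ "${ipc}" == "true" ]`. Only the default (mlock enabled) deployment is exercised; nothing in the acceptance suite deploys with `server.mlock.enabled=false` and checks that the capability is absent and `SKIP_SETCAP` is set. The test function starts before the hunk.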
diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats
index 637be58..1ceef85 100644
--- a/test/acceptance/server.bats
+++ b/test/acceptance/server.bats
@@ -16,6 +16,11 @@ load _helpers
 jq -r '.initialized')
 [ "${init_status}" == "false" ]
+ # Security
+ local ipc=$(kubectl get statefulset "$(name_prefix)" --output json |
+ jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]')
+ [ "${ipc}" == "IPC_LOCK" ]
+
 # Replicas
 local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
 jq -r '.spec.replicas')
@@ -53,10 +58,6 @@ load _helpers
 jq -r '.spec.template.spec.securityContext.fsGroup')
 [ "${fsGroup}" == "1000" ]
- local privileged=$(kubectl get statefulset "$(name_prefix)" --output json |
- jq -r '.spec.template.spec.containers[0].securityContext.privileged')
- [ "${privileged}" == "true" ]
-
 # Service
 local service=$(kubectl get service "$(name_prefix)" --output json |
 jq -r '.spec.clusterIP')
diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats
index 7a66c53..0629028 100755
--- a/test/unit/server-configmap.bats
+++ b/test/unit/server-configmap.bats
@@ -82,3 +82,52 @@ load _helpers
 yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr)
 [ ! -z "${actual}" ]
 }
+
+@test "server/ConfigMap: mlock by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-config-configmap.yaml \
+ . | tee /dev/stderr |
+ yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
+ [ -z "${actual}" ]
+
+ local actual=$(helm template \
+ -x templates/server-config-configmap.yaml \
+ --set 'server.standalone.enabled=true' \
+ . | tee /dev/stderr |
+ yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
+ [ -z "${actual}" ]
+
+ local actual=$(helm template \
+ -x templates/server-config-configmap.yaml \
+ --set 'server.ha.enabled=true' \
+ . | tee /dev/stderr |
+ yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
+ [ -z "${actual}" ]
+}
+
+@test "server/ConfigMap: disable mlock" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-config-configmap.yaml \
+ --set 'server.mlock.enabled=false' \
+ . | tee /dev/stderr |
+ yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
+ [ ! -z "${actual}" ]
+
+ local actual=$(helm template \
+ -x templates/server-config-configmap.yaml \
+ --set 'server.mlock.enabled=false' \
+ --set 'server.standalone.enabled=true' \
+ . | tee /dev/stderr |
+ yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
+ [ ! -z "${actual}" ]
+
+ local actual=$(helm template \
+ -x templates/server-config-configmap.yaml \
+ --set 'server.mlock.enabled=false' \
+ --set 'server.ha.enabled=true' \
+ . | tee /dev/stderr |
+ yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
+ [ ! -z "${actual}" ]
+}
diff --git a/values.yaml b/values.yaml
index 42393bf..1f3cb1f 100644
--- a/values.yaml
+++ b/values.yaml
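Review bot: The three `yq` filters in "mlock by default" end in `| not)`, and that `)` has no matching opening parenthesis, so jq rejects the program, `actual` stays empty and `[ -z "${actual}" ]` succeeds whatever the template rendered — the test cannot fail. Even with the stray paren removed the logic is inverted: `contains("disable_mlock") | not` prints `true` for the default rendering and `-z` would then fail, and the "disable mlock" test's `[ ! -z "${actual}" ]` is satisfied by the string `false` just as well as by `true`. Assert the value in all six calls instead: `yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")'` followed by `[ "${actual}" == "false" ]` in the first test and `[ "${actual}" == "true" ]` in the second. The StatefulSet side of this change (the `IPC_LOCK` capability and the `SKIP_SETCAP` env) has no unit test here; a server-statefulset case rendered with `--set 'server.mlock.enabled=false'` would close that gap.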
@@ -214,6 +214,11 @@ server:
 # Definition of the serviceaccount used to run Vault.
 serviceaccount:
 annotations: {}
+
+ # mlock prevents memory from being swapped to disk. If swap is enabled this should
+ # be true.
+ mlock:
+ enabled: true
 # Vault UI
 ui:
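Review bot: The new comment says what mlock is for but not what the switch changes in the rendered chart, which is what an operator choosing the value needs; from the templates in this commit, `true` adds `capabilities.add: ["IPC_LOCK"]` to the vault container (in place of the former `privileged: true`) and `false` puts `disable_mlock = true` into the generated config and sets `SKIP_SETCAP=true`. Suggest appending: `# true grants the vault container the IPC_LOCK capability; false adds disable_mlock to the config and sets SKIP_SETCAP, for clusters that do not permit adding capabilities.` The `server:` mapping continues on both sides of the hunk.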