Remove privileged, add mlock configurable (#50)

This commit is contained in:
Jason O'Donnell 2019-09-23 01:11:04 -04:00 committed by GitHub
parent 8f382aab65
commit 09f56da548
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 77 additions and 11 deletions


@ -13,6 +13,9 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
data: data:
extraconfig-from-values.hcl: |- extraconfig-from-values.hcl: |-
{{- if eq (.Values.server.mlock.enabled | toString) "false" }}
disable_mlock = true
{{- end }}
{{- if eq .mode "standalone" }} {{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }} {{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if eq .mode "ha" }} {{- else if eq .mode "ha" }}
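Review bot: The mlock switch is string-compared with opposite polarities in three places — `"false"` here and for the SKIP_SETCAP env block, but `"true"` for the IPC_LOCK capability block in the StatefulSet — so a value that stringifies to neither (an unset or null `server.mlock.enabled`, or a quoted `"yes"`) takes none of the branches: the config keeps mlock on, yet the container gets no IPC_LOCK capability and SKIP_SETCAP is not set, which presumably leaves Vault unable to lock memory at startup. Normalizing once per template, e.g. `{{- $mlock := eq (.Values.server.mlock.enabled | toString) "true" }}` and then testing `{{- if not $mlock }}` / `{{- if $mlock }}` everywhere, makes every branch agree on one definition of "enabled". The same point applies to the StatefulSet section below; the enclosing `data:` block continues outside this hunk.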


@ -44,8 +44,11 @@ spec:
containers: containers:
- name: vault - name: vault
{{ template "vault.resources" . }} {{ template "vault.resources" . }}
{{- if eq (.Values.server.mlock.enabled | toString) "true" }}
securityContext: securityContext:
privileged: true capabilities:
add: ["IPC_LOCK"]
{{- end }}
image: "{{ .Values.global.image }}" image: "{{ .Values.global.image }}"
command: {{ template "vault.command" . }} command: {{ template "vault.command" . }}
args: {{ template "vault.args" . }} args: {{ template "vault.args" . }}
@ -64,6 +67,10 @@ spec:
value: "{{ include "vault.scheme" . }}://$(POD_IP):8200" value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
- name: SKIP_CHOWN - name: SKIP_CHOWN
value: "true" value: "true"
{{- if eq (.Values.server.mlock.enabled | toString) "false" }}
- name: SKIP_SETCAP
value: "true"
{{- end }}
{{ template "vault.envs" . }} {{ template "vault.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
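Review bot: The disabled path of this hunk has no unit test: the unit tests added in this commit only cover the ConfigMap, and the acceptance tests only assert `capabilities.add[0] == "IPC_LOCK"` on the default (enabled) path, so a regression that renders the capability block or omits SKIP_SETCAP when `server.mlock.enabled=false` would go unnoticed. A `server-statefulset.bats` case rendering with `--set 'server.mlock.enabled=false'` and checking that `.spec.template.spec.containers[0].securityContext` is absent and that an env entry named `SKIP_SETCAP` with value `"true"` is present would pin the new behaviour; the mirror case for the enabled path should also assert `securityContext.privileged` is null now that `privileged: true` is gone. The container spec continues outside both hunks.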


@ -87,7 +87,7 @@ wait_for_running() {
for i in $(seq 60); do for i in $(seq 60); do
if [ -n "$(check ${POD_NAME})" ]; then if [ -n "$(check ${POD_NAME})" ]; then
echo "${POD_NAME} is ready." echo "${POD_NAME} is ready."
sleep 2 sleep 10
return return
fi fi
@ -117,7 +117,7 @@ wait_for_ready() {
for i in $(seq 60); do for i in $(seq 60); do
if [ -n "$(check ${POD_NAME})" ]; then if [ -n "$(check ${POD_NAME})" ]; then
echo "${POD_NAME} is ready." echo "${POD_NAME} is ready."
sleep 2 sleep 10
return return
fi fi
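Review bot: The `sleep 2` → `sleep 10` change in both wait_for_running and wait_for_ready is unexplained in the code and in the commit message, and the same literal is now duplicated in two functions; a comment above the sleep stating what the extra settle time is for, and a single variable such as `READY_SETTLE_SECONDS=10` used in both places, would keep the next tuning honest. Both function bodies start and end outside these hunks.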


@ -18,6 +18,11 @@ load _helpers
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
# Security
local ipc=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]')
[ "${ipc}" == "IPC_LOCK" ]
# Replicas # Replicas
local replicas=$(kubectl get statefulset "$(name_prefix)" --output json | local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.replicas') jq -r '.spec.replicas')
@ -37,10 +42,6 @@ load _helpers
jq -r '.spec.template.spec.volumes[0].configMap.name') jq -r '.spec.template.spec.volumes[0].configMap.name')
[ "${volume}" == "$(name_prefix)-config" ] [ "${volume}" == "$(name_prefix)-config" ]
local privileged=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].securityContext.privileged')
[ "${privileged}" == "true" ]
# Service # Service
local service=$(kubectl get service "$(name_prefix)" --output json | local service=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.clusterIP') jq -r '.spec.clusterIP')
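Review bot: The new security check only asserts that `capabilities.add[0]` is `IPC_LOCK`; the assertion removed further down (that `privileged` is `true`) is dropped rather than inverted, so a regression that reintroduces `privileged: true` alongside the capability would still pass. Keep the old lookup and flip its expectation, `local privileged=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].securityContext.privileged')` followed by `[ "${privileged}" == "null" ]`. The same applies to the second acceptance-test file below; the enclosing test function starts and ends outside these hunks.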


@ -16,6 +16,11 @@ load _helpers
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
# Security
local ipc=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]')
[ "${ipc}" == "IPC_LOCK" ]
# Replicas # Replicas
local replicas=$(kubectl get statefulset "$(name_prefix)" --output json | local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.replicas') jq -r '.spec.replicas')
@ -53,10 +58,6 @@ load _helpers
jq -r '.spec.template.spec.securityContext.fsGroup') jq -r '.spec.template.spec.securityContext.fsGroup')
[ "${fsGroup}" == "1000" ] [ "${fsGroup}" == "1000" ]
local privileged=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].securityContext.privileged')
[ "${privileged}" == "true" ]
# Service # Service
local service=$(kubectl get service "$(name_prefix)" --output json | local service=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.clusterIP') jq -r '.spec.clusterIP')


@ -82,3 +82,52 @@ load _helpers
yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr) yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr)
[ ! -z "${actual}" ] [ ! -z "${actual}" ]
} }
@test "server/ConfigMap: mlock by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
[ -z "${actual}" ]
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.standalone.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
[ -z "${actual}" ]
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
[ -z "${actual}" ]
}
@test "server/ConfigMap: disable mlock" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.mlock.enabled=false' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
[ ! -z "${actual}" ]
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.mlock.enabled=false' \
--set 'server.standalone.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
[ ! -z "${actual}" ]
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.mlock.enabled=false' \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
[ ! -z "${actual}" ]
}
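Review bot: The three yq filters in "server/ConfigMap: mlock by default" end in `| not)'` with an unmatched `)`, which is a jq syntax error; yq then prints nothing, `actual` is empty, and `[ -z "${actual}" ]` passes regardless of the ConfigMap's content, so the test cannot fail. Fix the filter and assert the actual value: `yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not' | tee /dev/stderr)` with `[ "${actual}" == "true" ]`. The "disable mlock" cases have the weaker form of the same issue, since `[ ! -z "${actual}" ]` also accepts a `false` result; `[ "${actual}" == "true" ]` is the intended assertion there too.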


@ -215,6 +215,11 @@ server:
serviceaccount: serviceaccount:
annotations: {} annotations: {}
# mlock prevents memory from being swapped to disk. If swap is enabled this should
# be true.
mlock:
enabled: true
# Vault UI # Vault UI
ui: ui:
# True if you want to create a Service entry for the Vault UI. # True if you want to create a Service entry for the Vault UI.
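Review bot: The new comment on `mlock` does not say what the flag actually controls in this chart, and "If swap is enabled this should be true" understates the rationale, since mlock guards in-memory secrets from being paged to disk in general. A comment such as `# Keep Vault's memory locked so secrets are never swapped to disk. When false, disable_mlock is` / `# written to the config, the IPC_LOCK capability is not added to the container and` / `# SKIP_SETCAP=true is set; only true/false are recognised, other values behave as neither.` would tell operators what disabling it changes and why it is on by default.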