Add clusterrolebinding, fix service, update Vault (#10)

* Add clusterrolebinding, fix service, update Vault

* Change authDelegator to false by default

* Clarify clusterIP comment

CHANGELOG.md

@@ -1,3 +1,16 @@
-## 0.1.0
+## 0.1.1 (August 7th, 2019)
+
+Features:
+
+* Added `authDelegator` Cluster Role Binding to Vault service account for 
+  bootstrapping Kube auth method
+
+Improvements:
+
+* Added `server.service.clusterIP` to `values.yml` so users can toggle 
+  the Vault service to headless by using the value `None`.
+* Upgraded Vault to 1.2.1
+
+## 0.1.0 (August 6th, 2019)
 
 Initial release

Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: vault
-version: 0.1.0
+version: 0.1.1
 description: Install and configure Vault on Kubernetes.
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png

templates/server-clusterrolebinding.yaml

@@ -0,0 +1,22 @@
+{{ template "vault.mode" . }}
+{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "vault.fullname" . }}-server-binding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: {{ template "vault.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+{{ end }}

templates/server-service.yaml

@@ -1,8 +1,4 @@
-# Headless service for Vault server DNS entries. This service should only
+# Service for Vault cluster
-# point to Vault servers. For access to an agent, one should assume that
-# the agent is installed locally on the node and the NODE_IP should be used.
-# If the node can't run a Vault agent, then this service can be used to
-# communicate directly to a server agent.
 {{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
 apiVersion: v1
 kind: Service
@@ -20,7 +16,7 @@ metadata:
     # https://github.com/kubernetes/kubernetes/issues/58662
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
-  clusterIP: None
+  clusterIP: {{ .Values.server.service.clusterIP }}
   # We want the servers to become available even if they're not ready
   # since this DNS is also used for join operations.
   publishNotReadyAddresses: true
@@ -32,7 +28,7 @@ spec:
       port: 8201
       targetPort: 8201
   selector:
-    app: {{ template "vault.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
-    release: "{{ .Release.Name }}"
+    app.kubernetes.io/instance: {{ .Release.Name }}
     component: server
 {{- end }}

test/acceptance/server-dev.bats

@@ -20,7 +20,7 @@ load _helpers
   # Service
   local service=$(kubectl get service "$(name_prefix)" --output json |
     jq -r '.spec.clusterIP')
-  [ "${service}" == "None" ]
+  [ "${service}" != "None" ]
 
   local service=$(kubectl get service "$(name_prefix)" --output json |
     jq -r '.spec.type')

test/acceptance/server-ha.bats

@@ -44,7 +44,7 @@ load _helpers
   # Service
   local service=$(kubectl get service "$(name_prefix)" --output json |
     jq -r '.spec.clusterIP')
-  [ "${service}" == "None" ]
+  [ "${service}" != "None" ]
 
   local service=$(kubectl get service "$(name_prefix)" --output json |
     jq -r '.spec.type')

test/acceptance/server.bats

@@ -60,7 +60,7 @@ load _helpers
   # Service
   local service=$(kubectl get service "$(name_prefix)" --output json |
     jq -r '.spec.clusterIP')
-  [ "${service}" == "None" ]
+  [ "${service}" != "None" ]
 
   local service=$(kubectl get service "$(name_prefix)" --output json |
     jq -r '.spec.type')

test/unit/server-clusterrolebinding.bats

@@ -0,0 +1,62 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/ClusterRoleBinding: disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-clusterrolebinding.yaml  \
+      --set 'server.dev.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$(helm template \
+      -x templates/server-clusterrolebinding.yaml  \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$(helm template \
+      -x templates/server-clusterrolebinding.yaml  \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/ClusterRoleBinding: disable with global.enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-clusterrolebinding.yaml  \
+      --set 'global.enabled=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/ClusterRoleBinding: can enable with server.authDelegator" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-clusterrolebinding.yaml  \
+      --set 'server.authDelegator.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      -x templates/server-clusterrolebinding.yaml  \
+      --set 'server.authDelegator.enabled=true' \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      -x templates/server-clusterrolebinding.yaml  \
+      --set 'server.authDelegator.enabled=true' \
+      --set 'server.dev.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}

test/unit/server-service.bats

@@ -163,3 +163,52 @@ load _helpers
       yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+@test "server/Service: clusterIP empty by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-service.yaml \
+      --set 'server.dev.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.clusterIP' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+
+  local actual=$(helm template \
+      -x templates/server-service.yaml \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.clusterIP' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+
+  local actual=$(helm template \
+      -x templates/server-service.yaml \
+      . | tee /dev/stderr |
+      yq -r '.spec.clusterIP' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "server/Service: clusterIP can set" { 
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-service.yaml \
+      --set 'server.dev.enabled=true' \
+      --set 'server.service.clusterIP=None' \
+      . | tee /dev/stderr |
+      yq -r '.spec.clusterIP' | tee /dev/stderr)
+  [ "${actual}" = "None" ]
+
+  local actual=$(helm template \
+      -x templates/server-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.clusterIP=None' \
+      . | tee /dev/stderr |
+      yq -r '.spec.clusterIP' | tee /dev/stderr)
+  [ "${actual}" = "None" ]
+
+  local actual=$(helm template \
+      -x templates/server-service.yaml \
+      --set 'server.service.clusterIP=None' \
+      . | tee /dev/stderr |
+      yq -r '.spec.clusterIP' | tee /dev/stderr)
+  [ "${actual}" = "None" ]
+}

values.yaml

@@ -6,7 +6,7 @@ global:
   enabled: true
 
   # Image is the name (and tag) of the Vault Docker image.
-  image: "vault:1.2.0"
+  image: "vault:1.2.1"
 
 server:
   # Resource requests, limits, etc. for the server cluster placement. This
@@ -21,6 +21,12 @@ server:
   #     memory: 256Mi
   #     cpu: 250m
 
+  # authDelegator enables a cluster role binding to be attached to the service 
+  # account.  This cluster role binding can be used to setup Kubernetes auth 
+  # method.  https://www.vaultproject.io/docs/auth/kubernetes.html
+  authDelegator:
+    enabled: false
+
   # extraEnvVars is a list of extra enviroment variables to set with the stateful set. These could be
   # used to include variables required for auto-unseal.
   extraEnvironmentVars: {}
@@ -69,6 +75,13 @@ server:
   # Enables a headless service to be used by the Vault Statefulset
   service:
     enabled: true
+    # clusterIP controls whether a Cluster IP address is attached to the 
+    # Vault service within Kubernetes.  By default the Vault service will 
+    # be given a Cluster IP address, set to None to disable.  When disabled 
+    # Kubernetes will create a "headless" service.  Headless services can be 
+    # used to communicate with pods directly through DNS instead of a round robin
+    # load balancer.
+    clusterIP: ""
 
   # This configures the Vault Statefulset to create a PVC for data 
   # storage when using the file backend.
@@ -119,10 +132,11 @@ server:
     # using a stateful set. This should be HCL.
     config: |
       ui = true
-      api_addr = "http://POD_IP:8200"
+
       listener "tcp" {
         tls_disable = 1
-        address     = "0.0.0.0:8200"
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
       }
       storage "file" {
         path = "/vault/data"
@@ -152,10 +166,10 @@ server:
     # This should be HCL.
     config: |
       ui = true
-      api_addr = "http://POD_IP:8200"
       listener "tcp" {
         tls_disable = 1
-        address     = "0.0.0.0:8200"
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
       }
       storage "consul" {
         path = "vault"