Target vault-csi-provider release 0.1.0 (#475)

Tom Proctor 2021-03-25 13:02:36 +00:00 committed by GitHub
parent 2ddac08c51
commit 102f9e49e2
7 changed files with 13 additions and 46 deletions


@ -47,7 +47,6 @@ spec:
mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- if .Values.csi.livenessProbe.enabled }}
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /health/ready path: /health/ready
@ -57,8 +56,6 @@ spec:
periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
{{- end }}
{{- if .Values.csi.readinessProbe.enabled }}
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /health/ready path: /health/ready
@ -68,7 +65,6 @@ spec:
periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
{{- end }}
volumes: volumes:
- name: providervol - name: providervol
hostPath: hostPath:
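Review bot: With the `{{- if .Values.csi.livenessProbe.enabled }}` / `{{- end }}` guards removed, both probes are rendered unconditionally, and the livenessProbe still targets the readiness endpoint (`path: /health/ready` appears under both livenessProbe and readinessProbe). A liveness check on a readiness endpoint restarts the container whenever the readiness condition is unmet, so if the provider's readiness depends on anything outside its own process, a transient outage becomes a restart loop; if the 0.1.0 provider exposes a separate liveness endpoint, livenessProbe should point there, and if it does not, a comment above the block saying the two paths are intentionally the same would stop the next reader from "fixing" it. The same guard removal applies to the readinessProbe hunks at @ -57 and @ -68. The container spec these probes belong to starts and ends outside the hunks.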


@ -10,6 +10,7 @@ metadata:
name: nginx name: nginx
spec: spec:
terminationGracePeriodSeconds: 0 terminationGracePeriodSeconds: 0
serviceAccountName: nginx
containers: containers:
- image: docker.mirror.hashicorp.services/nginx - image: docker.mirror.hashicorp.services/nginx
name: nginx name: nginx
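Review bot: `serviceAccountName: nginx` makes pod admission depend on a ServiceAccount named nginx existing in the acceptance namespace, and nothing in this commit creates it; if it is not defined in a manifest outside the diff, the pod is rejected before any CSI mount is attempted. The acceptance script binds the Vault role to this same account (`bound_service_account_names=nginx`), so the two values have to move together; a one-line comment above the field would make that coupling visible: `# must match bound_service_account_names in the kubernetes auth role (see csi-test acceptance script)`. The Pod spec continues outside the hunk.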


@ -9,7 +9,6 @@ spec:
roleName: "kv-role" roleName: "kv-role"
vaultAddress: http://vault:8200 vaultAddress: http://vault:8200
objects: | objects: |
array: - objectName: "bar"
- | secretPath: "secret/data/kv1"
objectName: "bar1" secretKey: "bar1"
objectPath: "v1/secret/kv1"
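Review bot: The new `objects` value is still a literal block string (`objects: |`) that the provider parses itself, so the YAML loader does not validate the list inside it and a typo in `objectName`, `secretPath` or `secretKey` surfaces only at mount time. A comment above the block naming what each key is for would make the fixture self-explanatory, e.g. `# one entry per mounted file: objectName = file name under the mount, secretPath = Vault logical path, secretKey = presumably the key inside the data map`. The `secretPath` value matches the single path the tightened policy grants, which is all this fixture needs. The SecretProviderClass spec starts outside the hunk.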


@ -1,7 +1,3 @@
path "sys/mounts" { path "secret/data/kv1" {
capabilities = ["read"]
}
path "secret/*" {
capabilities = ["read"] capabilities = ["read"]
} }
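Review bot: The policy is now a single `path "secret/data/kv1"` stanza with `capabilities = ["read"]`, dropping the `sys/mounts` read and the `secret/*` wildcard, which is the right least-privilege shape for a test that reads one secret. A short header comment recording why the broader grants went away would keep a future contributor from widening it again when something fails, e.g. `# Read access to the single KV v2 test secret only; sys/mounts is no longer needed (presumably the 0.1.0 provider addresses secrets by logical path instead of discovering mounts).` The "presumably" should be confirmed against the provider before the comment is committed.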


@ -9,11 +9,10 @@ load _helpers
kubectl create namespace acceptance kubectl create namespace acceptance
# Install Secrets Store CSI driver # Install Secrets Store CSI driver
helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.19.tgz?raw=true \ helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.20.tgz?raw=true \
--wait --timeout=5m \ --wait --timeout=5m \
--namespace=acceptance \ --namespace=acceptance \
--set linux.image.pullPolicy="IfNotPresent" \ --set linux.image.pullPolicy="IfNotPresent"
--set grpcSupportedProviders="azure;gcp;vault"
# Install Vault and Vault provider # Install Vault and Vault provider
helm install vault \ helm install vault \
--wait --timeout=5m \ --wait --timeout=5m \
@ -30,9 +29,10 @@ load _helpers
kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
disable_iss_validation=true'
kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
bound_service_account_names=vault-csi-provider \ bound_service_account_names=nginx \
bound_service_account_namespaces=acceptance \ bound_service_account_namespaces=acceptance \
policies=kv-policy \ policies=kv-policy \
ttl=20m ttl=20m
@ -42,7 +42,7 @@ load _helpers
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar1) result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
[[ "$result" == "hello1" ]] [[ "$result" == "hello1" ]]
} }
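Review bot: `disable_iss_validation=true` in the `vault write auth/kubernetes/config` call turns off issuer checking of the service-account JWTs Vault receives, and the script gives no reason for it; presumably the tokens the provider now presents carry an `iss` that differs from the reviewer token's, but that belongs inline, e.g. `# disable_iss_validation: tokens presented by the provider may carry a different iss than the legacy SA token; confirm the issuer before reusing this config outside the test cluster`. Separately, the driver chart is still fetched from a `blob/master/...tgz?raw=true` URL with no checksum, so the bump to 0.0.20 pins a file name but not the bytes; `helm install --version 0.0.20` against the driver's chart repository, or a `--verify`'d archive, would make the install reproducible. The role now uses `bound_service_account_names=nginx`, which depends on the `serviceAccountName` added to nginx.yaml in this same commit. The test function continues outside the hunks.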


@ -248,23 +248,6 @@ load _helpers
#-------------------------------------------------------------------- #--------------------------------------------------------------------
# Readiness/liveness probes # Readiness/liveness probes
@test "csi/daemonset: csi.livenessProbe and csi.readinessProbe default to disabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr)
[ "${actual}" = "null" ]
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "csi/daemonset: csi.livenessProbe is configurable" { @test "csi/daemonset: csi.livenessProbe is configurable" {
cd `chart_dir` cd `chart_dir`
@ -272,7 +255,6 @@ load _helpers
local object=$(helm template \ local object=$(helm template \
--show-only templates/csi-daemonset.yaml \ --show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \ --set 'csi.enabled=true' \
--set 'csi.livenessProbe.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr)
@ -296,7 +278,6 @@ load _helpers
local object=$(helm template \ local object=$(helm template \
--show-only templates/csi-daemonset.yaml \ --show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \ --set 'csi.enabled=true' \
--set 'csi.livenessProbe.enabled=true' \
--set 'csi.livenessProbe.failureThreshold=10' \ --set 'csi.livenessProbe.failureThreshold=10' \
--set 'csi.livenessProbe.initialDelaySeconds=11' \ --set 'csi.livenessProbe.initialDelaySeconds=11' \
--set 'csi.livenessProbe.periodSeconds=12' \ --set 'csi.livenessProbe.periodSeconds=12' \
@ -329,7 +310,6 @@ load _helpers
local object=$(helm template \ local object=$(helm template \
--show-only templates/csi-daemonset.yaml \ --show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \ --set 'csi.enabled=true' \
--set 'csi.readinessProbe.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr)
@ -353,7 +333,6 @@ load _helpers
local object=$(helm template \ local object=$(helm template \
--show-only templates/csi-daemonset.yaml \ --show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \ --set 'csi.enabled=true' \
--set 'csi.readinessProbe.enabled=true' \
--set 'csi.readinessProbe.failureThreshold=10' \ --set 'csi.readinessProbe.failureThreshold=10' \
--set 'csi.readinessProbe.initialDelaySeconds=11' \ --set 'csi.readinessProbe.initialDelaySeconds=11' \
--set 'csi.readinessProbe.periodSeconds=12' \ --set 'csi.readinessProbe.periodSeconds=12' \
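Review bot: With the `--set 'csi.livenessProbe.enabled=true'` and `--set 'csi.readinessProbe.enabled=true'` overrides dropped, the test titled "csi.livenessProbe is configurable" (body at the @ -272 hunk) and its readinessProbe counterpart at @ -329 are now the only ones exercising default rendering, and the deleted "default to disabled" test has no replacement that states the new default explicitly. Retitling them would document the contract, e.g. `@test "csi/daemonset: csi.livenessProbe is rendered by default" {`, or alternatively a one-line default-state test asserting the probe object is not `null` could stand in for the deleted one. Each @test body continues outside its hunk.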


@ -652,8 +652,8 @@ csi:
enabled: false enabled: false
image: image:
repository: "hashicorp/secrets-store-csi-driver-provider-vault" repository: "hashicorp/vault-csi-provider"
tag: "0.0.7" tag: "0.1.0"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# extraVolumes is a list of extra volumes to mount. These will be exposed # extraVolumes is a list of extra volumes to mount. These will be exposed
@ -696,8 +696,6 @@ csi:
# Used to configure readinessProbe for the pods. # Used to configure readinessProbe for the pods.
readinessProbe: readinessProbe:
# Vault CSI provider does not support a readiness probe in versions <= 0.7.0
enabled: false
failureThreshold: 2 failureThreshold: 2
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
@ -705,8 +703,6 @@ csi:
timeoutSeconds: 3 timeoutSeconds: 3
# Used to configure livenessProbe for the pods. # Used to configure livenessProbe for the pods.
livenessProbe: livenessProbe:
# Vault CSI provider does not support a liveness probe in versions <= 0.7.0
enabled: false
failureThreshold: 2 failureThreshold: 2
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
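Review bot: Removing `enabled: false` from `readinessProbe` and `livenessProbe` means a user whose values file still sets `csi.livenessProbe.enabled: false` gets no error and no effect, since the template no longer reads the key and unknown values are silently accepted unless the chart ships a values schema. A comment under each `# Used to configure ... for the pods.` line would make the behaviour change visible on upgrade: `# Probes are always rendered as of vault-csi-provider 0.1.0; an 'enabled' key here is no longer read.` The new `tag: "0.1.0"` is correctly kept as a quoted string so it is not retyped as a float.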