Add optional long lived SA token (#923)

---------

Co-authored-by: Caleb Gill <cgill@stavvy.com>
This commit is contained in:
gillcaleb 2023-08-17 09:05:50 -04:00 committed by GitHub
parent ec964a33ea
commit 1e12d49d74
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 118 additions and 0 deletions


@ -82,6 +82,17 @@ Compute if the server serviceaccount is enabled.
(eq (.Values.global.enabled | toString) "true"))) -}} (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}} {{- end -}}
{{/*
Compute if the server serviceaccount should have a token created and mounted to the serviceaccount.
*/}}
{{- define "vault.serverServiceAccountSecretCreationEnabled" -}}
{{- $_ := set . "serverServiceAccountSecretCreationEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true")
(eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}}
{{- end -}}
{{/* {{/*
Compute if the server auth delegator serviceaccount is enabled. Compute if the server auth delegator serviceaccount is enabled.
*/}} */}}
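Review bot: The new helper `vault.serverServiceAccountSecretCreationEnabled` gates the Secret only on `server.serviceAccount.create` and `server.serviceAccount.createSecret`, whereas the enabled helper just above it (its define line is outside the hunk) also consults `.Values.global.enabled`, as the first context line shows. With `global.enabled=false` (and presumably `server.enabled=false`, if the preceding helper checks that too) the ServiceAccount is skipped but a `kubernetes.io/service-account-token` Secret pointing at it would still be rendered; I believe the API server's ServiceAccount admission rejects a token Secret whose ServiceAccount does not exist, so the install would fail rather than silently create an orphan credential, but either outcome is surprising. Suggest invoking the preceding enabled helper first and adding its computed flag as a third operand of the `and`, and covering `global.enabled=false` in the new bats file.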


@ -0,0 +1,21 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverServiceAccountSecretCreationEnabled" . }}
{{- if .serverServiceAccountSecretCreationEnabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "vault.serviceAccount.name" . }}-token
namespace: {{ include "vault.namespace" . }}
annotations:
kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
type: kubernetes.io/service-account-token
{{ end }}
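Review bot: The template has no comment explaining that the `data` of this `kubernetes.io/service-account-token` Secret is populated server-side by the control plane and that, unlike the projected tokens the chart otherwise relies on, it never expires; a maintainer reading only this file cannot tell that from the manifest. Suggest a short header comment after the license block, along the lines of `{{/* Long-lived, non-expiring token for the server ServiceAccount; the token value is generated by Kubernetes, not by Helm. Rotation requires deleting and re-creating this Secret. Opt-in via server.serviceAccount.createSecret. */}}`. The closing `{{ end }}` could also use the same `{{- ... -}}` trimming as the opening `{{- if ... -}}` for consistency, though the extra newline is harmless.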


@ -0,0 +1,77 @@
#!/usr/bin/env bats
load _helpers
@test "server/ServiceAccountSecret: verify service account name match" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-serviceaccount-secret.yaml \
--set 'server.dev.enabled=true' \
--set 'server.serviceAccount.create=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(helm template \
--show-only templates/server-serviceaccount-secret.yaml \
--set 'server.dev.enabled=true' \
--set 'server.serviceAccount.name=user-defined-ksa' \
--set 'server.serviceAccount.createSecret=true' \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "user-defined-ksa-token" ]
local actual=$(helm template \
--show-only templates/server-serviceaccount-secret.yaml \
--set 'server.dev.enabled=true' \
--set 'server.serviceAccount.createSecret=true' \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-token" ]
}
@test "server/ServiceAccountSecret: annotation mapping to service account" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-serviceaccount-secret.yaml \
--set 'server.dev.enabled=true' \
--set 'server.serviceAccount.name=user-defined-ksa' \
--set 'server.serviceAccount.createSecret=true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr)
[ "${actual}" = "user-defined-ksa" ]
local actual=$(helm template \
--show-only templates/server-serviceaccount-secret.yaml \
--set 'server.dev.enabled=true' \
--set 'server.serviceAccount.createSecret=true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ]
}
@test "server/ServiceAccountSecret: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-serviceaccount-secret.yaml \
--set 'server.serviceAccount.create=true' \
--set 'server.serviceAccount.createSecret=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-serviceaccount-secret.yaml \
--set 'server.serviceAccount.create=true' \
--set 'server.serviceAccount.createSecret=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
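Review bot: The new tests never exercise the default path: every case that expects a rendered Secret sets `createSecret=true`, and the only negative case disables `create`, so a regression that rendered the Secret with `createSecret` left at its default `false` (or that dropped `type: kubernetes.io/service-account-token`) would pass. Suggest adding a "disabled by default" case in the shape of the first assertion, and asserting `.type` in one of the positive cases, e.g. `yq -r '.type'` compared against `kubernetes.io/service-account-token`. The `cd \`chart_dir\`` and `local actual=$(...)` forms are presumably the convention of the existing bats files in this directory, so I would not change them here.
```shell
@test "server/ServiceAccountSecret: not created by default" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/server-serviceaccount-secret.yaml \
      --set 'server.serviceAccount.create=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}
```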


@ -985,6 +985,9 @@
"extraLabels": { "extraLabels": {
"type": "object" "type": "object"
}, },
"createSecret": {
"type": "boolean"
},
"name": { "name": {
"type": "string" "type": "string"
}, },


@ -917,6 +917,12 @@ server:
# The name of the service account to use. # The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template # If not set and create is true, a name is generated using the fullname template
name: "" name: ""
# Create a Secret API object to store a non-expiring token for the service account.
# Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default.
# Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible.
# For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
# serviceAccount.create must be equal to 'true' in order to use this feature.
createSecret: false
# Extra annotations for the serviceAccount definition. This can either be # Extra annotations for the serviceAccount definition. This can either be
# YAML or a YAML-formatted multi-line templated string map of the # YAML or a YAML-formatted multi-line templated string map of the
# annotations to apply to the serviceAccount. # annotations to apply to the serviceAccount.
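Review bot: The comment block above `createSecret` explains the security trade-off but does not tell operators which object the option creates, which they need in order to audit or rotate the credential. Based on the Secret template in this commit, suggest appending `# When enabled, a Secret named "<service account name>-token" is created in the chart namespace.` so the name is discoverable from values.yaml alone.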