Added support for external vault (#207)

Uses Values.injector.externalVaultAddr to control the vault address
env variable and server yaml rendering.

If injector.externalVaultAddr is empty, both the injector and vault
are deployed, with the injector using the local vault. If
injector.externalVaultAddr is not empty, only the injector is
deployed, and it uses the vault at the address specified in
injector.externalVaultAddr.

templates/_helpers.tpl

@@ -51,7 +51,9 @@ Set the variable 'mode' to the server mode requested by the user to simplify
 template logic.
 */}}
 {{- define "vault.mode" -}}
-  {{- if eq (.Values.server.dev.enabled | toString) "true" -}}
+  {{- if .Values.injector.externalVaultAddr -}}
+    {{- $_ := set . "mode" "external" -}}
+  {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
     {{- $_ := set . "mode" "dev" -}}
   {{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
     {{- $_ := set . "mode" "ha" -}}

templates/injector-deployment.yaml

@@ -40,7 +40,11 @@ spec:
             - name: AGENT_INJECT_LOG_LEVEL
               value: {{ .Values.injector.logLevel | default "info" }}
             - name: AGENT_INJECT_VAULT_ADDR
+            {{- if .Values.injector.externalVaultAddr }}
+              value: "{{ .Values.injector.externalVaultAddr }}"
+            {{- else }}
               value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+            {{- end }}
             - name: AGENT_INJECT_VAULT_IMAGE
               value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
             {{- if .Values.injector.certs.secretName }}

templates/server-clusterrolebinding.yaml

@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@@ -19,3 +20,4 @@ subjects:
   name: {{ template "vault.fullname" . }}
   namespace: {{ .Release.Namespace }}
 {{ end }}
+{{ end }}

templates/server-config-configmap.yaml

@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
 {{ if or (ne .Values.server.standalone.config "")  (ne .Values.server.ha.config "") -}}
 apiVersion: v1
@@ -21,3 +22,4 @@ data:
   {{ end }}
 {{- end }}
 {{- end }}
+{{- end }}

templates/server-disruptionbudget.yaml

@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" -}}
 {{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
 # PodDisruptionBudget to prevent degrading the server cluster through
 # voluntary cluster changes.
@@ -20,3 +21,4 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       component: server
 {{- end -}}
+{{- end -}}

templates/server-ingress.yaml

@@ -1,3 +1,5 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if .Values.server.ingress.enabled -}}
 {{- $serviceName := include "vault.fullname" . -}}
 {{- $servicePort := .Values.server.service.port -}}
@@ -42,3 +44,4 @@ spec:
         {{- end }}
   {{- end }}
 {{- end }}
+{{- end }}

templates/server-service.yaml

@@ -1,3 +1,5 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
 # Service for Vault cluster
 apiVersion: v1
@@ -43,3 +45,4 @@ spec:
     app.kubernetes.io/instance: {{ .Release.Name }}
     component: server
 {{- end }}
+{{- end }}

templates/server-serviceaccount.yaml

@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
 apiVersion: v1
 kind: ServiceAccount
@@ -12,3 +13,4 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
   {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
+{{ end }}

templates/server-statefulset.yaml

@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
 # StatefulSet to run the actual vault server cluster.
 apiVersion: apps/v1
@@ -143,3 +144,4 @@ spec:
       {{- end }}
   {{ template "vault.volumeclaims" . }}
 {{ end }}
+{{ end }}

templates/ui-service.yaml

@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
 {{- if eq (.Values.ui.enabled | toString) "true" }}
 # Headless service for Vault server DNS entries. This service should only
@@ -43,3 +44,4 @@ spec:
 {{- end -}}
 
 {{ end }}
+{{ end }}

test/unit/injector-deployment.bats

@@ -154,3 +154,37 @@ load _helpers
       yq -r '.[5].name' | tee /dev/stderr)
   [ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ]
 }
+
+@test "injector/deployment: with externalVaultAddr" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[2].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ]
+
+  local actual=$(echo $object |
+      yq -r '.[2].value' | tee /dev/stderr)
+  [ "${actual}" = "http://vault-outside" ]
+}
+
+@test "injector/deployment: without externalVaultAddr" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --release-name not-external-test  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[2].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ]
+
+  local actual=$(echo $object |
+      yq -r '.[2].value' | tee /dev/stderr)
+  [ "${actual}" = "http://not-external-test-vault.default.svc:8200" ]
+}

test/unit/server-clusterrolebinding.bats

@@ -60,3 +60,13 @@ load _helpers
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
+
+@test "server/ClusterRoleBinding: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-clusterrolebinding.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}

test/unit/server-configmap.bats

@@ -82,3 +82,13 @@ load _helpers
       yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr)
   [ ! -z "${actual}" ]
 }
+
+@test "server/ConfigMap: disabled by injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-config-configmap.yaml \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}

test/unit/server-dev-statefulset.bats

@@ -23,6 +23,17 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/dev-StatefulSet: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.dev.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "server/dev-StatefulSet: image defaults to server.image.repository:tag" {
   cd `chart_dir`
   local actual=$(helm template \

test/unit/server-ha-disruptionbudget.bats

@@ -43,6 +43,16 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/DisruptionBudget: disable with injector.exernalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-disruptionbudget.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "server/DisruptionBudget: correct maxUnavailable with n=1" {
   cd `chart_dir`
   local actual=$(helm template \

test/unit/server-ha-statefulset.bats

@@ -23,6 +23,17 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/ha-StatefulSet: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.ha.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "server/ha-StatefulSet: image defaults to server.image.repository:tag" {
   cd `chart_dir`
   local actual=$(helm template \

test/unit/server-ingress.bats

@@ -11,6 +11,17 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/ingress: disable by injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-ingress.yaml  \
+      --set 'server.ingress.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "server/ingress: checking host entry gets added and path is /" {
   cd `chart_dir`
   local actual=$(helm template \

test/unit/server-service.bats

@@ -113,6 +113,36 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/Service: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.service.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.service.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.service.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 # This can be seen as testing just what we put into the YAML raw, but
 # this is such an important part of making everything work we verify it here.
 @test "server/Service: tolerates unready endpoints" {

test/unit/server-serviceaccount.bats

@@ -27,3 +27,57 @@ load _helpers
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 }
+
+@test "server/ServiceAccount: disable with global.enabled false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'global.enabled=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'global.enabled=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.enabled=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/ServiceAccount: disable by injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}

test/unit/server-statefulset.bats

@@ -32,6 +32,17 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/standalone-StatefulSet: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.standalone.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" {
   cd `chart_dir`
   local actual=$(helm template \

test/unit/ui-service.bats

@@ -53,6 +53,33 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "ui/Service: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "ui/Service: ClusterIP type by default" {
   cd `chart_dir`
   local actual=$(helm template \

values.yaml

@@ -15,6 +15,10 @@ injector:
   # True if you want to enable vault agent injection.
   enabled: true
 
+  # External vault server address for the injector to use. Setting this will
+  # disable deployment of a vault server along with the injector.
+  externalVaultAddr: ""
+
   # image sets the repo and tag of the vault-k8s image to use for the injector.
   image:
     repository: "hashicorp/vault-k8s"