Added support for external vault (#207)
Uses Values.injector.externalVaultAddr to control the vault address env variable and server yaml rendering. If injector.externalVaultAddr is empty, both the injector and vault are deployed, with the injector using the local vault. If injector.externalVaultAddr is not empty, only the injector is deployed, and it uses the vault at the address specified in injector.externalVaultAddr.
This commit is contained in:
parent
872ae7a48f
commit
2b2b0dd2fa
22 changed files with 248 additions and 1 deletions
|
@ -51,7 +51,9 @@ Set the variable 'mode' to the server mode requested by the user to simplify
|
|||
template logic.
|
||||
*/}}
|
||||
{{- define "vault.mode" -}}
|
||||
{{- if eq (.Values.server.dev.enabled | toString) "true" -}}
|
||||
{{- if .Values.injector.externalVaultAddr -}}
|
||||
{{- $_ := set . "mode" "external" -}}
|
||||
{{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
|
||||
{{- $_ := set . "mode" "dev" -}}
|
||||
{{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
|
||||
{{- $_ := set . "mode" "ha" -}}
|
||||
|
|
|
@ -40,7 +40,11 @@ spec:
|
|||
- name: AGENT_INJECT_LOG_LEVEL
|
||||
value: {{ .Values.injector.logLevel | default "info" }}
|
||||
- name: AGENT_INJECT_VAULT_ADDR
|
||||
{{- if .Values.injector.externalVaultAddr }}
|
||||
value: "{{ .Values.injector.externalVaultAddr }}"
|
||||
{{- else }}
|
||||
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
|
||||
{{- end }}
|
||||
- name: AGENT_INJECT_VAULT_IMAGE
|
||||
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
|
||||
{{- if .Values.injector.certs.secretName }}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{{ template "vault.mode" . }}
|
||||
{{- if ne .mode "external" }}
|
||||
{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
|
@ -19,3 +20,4 @@ subjects:
|
|||
name: {{ template "vault.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{{ template "vault.mode" . }}
|
||||
{{- if ne .mode "external" }}
|
||||
{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
|
||||
{{ if or (ne .Values.server.standalone.config "") (ne .Values.server.ha.config "") -}}
|
||||
apiVersion: v1
|
||||
|
@ -21,3 +22,4 @@ data:
|
|||
{{ end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{{ template "vault.mode" . }}
|
||||
{{- if ne .mode "external" -}}
|
||||
{{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
|
||||
# PodDisruptionBudget to prevent degrading the server cluster through
|
||||
# voluntary cluster changes.
|
||||
|
@ -20,3 +21,4 @@ spec:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
component: server
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
{{ template "vault.mode" . }}
|
||||
{{- if ne .mode "external" }}
|
||||
{{- if .Values.server.ingress.enabled -}}
|
||||
{{- $serviceName := include "vault.fullname" . -}}
|
||||
{{- $servicePort := .Values.server.service.port -}}
|
||||
|
@ -42,3 +44,4 @@ spec:
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
{{ template "vault.mode" . }}
|
||||
{{- if ne .mode "external" }}
|
||||
{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
|
||||
# Service for Vault cluster
|
||||
apiVersion: v1
|
||||
|
@ -43,3 +45,4 @@ spec:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
component: server
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{{ template "vault.mode" . }}
|
||||
{{- if ne .mode "external" }}
|
||||
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
|
@ -12,3 +13,4 @@ metadata:
|
|||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{ template "vault.serviceAccount.annotations" . }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{{ template "vault.mode" . }}
|
||||
{{- if ne .mode "external" }}
|
||||
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
|
||||
# StatefulSet to run the actual vault server cluster.
|
||||
apiVersion: apps/v1
|
||||
|
@ -143,3 +144,4 @@ spec:
|
|||
{{- end }}
|
||||
{{ template "vault.volumeclaims" . }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{{ template "vault.mode" . }}
|
||||
{{- if ne .mode "external" }}
|
||||
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
|
||||
{{- if eq (.Values.ui.enabled | toString) "true" }}
|
||||
# Headless service for Vault server DNS entries. This service should only
|
||||
|
@ -43,3 +44,4 @@ spec:
|
|||
{{- end -}}
|
||||
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
|
|
|
@ -154,3 +154,37 @@ load _helpers
|
|||
yq -r '.[5].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ]
|
||||
}
|
||||
|
||||
@test "injector/deployment: with externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local object=$(helm template \
|
||||
--show-only templates/injector-deployment.yaml \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[2].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[2].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "http://vault-outside" ]
|
||||
}
|
||||
|
||||
@test "injector/deployment: without externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local object=$(helm template \
|
||||
--show-only templates/injector-deployment.yaml \
|
||||
--release-name not-external-test \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[2].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[2].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "http://not-external-test-vault.default.svc:8200" ]
|
||||
}
|
||||
|
|
|
@ -60,3 +60,13 @@ load _helpers
|
|||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/ClusterRoleBinding: disable with injector.externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-clusterrolebinding.yaml \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
|
|
@ -82,3 +82,13 @@ load _helpers
|
|||
yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr)
|
||||
[ ! -z "${actual}" ]
|
||||
}
|
||||
|
||||
@test "server/ConfigMap: disabled by injector.externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-config-configmap.yaml \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
|
|
@ -23,6 +23,17 @@ load _helpers
|
|||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/dev-StatefulSet: disable with injector.externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-statefulset.yaml \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
--set 'server.dev.enabled=true' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/dev-StatefulSet: image defaults to server.image.repository:tag" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
|
|
|
@ -43,6 +43,16 @@ load _helpers
|
|||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/DisruptionBudget: disable with injector.exernalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-disruptionbudget.yaml \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/DisruptionBudget: correct maxUnavailable with n=1" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
|
|
|
@ -23,6 +23,17 @@ load _helpers
|
|||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/ha-StatefulSet: disable with injector.externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-statefulset.yaml \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
--set 'server.ha.enabled=true' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/ha-StatefulSet: image defaults to server.image.repository:tag" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
|
|
|
@ -11,6 +11,17 @@ load _helpers
|
|||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/ingress: disable by injector.externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-ingress.yaml \
|
||||
--set 'server.ingress.enabled=true' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/ingress: checking host entry gets added and path is /" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
|
|
|
@ -113,6 +113,36 @@ load _helpers
|
|||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/Service: disable with injector.externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--set 'server.dev.enabled=true' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
--set 'server.service.enabled=true' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--set 'server.ha.enabled=true' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
--set 'server.service.enabled=true' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--set 'server.standalone.enabled=true' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
--set 'server.service.enabled=true' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
# This can be seen as testing just what we put into the YAML raw, but
|
||||
# this is such an important part of making everything work we verify it here.
|
||||
@test "server/Service: tolerates unready endpoints" {
|
||||
|
|
|
@ -27,3 +27,57 @@ load _helpers
|
|||
yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
@test "server/ServiceAccount: disable with global.enabled false" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--set 'server.dev.enabled=true' \
|
||||
--set 'global.enabled=false' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--set 'server.ha.enabled=true' \
|
||||
--set 'global.enabled=false' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--set 'server.standalone.enabled=true' \
|
||||
--set 'global.enabled=false' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/ServiceAccount: disable by injector.externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--set 'server.dev.enabled=true' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--set 'server.ha.enabled=true' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--set 'server.standalone.enabled=true' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
|
|
@ -32,6 +32,17 @@ load _helpers
|
|||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: disable with injector.externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-statefulset.yaml \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
--set 'server.standalone.enabled=true' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
|
|
|
@ -53,6 +53,33 @@ load _helpers
|
|||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "ui/Service: disable with injector.externalVaultAddr" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/ui-service.yaml \
|
||||
--set 'server.dev.enabled=true' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/ui-service.yaml \
|
||||
--set 'server.ha.enabled=true' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/ui-service.yaml \
|
||||
--set 'server.standalone.enabled=true' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "ui/Service: ClusterIP type by default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
|
|
|
@ -15,6 +15,10 @@ injector:
|
|||
# True if you want to enable vault agent injection.
|
||||
enabled: true
|
||||
|
||||
# External vault server address for the injector to use. Setting this will
|
||||
# disable deployment of a vault server along with the injector.
|
||||
externalVaultAddr: ""
|
||||
|
||||
# image sets the repo and tag of the vault-k8s image to use for the injector.
|
||||
image:
|
||||
repository: "hashicorp/vault-k8s"
|
||||
|
|
Loading…
Reference in a new issue