From 4209cbcc2d0de21f4eee61d04d7b5e450149f73f Mon Sep 17 00:00:00 2001
From: fischerman
Date: Wed, 15 Jan 2020 11:06:54 +0100
Subject: [PATCH] make shareProcessNamespace configurable (#174)

* make shareProcessNamespace configurable

* add unit tests
---
 CHANGELOG.md                      |  4 ++++
 templates/server-statefulset.yaml |  3 +++
 test/unit/server-statefulset.bats | 27 +++++++++++++++++++++++++++
 values.yaml                       |  4 ++++
 4 files changed, 38 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 49b506f..770935f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
 
+Improvements:
+
+* Allow process namespace sharing between Vault and sidecar containers
+
 ## 0.3.3 (January 14th, 2020)
 
 Security:
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 985bf59..5ae60af 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -38,6 +38,9 @@ spec:
       {{ template "vault.nodeselector" . }}
       terminationGracePeriodSeconds: 10
       serviceAccountName: {{ template "vault.fullname" . }}
+      {{ if .Values.server.shareProcessNamespace }}
+      shareProcessNamespace: true
+      {{ end }}
       securityContext:
         runAsNonRoot: true
         runAsGroup: {{ .Values.server.gid | default 1000 }}
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 4ab9cb0..cfc0c4b 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
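Review bot: The new `{{ if .Values.server.shareProcessNamespace }}` block widens the pod's trust boundary without any accompanying warning: with a shared PID namespace every container in the pod, including any user-supplied `extraContainers`, can see the Vault process, send it any signal (not only SIGHUP), and read its `/proc/<pid>` entries, and because the pod-level `securityContext` in this hunk applies to all containers, a sidecar will normally run under Vault's own UID/GID and can then read Vault's environment and reach its container filesystem through `/proc/<pid>/root`. That is a reasonable trade-off for a trusted log-rotation sidecar, but it should be stated where operators turn the flag on, and the `values.yaml` comment in the last hunk only describes the benefit. I would extend that comment with `# Note: with a shared PID namespace every container in the pod can signal and inspect (/proc/<pid>) the Vault process and, when running as the same UID, read the Vault container's filesystem via /proc/<pid>/root; only enable this for trusted sidecars.` It is presumably also worth noting there that the field needs a Kubernetes release where process namespace sharing is available (beta and on by default since 1.12) — please confirm against the chart's supported versions.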
@@ -670,6 +670,33 @@ load _helpers
   [ "${containers_count}" = 1 ]
 }
 
+# sharedProcessNamespace
+
+@test "server/standalone-StatefulSet: shareProcessNamespace disabled by default" {
+  cd `chart_dir`
+
+  # Test that it defines it
+  local actual=$(helm template \
+      -x templates/server-statefulset.yaml \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr)
+
+  [ "${actual}" = "null" ]
+}
+
+@test "server/standalone-StatefulSet: shareProcessNamespace enabled" {
+  cd `chart_dir`
+
+  # Test that it defines it
+  local actual=$(helm template \
+      -x templates/server-statefulset.yaml \
+      --set 'server.shareProcessNamespace=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr)
+
+  [ "${actual}" = "true" ]
+}
+
 # extra labels
 
 @test "server/standalone-StatefulSet: specify extraLabels" {
diff --git a/values.yaml b/values.yaml
index d632113..2aac944 100644
--- a/values.yaml
+++ b/values.yaml
@@ -113,6 +113,10 @@ server:
   # extraContainers is a list of sidecar containers. Specified as a raw YAML string.
   extraContainers: null
 
+  # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
+  # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
+  shareProcessNamespace: false
+
   # extraArgs is a string containing additional Vault server arguments.
   extraArgs: ""