Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

make shareProcessNamespace configurable (#174)

Browse source 
* make shareProcessNamespace configurable

* add unit tests
This commit is contained in:
fischerman 2020-01-15 11:06:54 +01:00 committed by Jason O'Donnell
parent 1f68852dc2
commit 4209cbcc2d
4 changed files with 38 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -1,5 +1,9 @@
## Unreleased ## Unreleased
Improvements:
* Allow process namespace sharing between Vault and sidecar containers
## 0.3.3 (January 14th, 2020) ## 0.3.3 (January 14th, 2020)
Security: Security:

3
templates/server-statefulset.yaml
View file

@ -38,6 +38,9 @@ spec:
{{ template "vault.nodeselector" . }} {{ template "vault.nodeselector" . }}
terminationGracePeriodSeconds: 10 terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "vault.fullname" . }} serviceAccountName: {{ template "vault.fullname" . }}
{{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true
{{ end }}
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }} runAsGroup: {{ .Values.server.gid | default 1000 }}

27
test/unit/server-statefulset.bats
View file

@ -670,6 +670,33 @@ load _helpers
[ "${containers_count}" = 1 ] [ "${containers_count}" = 1 ]
} }
# sharedProcessNamespace
@test "server/standalone-StatefulSet: shareProcessNamespace disabled by default" {
cd `chart_dir`
# Test that it defines it
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "server/standalone-StatefulSet: shareProcessNamespace enabled" {
cd `chart_dir`
# Test that it defines it
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.shareProcessNamespace=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
# extra labels # extra labels
@test "server/standalone-StatefulSet: specify extraLabels" { @test "server/standalone-StatefulSet: specify extraLabels" {

4
values.yaml
View file

@ -113,6 +113,10 @@ server:
# extraContainers is a list of sidecar containers. Specified as a raw YAML string. # extraContainers is a list of sidecar containers. Specified as a raw YAML string.
extraContainers: null extraContainers: null
# shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
shareProcessNamespace: false
# extraArgs is a string containing additional Vault server arguments. # extraArgs is a string containing additional Vault server arguments.
extraArgs: "" extraArgs: ""