Set VAULT_ADDR env var for CSI Provider pods (#745)

2022-06-07 10:16:37 +01:00 · 2022-06-07 10:16:37 +01:00 · 44a07b8970
commit 44a07b8970
parent d78a292f47
8 changed files with 85 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,11 +1,13 @@
 ## Unreleased

 CHANGES:
-* Start testing against Kubernetes 1.24
+* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
+* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
+* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)

 ## 0.20.1 (May 25th, 2022)
 CHANGES:
-* `vault-k8s` updated to 0.16.1
+* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739)

 Improvements:
 * Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -122,7 +122,7 @@ template logic.
 */}}
 {{- define "vault.mode" -}}
  {{- template "vault.serverEnabled" . -}}
-  {{- if .Values.injector.externalVaultAddr -}}
+  {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}
    {{- $_ := set . "mode" "external" -}}
  {{- else if not .serverEnabled -}}
    {{- $_ := set . "mode" "external" -}}
--- a/templates/csi-daemonset.yaml
+++ b/templates/csi-daemonset.yaml
@ -50,6 +50,13 @@ spec:
            {{- if .Values.csi.extraArgs }}
              {{- toYaml .Values.csi.extraArgs | nindent 12 }}
            {{- end }}
+          env:
+            - name: VAULT_ADDR
+            {{- if .Values.global.externalVaultAddr }}
+              value: "{{ .Values.global.externalVaultAddr }}"
+            {{- else }}
+              value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+            {{- end }}
          volumeMounts:
            - name: providervol
              mountPath: "/provider"
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@ -60,7 +60,9 @@ spec:
            - name: AGENT_INJECT_LOG_LEVEL
              value: {{ .Values.injector.logLevel | default "info" }}
            - name: AGENT_INJECT_VAULT_ADDR
-            {{- if .Values.injector.externalVaultAddr }}
+            {{- if .Values.global.externalVaultAddr }}
+              value: "{{ .Values.global.externalVaultAddr }}"
+            {{- else if .Values.injector.externalVaultAddr }}
              value: "{{ .Values.injector.externalVaultAddr }}"
            {{- else }}
              value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
@ -563,3 +563,32 @@ load _helpers
      yq -r '.timeoutSeconds' | tee /dev/stderr)
  [ "${actual}" = "14" ]
 }
+
+@test "csi/daemonset: with only injector.externalVaultAddr" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/csi-daemonset.yaml \
+      --set 'csi.enabled=true' \
+      --release-name not-external-test \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local value=$(echo $object |
+      yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
+  [ "${value}" = "http://not-external-test-vault.default.svc:8200" ]
+}
+
+@test "csi/daemonset: with global.externalVaultAddr" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/csi-daemonset.yaml \
+      --set 'csi.enabled=true' \
+      --set 'global.externalVaultAddr=http://vault-outside' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local value=$(echo $object |
+      yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
+  [ "${value}" = "http://vault-outside" ]
+}
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@ -209,6 +209,33 @@ load _helpers
  [ "${value}" = "http://vault-outside" ]
 }

+@test "injector/deployment: with global.externalVaultAddr" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'global.externalVaultAddr=http://vault-outside' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local value=$(echo $object |
+      yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
+  [ "${value}" = "http://vault-outside" ]
+}
+
+@test "injector/deployment: global.externalVaultAddr takes precendence over injector.externalVaultAddr" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'global.externalVaultAddr=http://global-vault-outside' \
+      --set 'injector.externalVaultAddr=http://injector-vault-outside' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local value=$(echo $object |
+      yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
+  [ "${value}" = "http://global-vault-outside" ]
+}
+
@test "injector/deployment: without externalVaultAddr" {
  cd `chart_dir`
  local object=$(helm template \
--- a/values.schema.json
+++ b/values.schema.json
@ -185,6 +185,9 @@
                },
                "tlsDisable": {
                    "type": "boolean"
+                },
+                "externalVaultAddr": {
+                    "type": "string"
                }
            }
        },
--- a/values.yaml
+++ b/values.yaml
@ -4,15 +4,23 @@ global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  enabled: true
+
  # Image pull secret to use for registry authentication.
  # Alternatively, the value may be specified as an array of strings.
  imagePullSecrets: []
  # imagePullSecrets:
  #   - name: image-pull-secret
+
  # TLS for end-to-end encrypted transport
  tlsDisable: true
+
+  # External vault server address for the injector and CSI provider to use.
+  # Setting this will disable deployment of a vault server.
+  externalVaultAddr: ""
+
  # If deploying to OpenShift
  openshift: false
+
  # Create PodSecurityPolicy for pods
  psp:
    enable: false
@ -43,8 +51,7 @@ injector:
  metrics:
    enabled: false

-  # External vault server address for the injector to use. Setting this will
-  # disable deployment of a vault server along with the injector.
+  # Deprecated: Please use global.externalVaultAddr instead.
  externalVaultAddr: ""

  # image sets the repo and tag of the vault-k8s image to use for the injector.
@ -946,4 +953,6 @@ csi:
  debug: false

  # Pass arbitrary additional arguments to vault-csi-provider.
+  # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments
+  # for the available command line flags.
  extraArgs: []