Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Address K8s Deprecation of Kubelet security controls. Remove Whitespaces. (#24)

Browse source
This commit is contained in:
Miroslav E. Hadzhiev 2019-08-22 18:05:31 +03:00 committed by Jason O'Donnell
parent 10046f8886
commit 4b12c39099
12 changed files with 61 additions and 61 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -31,12 +31,12 @@ Bugs:
Features: Features:
* Added `authDelegator` Cluster Role Binding to Vault service account for * Added `authDelegator` Cluster Role Binding to Vault service account for
bootstrapping Kube auth method bootstrapping Kube auth method
Improvements: Improvements:
* Added `server.service.clusterIP` to `values.yml` so users can toggle * Added `server.service.clusterIP` to `values.yml` so users can toggle
the Vault service to headless by using the value `None`. the Vault service to headless by using the value `None`.
* Upgraded Vault to 1.2.1 * Upgraded Vault to 1.2.1

4
CONTRIBUTING.md
View file

@ -8,7 +8,7 @@ disclose by contacting us at security@hashicorp.com.
issue or pull request anyways. You won't be yelled at for giving it your best issue or pull request anyways. You won't be yelled at for giving it your best
effort. The worst that can happen is that you'll be politely asked to change effort. The worst that can happen is that you'll be politely asked to change
something. We appreciate any sort of contributions, and don't want a wall of something. We appreciate any sort of contributions, and don't want a wall of
rules to get in the way of that. rules to get in the way of that.
That said, if you want to ensure that a pull request is likely to be merged, That said, if you want to ensure that a pull request is likely to be merged,
talk to us! You can find out our thoughts and ensure that your contribution talk to us! You can find out our thoughts and ensure that your contribution
@ -29,7 +29,7 @@ quickly merge or address your contributions.
against `master`, as bugs are fixed regularly but new versions are only against `master`, as bugs are fixed regularly but new versions are only
released every few months. released every few months.
* Provide steps to reproduce the issue, and if possible include the expected * Provide steps to reproduce the issue, and if possible include the expected
results as well as the actual results. Please provide text, not screen shots! results as well as the actual results. Please provide text, not screen shots!
* Respond as promptly as possible to any questions made by the Vault * Respond as promptly as possible to any questions made by the Vault

4
templates/NOTES.txt
View file

@ -1,8 +1,8 @@
Thank you for installing HashiCorp Vault! Thank you for installing HashiCorp Vault!
Now that you have deployed Vault, you should look over the docs on using Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here: Vault with Kubernetes available here:
https://www.vaultproject.io/docs/ https://www.vaultproject.io/docs/

26
templates/_helpers.tpl
View file

@ -47,7 +47,7 @@ Add a special case for replicas=1, where it should default to 0 as well.
{{- end -}} {{- end -}}
{{/* {{/*
Set the variable 'mode' to the server mode requested by the user to simplify Set the variable 'mode' to the server mode requested by the user to simplify
template logic. template logic.
*/}} */}}
{{- define "vault.mode" -}} {{- define "vault.mode" -}}
@ -76,8 +76,8 @@ Set's the replica count based on the different modes configured by user
{{- end -}} {{- end -}}
{{/* {{/*
Set's fsGroup based on different modes. Standalone is the only mode Set's fsGroup based on different modes. Standalone is the only mode
that requires fsGroup at this time because it uses PVC for the file that requires fsGroup at this time because it uses PVC for the file
storage backend. storage backend.
*/}} */}}
{{- define "vault.fsgroup" -}} {{- define "vault.fsgroup" -}}
@ -87,8 +87,8 @@ storage backend.
{{- end -}} {{- end -}}
{{/* {{/*
Set's up configmap mounts if this isn't a dev deployment and the user Set's up configmap mounts if this isn't a dev deployment and the user
defined a custom configuration. Additionally iterates over any defined a custom configuration. Additionally iterates over any
extra volumes the user may have specified (such as a secret with TLS). extra volumes the user may have specified (such as a secret with TLS).
*/}} */}}
{{- define "vault.volumes" -}} {{- define "vault.volumes" -}}
@ -109,8 +109,8 @@ extra volumes the user may have specified (such as a secret with TLS).
{{- end -}} {{- end -}}
{{/* {{/*
Set's a command to override the entrypoint defined in the image Set's a command to override the entrypoint defined in the image
so we can make the user experience nicer. This works in with so we can make the user experience nicer. This works in with
"vault.args" to specify what commands /bin/sh should run. "vault.args" to specify what commands /bin/sh should run.
*/}} */}}
{{- define "vault.command" -}} {{- define "vault.command" -}}
@ -121,14 +121,14 @@ so we can make the user experience nicer. This works in with
{{- end -}} {{- end -}}
{{/* {{/*
Set's the args for custom command to render the Vault configuration Set's the args for custom command to render the Vault configuration
file with IP addresses to make the out of box experience easier file with IP addresses to make the out of box experience easier
for users looking to use this chart with Consul Helm. for users looking to use this chart with Consul Helm.
*/}} */}}
{{- define "vault.args" -}} {{- define "vault.args" -}}
{{ if or (eq .mode "standalone") (eq .mode "ha") }} {{ if or (eq .mode "standalone") (eq .mode "ha") }}
- | - |
sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl; sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl;
sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl; sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl;
chown vault:vault /tmp/storageconfig.hcl; chown vault:vault /tmp/storageconfig.hcl;
/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl
@ -146,7 +146,7 @@ Set's additional environment variables based on the mode.
{{- end -}} {{- end -}}
{{/* {{/*
Set's which additional volumes should be mounted to the container Set's which additional volumes should be mounted to the container
based on the mode configured. based on the mode configured.
*/}} */}}
{{- define "vault.mounts" -}} {{- define "vault.mounts" -}}
@ -172,8 +172,8 @@ based on the mode configured.
{{- end -}} {{- end -}}
{{/* {{/*
Set's up the volumeClaimTemplates when data or audit storage is required. HA Set's up the volumeClaimTemplates when data or audit storage is required. HA
might not use data storage since Consul is likely it's backend, however, audit might not use data storage since Consul is likely it's backend, however, audit
storage might be desired by the user. storage might be desired by the user.
*/}} */}}
{{- define "vault.volumeclaims" -}} {{- define "vault.volumeclaims" -}}

2
templates/server-statefulset.yaml
View file

@ -44,7 +44,7 @@ spec:
- name: vault - name: vault
{{ template "vault.resources" . }} {{ template "vault.resources" . }}
securityContext: securityContext:
privileged: true allowPrivilegeEscalation: true
image: "{{ .Values.global.image }}" image: "{{ .Values.global.image }}"
command: {{ template "vault.command" . }} command: {{ template "vault.command" . }}
args: {{ template "vault.args" . }} args: {{ template "vault.args" . }}

2
test/acceptance/server-dev.bats
View file

@ -52,5 +52,5 @@ load _helpers
teardown() { teardown() {
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete --purge vault helm delete --purge vault
kubectl delete --all pvc kubectl delete --all pvc
} }

10
test/acceptance/server-ha.bats
View file

@ -4,7 +4,7 @@ load _helpers
@test "server/ha: testing deployment" { @test "server/ha: testing deployment" {
cd `chart_dir` cd `chart_dir`
helm install --name="$(name_prefix)" \ helm install --name="$(name_prefix)" \
--set='server.ha.enabled=true' . --set='server.ha.enabled=true' .
wait_for_running $(name_prefix)-0 wait_for_running $(name_prefix)-0
@ -71,7 +71,7 @@ load _helpers
# Vault Unseal # Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
kubectl exec -ti ${pod} -- vault operator unseal ${token} kubectl exec -ti ${pod} -- vault operator unseal ${token}
done done
@ -95,12 +95,12 @@ setup() {
--name consul \ --name consul \
--set 'ui.enabled=false' \ --set 'ui.enabled=false' \
wait_for_running_consul wait_for_running_consul
} }
#cleanup #cleanup
teardown() { teardown() {
helm delete --purge vault helm delete --purge vault
helm delete --purge consul helm delete --purge consul
kubectl delete --all pvc kubectl delete --all pvc
} }

12
test/acceptance/server.bats
View file

@ -8,11 +8,11 @@ load _helpers
wait_for_running $(name_prefix)-0 wait_for_running $(name_prefix)-0
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "true" ] [ "${sealed_status}" == "true" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
@ -21,7 +21,7 @@ load _helpers
jq -r '.spec.replicas') jq -r '.spec.replicas')
[ "${replicas}" == "1" ] [ "${replicas}" == "1" ]
# Affinity # Affinity
local affinity=$(kubectl get statefulset "$(name_prefix)" --output json | local affinity=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.affinity') jq -r '.spec.template.spec.affinity')
[ "${affinity}" != "null" ] [ "${affinity}" != "null" ]
@ -34,7 +34,7 @@ load _helpers
local mountName=$(kubectl get statefulset "$(name_prefix)" --output json | local mountName=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts[0].name') jq -r '.spec.template.spec.containers[0].volumeMounts[0].name')
[ "${mountName}" == "data" ] [ "${mountName}" == "data" ]
local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json | local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath') jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath')
[ "${mountPath}" == "/vault/data" ] [ "${mountPath}" == "/vault/data" ]
@ -107,5 +107,5 @@ load _helpers
teardown() { teardown() {
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete --purge vault helm delete --purge vault
kubectl delete --all pvc kubectl delete --all pvc
} }

2
test/unit/server-dev-statefulset.bats
View file

@ -211,7 +211,7 @@ load _helpers
} }
#-------------------------------------------------------------------- #--------------------------------------------------------------------
# extraEnvironmentVars # extraEnvironmentVars
@test "server/dev-StatefulSet: set extraEnvironmentVars" { @test "server/dev-StatefulSet: set extraEnvironmentVars" {
cd `chart_dir` cd `chart_dir`

4
test/unit/server-ha-statefulset.bats
View file

@ -91,7 +91,7 @@ load _helpers
} }
#-------------------------------------------------------------------- #--------------------------------------------------------------------
# affinity # affinity
@test "server/ha-StatefulSet: default affinity" { @test "server/ha-StatefulSet: default affinity" {
cd `chart_dir` cd `chart_dir`
@ -136,7 +136,7 @@ load _helpers
} }
#-------------------------------------------------------------------- #--------------------------------------------------------------------
# resources # resources
@test "server/ha-StatefulSet: default resources" { @test "server/ha-StatefulSet: default resources" {
cd `chart_dir` cd `chart_dir`

4
test/unit/server-service.bats
View file

@ -121,7 +121,7 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-service.yaml \ -x templates/server-service.yaml \
--set 'server.dev.enabled=true' \ --set 'server.dev.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr) yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
@ -187,7 +187,7 @@ load _helpers
[ "${actual}" = "null" ] [ "${actual}" = "null" ]
} }
@test "server/Service: clusterIP can set" { @test "server/Service: clusterIP can set" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-service.yaml \ -x templates/server-service.yaml \

48
values.yaml
View file

@ -23,8 +23,8 @@ server:
# memory: 256Mi # memory: 256Mi
# cpu: 250m # cpu: 250m
# authDelegator enables a cluster role binding to be attached to the service # authDelegator enables a cluster role binding to be attached to the service
# account. This cluster role binding can be used to setup Kubernetes auth # account. This cluster role binding can be used to setup Kubernetes auth
# method. https://www.vaultproject.io/docs/auth/kubernetes.html # method. https://www.vaultproject.io/docs/auth/kubernetes.html
authDelegator: authDelegator:
enabled: false enabled: false
@ -54,7 +54,7 @@ server:
# Affinity Settings # Affinity Settings
# Commenting out or setting as empty the affinity variable, will allow # Commenting out or setting as empty the affinity variable, will allow
# deployment to single node services such as Minikube # deployment to single node services such as Minikube
affinity: | affinity: |
podAntiAffinity: podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
@ -81,41 +81,41 @@ server:
# This should be a multi-line string mapping directly to the a map of # This should be a multi-line string mapping directly to the a map of
# the annotations to apply to the server pods # the annotations to apply to the server pods
annotations: {} annotations: {}
# Enables a headless service to be used by the Vault Statefulset # Enables a headless service to be used by the Vault Statefulset
service: service:
enabled: true enabled: true
# clusterIP controls whether a Cluster IP address is attached to the # clusterIP controls whether a Cluster IP address is attached to the
# Vault service within Kubernetes. By default the Vault service will # Vault service within Kubernetes. By default the Vault service will
# be given a Cluster IP address, set to None to disable. When disabled # be given a Cluster IP address, set to None to disable. When disabled
# Kubernetes will create a "headless" service. Headless services can be # Kubernetes will create a "headless" service. Headless services can be
# used to communicate with pods directly through DNS instead of a round robin # used to communicate with pods directly through DNS instead of a round robin
# load balancer. # load balancer.
# clusterIP: None # clusterIP: None
# This configures the Vault Statefulset to create a PVC for data # This configures the Vault Statefulset to create a PVC for data
# storage when using the file backend. # storage when using the file backend.
# See https://www.vaultproject.io/docs/audit/index.html to know more # See https://www.vaultproject.io/docs/audit/index.html to know more
dataStorage: dataStorage:
enabled: true enabled: true
# Size of the PVC created # Size of the PVC created
size: 10Gi size: 10Gi
# Name of the storage class to use. If null it will use the # Name of the storage class to use. If null it will use the
# configured default Storage Class. # configured default Storage Class.
storageClass: null storageClass: null
# Access Mode of the storage device being used for the PVC # Access Mode of the storage device being used for the PVC
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
# This configures the Vault Statefulset to create a PVC for audit # This configures the Vault Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized and unseal, Vault must # logs. Once Vault is deployed, initialized and unseal, Vault must
# be configured to use this for audit logs. This will be mounted to # be configured to use this for audit logs. This will be mounted to
# /vault/audit # /vault/audit
# See https://www.vaultproject.io/docs/audit/index.html to know more # See https://www.vaultproject.io/docs/audit/index.html to know more
auditStorage: auditStorage:
enabled: false enabled: false
# Size of the PVC created # Size of the PVC created
size: 10Gi size: 10Gi
# Name of the storage class to use. If null it will use the # Name of the storage class to use. If null it will use the
# configured default Storage Class. # configured default Storage Class.
storageClass: null storageClass: null
# Access Mode of the storage device being used for the PVC # Access Mode of the storage device being used for the PVC
@ -129,9 +129,9 @@ server:
dev: dev:
enabled: false enabled: false
# Run Vault in "standalone" mode. This is the default mode that will deploy if # Run Vault in "standalone" mode. This is the default mode that will deploy if
# no arguments are given to helm. This requires a PVC for data storage to use # no arguments are given to helm. This requires a PVC for data storage to use
# the "file" backend. This mode is not highly available and should not be scaled # the "file" backend. This mode is not highly available and should not be scaled
# past a single replica. # past a single replica.
standalone: standalone:
enabled: "-" enabled: "-"
@ -162,10 +162,10 @@ server:
# crypto_key = "vault-helm-unseal-key" # crypto_key = "vault-helm-unseal-key"
#} #}
# Run Vault in "HA" mode. There are no storage requirements unless audit log # Run Vault in "HA" mode. There are no storage requirements unless audit log
# persistence is required. In HA mode Vault will configure itself to use Consul # persistence is required. In HA mode Vault will configure itself to use Consul
# for its storage backend. The default configuration provided will work the Consul # for its storage backend. The default configuration provided will work the Consul
# Helm project by default. It is possible to manually configure Vault to use a # Helm project by default. It is possible to manually configure Vault to use a
# different HA backend. # different HA backend.
ha: ha:
enabled: false enabled: false
@ -197,7 +197,7 @@ server:
# crypto_key = "vault-helm-unseal-key" # crypto_key = "vault-helm-unseal-key"
#} #}
# A disruption budget limits the number of pods of a replicated application # A disruption budget limits the number of pods of a replicated application
# that are down simultaneously from voluntary disruptions # that are down simultaneously from voluntary disruptions
disruptionBudget: disruptionBudget:
enabled: true enabled: true