Add CSI secrets store provider (#461)

This commit is contained in:
Tom Proctor 2021-03-19 14:14:38 +00:00 committed by GitHub
parent ff735774c4
commit 4c1d79f46e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 847 additions and 0 deletions

View file

@ -475,6 +475,61 @@ Sets the container resources if the user has set any.
{{ end }}
{{- end -}}
{{/*
Sets the container resources if the user has set any.
*/}}
{{- define "csi.resources" -}}
{{- if .Values.csi.resources -}}
resources:
{{ toYaml .Values.csi.resources | indent 12}}
{{ end }}
{{- end -}}
{{/*
Sets extra CSI daemonset annotations
*/}}
{{- define "csi.daemonSet.annotations" -}}
{{- if .Values.csi.daemonSet.annotations }}
annotations:
{{- $tp := typeOf .Values.csi.daemonSet.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra CSI provider pod annotations
*/}}
{{- define "csi.pod.annotations" -}}
{{- if .Values.csi.pod.annotations }}
annotations:
{{- $tp := typeOf .Values.csi.pod.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.pod.annotations . | nindent 8 }}
{{- else }}
{{- toYaml .Values.csi.pod.annotations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra CSI service account annotations
*/}}
{{- define "csi.serviceAccount.annotations" -}}
{{- if .Values.csi.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.csi.serviceAccount.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Inject extra environment vars in the format key:value, if populated
*/}}

View file

@ -0,0 +1,17 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "vault.name" . }}-csi-provider-clusterrole
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
{{- end }}

View file

@ -0,0 +1,18 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
{{- end }}

View file

@ -0,0 +1,89 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "csi.daemonSet.annotations" . }}
spec:
updateStrategy:
type: {{ .Values.csi.daemonSet.updateStrategy.type }}
{{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
rollingUpdate:
maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{ template "csi.pod.annotations" . }}
spec:
serviceAccountName: {{ include "vault.name" . }}-csi-provider
containers:
- name: {{ include "vault.name" . }}-csi-provider
{{ template "csi.resources" . }}
image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
args:
- --endpoint=/provider/vault.sock
- --debug={{ .Values.csi.debug }}
volumeMounts:
- name: providervol
mountPath: "/provider"
- name: mountpoint-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: HostToContainer
{{- range .Values.csi.extraVolumes }}
- name: userconfig-{{ .name }}
mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
readOnly: true
{{- end }}
{{- if .Values.csi.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
{{- end }}
{{- if .Values.csi.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
{{- end }}
volumes:
- name: providervol
hostPath:
path: "/etc/kubernetes/secrets-store-csi-providers"
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/pods
{{- range .Values.csi.extraVolumes }}
- name: userconfig-{{ .name }}
{{ .type }}:
{{- if (eq .type "configMap") }}
name: {{ .name }}
{{- else if (eq .type "secret") }}
secretName: {{ .name }}
{{- end }}
defaultMode: {{ .defaultMode | default 420 }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,12 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "csi.serviceAccount.annotations" . }}
{{- end }}

View file

@ -0,0 +1,26 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx
---
kind: Pod
apiVersion: v1
metadata:
name: nginx
spec:
terminationGracePeriodSeconds: 0
containers:
- image: docker.mirror.hashicorp.services/nginx
name: nginx
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "vault-kv"

View file

@ -0,0 +1,15 @@
# The "Hello World" Vault SecretProviderClass
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: vault-kv
spec:
provider: vault
parameters:
roleName: "kv-role"
vaultAddress: http://vault:8200
objects: |
array:
- |
objectName: "bar1"
objectPath: "v1/secret/kv1"

View file

@ -0,0 +1,7 @@
path "sys/mounts" {
capabilities = ["read"]
}
path "secret/*" {
capabilities = ["read"]
}

59
test/acceptance/csi.bats Normal file
View file

@ -0,0 +1,59 @@
#!/usr/bin/env bats
load _helpers
@test "csi: testing deployment" {
cd `chart_dir`
kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance
# Install Secrets Store CSI driver
helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.19.tgz?raw=true \
--wait --timeout=5m \
--namespace=acceptance \
--set linux.image.pullPolicy="IfNotPresent" \
--set grpcSupportedProviders="azure;gcp;vault"
# Install Vault and Vault provider
helm install vault \
--wait --timeout=5m \
--namespace=acceptance \
--set="server.dev.enabled=true" \
--set="csi.enabled=true" \
--set="injector.enabled=false" .
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider
# Set up k8s auth and a kv secret.
cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy -
kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes
kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
bound_service_account_names=vault-csi-provider \
bound_service_account_namespaces=acceptance \
policies=kv-policy \
ttl=20m
kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar1)
[[ "$result" == "hello1" ]]
}
# Clean up
teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm --namespace=acceptance delete vault
helm --namespace=acceptance delete secrets-store-csi-driver
kubectl delete --all pvc
kubectl delete namespace acceptance
fi
}

View file

@ -0,0 +1,22 @@
#!/usr/bin/env bats
load _helpers
@test "csi/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/csi-clusterrole.yaml \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "csi/ClusterRole: enabled with csi.enabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-clusterrole.yaml \
--set 'csi.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

View file

@ -0,0 +1,22 @@
#!/usr/bin/env bats
load _helpers
@test "csi/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/csi-clusterrolebinding.yaml \
. || echo "---")| tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "csi/ClusterRoleBinding: enabled with csi.enabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-clusterrolebinding.yaml \
--set 'csi.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

View file

@ -0,0 +1,380 @@
#!/usr/bin/env bats
load _helpers
#--------------------------------------------------------------------
# Daemonset
# Enabled
@test "csi/daemonset: created only when enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/csi-daemonset.yaml \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$( (helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
--set "global.enabled=false" \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
# Image
@test "csi/daemonset: image is configurable" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
--set "csi.image.repository=SomeOtherImage" \
--set "csi.image.tag=0.0.1" \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "SomeOtherImage:0.0.1" ]
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
--set "csi.image.pullPolicy=SomePullPolicy" \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr)
[ "${actual}" = "SomePullPolicy" ]
}
# Debug arg
@test "csi/daemonset: debug arg is configurable" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].args[1]' | tee /dev/stderr)
[ "${actual}" = "--debug=false" ]
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
--set "csi.debug=true" \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].args[1]' | tee /dev/stderr)
[ "${actual}" = "--debug=true" ]
}
# updateStrategy
@test "csi/daemonset: updateStrategy is configurable" {
cd `chart_dir`
# Default
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.spec.updateStrategy.type' | tee /dev/stderr)
[ "${actual}" = "RollingUpdate" ]
# OnDelete
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
--set "csi.daemonSet.updateStrategy.type=OnDelete" \
. | tee /dev/stderr |
yq -r '.spec.updateStrategy.type' | tee /dev/stderr)
[ "${actual}" = "OnDelete" ]
# Max unavailable
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
--set "csi.daemonSet.updateStrategy.maxUnavailable=25%" \
. | tee /dev/stderr |
yq -r '.spec.updateStrategy.rollingUpdate.maxUnavailable' | tee /dev/stderr)
[ "${actual}" = "25%" ]
}
#--------------------------------------------------------------------
# Extra annotations
@test "csi/daemonset: default csi.daemonSet.annotations" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "csi/daemonset: specify csi.daemonSet.annotations yaml" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.daemonSet.annotations.foo=bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "csi/daemonset: specify csi.daemonSet.annotations yaml string" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.daemonSet.annotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "csi/daemonset: default csi.pod.annotations" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "csi/daemonset: specify csi.pod.annotations yaml" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.pod.annotations.foo=bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "csi/daemonset: specify csi.pod.annotations yaml string" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.pod.annotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
#--------------------------------------------------------------------
# extraVolumes
@test "csi/daemonset: csi.extraVolumes adds extra volume" {
cd `chart_dir`
# Test that it defines it
local object=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.extraVolumes[0].type=configMap' \
--set 'csi.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.configMap.name' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(echo $object |
yq -r '.configMap.secretName' | tee /dev/stderr)
[ "${actual}" = "null" ]
# Test that it mounts it
local object=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.extraVolumes[0].type=configMap' \
--set 'csi.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.readOnly' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/vault/userconfig/foo" ]
}
@test "csi/daemonset: csi.extraVolumes adds extra secret volume" {
cd `chart_dir`
# Test that it defines it
local object=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.extraVolumes[0].type=secret' \
--set 'csi.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.secret.name' | tee /dev/stderr)
[ "${actual}" = "null" ]
local actual=$(echo $object |
yq -r '.secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo" ]
# Test that it mounts it
local object=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.extraVolumes[0].type=configMap' \
--set 'csi.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.readOnly' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/vault/userconfig/foo" ]
}
#--------------------------------------------------------------------
# Readiness/liveness probes
@test "csi/daemonset: csi.livenessProbe and csi.readinessProbe default to disabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr)
[ "${actual}" = "null" ]
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "csi/daemonset: csi.livenessProbe is configurable" {
cd `chart_dir`
# Test the defaults
local object=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.livenessProbe.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.failureThreshold' | tee /dev/stderr)
[ "${actual}" = "2" ]
local actual=$(echo $object |
yq -r '.initialDelaySeconds' | tee /dev/stderr)
[ "${actual}" = "5" ]
local actual=$(echo $object |
yq -r '.periodSeconds' | tee /dev/stderr)
[ "${actual}" = "5" ]
local actual=$(echo $object |
yq -r '.successThreshold' | tee /dev/stderr)
[ "${actual}" = "1" ]
local actual=$(echo $object |
yq -r '.timeoutSeconds' | tee /dev/stderr)
[ "${actual}" = "3" ]
# Test it is configurable
local object=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.livenessProbe.enabled=true' \
--set 'csi.livenessProbe.failureThreshold=10' \
--set 'csi.livenessProbe.initialDelaySeconds=11' \
--set 'csi.livenessProbe.periodSeconds=12' \
--set 'csi.livenessProbe.successThreshold=13' \
--set 'csi.livenessProbe.timeoutSeconds=14' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.failureThreshold' | tee /dev/stderr)
[ "${actual}" = "10" ]
local actual=$(echo $object |
yq -r '.initialDelaySeconds' | tee /dev/stderr)
[ "${actual}" = "11" ]
local actual=$(echo $object |
yq -r '.periodSeconds' | tee /dev/stderr)
[ "${actual}" = "12" ]
local actual=$(echo $object |
yq -r '.successThreshold' | tee /dev/stderr)
[ "${actual}" = "13" ]
local actual=$(echo $object |
yq -r '.timeoutSeconds' | tee /dev/stderr)
[ "${actual}" = "14" ]
}
@test "csi/daemonset: csi.readinessProbe is configurable" {
cd `chart_dir`
# Test the defaults
local object=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.readinessProbe.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.failureThreshold' | tee /dev/stderr)
[ "${actual}" = "2" ]
local actual=$(echo $object |
yq -r '.initialDelaySeconds' | tee /dev/stderr)
[ "${actual}" = "5" ]
local actual=$(echo $object |
yq -r '.periodSeconds' | tee /dev/stderr)
[ "${actual}" = "5" ]
local actual=$(echo $object |
yq -r '.successThreshold' | tee /dev/stderr)
[ "${actual}" = "1" ]
local actual=$(echo $object |
yq -r '.timeoutSeconds' | tee /dev/stderr)
[ "${actual}" = "3" ]
# Test it is configurable
local object=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.readinessProbe.enabled=true' \
--set 'csi.readinessProbe.failureThreshold=10' \
--set 'csi.readinessProbe.initialDelaySeconds=11' \
--set 'csi.readinessProbe.periodSeconds=12' \
--set 'csi.readinessProbe.successThreshold=13' \
--set 'csi.readinessProbe.timeoutSeconds=14' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.failureThreshold' | tee /dev/stderr)
[ "${actual}" = "10" ]
local actual=$(echo $object |
yq -r '.initialDelaySeconds' | tee /dev/stderr)
[ "${actual}" = "11" ]
local actual=$(echo $object |
yq -r '.periodSeconds' | tee /dev/stderr)
[ "${actual}" = "12" ]
local actual=$(echo $object |
yq -r '.successThreshold' | tee /dev/stderr)
[ "${actual}" = "13" ]
local actual=$(echo $object |
yq -r '.timeoutSeconds' | tee /dev/stderr)
[ "${actual}" = "14" ]
}

View file

@ -0,0 +1,48 @@
#!/usr/bin/env bats
load _helpers
@test "csi/ServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/csi-serviceaccount.yaml \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "csi/ServiceAccount: enable with csi.enabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-serviceaccount.yaml \
--set 'csi.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "csi/serviceAccount: specify annotations" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-serviceaccount.yaml \
--set 'csi.enabled=true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
[ "${actual}" = "null" ]
local actual=$(helm template \
--show-only templates/server-serviceaccount.yaml \
--set 'csi.enabled=true' \
--set 'csi.serviceAccount.annotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
[ "${actual}" = "null" ]
local actual=$(helm template \
--show-only templates/server-serviceaccount.yaml \
--set 'csi.enabled=true' \
--set 'server.serviceAccount.annotations.foo=bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}

View file

@ -638,3 +638,80 @@ ui:
# This can either be YAML or a YAML-formatted multi-line templated string map
# of the annotations to apply to the ui service
annotations: {}
# secrets-store-csi-driver-provider-vault
csi:
# True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
#
# Requires installing the secrets-store-csi-driver separately, see:
# https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
#
# With the driver and provider installed, you can mount Vault secrets into volumes
# similar to the Vault Agent injector, and you can also sync those secrets into
# Kubernetes secrets.
enabled: false
image:
repository: "hashicorp/secrets-store-csi-driver-provider-vault"
tag: "0.0.7"
pullPolicy: IfNotPresent
# extraVolumes is a list of extra volumes to mount. These will be exposed
# to Vault in the path `/vault/userconfig/<name>/`. The value below is
# an array of objects, examples are shown below.
extraVolumes: []
# - type: secret (or "configMap")
# name: my-secret
# path: null # default is `/vault/userconfig`
resources: {}
# resources:
# requests:
# cpu: 50m
# memory: 128Mi
# limits:
# cpu: 50m
# memory: 128Mi
# Settings for the daemonSet used to run the provider.
daemonSet:
updateStrategy:
type: RollingUpdate
maxUnavailable: ""
# Extra annotations for the daemonSet. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply
# to the daemonSet.
annotations: {}
pod:
# Extra annotations for the provider pods. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply
# to the pod.
annotations: {}
serviceAccount:
# Extra annotations for the serviceAccount definition. This can either be
# YAML or a YAML-formatted multi-line templated string map of the
# annotations to apply to the serviceAccount.
annotations: {}
# Used to configure readinessProbe for the pods.
readinessProbe:
# Vault CSI provider does not support a readiness probe in versions <= 0.7.0
enabled: false
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
# Used to configure livenessProbe for the pods.
livenessProbe:
# Vault CSI provider does not support a liveness probe in versions <= 0.7.0
enabled: false
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
# Enables debug logging.
debug: false