Add CSI secrets store provider (#461)
This commit is contained in:
parent
ff735774c4
commit
4c1d79f46e
14 changed files with 847 additions and 0 deletions
|
@ -475,6 +475,61 @@ Sets the container resources if the user has set any.
|
|||
{{ end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Sets the container resources if the user has set any.
|
||||
*/}}
|
||||
{{- define "csi.resources" -}}
|
||||
{{- if .Values.csi.resources -}}
|
||||
resources:
|
||||
{{ toYaml .Values.csi.resources | indent 12}}
|
||||
{{ end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Sets extra CSI daemonset annotations
|
||||
*/}}
|
||||
{{- define "csi.daemonSet.annotations" -}}
|
||||
{{- if .Values.csi.daemonSet.annotations }}
|
||||
annotations:
|
||||
{{- $tp := typeOf .Values.csi.daemonSet.annotations }}
|
||||
{{- if eq $tp "string" }}
|
||||
{{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }}
|
||||
{{- else }}
|
||||
{{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Sets extra CSI provider pod annotations
|
||||
*/}}
|
||||
{{- define "csi.pod.annotations" -}}
|
||||
{{- if .Values.csi.pod.annotations }}
|
||||
annotations:
|
||||
{{- $tp := typeOf .Values.csi.pod.annotations }}
|
||||
{{- if eq $tp "string" }}
|
||||
{{- tpl .Values.csi.pod.annotations . | nindent 8 }}
|
||||
{{- else }}
|
||||
{{- toYaml .Values.csi.pod.annotations | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Sets extra CSI service account annotations
|
||||
*/}}
|
||||
{{- define "csi.serviceAccount.annotations" -}}
|
||||
{{- if .Values.csi.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- $tp := typeOf .Values.csi.serviceAccount.annotations }}
|
||||
{{- if eq $tp "string" }}
|
||||
{{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }}
|
||||
{{- else }}
|
||||
{{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Inject extra environment vars in the format key:value, if populated
|
||||
*/}}
|
||||
|
|
17
templates/csi-clusterrole.yaml
Normal file
17
templates/csi-clusterrole.yaml
Normal file
|
@ -0,0 +1,17 @@
|
|||
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ include "vault.name" . }}-csi-provider-clusterrole
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- serviceaccounts/token
|
||||
verbs:
|
||||
- create
|
||||
{{- end }}
|
18
templates/csi-clusterrolebinding.yaml
Normal file
18
templates/csi-clusterrolebinding.yaml
Normal file
|
@ -0,0 +1,18 @@
|
|||
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "vault.fullname" . }}-csi-provider
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
89
templates/csi-daemonset.yaml
Normal file
89
templates/csi-daemonset.yaml
Normal file
|
@ -0,0 +1,89 @@
|
|||
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: {{ template "vault.fullname" . }}-csi-provider
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{ template "csi.daemonSet.annotations" . }}
|
||||
spec:
|
||||
updateStrategy:
|
||||
type: {{ .Values.csi.daemonSet.updateStrategy.type }}
|
||||
{{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
|
||||
rollingUpdate:
|
||||
maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{ template "csi.pod.annotations" . }}
|
||||
spec:
|
||||
serviceAccountName: {{ include "vault.name" . }}-csi-provider
|
||||
containers:
|
||||
- name: {{ include "vault.name" . }}-csi-provider
|
||||
{{ template "csi.resources" . }}
|
||||
image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
|
||||
args:
|
||||
- --endpoint=/provider/vault.sock
|
||||
- --debug={{ .Values.csi.debug }}
|
||||
volumeMounts:
|
||||
- name: providervol
|
||||
mountPath: "/provider"
|
||||
- name: mountpoint-dir
|
||||
mountPath: /var/lib/kubelet/pods
|
||||
mountPropagation: HostToContainer
|
||||
{{- range .Values.csi.extraVolumes }}
|
||||
- name: userconfig-{{ .name }}
|
||||
mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.csi.livenessProbe.enabled }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /health/ready
|
||||
port: 8080
|
||||
failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
|
||||
initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
|
||||
successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
|
||||
timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
|
||||
{{- end }}
|
||||
{{- if .Values.csi.readinessProbe.enabled }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /health/ready
|
||||
port: 8080
|
||||
failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
|
||||
initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
|
||||
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
|
||||
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: providervol
|
||||
hostPath:
|
||||
path: "/etc/kubernetes/secrets-store-csi-providers"
|
||||
- name: mountpoint-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet/pods
|
||||
{{- range .Values.csi.extraVolumes }}
|
||||
- name: userconfig-{{ .name }}
|
||||
{{ .type }}:
|
||||
{{- if (eq .type "configMap") }}
|
||||
name: {{ .name }}
|
||||
{{- else if (eq .type "secret") }}
|
||||
secretName: {{ .name }}
|
||||
{{- end }}
|
||||
defaultMode: {{ .defaultMode | default 420 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
12
templates/csi-serviceaccount.yaml
Normal file
12
templates/csi-serviceaccount.yaml
Normal file
|
@ -0,0 +1,12 @@
|
|||
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ template "vault.fullname" . }}-csi-provider
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{ template "csi.serviceAccount.annotations" . }}
|
||||
{{- end }}
|
26
test/acceptance/csi-test/nginx.yaml
Normal file
26
test/acceptance/csi-test/nginx.yaml
Normal file
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: nginx
|
||||
---
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: nginx
|
||||
spec:
|
||||
terminationGracePeriodSeconds: 0
|
||||
containers:
|
||||
- image: docker.mirror.hashicorp.services/nginx
|
||||
name: nginx
|
||||
volumeMounts:
|
||||
- name: secrets-store-inline
|
||||
mountPath: "/mnt/secrets-store"
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: secrets-store-inline
|
||||
csi:
|
||||
driver: secrets-store.csi.k8s.io
|
||||
readOnly: true
|
||||
volumeAttributes:
|
||||
secretProviderClass: "vault-kv"
|
15
test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
Normal file
15
test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
Normal file
|
@ -0,0 +1,15 @@
|
|||
# The "Hello World" Vault SecretProviderClass
|
||||
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
|
||||
kind: SecretProviderClass
|
||||
metadata:
|
||||
name: vault-kv
|
||||
spec:
|
||||
provider: vault
|
||||
parameters:
|
||||
roleName: "kv-role"
|
||||
vaultAddress: http://vault:8200
|
||||
objects: |
|
||||
array:
|
||||
- |
|
||||
objectName: "bar1"
|
||||
objectPath: "v1/secret/kv1"
|
7
test/acceptance/csi-test/vault-policy.hcl
Normal file
7
test/acceptance/csi-test/vault-policy.hcl
Normal file
|
@ -0,0 +1,7 @@
|
|||
path "sys/mounts" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "secret/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
59
test/acceptance/csi.bats
Normal file
59
test/acceptance/csi.bats
Normal file
|
@ -0,0 +1,59 @@
|
|||
#!/usr/bin/env bats
|
||||
|
||||
load _helpers
|
||||
|
||||
@test "csi: testing deployment" {
|
||||
cd `chart_dir`
|
||||
|
||||
kubectl delete namespace acceptance --ignore-not-found=true
|
||||
kubectl create namespace acceptance
|
||||
|
||||
# Install Secrets Store CSI driver
|
||||
helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.19.tgz?raw=true \
|
||||
--wait --timeout=5m \
|
||||
--namespace=acceptance \
|
||||
--set linux.image.pullPolicy="IfNotPresent" \
|
||||
--set grpcSupportedProviders="azure;gcp;vault"
|
||||
# Install Vault and Vault provider
|
||||
helm install vault \
|
||||
--wait --timeout=5m \
|
||||
--namespace=acceptance \
|
||||
--set="server.dev.enabled=true" \
|
||||
--set="csi.enabled=true" \
|
||||
--set="injector.enabled=false" .
|
||||
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
|
||||
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider
|
||||
|
||||
# Set up k8s auth and a kv secret.
|
||||
cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy -
|
||||
kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes
|
||||
kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
|
||||
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
|
||||
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
|
||||
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
|
||||
kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
|
||||
bound_service_account_names=vault-csi-provider \
|
||||
bound_service_account_namespaces=acceptance \
|
||||
policies=kv-policy \
|
||||
ttl=20m
|
||||
kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1
|
||||
|
||||
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
|
||||
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
|
||||
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
|
||||
|
||||
result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar1)
|
||||
[[ "$result" == "hello1" ]]
|
||||
}
|
||||
|
||||
# Clean up
|
||||
teardown() {
|
||||
if [[ ${CLEANUP:-true} == "true" ]]
|
||||
then
|
||||
echo "helm/pvc teardown"
|
||||
helm --namespace=acceptance delete vault
|
||||
helm --namespace=acceptance delete secrets-store-csi-driver
|
||||
kubectl delete --all pvc
|
||||
kubectl delete namespace acceptance
|
||||
fi
|
||||
}
|
22
test/unit/csi-clusterrole.bats
Normal file
22
test/unit/csi-clusterrole.bats
Normal file
|
@ -0,0 +1,22 @@
|
|||
#!/usr/bin/env bats
|
||||
|
||||
load _helpers
|
||||
|
||||
@test "csi/ClusterRole: disabled by default" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/csi-clusterrole.yaml \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "csi/ClusterRole: enabled with csi.enabled" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-clusterrole.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "true" ]
|
||||
}
|
22
test/unit/csi-clusterrolebinding.bats
Normal file
22
test/unit/csi-clusterrolebinding.bats
Normal file
|
@ -0,0 +1,22 @@
|
|||
#!/usr/bin/env bats
|
||||
|
||||
load _helpers
|
||||
|
||||
@test "csi/ClusterRoleBinding: disabled by default" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/csi-clusterrolebinding.yaml \
|
||||
. || echo "---")| tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "csi/ClusterRoleBinding: enabled with csi.enabled" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-clusterrolebinding.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "true" ]
|
||||
}
|
380
test/unit/csi-daemonset.bats
Normal file
380
test/unit/csi-daemonset.bats
Normal file
|
@ -0,0 +1,380 @@
|
|||
#!/usr/bin/env bats
|
||||
|
||||
load _helpers
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
# Daemonset
|
||||
|
||||
# Enabled
|
||||
@test "csi/daemonset: created only when enabled" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set "csi.enabled=true" \
|
||||
. | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "true" ]
|
||||
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set "csi.enabled=true" \
|
||||
--set "global.enabled=false" \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
# Image
|
||||
@test "csi/daemonset: image is configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set "csi.enabled=true" \
|
||||
--set "csi.image.repository=SomeOtherImage" \
|
||||
--set "csi.image.tag=0.0.1" \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "SomeOtherImage:0.0.1" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set "csi.enabled=true" \
|
||||
--set "csi.image.pullPolicy=SomePullPolicy" \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr)
|
||||
[ "${actual}" = "SomePullPolicy" ]
|
||||
}
|
||||
|
||||
# Debug arg
|
||||
@test "csi/daemonset: debug arg is configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set "csi.enabled=true" \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].args[1]' | tee /dev/stderr)
|
||||
[ "${actual}" = "--debug=false" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set "csi.enabled=true" \
|
||||
--set "csi.debug=true" \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].args[1]' | tee /dev/stderr)
|
||||
[ "${actual}" = "--debug=true" ]
|
||||
}
|
||||
|
||||
# updateStrategy
|
||||
@test "csi/daemonset: updateStrategy is configurable" {
|
||||
cd `chart_dir`
|
||||
# Default
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set "csi.enabled=true" \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.updateStrategy.type' | tee /dev/stderr)
|
||||
[ "${actual}" = "RollingUpdate" ]
|
||||
|
||||
# OnDelete
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set "csi.enabled=true" \
|
||||
--set "csi.daemonSet.updateStrategy.type=OnDelete" \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.updateStrategy.type' | tee /dev/stderr)
|
||||
[ "${actual}" = "OnDelete" ]
|
||||
|
||||
# Max unavailable
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set "csi.enabled=true" \
|
||||
--set "csi.daemonSet.updateStrategy.maxUnavailable=25%" \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.updateStrategy.rollingUpdate.maxUnavailable' | tee /dev/stderr)
|
||||
[ "${actual}" = "25%" ]
|
||||
}
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
# Extra annotations
|
||||
@test "csi/daemonset: default csi.daemonSet.annotations" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.annotations' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
@test "csi/daemonset: specify csi.daemonSet.annotations yaml" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.daemonSet.annotations.foo=bar' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
|
||||
@test "csi/daemonset: specify csi.daemonSet.annotations yaml string" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.daemonSet.annotations=foo: bar' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
|
||||
@test "csi/daemonset: default csi.pod.annotations" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.metadata.annotations' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
@test "csi/daemonset: specify csi.pod.annotations yaml" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.pod.annotations.foo=bar' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
|
||||
@test "csi/daemonset: specify csi.pod.annotations yaml string" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.pod.annotations=foo: bar' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
# extraVolumes
|
||||
|
||||
@test "csi/daemonset: csi.extraVolumes adds extra volume" {
|
||||
cd `chart_dir`
|
||||
|
||||
# Test that it defines it
|
||||
local object=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.extraVolumes[0].type=configMap' \
|
||||
--set 'csi.extraVolumes[0].name=foo' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.configMap.name' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.configMap.secretName' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
|
||||
# Test that it mounts it
|
||||
local object=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.extraVolumes[0].type=configMap' \
|
||||
--set 'csi.extraVolumes[0].name=foo' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.readOnly' | tee /dev/stderr)
|
||||
[ "${actual}" = "true" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.mountPath' | tee /dev/stderr)
|
||||
[ "${actual}" = "/vault/userconfig/foo" ]
|
||||
}
|
||||
|
||||
@test "csi/daemonset: csi.extraVolumes adds extra secret volume" {
|
||||
cd `chart_dir`
|
||||
|
||||
# Test that it defines it
|
||||
local object=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.extraVolumes[0].type=secret' \
|
||||
--set 'csi.extraVolumes[0].name=foo' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.secret.name' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.secret.secretName' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo" ]
|
||||
|
||||
# Test that it mounts it
|
||||
local object=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.extraVolumes[0].type=configMap' \
|
||||
--set 'csi.extraVolumes[0].name=foo' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.readOnly' | tee /dev/stderr)
|
||||
[ "${actual}" = "true" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.mountPath' | tee /dev/stderr)
|
||||
[ "${actual}" = "/vault/userconfig/foo" ]
|
||||
}
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
# Readiness/liveness probes
|
||||
|
||||
@test "csi/daemonset: csi.livenessProbe and csi.readinessProbe default to disabled" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
@test "csi/daemonset: csi.livenessProbe is configurable" {
|
||||
cd `chart_dir`
|
||||
|
||||
# Test the defaults
|
||||
local object=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.livenessProbe.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.failureThreshold' | tee /dev/stderr)
|
||||
[ "${actual}" = "2" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.initialDelaySeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "5" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.periodSeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "5" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.successThreshold' | tee /dev/stderr)
|
||||
[ "${actual}" = "1" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.timeoutSeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "3" ]
|
||||
|
||||
# Test it is configurable
|
||||
local object=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.livenessProbe.enabled=true' \
|
||||
--set 'csi.livenessProbe.failureThreshold=10' \
|
||||
--set 'csi.livenessProbe.initialDelaySeconds=11' \
|
||||
--set 'csi.livenessProbe.periodSeconds=12' \
|
||||
--set 'csi.livenessProbe.successThreshold=13' \
|
||||
--set 'csi.livenessProbe.timeoutSeconds=14' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.failureThreshold' | tee /dev/stderr)
|
||||
[ "${actual}" = "10" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.initialDelaySeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "11" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.periodSeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "12" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.successThreshold' | tee /dev/stderr)
|
||||
[ "${actual}" = "13" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.timeoutSeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "14" ]
|
||||
}
|
||||
|
||||
@test "csi/daemonset: csi.readinessProbe is configurable" {
|
||||
cd `chart_dir`
|
||||
|
||||
# Test the defaults
|
||||
local object=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.readinessProbe.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.failureThreshold' | tee /dev/stderr)
|
||||
[ "${actual}" = "2" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.initialDelaySeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "5" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.periodSeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "5" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.successThreshold' | tee /dev/stderr)
|
||||
[ "${actual}" = "1" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.timeoutSeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "3" ]
|
||||
|
||||
# Test it is configurable
|
||||
local object=$(helm template \
|
||||
--show-only templates/csi-daemonset.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.readinessProbe.enabled=true' \
|
||||
--set 'csi.readinessProbe.failureThreshold=10' \
|
||||
--set 'csi.readinessProbe.initialDelaySeconds=11' \
|
||||
--set 'csi.readinessProbe.periodSeconds=12' \
|
||||
--set 'csi.readinessProbe.successThreshold=13' \
|
||||
--set 'csi.readinessProbe.timeoutSeconds=14' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.failureThreshold' | tee /dev/stderr)
|
||||
[ "${actual}" = "10" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.initialDelaySeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "11" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.periodSeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "12" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.successThreshold' | tee /dev/stderr)
|
||||
[ "${actual}" = "13" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.timeoutSeconds' | tee /dev/stderr)
|
||||
[ "${actual}" = "14" ]
|
||||
}
|
48
test/unit/csi-serviceaccount.bats
Normal file
48
test/unit/csi-serviceaccount.bats
Normal file
|
@ -0,0 +1,48 @@
|
|||
#!/usr/bin/env bats
|
||||
|
||||
load _helpers
|
||||
|
||||
@test "csi/ServiceAccount: disabled by default" {
|
||||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/csi-serviceaccount.yaml \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
@test "csi/ServiceAccount: enable with csi.enabled" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/csi-serviceaccount.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
[ "${actual}" = "true" ]
|
||||
}
|
||||
|
||||
@test "csi/serviceAccount: specify annotations" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/server-serviceaccount.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/server-serviceaccount.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'csi.serviceAccount.annotations=foo: bar' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/server-serviceaccount.yaml \
|
||||
--set 'csi.enabled=true' \
|
||||
--set 'server.serviceAccount.annotations.foo=bar' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
77
values.yaml
77
values.yaml
|
@ -638,3 +638,80 @@ ui:
|
|||
# This can either be YAML or a YAML-formatted multi-line templated string map
|
||||
# of the annotations to apply to the ui service
|
||||
annotations: {}
|
||||
|
||||
# secrets-store-csi-driver-provider-vault
|
||||
csi:
|
||||
# True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
|
||||
#
|
||||
# Requires installing the secrets-store-csi-driver separately, see:
|
||||
# https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
|
||||
#
|
||||
# With the driver and provider installed, you can mount Vault secrets into volumes
|
||||
# similar to the Vault Agent injector, and you can also sync those secrets into
|
||||
# Kubernetes secrets.
|
||||
enabled: false
|
||||
|
||||
image:
|
||||
repository: "hashicorp/secrets-store-csi-driver-provider-vault"
|
||||
tag: "0.0.7"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
# extraVolumes is a list of extra volumes to mount. These will be exposed
|
||||
# to Vault in the path `/vault/userconfig/<name>/`. The value below is
|
||||
# an array of objects, examples are shown below.
|
||||
extraVolumes: []
|
||||
# - type: secret (or "configMap")
|
||||
# name: my-secret
|
||||
# path: null # default is `/vault/userconfig`
|
||||
|
||||
resources: {}
|
||||
# resources:
|
||||
# requests:
|
||||
# cpu: 50m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 50m
|
||||
# memory: 128Mi
|
||||
|
||||
# Settings for the daemonSet used to run the provider.
|
||||
daemonSet:
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
maxUnavailable: ""
|
||||
# Extra annotations for the daemonSet. This can either be YAML or a
|
||||
# YAML-formatted multi-line templated string map of the annotations to apply
|
||||
# to the daemonSet.
|
||||
annotations: {}
|
||||
pod:
|
||||
# Extra annotations for the provider pods. This can either be YAML or a
|
||||
# YAML-formatted multi-line templated string map of the annotations to apply
|
||||
# to the pod.
|
||||
annotations: {}
|
||||
|
||||
serviceAccount:
|
||||
# Extra annotations for the serviceAccount definition. This can either be
|
||||
# YAML or a YAML-formatted multi-line templated string map of the
|
||||
# annotations to apply to the serviceAccount.
|
||||
annotations: {}
|
||||
|
||||
# Used to configure readinessProbe for the pods.
|
||||
readinessProbe:
|
||||
# Vault CSI provider does not support a readiness probe in versions <= 0.7.0
|
||||
enabled: false
|
||||
failureThreshold: 2
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 3
|
||||
# Used to configure livenessProbe for the pods.
|
||||
livenessProbe:
|
||||
# Vault CSI provider does not support a liveness probe in versions <= 0.7.0
|
||||
enabled: false
|
||||
failureThreshold: 2
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 3
|
||||
|
||||
# Enables debug logging.
|
||||
debug: false
|
Loading…
Reference in a new issue