Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into topology

Browse source
This commit is contained in:
Christopher Swenson 2022-04-28 10:26:20 -07:00 committed by GitHub
commit 4c752a9f1d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
81 changed files with 1552 additions and 258 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
.circleci/config.yml
View file

@ -77,7 +77,7 @@ jobs:
-X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
-d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
"${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
- slack/status:
fail_only: true
@ -85,16 +85,7 @@ jobs:
workflows:
version: 2
build_and_test:
jobs:
- bats-unit-test
- chart-verifier
- acceptance:
requires:
- bats-unit-test
filters:
branches:
only: main
# Note: unit and acceptance tests are now being run in GitHub Actions
update-helm-charts-index:
jobs:
- update-helm-charts-index:

34
.github/workflows/acceptance.yaml vendored Normal file
View file

@ -0,0 +1,34 @@
name: Acceptance Tests
on:
push:
branches:
- main
workflow_dispatch: {}
jobs:
kind:
strategy:
fail-fast: false
matrix:
kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup test tools
uses: ./.github/workflows/setup-test-tools
- name: Create K8s Kind Cluster
uses: helm/kind-action@v1.2.0
with:
config: test/kind/config.yaml
node_image: kindest/node:v${{ matrix.kind-k8s-version }}
# Skip CSI tests if K8s version < 1.16.x
- run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV
- if: ${{ env.K8S_MINOR < 16 }}
run: echo "SKIP_CSI=true" >> $GITHUB_ENV
- run: bats ./test/acceptance -t
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}

18
.github/workflows/setup-test-tools/action.yaml vendored Normal file
View file

@ -0,0 +1,18 @@
name: Setup common testing tools
description: Install bats and python-yq
runs:
using: "composite"
steps:
- uses: actions/setup-node@v2
with:
node-version: '14'
- run: npm install -g bats@${BATS_VERSION}
shell: bash
env:
BATS_VERSION: '1.5.0'
- run: bats -v
shell: bash
- uses: actions/setup-python@v2
- run: pip install yq
shell: bash

25
.github/workflows/tests.yaml vendored Normal file
View file

@ -0,0 +1,25 @@
name: Tests
on: [push, workflow_dispatch]
jobs:
bats-unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: ./.github/workflows/setup-test-tools
- run: bats ./test/unit -t
chart-verifier:
runs-on: ubuntu-latest
env:
CHART_VERIFIER_VERSION: '1.2.1'
steps:
- uses: actions/checkout@v2
- name: Setup test tools
uses: ./.github/workflows/setup-test-tools
- uses: actions/setup-go@v2
with:
go-version: '1.17.4'
- run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
- run: bats ./test/chart -t

30
CHANGELOG.md
View file

@ -1,5 +1,35 @@
## Unreleased
CHANGES:
* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Vault default image to 1.9.3
* CSI provider default image to 1.1.0
* Earliest Kubernetes version tested is now 1.16
Improvements:
* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
## 0.19.0 (January 20th, 2022)
CHANGES:
* Vault image default 1.9.2
* Vault K8s image default 0.14.2
Features:
* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653)
* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659)
* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661)
* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670)
Improvements:
* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679)
* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673)
* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686)
## 0.18.0 (November 17th, 2021)
CHANGES:

12
CONTRIBUTING.md
View file

@ -13,13 +13,14 @@ rules to get in the way of that.
That said, if you want to ensure that a pull request is likely to be merged,
talk to us! You can find out our thoughts and ensure that your contribution
won't clash or be obviated by Vault's normal direction. A great way to do this
is via the [Vault Google Group][2]. Sometimes Vault devs are in `#vault-tool`
on Freenode, too.
is via the [Vault Discussion Forum][1].
This document will cover what we're looking for in terms of reporting issues.
By addressing all the points we're looking for, it raises the chances we can
quickly merge or address your contributions.
[1]: https://discuss.hashicorp.com/c/vault
## Issues
### Reporting an Issue
@ -237,3 +238,10 @@ Here are some examples of common test patterns:
```
Here we are check the length of the command output to see if the anything is rendered.
This style can easily be switched to check that a file is rendered instead.
## Contributor License Agreement
We require that all contributors sign our Contributor License Agreement ("CLA")
before we can accept the contribution.
[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla)

6
Chart.yaml
View file

@ -1,8 +1,8 @@
apiVersion: v2
name: vault
version: 0.18.0
appVersion: 1.9.0
kubeVersion: ">= 1.14.0-0"
version: 0.19.0
appVersion: 1.9.3
kubeVersion: ">= 1.16.0-0"
description: Official HashiCorp Vault Chart
home: https://www.vaultproject.io
icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png

2
README.md
View file

@ -22,7 +22,7 @@ The versions required are:
* **Helm 3.0+** - This is the earliest version of Helm tested. It is possible
it works with earlier versions but this chart is untested for those versions.
* **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested.
* **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested.
It is possible that this chart works with earlier versions but it is
untested.

70
templates/_helpers.tpl
View file

@ -31,6 +31,50 @@ Expand the name of the chart.
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Compute if the csi driver is enabled.
*/}}
{{- define "vault.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the injector is enabled.
*/}}
{{- define "vault.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server is enabled.
*/}}
{{- define "vault.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server service is enabled.
*/}}
{{- define "vault.serverServiceEnabled" -}}
{{- template "vault.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}}
{{/*
Compute if the ui is enabled.
*/}}
{{- define "vault.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster.
@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify
template logic.
*/}}
{{- define "vault.mode" -}}
{{- template "vault.serverEnabled" . -}}
{{- if .Values.injector.externalVaultAddr -}}
{{- $_ := set . "mode" "external" -}}
{{- else if ne (.Values.server.enabled | toString) "true" -}}
{{- else if not .serverEnabled -}}
{{- $_ := set . "mode" "external" -}}
{{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
{{- $_ := set . "mode" "dev" -}}
@ -339,6 +384,21 @@ Sets the injector node selector for pod placement
{{- end }}
{{- end -}}
{{/*
Sets the injector deployment update strategy
*/}}
{{- define "injector.strategy" -}}
{{- if .Values.injector.strategy }}
strategy:
{{- $tp := typeOf .Values.injector.strategy }}
{{- if eq $tp "string" }}
{{ tpl .Values.injector.strategy . | nindent 4 | trim }}
{{- else }}
{{- toYaml .Values.injector.strategy | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra pod annotations
*/}}
@ -388,13 +448,13 @@ Sets extra injector service annotations
Sets extra injector webhook annotations
*/}}
{{- define "injector.webhookAnnotations" -}}
{{- if .Values.injector.webhookAnnotations }}
{{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }}
annotations:
{{- $tp := typeOf .Values.injector.webhookAnnotations }}
{{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
{{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }}
{{- else }}
{{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
{{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}

3
templates/csi-clusterrole.yaml
View file

@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:

3
templates/csi-clusterrolebinding.yaml
View file

@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:

12
templates/csi-daemonset.yaml
View file

@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@ -8,6 +9,9 @@ metadata:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}}
{{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.daemonSet.annotations" . }}
spec:
updateStrategy:
@ -25,8 +29,14 @@ spec:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "csi.pod.annotations" . }}
spec:
{{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }}
serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }}
containers:

6
templates/csi-serviceaccount.yaml
View file

@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
@ -8,5 +9,8 @@ metadata:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.serviceAccount.extraLabels -}}
{{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.serviceAccount.annotations" . }}
{{- end }}

6
templates/injector-certs-secret.yaml
View file

@ -1,10 +1,14 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1
kind: Secret
metadata:
name: vault-injector-certs
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}

3
templates/injector-clusterrole.yaml
View file

@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:

3
templates/injector-clusterrolebinding.yaml
View file

@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:

4
templates/injector-deployment.yaml
View file

@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
@ -17,6 +18,7 @@ spec:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{ template "injector.strategy" . }}
template:
metadata:
labels:

20
templates/injector-disruptionbudget.yaml Normal file
View file

@ -0,0 +1,20 @@
{{- if .Values.injector.podDisruptionBudget }}
apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
{{- end -}}

21
templates/injector-mutating-webhook.yaml
View file

@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
@ -14,10 +15,11 @@ metadata:
{{- template "injector.webhookAnnotations" . }}
webhooks:
- name: vault.hashicorp.com
failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
sideEffects: None
admissionReviewVersions:
- "v1beta1"
- "v1"
timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: {{ template "vault.fullname" . }}-agent-injector-svc
@ -29,15 +31,12 @@ webhooks:
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
{{- if .Values.injector.namespaceSelector }}
{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
namespaceSelector:
{{ toYaml .Values.injector.namespaceSelector | indent 6}}
{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
{{ end }}
{{- if .Values.injector.objectSelector }}
{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }}
objectSelector:
{{ toYaml .Values.injector.objectSelector | indent 6}}
{{ end }}
{{- with .Values.injector.failurePolicy }}
failurePolicy: {{.}}
{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}}
{{ end }}
{{ end }}

5
templates/injector-network-policy.yaml
View file

@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
@ -19,3 +21,4 @@ spec:
- port: 8080
protocol: TCP
{{ end }}
{{ end }}

5
templates/injector-psp-role.yaml
View file

@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@ -15,3 +17,4 @@ rules:
resourceNames:
- {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

5
templates/injector-psp-rolebinding.yaml
View file

@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@ -16,3 +18,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

5
templates/injector-psp.yaml
View file

@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
@ -41,3 +43,4 @@ spec:
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}

6
templates/injector-role.yaml
View file

@ -1,8 +1,11 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
@ -23,3 +26,4 @@ rules:
- "patch"
- "delete"
{{- end }}
{{- end }}

6
templates/injector-rolebinding.yaml
View file

@ -1,8 +1,11 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
@ -16,3 +19,4 @@ subjects:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

3
templates/injector-service.yaml
View file

@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: Service
metadata:

3
templates/injector-serviceaccount.yaml
View file

@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:

4
templates/server-clusterrolebinding.yaml
View file

@ -1,5 +1,6 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
@ -22,3 +23,4 @@ subjects:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}

4
templates/server-config-configmap.yaml
View file

@ -1,6 +1,7 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1
kind: ConfigMap
@ -36,3 +37,4 @@ data:
{{- end }}
{{- end }}
{{- end }}
{{- end }}

4
templates/server-discovery-role.yaml
View file

@ -1,6 +1,7 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@ -17,3 +18,4 @@ rules:
verbs: ["get", "watch", "list", "update", "patch"]
{{ end }}
{{ end }}
{{ end }}

4
templates/server-discovery-rolebinding.yaml
View file

@ -1,6 +1,7 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
@ -25,3 +26,4 @@ subjects:
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}
{{ end }}

6
templates/server-disruptionbudget.yaml
View file

@ -1,9 +1,10 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" -}}
{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
{{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
apiVersion: policy/v1beta1
apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}
@ -22,3 +23,4 @@ spec:
component: server
{{- end -}}
{{- end -}}
{{- end -}}

7
templates/server-ha-active-service.yaml
View file

@ -1,6 +1,8 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
# Service for active Vault pod
apiVersion: v1
kind: Service
@ -22,7 +24,7 @@ spec:
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: true
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
@ -40,3 +42,4 @@ spec:
vault-active: "true"
{{- end }}
{{- end }}
{{- end }}

7
templates/server-ha-standby-service.yaml
View file

@ -1,6 +1,8 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
# Service for standby Vault pod
apiVersion: v1
kind: Service
@ -22,7 +24,7 @@ spec:
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: true
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
@ -40,3 +42,4 @@ spec:
vault-active: "false"
{{- end }}
{{- end }}
{{- end }}

5
templates/server-headless-service.yaml
View file

@ -1,6 +1,7 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
@ -16,7 +17,7 @@ metadata:
{{ template "vault.service.annotations" .}}
spec:
clusterIP: None
publishNotReadyAddresses: true
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: "{{ include "vault.scheme" . }}"
port: {{ .Values.server.service.port }}

5
templates/server-ingress.yaml
View file

@ -4,7 +4,9 @@
{{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
{{- $servicePort := .Values.server.service.port -}}
@ -72,3 +74,4 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- end }}

4
templates/server-psp-role.yaml
View file

@ -1,5 +1,6 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@ -16,3 +17,4 @@ rules:
resourceNames:
- {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

4
templates/server-psp-rolebinding.yaml
View file

@ -1,5 +1,6 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@ -17,3 +18,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

4
templates/server-psp.yaml
View file

@ -1,5 +1,6 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
@ -45,3 +46,4 @@ spec:
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}

3
templates/server-route.yaml
View file

@ -9,6 +9,7 @@ kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
@ -27,7 +28,7 @@ spec:
port:
targetPort: 8200
tls:
termination: passthrough
{{- toYaml .Values.server.route.tls | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

5
templates/server-service.yaml
View file

@ -1,6 +1,7 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
@ -24,7 +25,7 @@ spec:
{{- include "service.externalTrafficPolicy" .Values.server.service }}
# We want the servers to become available even if they're not ready
# since this DNS is also used for join operations.
publishNotReadyAddresses: true
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}

2
templates/server-serviceaccount.yaml
View file

@ -1,5 +1,5 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if .serverEnabled -}}
{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
apiVersion: v1
kind: ServiceAccount

10
templates/server-statefulset.yaml
View file

@ -1,6 +1,7 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if ne .mode "" }}
{{- if .serverEnabled -}}
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
@ -42,7 +43,7 @@ spec:
{{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName }}
{{- end }}
terminationGracePeriodSeconds: 10
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
serviceAccountName: {{ template "vault.serviceAccount.name" . }}
{{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true
@ -109,7 +110,11 @@ spec:
fieldRef:
fieldPath: metadata.name
- name: VAULT_CLUSTER_ADDR
{{- if .Values.server.ha.clusterAddr }}
value: {{ .Values.server.ha.clusterAddr }}
{{- else }}
value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
{{- end }}
{{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
- name: VAULT_RAFT_NODE_ID
valueFrom:
@ -207,3 +212,4 @@ spec:
{{ template "vault.volumeclaims" . }}
{{ end }}
{{ end }}
{{ end }}

15
templates/tests/server-test.yaml
View file

@ -1,4 +1,6 @@
{{- if .Values.server.enabled }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
apiVersion: v1
kind: Pod
metadata:
@ -15,6 +17,7 @@ spec:
env:
- name: VAULT_ADDR
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
command:
- /bin/sh
- -c
@ -35,6 +38,14 @@ spec:
fi
exit 0
volumeMounts:
{{- if .Values.server.volumeMounts }}
{{- toYaml .Values.server.volumeMounts | nindent 8}}
{{- end }}
volumes:
{{- if .Values.server.volumes }}
{{- toYaml .Values.server.volumes | nindent 4}}
{{- end }}
restartPolicy: Never
{{- end }}
{{- end }}

6
templates/ui-service.yaml
View file

@ -1,7 +1,8 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if eq (.Values.ui.enabled | toString) "true" }}
{{- template "vault.uiEnabled" . -}}
{{- if .uiEnabled -}}
apiVersion: v1
kind: Service
metadata:
@ -34,4 +35,3 @@ spec:
{{- include "service.loadBalancer" .Values.ui }}
{{- end -}}
{{- end }}
{{- end }}

32
test/acceptance/_helpers.bash
View file

@ -40,35 +40,37 @@ helm_install_ha() {
${BATS_TEST_DIRNAME}/../..
}
# wait for consul to be running
# wait for consul to be ready
wait_for_running_consul() {
kubectl wait --for=condition=Ready --timeout=5m pod -l app=consul,component=client
}
wait_for_sealed_vault() {
POD_NAME=$1
check() {
# This requests the pod and checks whether the status is running
# and the ready state is true. If so, it outputs the name. Otherwise
# it outputs empty. Therefore, to check for success, check for nonzero
# string length.
kubectl get pods -l component=client -o json | \
jq -r '.items[0] | select(
.status.phase == "Running" and
([ .status.conditions[] | select(.type == "Ready" and .status == "True") ] | length) == 1
) | .metadata.name'
sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed')
if [ "$sealed_status" == "true" ]; then
return 0
fi
return 1
}
for i in $(seq 60); do
if [ -n "$(check ${POD_NAME})" ]; then
echo "consul clients are ready."
if check ${POD_NAME}; then
echo "Vault on ${POD_NAME} is running."
return
fi
echo "Waiting for ${POD_NAME} to be ready..."
echo "Waiting for Vault on ${POD_NAME} to be running..."
sleep 2
done
echo "consul clients never became ready."
echo "Vault on ${POD_NAME} never became running."
return 1
}
# wait for a pod to be ready
# wait for a pod to be running
wait_for_running() {
POD_NAME=$1

17
test/acceptance/csi.bats
View file

@ -2,18 +2,27 @@
load _helpers
check_skip_csi() {
if [ ! -z ${SKIP_CSI} ]; then
skip "Skipping CSI tests"
fi
}
@test "csi: testing deployment" {
check_skip_csi
cd `chart_dir`
kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance
# Install Secrets Store CSI driver
CSI_DRIVER_VERSION=0.2.0
helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/v${CSI_DRIVER_VERSION}/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
CSI_DRIVER_VERSION=1.0.0
helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
--wait --timeout=5m \
--namespace=acceptance \
--set linux.image.pullPolicy="IfNotPresent"
--set linux.image.pullPolicy="IfNotPresent" \
--set syncSecret.enabled=true
# Install Vault and Vault provider
helm install vault \
--wait --timeout=5m \
@ -49,6 +58,8 @@ load _helpers
# Clean up
teardown() {
check_skip_csi
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"

16
test/acceptance/server-ha-enterprise-dr.bats
View file

@ -7,7 +7,7 @@ load _helpers
helm install "$(name_prefix)-east" \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.9.0_ent' \
--set='server.image.tag=1.9.3-ent' \
--set='injector.enabled=false' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
@ -15,9 +15,7 @@ load _helpers
wait_for_running "$(name_prefix)-east-0"
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "true" ]
wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.initialized')
@ -50,7 +48,7 @@ load _helpers
fi
done
# Sealed, not initialized
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
@ -77,16 +75,14 @@ load _helpers
helm install "$(name_prefix)-west" \
--set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.9.0_ent' \
--set='server.image.tag=1.9.3-ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-west-0"
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "true" ]
wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.initialized')
@ -119,7 +115,7 @@ load _helpers
fi
done
# Sealed, not initialized
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]

16
test/acceptance/server-ha-enterprise-perf.bats
View file

@ -8,16 +8,14 @@ load _helpers
helm install "$(name_prefix)-east" \
--set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.9.0_ent' \
--set='server.image.tag=1.9.3-ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-east-0"
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "true" ]
wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.initialized')
@ -50,7 +48,7 @@ load _helpers
fi
done
# Sealed, not initialized
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
@ -77,16 +75,14 @@ load _helpers
helm install "$(name_prefix)-west" \
--set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.9.0_ent' \
--set='server.image.tag=1.9.3-ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-west-0"
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "true" ]
wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.initialized')
@ -119,7 +115,7 @@ load _helpers
fi
done
# Sealed, not initialized
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]

8
test/acceptance/server-ha-raft.bats
View file

@ -11,9 +11,7 @@ load _helpers
wait_for_running $(name_prefix)-0
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "true" ]
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
@ -112,6 +110,10 @@ setup() {
teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
# If the test failed, print some debug output
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
kubectl logs -l app.kubernetes.io/name=vault
fi
helm delete vault
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true

11
test/acceptance/server-ha.bats
View file

@ -10,9 +10,7 @@ load _helpers
wait_for_running $(name_prefix)-0
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "true" ]
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
@ -91,7 +89,7 @@ setup() {
helm install consul \
https://github.com/hashicorp/consul-helm/archive/v0.28.0.tar.gz \
--set 'ui.enabled=false' \
--set 'ui.enabled=false'
wait_for_running_consul
}
@ -100,6 +98,11 @@ setup() {
teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
# If the test failed, print some debug output
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
kubectl logs -l app=consul
kubectl logs -l app.kubernetes.io/name=vault
fi
helm delete vault
helm delete consul
kubectl delete --all pvc

4
test/acceptance/server.bats
View file

@ -13,9 +13,7 @@ load _helpers
wait_for_running $(name_prefix)-0
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "true" ]
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')

13
test/kind/config.yaml
View file

@ -5,3 +5,16 @@ nodes:
- role: worker
- role: worker
- role: worker
# These apiServer settings are included for running the CSI provider on K8s
# prior to 1.21
kubeadmConfigPatches:
- |
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
metadata:
name: config
apiServer:
extraArgs:
"service-account-issuer": "https://kubernetes.default.svc.cluster.local"
"service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
"service-account-api-audiences": "https://kubernetes.default.svc.cluster.local"

2
test/unit/csi-clusterrole.bats
View file

@ -29,5 +29,5 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ]
[ "${actual}" = "release-name-vault-csi-provider-clusterrole" ]
}

4
test/unit/csi-clusterrolebinding.bats
View file

@ -29,7 +29,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.roleRef.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ]
[ "${actual}" = "release-name-vault-csi-provider-clusterrole" ]
}
# ClusterRoleBinding service account name
@ -40,5 +40,5 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.subjects[0].name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault-csi-provider" ]
[ "${actual}" = "release-name-vault-csi-provider" ]
}

53
test/unit/csi-daemonset.bats
View file

@ -27,7 +27,30 @@ load _helpers
--set "global.enabled=false" \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
[ "${actual}" = "true" ]
}
# priorityClassName
@test "csi/daemonset: priorityClassName not set by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "csi/daemonset: priorityClassName can be set" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.priorityClassName=armaggeddon' \
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
# serviceAccountName reference name
@ -38,7 +61,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault-csi-provider" ]
[ "${actual}" = "release-name-vault-csi-provider" ]
}
# Image
@ -295,6 +318,32 @@ load _helpers
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# Extra Labels
@test "csi/daemonset: specify csi.daemonSet.extraLabels" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.daemonSet.extraLabels.foo=bar' \
. | tee /dev/stderr |
yq -r '.metadata.labels.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "csi/daemonset: specify csi.pod.extraLabels" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.pod.extraLabels.foo=bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
#--------------------------------------------------------------------
# volumes

17
test/unit/csi-serviceaccount.bats
View file

@ -29,7 +29,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault-csi-provider" ]
[ "${actual}" = "release-name-vault-csi-provider" ]
}
@test "csi/serviceAccount: specify annotations" {
@ -57,3 +57,18 @@ load _helpers
yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
# serviceAccount extraLabels
@test "csi/serviceAccount: specify csi.serviceAccount.extraLabels" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-serviceaccount.yaml \
--set 'csi.enabled=true' \
--set 'csi.serviceAccount.extraLabels.foo=bar' \
. | tee /dev/stderr |
yq -r '.metadata.labels.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}

45
test/unit/injector-deployment.bats
View file

@ -26,12 +26,22 @@ load _helpers
local actual=$( (helm template \
--show-only templates/injector-deployment.yaml \
--set 'global.enabled=false' \
--set 'injector.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "injector/deployment: enable with injector.enabled true and global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/deployment: image defaults to injector.image" {
cd `chart_dir`
local actual=$(helm template \
@ -157,7 +167,7 @@ load _helpers
local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ]
[ "${value}" = "release-name-vault-agent-injector-cfg" ]
# helm template does uses current context namespace and ignores namespace flags, so
# discover the targeted namespace so we can check the rendered value correctly.
@ -165,7 +175,7 @@ load _helpers
local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ]
[ "${value}" = "release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.${namespace:-default},release-name-vault-agent-injector-svc.${namespace:-default}.svc" ]
}
@test "injector/deployment: manual TLS adds volume mount" {
@ -742,3 +752,32 @@ load _helpers
yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "1m" ]
}
@test "injector/deployment: strategy default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
. | tee /dev/stderr |
yq -r '.spec.strategy' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/deployment: strategy set as string" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set="injector.strategy=testing" \
. | tee /dev/stderr |
yq -r '.spec.strategy' | tee /dev/stderr)
[ "${actual}" = "testing" ]
}
@test "injector/deployment: strategy can be set as YAML" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.strategy.rollingUpdate.maxUnavailable=1' \
. | tee /dev/stderr |
yq -r '.spec.strategy.rollingUpdate.maxUnavailable' | tee /dev/stderr)
[ "${actual}" = "1" ]
}

54
test/unit/injector-disruptionbudget.bats Executable file
View file

@ -0,0 +1,54 @@
#!/usr/bin/env bats
load _helpers
@test "injector/DisruptionBudget: disabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-disruptionbudget.yaml \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-disruptionbudget.yaml \
--set 'injector.podDisruptionBudget.minAvailable=2' \
. | tee /dev/stderr |
yq '.spec.minAvailable == 2' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-disruptionbudget.yaml \
--set 'injector.podDisruptionBudget.maxUnavailable=3' \
. | tee /dev/stderr |
yq '.spec.maxUnavailable == 3' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-disruptionbudget.yaml \
--set 'injector.podDisruptionBudget.minAvailable=2' \
--kube-version 1.19.5 \
. | tee /dev/stderr |
yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-disruptionbudget.yaml \
--set 'injector.podDisruptionBudget.minAvailable=2' \
--kube-version 1.22.5 \
. | tee /dev/stderr |
yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

33
test/unit/injector-leader-elector.bats
View file

@ -87,6 +87,17 @@ load _helpers
[ "${actual}" = "true" ]
}
@test "injector/certs-secret: namespace is set" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-certs-secret.yaml \
--set "injector.replicas=2" \
--namespace foo \
. || echo "---") | tee /dev/stderr |
yq '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "\"foo\"" ]
}
@test "injector/role: created/skipped as appropriate" {
cd `chart_dir`
local actual=$( (helm template \
@ -127,6 +138,17 @@ load _helpers
[ "${actual}" = "true" ]
}
@test "injector/role: namespace is set" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-role.yaml \
--set "injector.replicas=2" \
--namespace foo \
. || echo "---") | tee /dev/stderr |
yq '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "\"foo\"" ]
}
@test "injector/rolebinding: created/skipped as appropriate" {
cd `chart_dir`
local actual=$( (helm template \
@ -166,3 +188,14 @@ load _helpers
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/rolebinding: namespace is set" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-rolebinding.yaml \
--set "injector.replicas=2" \
--namespace foo \
. || echo "---") | tee /dev/stderr |
yq '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "\"foo\"" ]
}

291
test/unit/injector-mutating-webhook.bats
View file

@ -53,18 +53,191 @@ load _helpers
[ "${actual}" = "\"\"" ]
}
@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default" {
@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Ignore\"" ]
}
@test "injector/MutatingWebhookConfiguration: can set failurePolicy (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--set 'injector.failurePolicy=Fail' \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Fail\"" ]
}
@test "injector/MutatingWebhookConfiguration: webhook.failurePolicy 'Ignore' by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.failurePolicy=Invalid' \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Ignore\"" ]
}
@test "injector/MutatingWebhookConfiguration: can set webhook.failurePolicy" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.failurePolicy=Fail' \
--set 'injector.failurePolicy=Invalid' \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Fail\"" ]
}
@test "injector/MutatingWebhookConfiguration: webhook.matchPolicy 'Exact' by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
. | tee /dev/stderr |
yq '.webhooks[0].matchPolicy' | tee /dev/stderr)
[ "${actual}" = "\"Exact\"" ]
}
@test "injector/MutatingWebhookConfiguration: can set webhook.matchPolicy" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.matchPolicy=Equivalent' \
. | tee /dev/stderr |
yq '.webhooks[0].matchPolicy' | tee /dev/stderr)
[ "${actual}" = "\"Equivalent\"" ]
}
@test "injector/MutatingWebhookConfiguration: timeoutSeconds by default 30" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
. | tee /dev/stderr |
yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr)
[ "${actual}" = "30" ]
}
@test "injector/MutatingWebhookConfiguration: can set webhook.timeoutSeconds" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.timeoutSeconds=50' \
. | tee /dev/stderr |
yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr)
[ "${actual}" = "50" ]
}
#--------------------------------------------------------------------
# annotations
@test "injector/MutatingWebhookConfiguration: default webhookAnnotations (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
. | tee /dev/stderr |
yq -r '.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--set 'injector.webhookAnnotations.foo=bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml string (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--set 'injector.webhookAnnotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/MutatingWebhookConfiguration: default webhook.annotations" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.annotations.foo=bar' \
--set 'injector.webhookAnnotations.invalid=invalid' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml string" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.annotations=foo: bar' \
--set 'injector.webhookAnnotations=invalid: invalid' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
#--------------------------------------------------------------------
# namespaceSelector
@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].namespaceSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: can set namespaceSelector" {
@test "injector/MutatingWebhookConfiguration: can set namespaceSelector (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
@ -76,7 +249,59 @@ load _helpers
[ "${actual}" = "true" ]
}
@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" {
@test "injector/MutatingWebhookConfiguration: webhook.namespaceSelector empty by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].namespaceSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: can set set webhook.namespaceSelector" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.namespaceSelector.matchLabels.injector=true' \
--set 'injector.namespaceSelector.matchLabels.injector=false' \
. | tee /dev/stderr |
yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# objectSelector
@test "injector/MutatingWebhookConfiguration: objectSelector empty by default (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].objectSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: can set objectSelector (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--set 'injector.objectSelector.matchLabels.injector=true' \
. | tee /dev/stderr |
yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/MutatingWebhookConfiguration: webhook.objectSelector empty by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
@ -87,69 +312,15 @@ load _helpers
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: can set objectSelector" {
@test "injector/MutatingWebhookConfiguration: can set webhook.objectSelector" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.objectSelector.matchLabels.injector=true' \
--set 'injector.webhook.objectSelector.matchLabels.injector=true' \
--set 'injector.objectSelector.matchLabels.injector=false' \
. | tee /dev/stderr |
yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Ignore\"" ]
}
@test "injector/MutatingWebhookConfiguration: can set failurePolicy" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.failurePolicy=Fail' \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Fail\"" ]
}
#--------------------------------------------------------------------
# annotations
@test "injector/MutatingWebhookConfiguration: default annotations" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
. | tee /dev/stderr |
yq -r '.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: specify annotations yaml" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.webhookAnnotations.foo=bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.webhookAnnotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}

4
test/unit/injector-psp-role.bats
View file

@ -22,7 +22,7 @@ load _helpers
[ "${actual}" = "true" ]
}
@test "injector/PodSecurityPolicy-Role: disable with global.enabled" {
@test "injector/PodSecurityPolicy-Role: ignore global.enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-psp-role.yaml \
@ -31,5 +31,5 @@ load _helpers
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
[ "${actual}" = "true" ]
}

4
test/unit/injector-psp-rolebinding.bats
View file

@ -22,7 +22,7 @@ load _helpers
[ "${actual}" = "true" ]
}
@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" {
@test "injector/PodSecurityPolicy-RoleBinding: ignore global.enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-psp-rolebinding.yaml \
@ -31,5 +31,5 @@ load _helpers
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
[ "${actual}" = "true" ]
}

4
test/unit/injector-psp.bats
View file

@ -22,7 +22,7 @@ load _helpers
[ "${actual}" = "true" ]
}
@test "injector/PodSecurityPolicy: disable with global.enabled" {
@test "injector/PodSecurityPolicy: ignore global.enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-psp.yaml \
@ -31,7 +31,7 @@ load _helpers
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
[ "${actual}" = "true" ]
}
@test "injector/PodSecurityPolicy: annotations are templated correctly by default" {

2
test/unit/injector-service.bats
View file

@ -52,7 +52,7 @@ load _helpers
--set 'injector.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
[ "${actual}" = "true" ]
}
@test "injector/Service: generic annotations" {

16
test/unit/schema.bats
View file

@ -7,9 +7,9 @@ load _helpers
# schema, setting it as a string fails 'helm template'.
@test "schema: csi enabled datatype" {
cd `chart_dir`
run helm template . --set csi.enabled="nope"
run helm template . --set csi.enabled="123"
[ "$status" -eq 1 ]
[ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ]
[ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
run helm template . --set csi.enabled=true
[ "$status" -eq 0 ]
@ -17,9 +17,9 @@ load _helpers
@test "schema: injector enabled datatype" {
cd `chart_dir`
run helm template . --set injector.enabled="nope"
run helm template . --set injector.enabled="123"
[ "$status" -eq 1 ]
[ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ]
[ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
run helm template . --set injector.enabled=true
[ "$status" -eq 0 ]
@ -27,9 +27,9 @@ load _helpers
@test "schema: server enabled datatype" {
cd `chart_dir`
run helm template . --set server.enabled="nope"
run helm template . --set server.enabled="123"
[ "$status" -eq 1 ]
[ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ]
[ "${lines[2]}" = "- server.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
run helm template . --set server.enabled=true
[ "$status" -eq 0 ]
@ -37,9 +37,9 @@ load _helpers
@test "schema: ui enabled datatype" {
cd `chart_dir`
run helm template . --set ui.enabled="nope"
run helm template . --set ui.enabled="123"
[ "$status" -eq 1 ]
[ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ]
[ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
run helm template . --set ui.enabled=true
[ "$status" -eq 0 ]

17
test/unit/server-ha-active-service.bats
View file

@ -197,3 +197,20 @@ load _helpers
[ "${actual}" = "null" ]
}
@test "server/ha-active-Service: publishNotReadyAddresses can be changed" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \
--set 'server.ha.enabled=true' \
--set 'server.service.publishNotReadyAddresses=false' \
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

26
test/unit/server-ha-disruptionbudget.bats
View file

@ -16,7 +16,7 @@ load _helpers
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-disruptionbudget.yaml \
--set 'globa.enabled=false' \
--set 'global.enabled=false' \
--set 'server.ha.enabled=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
@ -97,3 +97,27 @@ load _helpers
yq '.spec.maxUnavailable' | tee /dev/stderr)
[ "${actual}" = "2" ]
}
@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-disruptionbudget.yaml \
--set 'server.ha.enabled=true' \
--set 'server.ha.replicas=1' \
--kube-version 1.19.5 \
. | tee /dev/stderr |
yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-disruptionbudget.yaml \
--set 'server.ha.enabled=true' \
--set 'server.ha.replicas=1' \
--kube-version 1.22.5 \
. | tee /dev/stderr |
yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

17
test/unit/server-ha-standby-service.bats
View file

@ -208,3 +208,20 @@ load _helpers
[ "${actual}" = "null" ]
}
@test "server/ha-standby-Service: publishNotReadyAddresses can be changed" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \
--set 'server.service.publishNotReadyAddresses=false' \
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

49
test/unit/server-ha-statefulset.bats
View file

@ -417,7 +417,7 @@ load _helpers
#--------------------------------------------------------------------
# VAULT_CLUSTER_ADDR renders
@test "server/ha-StatefulSet: cluster addr renders" {
@test "server/ha-StatefulSet: clusterAddr not set" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/server-statefulset.yaml \
@ -428,7 +428,52 @@ load _helpers
local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ]
[ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ]
}
@test "server/ha-StatefulSet: clusterAddr set to null" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
--set 'server.ha.raft.enabled=true' \
--set 'server.ha.clusterAddr=null' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ]
}
@test "server/ha-StatefulSet: clusterAddr set to custom url" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
--set 'server.ha.raft.enabled=true' \
--set 'server.ha.clusterAddr=https://test.example.com:8201' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'https://test.example.com:8201' ]
}
@test "server/ha-StatefulSet: clusterAddr set to custom url with environment variable" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
--set 'server.ha.raft.enabled=true' \
--set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ]
}
#--------------------------------------------------------------------

19
test/unit/server-headless-service.bats Normal file
View file

@ -0,0 +1,19 @@
#!/usr/bin/env bats
load _helpers
@test "server/headless-Service: publishNotReadyAddresses can be changed" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-headless-service.yaml \
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-headless-service.yaml \
--set 'server.service.publishNotReadyAddresses=false' \
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

10
test/unit/server-ingress.bats
View file

@ -165,7 +165,7 @@ load _helpers
--set 'server.service.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault-active" ]
[ "${actual}" = "release-name-vault-active" ]
}
@test "server/ingress: uses regular service when configured with ha - yaml" {
@ -180,7 +180,7 @@ load _helpers
--set 'server.service.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault" ]
[ "${actual}" = "release-name-vault" ]
}
@test "server/ingress: uses regular service when not ha - yaml" {
@ -194,7 +194,7 @@ load _helpers
--set 'server.service.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault" ]
[ "${actual}" = "release-name-vault" ]
}
@test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" {
@ -209,7 +209,7 @@ load _helpers
--kube-version 1.18.3 \
. | tee /dev/stderr |
yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault" ]
[ "${actual}" = "release-name-vault" ]
}
@test "server/ingress: uses regular service when not ha and activeService is true - yaml" {
@ -224,7 +224,7 @@ load _helpers
--set 'server.service.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault" ]
[ "${actual}" = "release-name-vault" ]
}
@test "server/ingress: pathType is added to Kubernetes version == 1.19.0" {

46
test/unit/server-route.bats
View file

@ -99,7 +99,7 @@ load _helpers
--set 'server.route.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.to.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault" ]
[ "${actual}" = "release-name-vault" ]
}
@test "server/route: OpenShift - route points to main service when not ha and activeService is true" {
@ -112,7 +112,7 @@ load _helpers
--set 'server.route.activeService=true' \
. | tee /dev/stderr |
yq -r '.spec.to.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault" ]
[ "${actual}" = "release-name-vault" ]
}
@test "server/route: OpenShift - route points to active service by when HA by default" {
@ -125,7 +125,7 @@ load _helpers
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.to.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault-active" ]
[ "${actual}" = "release-name-vault-active" ]
}
@test "server/route: OpenShift - route points to general service by when HA when configured" {
@ -139,5 +139,43 @@ load _helpers
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.to.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault" ]
[ "${actual}" = "release-name-vault" ]
}
@test "server/route: OpenShift - route termination mode set to default passthrough" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.tls.termination' | tee /dev/stderr)
[ "${actual}" = "passthrough" ]
}
@test "server/route: OpenShift - route termination mode set to edge" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--set 'server.route.tls.termination=edge' \
. | tee /dev/stderr |
yq -r '.spec.tls.termination' | tee /dev/stderr)
[ "${actual}" = "edge" ]
}
@test "server/route: OpenShift - route custom tls entry" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \
. | tee /dev/stderr |
yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr)
[ "${actual}" = "Redirect" ]
}

7
test/unit/server-service.bats
View file

@ -175,6 +175,13 @@ load _helpers
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-service.yaml \
--set 'server.service.publishNotReadyAddresses=false' \
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/Service: type empty by default" {

2
test/unit/server-serviceaccount.bats
View file

@ -26,7 +26,7 @@ load _helpers
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault" ]
[ "${actual}" = "release-name-vault" ]
}

25
test/unit/server-statefulset.bats
View file

@ -537,7 +537,7 @@ load _helpers
cd `chart_dir`
local object=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.stanadlone.enabled=true' \
--set 'server.standalone.enabled=true' \
--set 'server.extraEnvironmentVars.FOO=bar' \
--set 'server.extraEnvironmentVars.FOOBAR=foobar' \
. | tee /dev/stderr |
@ -1408,6 +1408,27 @@ load _helpers
[[ "${actual}" = *"foobar"* ]]
}
#--------------------------------------------------------------------
# terminationGracePeriodSeconds
@test "server/standalone-StatefulSet: terminationGracePeriodSeconds default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.terminationGracePeriodSeconds' | tee /dev/stderr)
[[ "${actual}" = "10" ]]
}
@test "server/standalone-StatefulSet: terminationGracePeriodSeconds 30" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.terminationGracePeriodSeconds=30' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.terminationGracePeriodSeconds' | tee /dev/stderr)
[[ "${actual}" = "30" ]]
}
#--------------------------------------------------------------------
# preStop
@test "server/standalone-StatefulSet: preStop sleep duration default" {
@ -1642,7 +1663,7 @@ load _helpers
--set 'server.serviceAccount.create=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault" ]
[ "${actual}" = "release-name-vault" ]
}

252
test/unit/server-test.bats Normal file
View file

@ -0,0 +1,252 @@
#!/usr/bin/env bats
load _helpers
#--------------------------------------------------------------------
# disable / enable server deployment
@test "server/server-test-Pod: disabled server.enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.enabled=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/server-test-Pod: disabled server.enabled random string" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.enabled=blabla' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/server-test-Pod: enabled server.enabled explicit true" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
@test "server/standalone-server-test-Pod: default server.standalone.enabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/tests/server-test.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/standalone-server-test-Pod: enable with server.standalone.enabled true" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.standalone.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ha-server-test-Pod: enable with server.ha.enabled true" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/standalone-server-test-Pod: not disabled with global.enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/tests/server-test.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
--set 'server.standalone.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/standalone-server-test-Pod: disable with global.enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/tests/server-test.yaml \
--set 'global.enabled=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/standalone-server-test-Pod: disable with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/tests/server-test.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \
--set 'server.standalone.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/standalone-server-test-Pod: image defaults to server.image.repository:tag" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.image.repository=foo' \
--set 'server.image.tag=1.2.3' \
. | tee /dev/stderr |
yq -r '.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "foo:1.2.3" ]
local actual=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.image.repository=foo' \
--set 'server.image.tag=1.2.3' \
--set 'server.standalone.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "foo:1.2.3" ]
}
@test "server/standalone-server-test-Pod: image tag defaults to latest" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.image.repository=foo' \
--set 'server.image.tag=' \
. | tee /dev/stderr |
yq -r '.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "foo:latest" ]
local actual=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.image.repository=foo' \
--set 'server.image.tag=' \
--set 'server.standalone.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "foo:latest" ]
}
@test "server/standalone-server-test-Pod: default imagePullPolicy" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/tests/server-test.yaml \
. | tee /dev/stderr |
yq -r '.spec.containers[0].imagePullPolicy' | tee /dev/stderr)
[ "${actual}" = "IfNotPresent" ]
}
@test "server/standalone-server-test-Pod: Custom imagePullPolicy" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.image.pullPolicy=Always' \
. | tee /dev/stderr |
yq -r '.spec.containers[0].imagePullPolicy' | tee /dev/stderr)
[ "${actual}" = "Always" ]
}
#--------------------------------------------------------------------
# resources
@test "server/standalone-server-test-Pod: default resources" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.standalone.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.containers[0].resources' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
#--------------------------------------------------------------------
# volumes
@test "server/standalone-server-test-Pod: server.volumes adds volume" {
cd `chart_dir`
# Test that it defines it
local object=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.volumes[0].name=plugins' \
--set 'server.volumes[0].emptyDir=\{\}' \
. | tee /dev/stderr |
yq -r '.spec.volumes[] | select(.name == "plugins")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.emptyDir' | tee /dev/stderr)
[ "${actual}" = "{}" ]
}
#--------------------------------------------------------------------
# volumeMounts
@test "server/standalone-server-test-Pod: server.volumeMounts adds volumeMount" {
cd `chart_dir`
# Test that it defines it
local object=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.volumeMounts[0].name=plugins' \
--set 'server.volumeMounts[0].mountPath=/usr/local/libexec/vault' \
--set 'server.volumeMounts[0].readOnly=true' \
. | tee /dev/stderr |
yq -r '.spec.containers[0].volumeMounts[] | select(.name == "plugins")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/usr/local/libexec/vault" ]
local actual=$(echo $object |
yq -r '.readOnly' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# extraEnvironmentVars
@test "server/standalone-server-test-Pod: set extraEnvironmentVars" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.standalone.enabled=true' \
--set 'server.extraEnvironmentVars.FOO=bar' \
--set 'server.extraEnvironmentVars.FOOBAR=foobar' \
. | tee /dev/stderr |
yq -r '.spec.containers[0].env' | tee /dev/stderr)
local name=$(echo $object |
yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr)
[ "${name}" = "bar" ]
local name=$(echo $object |
yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr)
[ "${name}" = "foobar" ]
local object=$(helm template \
--show-only templates/tests/server-test.yaml \
--set 'server.extraEnvironmentVars.FOO=bar' \
--set 'server.extraEnvironmentVars.FOOBAR=foobar' \
. | tee /dev/stderr |
yq -r '.spec.containers[0].env' | tee /dev/stderr)
local name=$(echo $object |
yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr)
[ "${name}" = "bar" ]
local name=$(echo $object |
yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr)
[ "${name}" = "foobar" ]
}

12
test/unit/ui-service.bats
View file

@ -53,6 +53,18 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "ui/Service: 'disable with global, enable with ui.enabled'" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/ui-service.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
--set 'ui.enabled=true' \
. | tee /dev/stderr |
yq -r 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "ui/Service: disable with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \

6
values.openshift.yaml
View file

@ -6,13 +6,13 @@ global:
injector:
image:
repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
tag: "0.14.1-ubi"
tag: "0.14.2-ubi"
agentImage:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.9.0-ubi"
tag: "1.9.3-ubi"
server:
image:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.9.0-ubi"
tag: "1.9.3-ubi"

109
values.schema.json
View file

@ -14,6 +14,15 @@
"string"
]
},
"extraLabels": {
"type": "object"
},
"kubeletRootDir": {
"type": "string"
},
"providersDir": {
"type": "string"
},
"updateStrategy": {
"type": "object",
"properties": {
@ -24,20 +33,20 @@
"type": "string"
}
}
},
"providersDir": {
"type": "string"
},
"kubeletRootDir": {
"type": "string"
}
}
},
"priorityClassName": {
"type": "string"
},
"debug": {
"type": "boolean"
},
"enabled": {
"type": "boolean"
"type": [
"boolean",
"string"
]
},
"extraArgs": {
"type": "array"
@ -85,6 +94,9 @@
"string"
]
},
"extraLabels": {
"type": "object"
},
"tolerations": {
"type": [
"null",
@ -125,6 +137,9 @@
"object",
"string"
]
},
"extraLabels": {
"type": "object"
}
}
},
@ -254,7 +269,10 @@
}
},
"enabled": {
"type": "boolean"
"type": [
"boolean",
"string"
]
},
"externalVaultAddr": {
"type": "string"
@ -320,6 +338,9 @@
"objectSelector": {
"type": "object"
},
"podDisruptionBudget": {
"type": "object"
},
"port": {
"type": "integer"
},
@ -346,6 +367,12 @@
}
}
},
"strategy": {
"type": [
"object",
"string"
]
},
"tolerations": {
"type": [
"null",
@ -360,6 +387,32 @@
"string"
]
},
"webhook": {
"type": "object",
"properties": {
"annotations": {
"type": [
"object",
"string"
]
},
"failurePolicy": {
"type": "string"
},
"matchPolicy": {
"type": "string"
},
"namespaceSelector": {
"type": "object"
},
"objectSelector": {
"type": "object"
},
"timeoutSeconds": {
"type": "integer"
}
}
},
"webhookAnnotations": {
"type": [
"object",
@ -467,7 +520,10 @@
}
},
"enabled": {
"type": "boolean"
"type": [
"boolean",
"string"
]
},
"enterpriseLicense": {
"type": "object",
@ -517,7 +573,10 @@
]
},
"config": {
"type": "string"
"type": [
"string",
"object"
]
},
"disruptionBudget": {
"type": "object",
@ -540,7 +599,10 @@
"type": "object",
"properties": {
"config": {
"type": "string"
"type": [
"string",
"object"
]
},
"enabled": {
"type": "boolean"
@ -607,6 +669,9 @@
"labels": {
"type": "object"
},
"pathType": {
"type": "string"
},
"tls": {
"type": "array"
}
@ -732,6 +797,12 @@
"enabled": {
"type": "boolean"
},
"publishNotReadyAddresses": {
"type": "boolean"
},
"externalTrafficPolicy": {
"type": "string"
},
"port": {
"type": "integer"
},
@ -764,7 +835,10 @@
"type": "object",
"properties": {
"config": {
"type": "string"
"type": [
"string",
"object"
]
},
"enabled": {
"type": [
@ -785,6 +859,9 @@
}
}
},
"terminationGracePeriodSeconds": {
"type": "integer"
},
"tolerations": {
"type": [
"null",
@ -822,11 +899,17 @@
]
},
"enabled": {
"type": "boolean"
"type": [
"boolean",
"string"
]
},
"externalPort": {
"type": "integer"
},
"externalTrafficPolicy": {
"type": "string"
},
"publishNotReadyAddresses": {
"type": "boolean"
},

133
values.yaml
View file

@ -26,7 +26,8 @@ global:
injector:
# True if you want to enable vault agent injection.
enabled: true
# @default: global.enabled
enabled: "-"
replicas: 1
@ -49,7 +50,7 @@ injector:
# image sets the repo and tag of the vault-k8s image to use for the injector.
image:
repository: "hashicorp/vault-k8s"
tag: "0.14.1"
tag: "0.14.2"
pullPolicy: IfNotPresent
# agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@ -57,7 +58,7 @@ injector:
# required.
agentImage:
repository: "hashicorp/vault"
tag: "1.9.0"
tag: "1.9.3"
# The default values for the injected Vault Agent containers.
agentDefaults:
@ -90,6 +91,61 @@ injector:
# Configures all Vault Agent sidecars to revoke their token when shutting down
revokeOnShutdown: false
webhook:
# Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
# API Version of the WebHook.
# To block pod creation while webhook is unavailable, set the policy to `Fail` below.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
#
failurePolicy: Ignore
# matchPolicy specifies the approach to accepting changes based on the rules of
# the MutatingWebhookConfiguration.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
# for more details.
#
matchPolicy: Exact
# timeoutSeconds is the amount of seconds before the webhook request will be ignored
# or fails.
# If it is ignored or fails depends on the failurePolicy
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
# for more details.
#
timeoutSeconds: 30
# namespaceSelector is the selector for restricting the webhook to only
# specific namespaces.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
# for more details.
# Example:
# namespaceSelector:
# matchLabels:
# sidecar-injector: enabled
namespaceSelector: {}
# objectSelector is the selector for restricting the webhook to only
# specific labels.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
# for more details.
# Example:
# objectSelector:
# matchLabels:
# vault-sidecar-injector: enabled
objectSelector: {}
# Extra annotations to attach to the webhook
annotations: {}
# Deprecated: please use 'webhook.failurePolicy' instead
# Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
# API Version of the WebHook.
# To block pod creation while webhook is unavailable, set the policy to `Fail` below.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
#
failurePolicy: Ignore
# Deprecated: please use 'webhook.namespaceSelector' instead
# namespaceSelector is the selector for restricting the webhook to only
# specific namespaces.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@ -99,6 +155,8 @@ injector:
# matchLabels:
# sidecar-injector: enabled
namespaceSelector: {}
# Deprecated: please use 'webhook.objectSelector' instead
# objectSelector is the selector for restricting the webhook to only
# specific labels.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
@ -109,13 +167,7 @@ injector:
# vault-sidecar-injector: enabled
objectSelector: {}
# Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the
# API Version of the WebHook.
# To block pod creation while webhook is unavailable, set the policy to `Fail` below.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
#
failurePolicy: Ignore
# Deprecated: please use 'webhook.annotations' instead
# Extra annotations to attach to the webhook
webhookAnnotations: {}
@ -205,9 +257,25 @@ injector:
# Extra annotations to attach to the injector service
annotations: {}
# A disruption budget limits the number of pods of a replicated application
# that are down simultaneously from voluntary disruptions
podDisruptionBudget: {}
# podDisruptionBudget:
# maxUnavailable: 1
# strategy for updating the deployment. This can be a multi-line string or a
# YAML map.
strategy: {}
# strategy: |
# rollingUpdate:
# maxSurge: 25%
# maxUnavailable: 25%
# type: RollingUpdate
server:
# If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details
enabled: true
# If true, or "-" with global.enabled true, Vault server will be installed.
# See vault.mode in _helpers.tpl for implementation details.
enabled: "-"
# [Enterprise Only] This value refers to a Kubernetes secret that you have
# created that contains your enterprise license. If you are not using an
@ -227,7 +295,7 @@ server:
image:
repository: "hashicorp/vault"
tag: "1.9.0"
tag: "1.9.3"
# Overrides the default Image Pull Policy
pullPolicy: IfNotPresent
@ -296,7 +364,7 @@ server:
# - chart-example.local
# OpenShift only - create a route to expose the service
# The created route will be of type passthrough
# By default the created route will be of type passthrough
route:
enabled: false
@ -307,6 +375,11 @@ server:
labels: {}
annotations: {}
host: chart-example.local
# tls will be passed directly to the route's TLS config, which
# can be used to configure other termination methods that terminate
# TLS at the router
tls:
termination: passthrough
# authDelegator enables a cluster role binding to be attached to the service
# account. This cluster role binding can be used to setup Kubernetes auth
@ -374,6 +447,10 @@ server:
# Number of seconds after which the probe times out.
timeoutSeconds: 3
# Optional duration in seconds the pod needs to terminate gracefully.
# See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
terminationGracePeriodSeconds: 10
# Used to set the sleep time during the preStop step
preStopSleepSeconds: 5
@ -494,6 +571,9 @@ server:
# or NodePort.
#type: ClusterIP
# Do not wait for pods to be ready
publishNotReadyAddresses: true
# The externalTrafficPolicy can be set to either Cluster or Local
# and is only valid for LoadBalancer and NodePort service types.
# The default value is Cluster.
@ -531,7 +611,7 @@ server:
annotations: {}
# This configures the Vault Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized and unseal, Vault must
# logs. Once Vault is deployed, initialized and unsealed, Vault must
# be configured to use this for audit logs. This will be mounted to
# /vault/audit
# See https://www.vaultproject.io/docs/audit/index.html to know more
@ -612,6 +692,11 @@ server:
# If set to null, this will be set to the Pod IP Address
apiAddr: null
# Set the cluster_addr confuguration for Vault HA
# See https://www.vaultproject.io/docs/configuration#cluster_addr
# If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
clusterAddr: null
# Enables Vault's integrated Raft storage. Unlike the typical HA modes where
# Vault's persistence is external (such as Consul), enabling Raft mode will create
# persistent volumes for Vault to store data according to the configuration under server.dataStorage.
@ -752,7 +837,7 @@ csi:
image:
repository: "hashicorp/vault-csi-provider"
tag: "0.3.0"
tag: "1.1.0"
pullPolicy: IfNotPresent
# volumes is a list of volumes made available to all containers. These are rendered
@ -793,6 +878,9 @@ csi:
providersDir: "/etc/kubernetes/secrets-store-csi-providers"
# Kubelet host path
kubeletRootDir: "/var/lib/kubelet"
# Extra labels to attach to the vault-csi-provider daemonSet
# This should be a YAML map of the labels to apply to the csi provider daemonSet
extraLabels: {}
pod:
# Extra annotations for the provider pods. This can either be YAML or a
@ -805,12 +893,25 @@ csi:
# in a PodSpec.
tolerations: []
# Extra labels to attach to the vault-csi-provider pod
# This should be a YAML map of the labels to apply to the csi provider pod
extraLabels: {}
# Priority class for csi pods
priorityClassName: ""
serviceAccount:
# Extra annotations for the serviceAccount definition. This can either be
# YAML or a YAML-formatted multi-line templated string map of the
# annotations to apply to the serviceAccount.
annotations: {}
# Extra labels to attach to the vault-csi-provider serviceAccount
# This should be a YAML map of the labels to apply to the csi provider serviceAccount
extraLabels: {}
# Used to configure readinessProbe for the pods.
readinessProbe:
# When a probe fails, Kubernetes will try failureThreshold times before giving up