From 4d23074cd3eeb9f129418a5b75dd0b605eb7ae88 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 11 Jun 2021 13:29:30 -0700
Subject: [PATCH] Adding server.enterpriseLicense (#547)

Sets up a vault-enterprise license for autoloading on vault
startup. Mounts an existing secret to /vault/license and sets
VAULT_LICENSE_PATH appropriately.
---
 templates/_helpers.tpl                        | 11 ++++
 templates/server-statefulset.yaml             |  4 ++
 test/acceptance/server-ha-enterprise-dr.bats  |  7 ++-
 .../acceptance/server-ha-enterprise-perf.bats |  7 ++-
 test/unit/server-statefulset.bats             | 56 +++++++++++++++++++
 values.schema.json                            | 11 ++++
 values.yaml                                   | 12 ++++
 7 files changed, 104 insertions(+), 4 deletions(-)

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 505275b..63011d3 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -103,6 +103,12 @@ extra volumes the user may have specified (such as a secret with TLS).
   {{- if .Values.server.volumes }}
     {{- toYaml .Values.server.volumes | nindent 8}}
   {{- end }}
+  {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
+        - name: vault-license
+          secret:
+            secretName: {{ .Values.server.enterpriseLicense.secretName }}
+            defaultMode: 0440
+  {{- end }}
 {{- end -}}
 
 {{/*
@@ -166,6 +172,11 @@ based on the mode configured.
   {{- if .Values.server.volumeMounts }}
     {{- toYaml .Values.server.volumeMounts | nindent 12}}
   {{- end }}
+  {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
+            - name: vault-license
+              mountPath: /vault/license
+              readOnly: true
+  {{- end }}
 {{- end -}}
 
 {{/*
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 69232ed..718c9a0 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -125,6 +125,10 @@ spec:
             - name: VAULT_LOG_FORMAT
               value: "{{ .Values.server.logFormat }}"
             {{- end }}
+            {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
+            - name: VAULT_LICENSE_PATH
+              value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }}
+            {{- end }}
             {{ template "vault.envs" . }}
             {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
             {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats
index 5518244..c7119d5 100644
--- a/test/acceptance/server-ha-enterprise-dr.bats
+++ b/test/acceptance/server-ha-enterprise-dr.bats
@@ -10,7 +10,8 @@ load _helpers
     --set='server.image.tag=1.7.2_ent' \
     --set='injector.enabled=false' \
     --set='server.ha.enabled=true' \
-    --set='server.ha.raft.enabled=true' .
+    --set='server.ha.raft.enabled=true' \
+    --set='server.enterpriseLicense.secretName=vault-license' .
   wait_for_running "$(name_prefix)-east-0"
 
   # Sealed, not initialized
@@ -78,7 +79,8 @@ load _helpers
     --set='server.image.repository=hashicorp/vault-enterprise' \
     --set='server.image.tag=1.7.2_ent' \
     --set='server.ha.enabled=true' \
-    --set='server.ha.raft.enabled=true' .
+    --set='server.ha.raft.enabled=true' \
+    --set='server.enterpriseLicense.secretName=vault-license' .
   wait_for_running "$(name_prefix)-west-0"
 
   # Sealed, not initialized
@@ -153,6 +155,7 @@ setup() {
   kubectl delete namespace acceptance --ignore-not-found=true
   kubectl create namespace acceptance
   kubectl config set-context --current --namespace=acceptance
+  kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI
 }
 
 #cleanup
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats
index 7497dbc..eb08b31 100644
--- a/test/acceptance/server-ha-enterprise-perf.bats
+++ b/test/acceptance/server-ha-enterprise-perf.bats
@@ -10,7 +10,8 @@ load _helpers
     --set='server.image.repository=hashicorp/vault-enterprise' \
     --set='server.image.tag=1.7.2_ent' \
     --set='server.ha.enabled=true' \
-    --set='server.ha.raft.enabled=true' .
+    --set='server.ha.raft.enabled=true' \
+    --set='server.enterpriseLicense.secretName=vault-license' .
   wait_for_running "$(name_prefix)-east-0"
 
   # Sealed, not initialized
@@ -78,7 +79,8 @@ load _helpers
     --set='server.image.repository=hashicorp/vault-enterprise' \
     --set='server.image.tag=1.7.2_ent' \
     --set='server.ha.enabled=true' \
-    --set='server.ha.raft.enabled=true' .
+    --set='server.ha.raft.enabled=true' \
+    --set='server.enterpriseLicense.secretName=vault-license' .
   wait_for_running "$(name_prefix)-west-0"
 
   # Sealed, not initialized
@@ -151,6 +153,7 @@ setup() {
   kubectl delete namespace acceptance --ignore-not-found=true
   kubectl create namespace acceptance
   kubectl config set-context --current --namespace=acceptance
+  kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI
 }
 
 #cleanup
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 0c674d6..d7edb96 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -1566,3 +1566,59 @@ load _helpers
 
 
 }
+
+#--------------------------------------------------------------------
+# enterprise license autoload support
+@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'server.enterpriseLicense.secretName=foo' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
+      . | tee /dev/stderr |
+      yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr)
+      [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ]
+}
+
+@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'server.enterpriseLicense.secretName=foo' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
+      . | tee /dev/stderr |
+      yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr)
+      [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ]
+}
+
+@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'server.enterpriseLicense.secretName=foo' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
+      . | tee /dev/stderr |
+      yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+      [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ]
+}
+
+@test "server/StatefulSet: blank secretName does not set env var" {
+  cd `chart_dir`
+
+  # setting secretName=null
+  local actual=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'server.enterpriseLicense.secretName=null' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
+      . | tee /dev/stderr |
+      yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+      [ "${actual}" = '' ]
+
+  # omitting secretName
+  local actual=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'server.enterpriseLicense.secretKey=bar' \
+      . | tee /dev/stderr |
+      yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+      [ "${actual}" = '' ]
+}
diff --git a/values.schema.json b/values.schema.json
index e2d0045..db3b806 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -438,6 +438,17 @@
                 "enabled": {
                     "type": "boolean"
                 },
+                "enterpriseLicense": {
+                    "type": "object",
+                    "properties": {
+                        "secretKey": {
+                            "type": "string"
+                        },
+                        "secretName": {
+                            "type": "string"
+                        }
+                    }
+                },
                 "extraArgs": {
                     "type": "string"
                 },
diff --git a/values.yaml b/values.yaml
index acab97a..a85514b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -198,6 +198,18 @@ server:
   # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details
   enabled: true
 
+  # [Enterprise Only] This value refers to a Kubernetes secret that you have
+  # created that contains your enterprise license. If you are not using an
+  # enterprise image or if you plan to introduce the license key via another
+  # route, then leave secretName blank ("") or set it to null.
+  # Requires Vault Enterprise 1.8 or later.
+  enterpriseLicense:
+    # The name of the Kubernetes secret that holds the enterprise license. The
+    # secret must be in the same namespace that Vault is installed into.
+    secretName: ""
+    # The key within the Kubernetes secret that holds the enterprise license.
+    secretKey: "license"
+
   # Resource requests, limits, etc. for the server cluster placement. This
   # should map directly to the value of the resources field for a PodSpec.
   # By default no direct resource request is made.