replace vault command with bao and helm install/delete vault with openbao - part 1

Signed-off-by: jessebot <jessebot@linux.com>
This commit is contained in:
jessebot 2024-05-22 20:33:41 +02:00 committed by Nathan A Phelps
parent 7b8c26e1ce
commit 4f8924d1d7
14 changed files with 114 additions and 114 deletions


@ -52,7 +52,7 @@ wait_for_sealed_vault() {
POD_NAME=$1
check() {
sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed')
sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed')
if [ "$sealed_status" == "true" ]; then
return 0
fi
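Review bot: The rewritten line in check() still passes the pod name unquoted, `kubectl exec $1 -- bao status -format=json`, so an empty or space-containing argument silently changes the command; it should read `sealed_status=$(kubectl exec "$1" -- bao status -format=json | jq -r '.sealed')`. Note that `POD_NAME=$1` on the line above is assigned in the enclosing function but check() reads its own `$1`, so confirm how check() is invoked, as the enclosing wait_for_sealed_vault body continues outside the hunk. The helper keeps its vault name, which is consistent with the commit being "part 1".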


@ -22,7 +22,7 @@ load _helpers
--set enableSecretRotation=true \
--set rotationPollInterval=5s
# Install Vault and Vault provider
helm install vault \
helm install openbao \
--wait --timeout=5m \
--namespace=acceptance \
--set="server.dev.enabled=true" \
@ -31,20 +31,20 @@ load _helpers
--set="csi.agent.logLevel=debug" \
--set="injector.enabled=false" \
.
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
# Set up k8s auth and a kv secret.
cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy -
kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes
kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy -
kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
bound_service_account_names=nginx \
bound_service_account_namespaces=acceptance \
policies=kv-policy \
ttl=20m
kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
@ -75,7 +75,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm --namespace=acceptance delete vault
helm --namespace=acceptance delete openbao
helm --namespace=acceptance delete secrets-store-csi-driver
kubectl delete --all pvc
kubectl delete namespace acceptance
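Review bot: The policy-write line invokes the CLI as `openbao policy write kv-policy -`, while every other call in this hunk uses the `bao` binary (`bao auth enable`, `bao write`, `bao kv put`), so this one exec will fail with a command-not-found inside the pod. It should be `kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - < ./test/acceptance/csi-test/vault-policy.hcl`, which also drops the redundant `cat` pipe. The wait on `app.kubernetes.io/name=openbao-csi-provider` assumes the CSI provider chart now emits that label; that template is not on this page, so confirm it or the wait will time out.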


@ -20,7 +20,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi


@ -45,7 +45,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete namespace acceptance
fi


@ -5,40 +5,40 @@
OUTPUT=/tmp/output.txt
vault operator init -n 1 -t 1 >> ${OUTPUT?}
bao operator init -n 1 -t 1 >> ${OUTPUT?}
unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g")
root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g")
vault operator unseal ${unseal?}
bao operator unseal ${unseal?}
vault login -no-print ${root?}
bao login -no-print ${root?}
vault policy write db-backup /vault/userconfig/test/pgdump-policy.hcl
bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl
vault auth enable kubernetes
bao auth enable kubernetes
vault write auth/kubernetes/config \
bao write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/db-backup \
bao write auth/kubernetes/role/db-backup \
bound_service_account_names=pgdump \
bound_service_account_namespaces=acceptance \
policies=db-backup \
ttl=1h
vault secrets enable database
bao secrets enable database
vault write database/config/postgresql \
bao write database/config/postgresql \
plugin_name=postgresql-database-plugin \
allowed_roles="db-backup" \
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \
username="vault" \
password="vault"
username="openbao" \
password="openbao"
vault write database/roles/db-backup \
bao write database/roles/db-backup \
db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \
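Review bot: The database config now sends `username="openbao"` / `password="openbao"` to postgres, but the credentials are only correct if the postgres deployment manifest for this test was changed to match; that manifest is not on this page, so confirm it or `bao write database/config/postgresql` will fail to connect. The `bao operator init` output, which contains the unseal key and initial root token, is appended to `/tmp/output.txt` and the hunk never removes it; consider `rm -f -- "${OUTPUT?}"` once `unseal` and `root` have been read, noting that the rest of the script runs past the end of this hunk. Appending (`>>`) also means a second run would leave two "Unseal Key 1:" lines for the grep to match.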


@ -4,7 +4,7 @@ load _helpers
@test "injector: testing deployment" {
cd `chart_dir`
kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
@ -15,7 +15,7 @@ load _helpers
kubectl create secret generic test \
--from-file ./test/acceptance/injector-test/pgdump-policy.hcl \
--from-file ./test/acceptance/injector-test/bootstrap.sh
--from-file ./test/acceptance/injector-test/bootstrap.sh
kubectl label secret test app=vault-agent-demo
@ -26,17 +26,17 @@ load _helpers
wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")
kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /vault/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
sleep 5
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
[ "${init_status}" == "true" ]
kubectl create -f ./test/acceptance/injector-test/job.yaml
@ -48,9 +48,9 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete secret test
kubectl delete secret test
kubectl delete job pgdump
kubectl delete deployment postgres
kubectl delete namespace acceptance
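Review bot: The comment `# Sealed, not initialized` above the two status checks contradicts the assertions that follow it, which require `sealed == "false"` and `initialized == "true"` after bootstrap has run; it should read `# Unsealed, initialized (bootstrap.sh ran)`. The same mismatched comment precedes identical assertions in the next file section and in the raft and consul file sections further down, and should be corrected there as well. The bootstrap copy now reads `/openbao/userconfig/test/bootstrap.sh`, which assumes the chart mounts the `test` secret under `/openbao/userconfig`; that template is not on this page, so confirm the mount path.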


@ -43,11 +43,11 @@ load _helpers
[ "${ports}" == "8201" ]
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
}
@ -57,7 +57,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi


@ -17,13 +17,13 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
vault operator init -format=json -n 1 -t 1)
bao operator init -format=json -n 1 -t 1)
local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${primary_token}" != "" ]
@ -31,7 +31,7 @@ load _helpers
local primary_root=$(echo ${init} | jq -r '.root_token')
[ "${primary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token}
wait_for_ready "$(name_prefix)-east-0"
sleep 10
@ -42,30 +42,30 @@ load _helpers
do
if [[ ${pod?} != "$(name_prefix)-east-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root}
kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root}
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json |
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json)
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/dr/primary/secondary-token id=secondary -format=json)
[ "${secondary}" != "" ]
local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
@ -84,13 +84,13 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
vault operator init -format=json -n 1 -t 1)
bao operator init -format=json -n 1 -t 1)
local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${secondary_token}" != "" ]
@ -98,7 +98,7 @@ load _helpers
local secondary_root=$(echo ${init} | jq -r '.root_token')
[ "${secondary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token}
wait_for_ready "$(name_prefix)-west-0"
sleep 10
@ -109,28 +109,28 @@ load _helpers
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token}
kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root}
kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root}
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json |
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token}
kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/dr/secondary/enable token=${secondary_replica_token}
sleep 10
@ -141,7 +141,7 @@ load _helpers
then
kubectl delete pod "${pod?}"
wait_for_running "${pod?}"
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
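Review bot: Renaming `vault write -f sys/replication/dr/primary/enable ...` and `vault write sys/replication/dr/primary/secondary-token ...` to `bao write ...` cannot make this test pass, because DR replication is a Vault Enterprise feature that OpenBao, as far as I know, does not implement; if this is the enterprise DR acceptance test, it should be skipped or removed rather than ported. The same applies to the performance-replication test in the next file section, which calls `sys/replication/performance/...`. Separately, `bao login ${primary_root}` passes the root token on the command line, where it is visible to process listings in the pod; the test could instead feed it on stdin, though that predates this commit.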


@ -17,13 +17,13 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
vault operator init -format=json -n 1 -t 1)
bao operator init -format=json -n 1 -t 1)
local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${primary_token}" != "" ]
@ -31,7 +31,7 @@ load _helpers
local primary_root=$(echo ${init} | jq -r '.root_token')
[ "${primary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token}
wait_for_ready "$(name_prefix)-east-0"
sleep 30
@ -42,30 +42,30 @@ load _helpers
do
if [[ ${pod?} != "$(name_prefix)-east-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root}
kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root}
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json |
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json)
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/performance/primary/secondary-token id=secondary -format=json)
[ "${secondary}" != "" ]
local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
@ -84,13 +84,13 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
vault operator init -format=json -n 1 -t 1)
bao operator init -format=json -n 1 -t 1)
local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${secondary_token}" != "" ]
@ -98,7 +98,7 @@ load _helpers
local secondary_root=$(echo ${init} | jq -r '.root_token')
[ "${secondary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token}
wait_for_ready "$(name_prefix)-west-0"
sleep 30
@ -109,28 +109,28 @@ load _helpers
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token}
kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root}
kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root}
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json |
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token}
kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/performance/secondary/enable token=${secondary_replica_token}
sleep 30
@ -139,7 +139,7 @@ load _helpers
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done


@ -13,7 +13,7 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
@ -59,43 +59,43 @@ load _helpers
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1)
bao operator init -format=json -n 1 -t 1)
local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
local root=$(echo ${init} | jq -r '.root_token')
[ "${root}" != "" ]
kubectl exec -ti vault-0 -- vault operator unseal ${token}
kubectl exec -ti openbao-0 -- bao operator unseal ${token}
wait_for_ready "$(name_prefix)-0"
sleep 5
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${token}
kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
kubectl exec -ti ${pod} -- bao operator unseal ${token}
wait_for_ready "${pod}"
fi
done
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-0" -- vault login ${root}
kubectl exec "$(name_prefix)-0" -- bao login ${root}
local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json |
local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
}
@ -112,9 +112,9 @@ teardown() {
then
# If the test failed, print some debug output
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
kubectl logs -l app.kubernetes.io/name=vault
kubectl logs -l app.kubernetes.io/name=openbao
fi
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi
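Review bot: The unseal of the first pod hardcodes the pod name, `kubectl exec -ti openbao-0 -- bao operator unseal ${token}`, while the surrounding lines derive it from `"$(name_prefix)-0"`; if name_prefix ever differs from the release name this exec targets a pod that does not exist. Make it consistent with the neighbouring lines: `kubectl exec -ti "$(name_prefix)-0" -- bao operator unseal "${token}"`. The pod selector switch to `app.kubernetes.io/name=openbao` assumes the chart's name label changed in this commit, which the page does not show.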


@ -12,7 +12,7 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
@ -58,7 +58,7 @@ load _helpers
# Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \
bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
@ -66,17 +66,17 @@ load _helpers
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- vault operator unseal ${token}
kubectl exec -ti ${pod} -- bao operator unseal ${token}
done
wait_for_ready "$(name_prefix)-0"
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
}
@ -113,7 +113,7 @@ teardown() {
kubectl logs -l app=consul
kubectl logs -l app.kubernetes.io/name=vault
fi
helm delete vault
helm delete openbao
helm delete consul
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
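Review bot: The pod selector in this test is left as `app.kubernetes.io/name=vault` (and the teardown still runs `kubectl logs -l app.kubernetes.io/name=vault`), while the sibling tests in this commit switch the same selector to `app.kubernetes.io/name=openbao`. If the chart's name label did change, `pods` expands to an empty array here, the unseal loop is silently skipped, and the test only fails later at the sealed_status check with no hint why. Change the two lines to `local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))` and `kubectl logs -l app.kubernetes.io/name=openbao`, or leave both as-is if the label is intentionally unchanged in part 1.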


@ -29,29 +29,29 @@ load _helpers
# Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \
bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- vault operator unseal ${token}
kubectl exec -ti ${pod} -- bao operator unseal ${token}
done
wait_for_ready "$(name_prefix)-0"
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
# unfortunately it can take up to 2 minutes for the vault prometheus job to appear
# unfortunately it can take up to 2 minutes for the openbao prometheus job to appear
# TODO: investigate how reduce this.
local job_labels
local tries=0


@ -15,7 +15,7 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
@ -40,7 +40,7 @@ load _helpers
local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath')
[ "${mountPath}" == "/vault/data" ]
[ "${mountPath}" == "/openbao/data" ]
# Volumes
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
@ -72,27 +72,27 @@ load _helpers
jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ]
# Vault Init
# OpenBao Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \
bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- vault operator unseal ${token}
kubectl exec -ti ${pod} -- bao operator unseal ${token}
done
wait_for_ready "$(name_prefix)-0"
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
}
@ -102,7 +102,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi
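Review bot: Within the same hunk `# Vault Init` is renamed to `# OpenBao Init` but the comment a few lines below is left as `# Vault Unseal`; for consistency it should read `# OpenBao Unseal`. The mountPath assertion now expects `/openbao/data`, which is only correct if the server statefulset template was changed to that path in this commit; that template is not on this page, so confirm it, otherwise this test fails at the first hunk before the init/unseal steps run.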


@ -1240,7 +1240,7 @@ load _helpers
--show-only templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].readinessProbe.exec.command[2]' | tee /dev/stderr)
[ "${actual}" = "vault status -tls-skip-verify" ]
[ "${actual}" = "bao status -tls-skip-verify" ]
}
@test "server/standalone-StatefulSet: readinessProbe configurable" {