diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index deee438..def7d7c 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash @@ -52,7 +52,7 @@ wait_for_sealed_vault() { POD_NAME=$1 check() { - sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed') + sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed') if [ "$sealed_status" == "true" ]; then return 0 fi diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index aa6edc4..7f18f33 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -22,7 +22,7 @@ load _helpers --set enableSecretRotation=true \ --set rotationPollInterval=5s # Install Vault and Vault provider - helm install vault \ + helm install openbao \ --wait --timeout=5m \ --namespace=acceptance \ --set="server.dev.enabled=true" \ 
@@ -31,20 +31,20 @@ load _helpers --set="csi.agent.logLevel=debug" \ --set="injector.enabled=false" \ . - kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault - kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider # Set up k8s auth and a kv secret. - cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy - - kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes - kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ + cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy - + kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes + kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' - kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ + kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ bound_service_account_names=nginx \ bound_service_account_namespaces=acceptance \ policies=kv-policy \ ttl=20m - kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1 + kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml 
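Review bot: The policy upload on the new side calls `openbao policy write kv-policy -`, while every other command in this commit invokes the CLI as `bao`. If the image only ships a `bao` binary, this exec fails and `kv-policy` is never created, so the `kv-role` written a few lines later would reference a policy that does not exist. The command should end in `exec -i openbao-0 -- bao policy write kv-policy -`. The enclosing @test block starts and ends outside the hunk.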
@@ -75,7 +75,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm --namespace=acceptance delete vault + helm --namespace=acceptance delete openbao helm --namespace=acceptance delete secrets-store-csi-driver kubectl delete --all pvc kubectl delete namespace acceptance diff --git a/test/acceptance/helm-test.bats b/test/acceptance/helm-test.bats index c5f9553..04717e5 100644 --- a/test/acceptance/helm-test.bats +++ b/test/acceptance/helm-test.bats @@ -20,7 +20,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats index 0f91e02..8605d17 100644 --- a/test/acceptance/injector-leader-elector.bats +++ b/test/acceptance/injector-leader-elector.bats @@ -45,7 +45,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance fi diff --git a/test/acceptance/injector-test/bootstrap.sh b/test/acceptance/injector-test/bootstrap.sh index 96f1617..0d844fe 100755 --- a/test/acceptance/injector-test/bootstrap.sh +++ b/test/acceptance/injector-test/bootstrap.sh 
@@ -5,40 +5,40 @@ OUTPUT=/tmp/output.txt -vault operator init -n 1 -t 1 >> ${OUTPUT?} +bao operator init -n 1 -t 1 >> ${OUTPUT?} unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g") root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g") -vault operator unseal ${unseal?} +bao operator unseal ${unseal?} -vault login -no-print ${root?} +bao login -no-print ${root?} -vault policy write db-backup /vault/userconfig/test/pgdump-policy.hcl +bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl -vault auth enable kubernetes +bao auth enable kubernetes -vault write auth/kubernetes/config \ +bao write auth/kubernetes/config \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt -vault write auth/kubernetes/role/db-backup \ +bao write auth/kubernetes/role/db-backup \ bound_service_account_names=pgdump \ bound_service_account_namespaces=acceptance \ policies=db-backup \ ttl=1h -vault secrets enable database +bao secrets enable database -vault write database/config/postgresql \ +bao write database/config/postgresql \ plugin_name=postgresql-database-plugin \ allowed_roles="db-backup" \ connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \ - username="vault" \ - password="vault" + username="openbao" \ + password="openbao" -vault write database/roles/db-backup \ +bao write database/roles/db-backup \ db_name=postgresql \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \ diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index e7fb393..a2e8a18 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats 
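Review bot: `bao operator init -n 1 -t 1 >> ${OUTPUT?}` still appends the unseal key and initial root token to the fixed path `/tmp/output.txt`, and nothing visible in the hunk removes the file, so both secrets stay readable inside the pod after the script finishes. A private temp file with cleanup would contain that: `OUTPUT=$(mktemp)` plus `trap 'rm -f -- "$OUTPUT"' EXIT`, with the expansions quoted (`"${OUTPUT?}"`, `"${unseal?}"`, `"${root?}"`). Separately, the database credentials change to `username="openbao"` / `password="openbao"`; the Postgres role they must match is defined outside this hunk, so confirm the Postgres test manifest was renamed in the same commit. The script continues past the end of the hunk.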
@@ -4,7 +4,7 @@ load _helpers @test "injector: testing deployment" { cd `chart_dir` - + kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance kubectl config set-context --current --namespace=acceptance @@ -15,7 +15,7 @@ load _helpers kubectl create secret generic test \ --from-file ./test/acceptance/injector-test/pgdump-policy.hcl \ - --from-file ./test/acceptance/injector-test/bootstrap.sh + --from-file ./test/acceptance/injector-test/bootstrap.sh kubectl label secret test app=vault-agent-demo @@ -26,17 +26,17 @@ load _helpers wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") - kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /vault/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" + kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" sleep 5 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') - [ "${init_status}" == "true" ] + [ "${init_status}" == "true" ] kubectl create -f ./test/acceptance/injector-test/job.yaml @@ -48,9 +48,9 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc - kubectl delete secret test + kubectl delete secret test kubectl delete job pgdump kubectl delete deployment postgres kubectl delete namespace acceptance diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats index 0619c28..72002af 100644 
--- a/test/acceptance/server-dev.bats +++ b/test/acceptance/server-dev.bats @@ -43,11 +43,11 @@ load _helpers [ "${ports}" == "8201" ] # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] } @@ -57,7 +57,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 264be67..1fed7e6 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -17,13 +17,13 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-east-0 - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] # Vault Init local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${primary_token}" != "" ] @@ -31,7 +31,7 @@ load _helpers local primary_root=$(echo ${init} | jq -r '.root_token') [ "${primary_root}" != "" ] - kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} + kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token} wait_for_ready "$(name_prefix)-east-0" sleep 10 
@@ -42,30 +42,30 @@ load _helpers do if [[ ${pod?} != "$(name_prefix)-east-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} wait_for_ready "${pod}" fi done # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root} + kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root} - local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json | jq -r '.data.config.servers | length') [ "${raft_status}" == "3" ] - kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 + kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 - local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json) + local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/dr/primary/secondary-token id=secondary -format=json) [ 
"${secondary}" != "" ] local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') @@ -84,13 +84,13 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-west-0 - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] # Vault Init local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${secondary_token}" != "" ] @@ -98,7 +98,7 @@ load _helpers local secondary_root=$(echo ${init} | jq -r '.root_token') [ "${secondary_root}" != "" ] - kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} + kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token} wait_for_ready "$(name_prefix)-west-0" sleep 10 
@@ -109,28 +109,28 @@ load _helpers do if [[ ${pod?} != "$(name_prefix)-west-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token} wait_for_ready "${pod}" fi done # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} + kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root} - local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json | jq -r '.data.config.servers | length') [ "${raft_status}" == "3" ] - kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token} + kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/dr/secondary/enable token=${secondary_replica_token} sleep 10 @@ -141,7 +141,7 @@ load _helpers then kubectl delete pod "${pod?}" wait_for_running "${pod?}" - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} wait_for_ready "${pod}" fi done 
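Review bot: `bao login ${secondary_root}` runs without `-no-print`, unlike `bao login -no-print ${root?}` in `injector-test/bootstrap.sh`, so the root token and its metadata are written to the test output and can end up in CI logs when the test fails. Suggest `kubectl exec "$(name_prefix)-west-0" -- bao login -no-print "${secondary_root}"`. The same applies to `bao login ${primary_root}` in the east hunk of this file, to both login lines in `server-ha-enterprise-perf.bats`, and to `bao login ${root}` in `server-ha-raft.bats`. The enclosing @test block starts and ends outside the hunk.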
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 15025c9..5d0742f 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -17,13 +17,13 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-east-0 - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] # Vault Init local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${primary_token}" != "" ] @@ -31,7 +31,7 @@ load _helpers local primary_root=$(echo ${init} | jq -r '.root_token') [ "${primary_root}" != "" ] - kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} + kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token} wait_for_ready "$(name_prefix)-east-0" sleep 30 
@@ -42,30 +42,30 @@ load _helpers do if [[ ${pod?} != "$(name_prefix)-east-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} wait_for_ready "${pod}" fi done # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root} + kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root} - local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json | jq -r '.data.config.servers | length') [ "${raft_status}" == "3" ] - kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 + kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 - local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json) + local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/performance/primary/secondary-token 
id=secondary -format=json) [ "${secondary}" != "" ] local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') @@ -84,13 +84,13 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-west-0 - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] # Vault Init local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${secondary_token}" != "" ] @@ -98,7 +98,7 @@ load _helpers local secondary_root=$(echo ${init} | jq -r '.root_token') [ "${secondary_root}" != "" ] - kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} + kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token} wait_for_ready "$(name_prefix)-west-0" sleep 30 
@@ -109,28 +109,28 @@ load _helpers do if [[ ${pod?} != "$(name_prefix)-west-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token} wait_for_ready "${pod}" fi done # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} + kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root} - local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json | jq -r '.data.config.servers | length') [ "${raft_status}" == "3" ] - kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token} + kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/performance/secondary/enable token=${secondary_replica_token} sleep 30 @@ -139,7 +139,7 @@ load _helpers do if [[ ${pod?} != "$(name_prefix)-west-0" ]] then - kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} + kubectl exec -ti ${pod} -- bao operator unseal ${primary_token} wait_for_ready "${pod}" fi done 
diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index f06ca87..c6c1ef4 100644 --- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -13,7 +13,7 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] 
@@ -59,43 +59,43 @@ load _helpers # Vault Init local init=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1) + bao operator init -format=json -n 1 -t 1) local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - + local root=$(echo ${init} | jq -r '.root_token') [ "${root}" != "" ] - kubectl exec -ti vault-0 -- vault operator unseal ${token} + kubectl exec -ti openbao-0 -- bao operator unseal ${token} wait_for_ready "$(name_prefix)-0" sleep 5 # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do if [[ ${pod?} != "$(name_prefix)-0" ]] then - kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200 - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200 + kubectl exec -ti ${pod} -- bao operator unseal ${token} wait_for_ready "${pod}" fi done # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - kubectl exec "$(name_prefix)-0" -- vault login ${root} + kubectl exec "$(name_prefix)-0" -- bao login ${root} - local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json | + local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json | jq -r 
'.data.config.servers | length') [ "${raft_status}" == "3" ] } @@ -112,9 +112,9 @@ teardown() { then # If the test failed, print some debug output if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then - kubectl logs -l app.kubernetes.io/name=vault + kubectl logs -l app.kubernetes.io/name=openbao fi - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 6876e0f..ecfcbce 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats @@ -12,7 +12,7 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] @@ -58,7 +58,7 @@ load _helpers # Vault Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1 | \ + bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] @@ -66,17 +66,17 @@ load _helpers local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator unseal ${token} done wait_for_ready "$(name_prefix)-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] } 
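Review bot: In the `server-ha-raft.bats` init hunk, the first unseal uses the literal pod name `openbao-0` (`kubectl exec -ti openbao-0 -- bao operator unseal ${token}`), while the init just above it and the `wait_for_ready` just below it address the same pod as `"$(name_prefix)-0"`. The test therefore only works when the release name resolves to `openbao`; `kubectl exec -ti "$(name_prefix)-0" -- bao operator unseal "${token}"` keeps it consistent. The comment `# Sealed, not initialized` ahead of the final status checks is also stale, since those checks assert `sealed == false` and `initialized == true`; `# Unsealed, initialized` would match the sibling tests.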
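Review bot: In the `server-ha.bats` unseal hunk, the pod selector on the unchanged line `--selector='app.kubernetes.io/name=vault'` was not renamed, although `server.bats`, `server-telemetry.bats` and `server-ha-raft.bats` switch the same selector to `app.kubernetes.io/name=openbao` in this commit. If the chart now labels its pods `openbao`, `pods` comes back empty, the unseal loop runs zero times, and the test stalls in `wait_for_ready` instead of failing with a clear message. Change it to `--selector='app.kubernetes.io/name=openbao'`, and likewise `kubectl logs -l app.kubernetes.io/name=vault` in this file's teardown hunk, which would otherwise print no debug logs on failure.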
@@ -113,7 +113,7 @@ teardown() { kubectl logs -l app=consul kubectl logs -l app.kubernetes.io/name=vault fi - helm delete vault + helm delete openbao helm delete consul kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true diff --git a/test/acceptance/server-telemetry.bats b/test/acceptance/server-telemetry.bats index a7c4e0d..2251732 100644 --- a/test/acceptance/server-telemetry.bats +++ b/test/acceptance/server-telemetry.bats @@ -29,29 +29,29 @@ load _helpers # Vault Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1 | \ + bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator unseal ${token} done wait_for_ready "$(name_prefix)-0" # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] - # unfortunately it can take up to 2 minutes for the vault prometheus job to appear + # unfortunately it can take up to 2 minutes for the openbao prometheus job to appear # TODO: investigate how reduce this. local job_labels local tries=0 diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index 1e944a0..58639bf 100644 --- a/test/acceptance/server.bats 
+++ b/test/acceptance/server.bats @@ -15,7 +15,7 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "false" ] @@ -40,7 +40,7 @@ load _helpers local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath') - [ "${mountPath}" == "/vault/data" ] + [ "${mountPath}" == "/openbao/data" ] # Volumes local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | @@ -72,27 +72,27 @@ load _helpers jq -r '.spec.ports[1].port') [ "${ports}" == "8201" ] - # Vault Init + # OpenBao Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ - vault operator init -format=json -n 1 -t 1 | \ + bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do - kubectl exec -ti ${pod} -- vault operator unseal ${token} + kubectl exec -ti ${pod} -- bao operator unseal ${token} done wait_for_ready "$(name_prefix)-0" # Unsealed, initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] - local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | jq -r '.initialized') [ "${init_status}" == "true" ] } 
@@ -102,7 +102,7 @@ teardown() { if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" - helm delete vault + helm delete openbao kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true fi diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index b2b8efe..8b92c05 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -1240,7 +1240,7 @@ load _helpers --show-only templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].readinessProbe.exec.command[2]' | tee /dev/stderr) - [ "${actual}" = "vault status -tls-skip-verify" ] + [ "${actual}" = "bao status -tls-skip-verify" ] } @test "server/standalone-StatefulSet: readinessProbe configurable" {