replace vault command with bao and helm install/delete vault with openbao - part 1

Signed-off-by: jessebot <jessebot@linux.com>
jessebot 2024-05-22 20:33:41 +02:00 committed by Nathan A Phelps
parent 7b8c26e1ce
commit 4f8924d1d7
14 changed files with 114 additions and 114 deletions


@ -52,7 +52,7 @@ wait_for_sealed_vault() {
POD_NAME=$1 POD_NAME=$1
check() { check() {
sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed') sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed')
if [ "$sealed_status" == "true" ]; then if [ "$sealed_status" == "true" ]; then
return 0 return 0
fi fi


@ -22,7 +22,7 @@ load _helpers
--set enableSecretRotation=true \ --set enableSecretRotation=true \
--set rotationPollInterval=5s --set rotationPollInterval=5s
# Install Vault and Vault provider # Install Vault and Vault provider
helm install vault \ helm install openbao \
--wait --timeout=5m \ --wait --timeout=5m \
--namespace=acceptance \ --namespace=acceptance \
--set="server.dev.enabled=true" \ --set="server.dev.enabled=true" \
@ -31,20 +31,20 @@ load _helpers
--set="csi.agent.logLevel=debug" \ --set="csi.agent.logLevel=debug" \
--set="injector.enabled=false" \ --set="injector.enabled=false" \
. .
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
# Set up k8s auth and a kv secret. # Set up k8s auth and a kv secret.
cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy - cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy -
kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
bound_service_account_names=nginx \ bound_service_account_names=nginx \
bound_service_account_namespaces=acceptance \ bound_service_account_namespaces=acceptance \
policies=kv-policy \ policies=kv-policy \
ttl=20m ttl=20m
kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1 kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
@ -75,7 +75,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm --namespace=acceptance delete vault helm --namespace=acceptance delete openbao
helm --namespace=acceptance delete secrets-store-csi-driver helm --namespace=acceptance delete secrets-store-csi-driver
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance kubectl delete namespace acceptance
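Review bot: The policy-write line in the setup hunk invokes `openbao policy write kv-policy -` while every other exec in the same hunk uses `bao`; the OpenBao CLI binary is `bao`, so this exec most likely fails with a command-not-found and kv-policy is never created, which would only surface later as a permission error from the CSI provider. The line should read `cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -`. The two `kubectl wait` selectors now expect `app.kubernetes.io/name=openbao` and `openbao-csi-provider`; those label values come from the chart names rather than the release name, so confirm the charts installed from `.` and the CSI provider chart actually emit them.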


@ -20,7 +20,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
fi fi


@ -45,7 +45,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance kubectl delete namespace acceptance
fi fi


@ -5,40 +5,40 @@
OUTPUT=/tmp/output.txt OUTPUT=/tmp/output.txt
vault operator init -n 1 -t 1 >> ${OUTPUT?} bao operator init -n 1 -t 1 >> ${OUTPUT?}
unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g") unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g")
root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g") root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g")
vault operator unseal ${unseal?} bao operator unseal ${unseal?}
vault login -no-print ${root?} bao login -no-print ${root?}
vault policy write db-backup /vault/userconfig/test/pgdump-policy.hcl bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl
vault auth enable kubernetes bao auth enable kubernetes
vault write auth/kubernetes/config \ bao write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \ kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/db-backup \ bao write auth/kubernetes/role/db-backup \
bound_service_account_names=pgdump \ bound_service_account_names=pgdump \
bound_service_account_namespaces=acceptance \ bound_service_account_namespaces=acceptance \
policies=db-backup \ policies=db-backup \
ttl=1h ttl=1h
vault secrets enable database bao secrets enable database
vault write database/config/postgresql \ bao write database/config/postgresql \
plugin_name=postgresql-database-plugin \ plugin_name=postgresql-database-plugin \
allowed_roles="db-backup" \ allowed_roles="db-backup" \
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \ connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \
username="vault" \ username="openbao" \
password="vault" password="openbao"
vault write database/roles/db-backup \ bao write database/roles/db-backup \
db_name=postgresql \ db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \ GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \
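Review bot: The `bao operator init -n 1 -t 1 >> ${OUTPUT?}` line persists the unseal key and initial root token in plain text in /tmp/output.txt for the life of the pod, and because of `>>` a re-run appends to stale content that the later `grep "Unseal Key 1:"` / `grep "Initial Root Token:"` lines can match. The rest of this test suite already parses init output with `-format=json` and `jq -r '.unseal_keys_b64[0]'` / `jq -r '.root_token'`; doing the same here, e.g. `init=$(bao operator init -format=json -n 1 -t 1)`, removes the temp file and the `cat | grep | sed` chains. The `username="openbao"` / `password="openbao"` values under database/config/postgresql were renamed along with the CLI; unless the postgres fixture was changed to match in the same series, the config write will fail to connect. The `bao write database/roles/db-backup` statement continues past the end of the hunk.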


@ -26,15 +26,15 @@ load _helpers
wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")
kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /vault/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
sleep 5 sleep 5
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
@ -48,7 +48,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete secret test kubectl delete secret test
kubectl delete job pgdump kubectl delete job pgdump


@ -43,11 +43,11 @@ load _helpers
[ "${ports}" == "8201" ] [ "${ports}" == "8201" ]
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
} }
@ -57,7 +57,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
fi fi


@ -17,13 +17,13 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-east-0 wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
# Vault Init # Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
vault operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${primary_token}" != "" ] [ "${primary_token}" != "" ]
@ -31,7 +31,7 @@ load _helpers
local primary_root=$(echo ${init} | jq -r '.root_token') local primary_root=$(echo ${init} | jq -r '.root_token')
[ "${primary_root}" != "" ] [ "${primary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token}
wait_for_ready "$(name_prefix)-east-0" wait_for_ready "$(name_prefix)-east-0"
sleep 10 sleep 10
@ -42,30 +42,30 @@ load _helpers
do do
if [[ ${pod?} != "$(name_prefix)-east-0" ]] if [[ ${pod?} != "$(name_prefix)-east-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root} kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root}
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length') jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ] [ "${raft_status}" == "3" ]
kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json) local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/dr/primary/secondary-token id=secondary -format=json)
[ "${secondary}" != "" ] [ "${secondary}" != "" ]
local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
@ -84,13 +84,13 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-west-0 wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
# Vault Init # Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
vault operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${secondary_token}" != "" ] [ "${secondary_token}" != "" ]
@ -98,7 +98,7 @@ load _helpers
local secondary_root=$(echo ${init} | jq -r '.root_token') local secondary_root=$(echo ${init} | jq -r '.root_token')
[ "${secondary_root}" != "" ] [ "${secondary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token}
wait_for_ready "$(name_prefix)-west-0" wait_for_ready "$(name_prefix)-west-0"
sleep 10 sleep 10
@ -109,28 +109,28 @@ load _helpers
do do
if [[ ${pod?} != "$(name_prefix)-west-0" ]] if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root}
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length') jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ] [ "${raft_status}" == "3" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token} kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/dr/secondary/enable token=${secondary_replica_token}
sleep 10 sleep 10
@ -141,7 +141,7 @@ load _helpers
then then
kubectl delete pod "${pod?}" kubectl delete pod "${pod?}"
wait_for_running "${pod?}" wait_for_running "${pod?}"
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
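Review bot: The `bao write -f sys/replication/dr/primary/enable` and `sys/replication/dr/primary/secondary-token` calls in this section, and the `sys/replication/performance/...` calls in the next section, target endpoints that are Enterprise-only in upstream Vault; as far as I know OpenBao does not ship them, so confirm they exist before expecting these two tests to pass after the rename. Independently, `kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root}` and the matching `-west-0` line pass the root token on the command line, where it is visible in the pod's process list and in the test output; piping it via `bao login -` keeps it off argv. The `${init}` and `${secondary}` expansions fed to `echo ... | jq` are unquoted, which works only because the JSON has no glob characters; `jq -r ... <<<"${init}"` is the safer form.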


@ -17,13 +17,13 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-east-0 wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
# Vault Init # Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
vault operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${primary_token}" != "" ] [ "${primary_token}" != "" ]
@ -31,7 +31,7 @@ load _helpers
local primary_root=$(echo ${init} | jq -r '.root_token') local primary_root=$(echo ${init} | jq -r '.root_token')
[ "${primary_root}" != "" ] [ "${primary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token}
wait_for_ready "$(name_prefix)-east-0" wait_for_ready "$(name_prefix)-east-0"
sleep 30 sleep 30
@ -42,30 +42,30 @@ load _helpers
do do
if [[ ${pod?} != "$(name_prefix)-east-0" ]] if [[ ${pod?} != "$(name_prefix)-east-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root} kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root}
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length') jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ] [ "${raft_status}" == "3" ]
kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json) local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/performance/primary/secondary-token id=secondary -format=json)
[ "${secondary}" != "" ] [ "${secondary}" != "" ]
local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
@ -84,13 +84,13 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-west-0 wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
# Vault Init # Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
vault operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${secondary_token}" != "" ] [ "${secondary_token}" != "" ]
@ -98,7 +98,7 @@ load _helpers
local secondary_root=$(echo ${init} | jq -r '.root_token') local secondary_root=$(echo ${init} | jq -r '.root_token')
[ "${secondary_root}" != "" ] [ "${secondary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token}
wait_for_ready "$(name_prefix)-west-0" wait_for_ready "$(name_prefix)-west-0"
sleep 30 sleep 30
@ -109,28 +109,28 @@ load _helpers
do do
if [[ ${pod?} != "$(name_prefix)-west-0" ]] if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root}
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length') jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ] [ "${raft_status}" == "3" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token} kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/performance/secondary/enable token=${secondary_replica_token}
sleep 30 sleep 30
@ -139,7 +139,7 @@ load _helpers
do do
if [[ ${pod?} != "$(name_prefix)-west-0" ]] if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done


@ -13,7 +13,7 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0 wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
@ -59,7 +59,7 @@ load _helpers
# Vault Init # Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
@ -67,35 +67,35 @@ load _helpers
local root=$(echo ${init} | jq -r '.root_token') local root=$(echo ${init} | jq -r '.root_token')
[ "${root}" != "" ] [ "${root}" != "" ]
kubectl exec -ti vault-0 -- vault operator unseal ${token} kubectl exec -ti openbao-0 -- bao operator unseal ${token}
wait_for_ready "$(name_prefix)-0" wait_for_ready "$(name_prefix)-0"
sleep 5 sleep 5
# Vault Unseal # Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
if [[ ${pod?} != "$(name_prefix)-0" ]] if [[ ${pod?} != "$(name_prefix)-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200 kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${token} kubectl exec -ti ${pod} -- bao operator unseal ${token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-0" -- vault login ${root} kubectl exec "$(name_prefix)-0" -- bao login ${root}
local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json | local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length') jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ] [ "${raft_status}" == "3" ]
} }
@ -112,9 +112,9 @@ teardown() {
then then
# If the test failed, print some debug output # If the test failed, print some debug output
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
kubectl logs -l app.kubernetes.io/name=vault kubectl logs -l app.kubernetes.io/name=openbao
fi fi
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
fi fi
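Review bot: The unseal line `kubectl exec -ti openbao-0 -- bao operator unseal ${token}` hard-codes the pod name while every other exec in the hunk derives it from `$(name_prefix)-0`; if the release name ever differs from the chart name this targets a pod that does not exist and the raft join loop below never gets an unsealed leader. It should read `kubectl exec -ti "$(name_prefix)-0" -- bao operator unseal ${token}`. The comment above the final status checks still says `# Sealed, not initialized` although the assertions expect `sealed == false` and `initialized == true`; `# Unsealed, initialized`, as the sibling tests put it, matches the code.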


@ -12,7 +12,7 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0 wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
@ -58,7 +58,7 @@ load _helpers
# Vault Init # Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \ bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]') jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
@ -66,17 +66,17 @@ load _helpers
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
kubectl exec -ti ${pod} -- vault operator unseal ${token} kubectl exec -ti ${pod} -- bao operator unseal ${token}
done done
wait_for_ready "$(name_prefix)-0" wait_for_ready "$(name_prefix)-0"
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
} }
@ -113,7 +113,7 @@ teardown() {
kubectl logs -l app=consul kubectl logs -l app=consul
kubectl logs -l app.kubernetes.io/name=vault kubectl logs -l app.kubernetes.io/name=vault
fi fi
helm delete vault helm delete openbao
helm delete consul helm delete consul
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
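Review bot: The pod selector `kubectl get pods --selector='app.kubernetes.io/name=vault'` in the unseal hunk was not updated, whereas the same line in the other test files now uses `app.kubernetes.io/name=openbao`; if the installed chart emits the openbao label, `pods` is empty, the unseal loop runs zero times and the `sealed_status == "false"` assertion fails with no indication why. The `kubectl logs -l app.kubernetes.io/name=vault` line in the teardown hunk has the same stale label and would print nothing on failure. Both should use `app.kubernetes.io/name=openbao` if that is what the chart sets, or the selector should be derived from `$(name_prefix)` so the tests stop depending on the literal name.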


@ -29,29 +29,29 @@ load _helpers
# Vault Init # Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \ bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]') jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
# Vault Unseal # Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
kubectl exec -ti ${pod} -- vault operator unseal ${token} kubectl exec -ti ${pod} -- bao operator unseal ${token}
done done
wait_for_ready "$(name_prefix)-0" wait_for_ready "$(name_prefix)-0"
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
# unfortunately it can take up to 2 minutes for the vault prometheus job to appear # unfortunately it can take up to 2 minutes for the openbao prometheus job to appear
# TODO: investigate how reduce this. # TODO: investigate how reduce this.
local job_labels local job_labels
local tries=0 local tries=0


@ -15,7 +15,7 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0 wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
@ -40,7 +40,7 @@ load _helpers
local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json | local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath') jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath')
[ "${mountPath}" == "/vault/data" ] [ "${mountPath}" == "/openbao/data" ]
# Volumes # Volumes
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
@ -72,27 +72,27 @@ load _helpers
jq -r '.spec.ports[1].port') jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ] [ "${ports}" == "8201" ]
# Vault Init # OpenBao Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \ bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]') jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
# Vault Unseal # Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
kubectl exec -ti ${pod} -- vault operator unseal ${token} kubectl exec -ti ${pod} -- bao operator unseal ${token}
done done
wait_for_ready "$(name_prefix)-0" wait_for_ready "$(name_prefix)-0"
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
} }
@ -102,7 +102,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
fi fi
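Review bot: The selector `app.kubernetes.io/name=openbao` and the mount path `/openbao/data` are now hard-coded while the pod name still comes from `$(name_prefix)`, so the test has two independent ways of naming the deployment that can drift apart; if `name_prefix` in `_helpers` still resolves to the old name, or the chart templates have not yet been renamed (the title says part 1), these assertions would fail for reasons unrelated to the behaviour under test. Deriving the selector from the same helper, `--selector="app.kubernetes.io/name=$(name_prefix)"`, keeps them in step, assuming the label value equals that prefix. The `# Vault Unseal` comment in the `@ -72,27 +72,27 @@` hunk was left as is while `# Vault Init` became `# OpenBao Init` a few lines above; `# OpenBao Unseal` would keep the comments consistent. `wait_for_sealed_vault $(name_prefix)-0` in the first hunk should quote its argument, `wait_for_sealed_vault "$(name_prefix)-0"`, matching the quoting used for `kubectl exec` on the next line. The test function enclosing these hunks starts before the first hunk.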


@ -1240,7 +1240,7 @@ load _helpers
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].readinessProbe.exec.command[2]' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].readinessProbe.exec.command[2]' | tee /dev/stderr)
[ "${actual}" = "vault status -tls-skip-verify" ] [ "${actual}" = "bao status -tls-skip-verify" ]
} }
@test "server/standalone-StatefulSet: readinessProbe configurable" { @test "server/standalone-StatefulSet: readinessProbe configurable" {