replace vault command with bao and helm install/delete vault with openbao - part 1

Signed-off-by: jessebot <jessebot@linux.com>
jessebot 2024-05-22 20:33:41 +02:00 committed by Nathan A Phelps
parent 7b8c26e1ce
commit 4f8924d1d7
14 changed files with 114 additions and 114 deletions


@ -52,7 +52,7 @@ wait_for_sealed_vault() {
POD_NAME=$1 POD_NAME=$1
check() { check() {
sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed') sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed')
if [ "$sealed_status" == "true" ]; then if [ "$sealed_status" == "true" ]; then
return 0 return 0
fi fi
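Review bot: The pod name reaches `kubectl exec` unquoted on the `sealed_status=` line, and the `POD_NAME=$1` assignment two lines above it is not what `check()` reads — the inner function re-reads its own `$1`. Quote it, `sealed_status=$(kubectl exec "$1" -- bao status -format=json | jq -r '.sealed')`, or have `check` use `"${POD_NAME}"` so the two stay in step. As with `vault status`, `bao status` exits non-zero while the server is sealed; the pipe into jq masks that, which is what a polling helper wants, but it also hides a failed exec, so a one-line comment saying the exit code is deliberately ignored would help the next reader. wait_for_sealed_vault's body continues outside the hunk.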


@ -22,7 +22,7 @@ load _helpers
--set enableSecretRotation=true \ --set enableSecretRotation=true \
--set rotationPollInterval=5s --set rotationPollInterval=5s
# Install Vault and Vault provider # Install Vault and Vault provider
helm install vault \ helm install openbao \
--wait --timeout=5m \ --wait --timeout=5m \
--namespace=acceptance \ --namespace=acceptance \
--set="server.dev.enabled=true" \ --set="server.dev.enabled=true" \
@ -31,20 +31,20 @@ load _helpers
--set="csi.agent.logLevel=debug" \ --set="csi.agent.logLevel=debug" \
--set="injector.enabled=false" \ --set="injector.enabled=false" \
. .
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
# Set up k8s auth and a kv secret. # Set up k8s auth and a kv secret.
cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy - cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy -
kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \ kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \ kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
bound_service_account_names=nginx \ bound_service_account_names=nginx \
bound_service_account_namespaces=acceptance \ bound_service_account_namespaces=acceptance \
policies=kv-policy \ policies=kv-policy \
ttl=20m ttl=20m
kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1 kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
@ -75,7 +75,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm --namespace=acceptance delete vault helm --namespace=acceptance delete openbao
helm --namespace=acceptance delete secrets-store-csi-driver helm --namespace=acceptance delete secrets-store-csi-driver
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance kubectl delete namespace acceptance
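Review bot: The `policy write` line in the setup block invokes `openbao policy write kv-policy -` inside the pod, while every other exec in the same hunk uses the `bao` binary; unless the image also ships an `openbao` entry point, this command fails, the kv-policy is never written, and the role and nginx mount that depend on it fail further downstream. Change it to `kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - < ./test/acceptance/csi-test/vault-policy.hcl`, which also drops the `cat` pipe. The `app.kubernetes.io/name=openbao-csi-provider` wait label assumes the CSI provider's labels were renamed as well; that is not visible in this commit, so it is worth confirming against the chart before the wait is trusted.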


@ -20,7 +20,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
fi fi


@ -45,7 +45,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance kubectl delete namespace acceptance
fi fi


@ -5,40 +5,40 @@
OUTPUT=/tmp/output.txt OUTPUT=/tmp/output.txt
vault operator init -n 1 -t 1 >> ${OUTPUT?} bao operator init -n 1 -t 1 >> ${OUTPUT?}
unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g") unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g")
root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g") root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g")
vault operator unseal ${unseal?} bao operator unseal ${unseal?}
vault login -no-print ${root?} bao login -no-print ${root?}
vault policy write db-backup /vault/userconfig/test/pgdump-policy.hcl bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl
vault auth enable kubernetes bao auth enable kubernetes
vault write auth/kubernetes/config \ bao write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \ kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/db-backup \ bao write auth/kubernetes/role/db-backup \
bound_service_account_names=pgdump \ bound_service_account_names=pgdump \
bound_service_account_namespaces=acceptance \ bound_service_account_namespaces=acceptance \
policies=db-backup \ policies=db-backup \
ttl=1h ttl=1h
vault secrets enable database bao secrets enable database
vault write database/config/postgresql \ bao write database/config/postgresql \
plugin_name=postgresql-database-plugin \ plugin_name=postgresql-database-plugin \
allowed_roles="db-backup" \ allowed_roles="db-backup" \
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \ connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \
username="vault" \ username="openbao" \
password="vault" password="openbao"
vault write database/roles/db-backup \ bao write database/roles/db-backup \
db_name=postgresql \ db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \ GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \
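Review bot: `bao operator init -n 1 -t 1 >> ${OUTPUT?}` appends the unseal key and the initial root token in plaintext to `/tmp/output.txt`, and nothing in the script removes the file after the grep/sed extraction, so both secrets stay on the pod's filesystem for the life of the container. A single `trap 'rm -f -- "${OUTPUT?}"' EXIT` after the `OUTPUT=` line bounds that to the bootstrap run. Separately, the `/openbao/userconfig/test/pgdump-policy.hcl` path and the `username="openbao"`/`password="openbao"` database credentials only work if the chart's userconfig mount and the postgres manifest were renamed in step; neither is in the visible hunks, so confirm they are covered elsewhere in this commit. The hunk is cut before the end of the `creation_statements` argument.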


@ -4,7 +4,7 @@ load _helpers
@test "injector: testing deployment" { @test "injector: testing deployment" {
cd `chart_dir` cd `chart_dir`
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance kubectl config set-context --current --namespace=acceptance
@ -15,7 +15,7 @@ load _helpers
kubectl create secret generic test \ kubectl create secret generic test \
--from-file ./test/acceptance/injector-test/pgdump-policy.hcl \ --from-file ./test/acceptance/injector-test/pgdump-policy.hcl \
--from-file ./test/acceptance/injector-test/bootstrap.sh --from-file ./test/acceptance/injector-test/bootstrap.sh
kubectl label secret test app=vault-agent-demo kubectl label secret test app=vault-agent-demo
@ -26,17 +26,17 @@ load _helpers
wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")
kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /vault/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
sleep 5 sleep 5
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl create -f ./test/acceptance/injector-test/job.yaml kubectl create -f ./test/acceptance/injector-test/job.yaml
@ -48,9 +48,9 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete secret test kubectl delete secret test
kubectl delete job pgdump kubectl delete job pgdump
kubectl delete deployment postgres kubectl delete deployment postgres
kubectl delete namespace acceptance kubectl delete namespace acceptance
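Review bot: The `kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh ..."` line assumes the `test` secret is now mounted under `/openbao/userconfig`, which is decided by the chart values passed to the helm install earlier in this file, not by this hunk; if that mount was not renamed the cp fails and the bootstrap never runs, so the `sealed_status`/`init_status` assertions below it fail with a misleading message. Confirm the path against the install values, or define it once and share it with bootstrap.sh, which hard-codes the same prefix. The `# Sealed, not initialized` comment above the two `bao status` checks says the opposite of what the assertions verify (`sealed == false`, `initialized == true`); `# Unsealed, initialized`, as the replication tests phrase it, is the accurate label. The enclosing `@test` body starts before the first hunk.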


@ -43,11 +43,11 @@ load _helpers
[ "${ports}" == "8201" ] [ "${ports}" == "8201" ]
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
} }
@ -57,7 +57,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
fi fi


@ -17,13 +17,13 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-east-0 wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
# Vault Init # Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
vault operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${primary_token}" != "" ] [ "${primary_token}" != "" ]
@ -31,7 +31,7 @@ load _helpers
local primary_root=$(echo ${init} | jq -r '.root_token') local primary_root=$(echo ${init} | jq -r '.root_token')
[ "${primary_root}" != "" ] [ "${primary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token}
wait_for_ready "$(name_prefix)-east-0" wait_for_ready "$(name_prefix)-east-0"
sleep 10 sleep 10
@ -42,30 +42,30 @@ load _helpers
do do
if [[ ${pod?} != "$(name_prefix)-east-0" ]] if [[ ${pod?} != "$(name_prefix)-east-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root} kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root}
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length') jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ] [ "${raft_status}" == "3" ]
kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json) local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/dr/primary/secondary-token id=secondary -format=json)
[ "${secondary}" != "" ] [ "${secondary}" != "" ]
local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
@ -84,13 +84,13 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-west-0 wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
# Vault Init # Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
vault operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${secondary_token}" != "" ] [ "${secondary_token}" != "" ]
@ -98,7 +98,7 @@ load _helpers
local secondary_root=$(echo ${init} | jq -r '.root_token') local secondary_root=$(echo ${init} | jq -r '.root_token')
[ "${secondary_root}" != "" ] [ "${secondary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token}
wait_for_ready "$(name_prefix)-west-0" wait_for_ready "$(name_prefix)-west-0"
sleep 10 sleep 10
@ -109,28 +109,28 @@ load _helpers
do do
if [[ ${pod?} != "$(name_prefix)-west-0" ]] if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root}
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length') jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ] [ "${raft_status}" == "3" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token} kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/dr/secondary/enable token=${secondary_replica_token}
sleep 10 sleep 10
@ -141,7 +141,7 @@ load _helpers
then then
kubectl delete pod "${pod?}" kubectl delete pod "${pod?}"
wait_for_running "${pod?}" wait_for_running "${pod?}"
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
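Review bot: The `bao write -f sys/replication/dr/primary/enable` and `sys/replication/dr/primary/secondary-token` calls drive disaster-recovery replication, which in Vault is an Enterprise-only API; OpenBao is forked from the open-source tree and, as far as I can tell, does not serve `sys/replication/dr/*` or the `sys/replication/performance/*` endpoints used by the next file section, so both tests would fail at the first replication write regardless of the CLI rename. Until that is settled, gate each test at the top of its `@test` body with `skip "DR/performance replication is not available in OpenBao"` rather than leave a suite that cannot pass. The root token still travels on the argv of `bao login ${primary_root}` (and `${secondary_root}` later), where `ps` and exec logging can see it; the token-on-stdin form, `bao login -`, keeps it out of both. The enclosing `@test` starts before the first hunk.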


@ -17,13 +17,13 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-east-0 wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
# Vault Init # Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
vault operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${primary_token}" != "" ] [ "${primary_token}" != "" ]
@ -31,7 +31,7 @@ load _helpers
local primary_root=$(echo ${init} | jq -r '.root_token') local primary_root=$(echo ${init} | jq -r '.root_token')
[ "${primary_root}" != "" ] [ "${primary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token} kubectl exec -ti "$(name_prefix)-east-0" -- bao operator unseal ${primary_token}
wait_for_ready "$(name_prefix)-east-0" wait_for_ready "$(name_prefix)-east-0"
sleep 30 sleep 30
@ -42,30 +42,30 @@ load _helpers
do do
if [[ ${pod?} != "$(name_prefix)-east-0" ]] if [[ ${pod?} != "$(name_prefix)-east-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200 kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-east-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root} kubectl exec "$(name_prefix)-east-0" -- bao login ${primary_root}
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length') jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ] [ "${raft_status}" == "3" ]
kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201 kubectl exec -ti $(name_prefix)-east-0 -- bao write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json) local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- bao write sys/replication/performance/primary/secondary-token id=secondary -format=json)
[ "${secondary}" != "" ] [ "${secondary}" != "" ]
local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token') local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
@ -84,13 +84,13 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-west-0 wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
# Vault Init # Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
vault operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${secondary_token}" != "" ] [ "${secondary_token}" != "" ]
@ -98,7 +98,7 @@ load _helpers
local secondary_root=$(echo ${init} | jq -r '.root_token') local secondary_root=$(echo ${init} | jq -r '.root_token')
[ "${secondary_root}" != "" ] [ "${secondary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token} kubectl exec -ti "$(name_prefix)-west-0" -- bao operator unseal ${secondary_token}
wait_for_ready "$(name_prefix)-west-0" wait_for_ready "$(name_prefix)-west-0"
sleep 30 sleep 30
@ -109,28 +109,28 @@ load _helpers
do do
if [[ ${pod?} != "$(name_prefix)-west-0" ]] if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200 kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token} kubectl exec -ti ${pod} -- bao operator unseal ${secondary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-west-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root} kubectl exec "$(name_prefix)-west-0" -- bao login ${secondary_root}
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json | local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length') jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ] [ "${raft_status}" == "3" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token} kubectl exec -ti "$(name_prefix)-west-0" -- bao write sys/replication/performance/secondary/enable token=${secondary_replica_token}
sleep 30 sleep 30
@ -139,7 +139,7 @@ load _helpers
do do
if [[ ${pod?} != "$(name_prefix)-west-0" ]] if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token} kubectl exec -ti ${pod} -- bao operator unseal ${primary_token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done


@ -13,7 +13,7 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0 wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
@ -59,43 +59,43 @@ load _helpers
# Vault Init # Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]') local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
local root=$(echo ${init} | jq -r '.root_token') local root=$(echo ${init} | jq -r '.root_token')
[ "${root}" != "" ] [ "${root}" != "" ]
kubectl exec -ti vault-0 -- vault operator unseal ${token} kubectl exec -ti openbao-0 -- bao operator unseal ${token}
wait_for_ready "$(name_prefix)-0" wait_for_ready "$(name_prefix)-0"
sleep 5 sleep 5
# Vault Unseal # Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
if [[ ${pod?} != "$(name_prefix)-0" ]] if [[ ${pod?} != "$(name_prefix)-0" ]]
then then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200 kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${token} kubectl exec -ti ${pod} -- bao operator unseal ${token}
wait_for_ready "${pod}" wait_for_ready "${pod}"
fi fi
done done
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-0" -- vault login ${root} kubectl exec "$(name_prefix)-0" -- bao login ${root}
local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json | local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length') jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ] [ "${raft_status}" == "3" ]
} }
@ -112,9 +112,9 @@ teardown() {
then then
# If the test failed, print some debug output # If the test failed, print some debug output
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
kubectl logs -l app.kubernetes.io/name=vault kubectl logs -l app.kubernetes.io/name=openbao
fi fi
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
fi fi
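Review bot: The first unseal after init still hard-codes the pod name, `kubectl exec -ti openbao-0 -- bao operator unseal ${token}`, while every other exec in the hunk derives it from `$(name_prefix)-0`; the rename preserved the inconsistency, and the line breaks again the next time the release name changes. Make it `kubectl exec -ti "$(name_prefix)-0" -- bao operator unseal "${token}"`. The `# Sealed, not initialized` comment above the `sealed_status` check sits over assertions for `false`/`true`, so `# Unsealed, initialized` is the accurate label. The enclosing `@test` starts before the first hunk.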


@ -12,7 +12,7 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0 wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
@ -58,7 +58,7 @@ load _helpers
# Vault Init # Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \ bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]') jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
@ -66,17 +66,17 @@ load _helpers
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
kubectl exec -ti ${pod} -- vault operator unseal ${token} kubectl exec -ti ${pod} -- bao operator unseal ${token}
done done
wait_for_ready "$(name_prefix)-0" wait_for_ready "$(name_prefix)-0"
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
} }
@ -113,7 +113,7 @@ teardown() {
kubectl logs -l app=consul kubectl logs -l app=consul
kubectl logs -l app.kubernetes.io/name=vault kubectl logs -l app.kubernetes.io/name=vault
fi fi
helm delete vault helm delete openbao
helm delete consul helm delete consul
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
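Review bot: The `pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' ...))` line and the `kubectl logs -l app.kubernetes.io/name=vault` line in teardown keep the old label, while the raft and prometheus tests in this same commit switch the selector to `app.kubernetes.io/name=openbao`. If the chart's labels were renamed, the array comes back empty, the unseal loop is a no-op and `wait_for_ready "$(name_prefix)-0"` times out with no hint why; if they were not, the other two tests break instead, so the three files cannot all be right. Change both lines here to `app.kubernetes.io/name=openbao` (or whichever label the chart actually emits) in step with the others. The enclosing `@test` starts before the first hunk.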


@ -29,29 +29,29 @@ load _helpers
# Vault Init # Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \ bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]') jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
# Vault Unseal # Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
kubectl exec -ti ${pod} -- vault operator unseal ${token} kubectl exec -ti ${pod} -- bao operator unseal ${token}
done done
wait_for_ready "$(name_prefix)-0" wait_for_ready "$(name_prefix)-0"
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
# unfortunately it can take up to 2 minutes for the vault prometheus job to appear # unfortunately it can take up to 2 minutes for the openbao prometheus job to appear
# TODO: investigate how reduce this. # TODO: investigate how reduce this.
local job_labels local job_labels
local tries=0 local tries=0
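Review bot: `kubectl exec -ti ${pod} -- bao operator unseal ${token}` in the unseal loop passes the unseal key as a command-line argument, so it is visible in the pod's process list for the duration of the call and can surface in test output if tracing is on; the variable is also misnamed, since it holds `unseal_keys_b64[0]` rather than a token, and the root token that `operator init` returns is silently discarded. In a throwaway acceptance cluster this is probably acceptable, but the naming and quoting should be fixed: `local unseal_key`, then `unseal_key=$(kubectl exec -ti "$(name_prefix)-0" -- bao operator init -format=json -n 1 -t 1 | jq -r '.unseal_keys_b64[0]')`, and `kubectl exec -ti "${pod}" -- bao operator unseal "${unseal_key}"`. Separating `local` from the assignment also stops the declaration from masking a non-zero exit from `bao operator init`. The `# Vault Init` and `# Vault Unseal` headings were left unchanged even though the prometheus comment in the same hunk was renamed to openbao; the enclosing @test begins before this hunk.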


@ -15,7 +15,7 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0 wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "false" ] [ "${init_status}" == "false" ]
@ -40,7 +40,7 @@ load _helpers
local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json | local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath') jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath')
[ "${mountPath}" == "/vault/data" ] [ "${mountPath}" == "/openbao/data" ]
# Volumes # Volumes
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
@ -72,27 +72,27 @@ load _helpers
jq -r '.spec.ports[1].port') jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ] [ "${ports}" == "8201" ]
# Vault Init # OpenBao Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \ bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]') jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
# Vault Unseal # Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
kubectl exec -ti ${pod} -- vault operator unseal ${token} kubectl exec -ti ${pod} -- bao operator unseal ${token}
done done
wait_for_ready "$(name_prefix)-0" wait_for_ready "$(name_prefix)-0"
# Unsealed, initialized # Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
} }
@ -102,7 +102,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete vault helm delete openbao
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
fi fi
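Review bot: In the @ -72 hunk the `# Vault Unseal` heading was left as is while `# Vault Init` a few lines above became `# OpenBao Init`, so the rename is half-done within one hunk; `# OpenBao Unseal` keeps them consistent. The same hunk runs `bao status -format=json` through `kubectl exec` twice to read two fields of one document; capturing it once with `local status; status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json)` and then `jq -r '.sealed' <<<"${status}"` / `jq -r '.initialized' <<<"${status}"` halves the exec round-trips and asserts on a single consistent snapshot. The `${pod}` and `${token}` expansions in the unseal loop are unquoted; pod names cannot contain whitespace, but quoting costs nothing and keeps ShellCheck quiet. The @ -40 hunk's new expectation `/openbao/data` depends on the chart's default data mount path, which is not visible here and is worth confirming against the templates given the commit is labelled part 1; the enclosing @test functions begin before their hunks.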


@ -1240,7 +1240,7 @@ load _helpers
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].readinessProbe.exec.command[2]' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].readinessProbe.exec.command[2]' | tee /dev/stderr)
[ "${actual}" = "vault status -tls-skip-verify" ] [ "${actual}" = "bao status -tls-skip-verify" ]
} }
@test "server/standalone-StatefulSet: readinessProbe configurable" { @test "server/standalone-StatefulSet: readinessProbe configurable" {