VAULT-571 Matching documented behavior and consul (#703)

VAULT-571 Matching documented behavior and consul

Consul's Helm chart defaults most `enabled` values to the special value
`"-"`, which means "inherit from `global.enabled`". The Vault Helm chart
documentation implies that the same behavior is intended here:

> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.

(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)

We also simplified the chart logic using a few template helpers.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Christopher Swenson 2022-03-21 09:50:23 -07:00 committed by GitHub
parent 56a253ba97
commit 710915952e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
47 changed files with 229 additions and 64 deletions


@ -1,6 +1,8 @@
## Unreleased ## Unreleased
CHANGES: CHANGES:
* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Vault default image to 1.9.3 * Vault default image to 1.9.3
* CSI provider default image to 1.0.0 * CSI provider default image to 1.0.0


@ -31,6 +31,50 @@ Expand the name of the chart.
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/*
Compute if the csi driver is enabled.
*/}}
{{- define "vault.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the injector is enabled.
*/}}
{{- define "vault.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server is enabled.
*/}}
{{- define "vault.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server service is enabled.
*/}}
{{- define "vault.serverServiceEnabled" -}}
{{- template "vault.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}}
{{/*
Compute if the ui is enabled.
*/}}
{{- define "vault.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/* {{/*
Compute the maximum number of unavailable replicas for the PodDisruptionBudget. Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster. This defaults to (n/2)-1 where n is the number of members of the server cluster.
@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify
template logic. template logic.
*/}} */}}
{{- define "vault.mode" -}} {{- define "vault.mode" -}}
{{- template "vault.serverEnabled" . -}}
{{- if .Values.injector.externalVaultAddr -}} {{- if .Values.injector.externalVaultAddr -}}
{{- $_ := set . "mode" "external" -}} {{- $_ := set . "mode" "external" -}}
{{- else if ne (.Values.server.enabled | toString) "true" -}} {{- else if not .serverEnabled -}}
{{- $_ := set . "mode" "external" -}} {{- $_ := set . "mode" "external" -}}
{{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
{{- $_ := set . "mode" "dev" -}} {{- $_ := set . "mode" "dev" -}}
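Review bot: The comment on each new helper (`Compute if the csi driver is enabled.` and its four siblings) omits the tri-state contract the helper implements, which is the substance of this commit: `"true"` enables, `"-"` inherits `.Values.global.enabled`, and anything else disables. Because the test is a string compare against `"true"`, a value such as `True` or `yes` (now admitted by the widened `values.schema.json`) is silently treated as disabled — fail-closed, which is the right direction, but it should be stated where the next maintainer will look. I would add to each helper a line like `Value "true" enables, "-" follows global.enabled, any other value (including "false" or a misspelling) disables.` The helpers also write their result onto the passed-in context with `set .`, as `vault.mode` already does for `.mode`, so presumably they must be invoked with the root scope for the later `.csiEnabled`/`.serverEnabled` lookups to resolve.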


@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:


@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:


@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:


@ -1,4 +1,5 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:


@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@ -9,3 +11,4 @@ metadata:
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }} {{- end }}
{{- end }}


@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
@ -10,7 +11,7 @@ metadata:
rules: rules:
- apiGroups: ["admissionregistration.k8s.io"] - apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"] resources: ["mutatingwebhookconfigurations"]
verbs: verbs:
- "get" - "get"
- "list" - "list"
- "watch" - "watch"


@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:


@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
# Deployment for the injector # Deployment for the injector
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment


@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1 apiVersion: admissionregistration.k8s.io/v1
{{- else }} {{- else }}


@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:
@ -19,3 +21,4 @@ spec:
- port: 8080 - port: 8080
protocol: TCP protocol: TCP
{{ end }} {{ end }}
{{ end }}


@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -15,3 +17,4 @@ rules:
resourceNames: resourceNames:
- {{ template "vault.fullname" . }}-agent-injector - {{ template "vault.fullname" . }}-agent-injector
{{- end }} {{- end }}
{{- end }}


@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
@ -16,3 +18,4 @@ subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector name: {{ template "vault.fullname" . }}-agent-injector
{{- end }} {{- end }}
{{- end }}


@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
@ -41,3 +43,4 @@ spec:
max: 65535 max: 65535
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end }} {{- end }}
{{- end }}


@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -24,3 +26,4 @@ rules:
- "patch" - "patch"
- "delete" - "delete"
{{- end }} {{- end }}
{{- end }}


@ -1,4 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
@ -17,3 +19,4 @@ subjects:
name: {{ template "vault.fullname" . }}-agent-injector name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
{{- end }} {{- end }}
{{- end }}


@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,5 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:


@ -1,5 +1,7 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
{{- else }} {{- else }}
@ -22,3 +24,4 @@ subjects:
name: {{ template "vault.serviceAccount.name" . }} name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
{{ end }} {{ end }}
{{ end }}


@ -1,6 +1,8 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}} {{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -36,3 +38,4 @@ data:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}


@ -1,6 +1,8 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -17,3 +19,4 @@ rules:
verbs: ["get", "watch", "list", "update", "patch"] verbs: ["get", "watch", "list", "update", "patch"]
{{ end }} {{ end }}
{{ end }} {{ end }}
{{ end }}


@ -1,6 +1,8 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
{{- else }} {{- else }}
@ -25,3 +27,4 @@ subjects:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
{{ end }} {{ end }}
{{ end }} {{ end }}
{{ end }}


@ -1,6 +1,8 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" -}} {{- if ne .mode "external" -}}
{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} {{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
# PodDisruptionBudget to prevent degrading the server cluster through # PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes. # voluntary cluster changes.
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
@ -22,3 +24,4 @@ spec:
component: server component: server
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}}


@ -1,6 +1,8 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
# Service for active Vault pod # Service for active Vault pod
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -40,3 +42,4 @@ spec:
vault-active: "true" vault-active: "true"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}


@ -1,6 +1,8 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
# Service for standby Vault pod # Service for standby Vault pod
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -40,3 +42,4 @@ spec:
vault-active: "false" vault-active: "false"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}


@ -1,6 +1,7 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster # Service for Vault cluster
apiVersion: v1 apiVersion: v1
kind: Service kind: Service


@ -4,7 +4,9 @@
{{- if .Values.server.ingress.enabled -}} {{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "vault.fullname" . -}} {{- $serviceName := include "vault.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }} {{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }} {{- end }}
{{- $servicePort := .Values.server.service.port -}} {{- $servicePort := .Values.server.service.port -}}
@ -72,3 +74,4 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}
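Review bot: Wrapping the entire Ingress in `{{- if .serverServiceEnabled -}}` (with the matching `{{- end }}` appended as the last line of the file) changes more than the line it replaces: before, `server.service.enabled` only decided whether the `-active` Service name was used, and `server.ingress.enabled=true` alone rendered the Ingress; now the Ingress is suppressed whenever the server Service is disabled, regardless of `server.ingress.enabled`. That is arguably the right outcome — an Ingress pointing at a Service the chart never creates is dead — but it is a behavioural change that neither the CHANGELOG entry nor a bats test covers. Either add a changelog line and a test for `server.ingress.enabled=true` with `server.service.enabled=false`, or keep the guard scoped to the service-name choice as before: `{{- if and .serverServiceEnabled (eq .mode "ha") (eq (.Values.server.ingress.activeService | toString) "true") }}`. The opening of this template, including the `vault.mode` call that sets `.mode`, is outside the hunk.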


@ -1,5 +1,7 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} {{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -16,3 +18,4 @@ rules:
resourceNames: resourceNames:
- {{ template "vault.fullname" . }} - {{ template "vault.fullname" . }}
{{- end }} {{- end }}
{{- end }}


@ -1,5 +1,7 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} {{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
@ -17,3 +19,4 @@ subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.fullname" . }} name: {{ template "vault.fullname" . }}
{{- end }} {{- end }}
{{- end }}


@ -1,5 +1,7 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} {{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
@ -45,3 +47,4 @@ spec:
max: 65535 max: 65535
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end }} {{- end }}
{{- end }}


@ -1,6 +1,7 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster # Service for Vault cluster
apiVersion: v1 apiVersion: v1
kind: Service kind: Service


@ -1,5 +1,6 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} {{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount


@ -1,6 +1,8 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} {{- if ne .mode "" }}
{{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
# StatefulSet to run the actual vault server cluster. # StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
@ -206,3 +208,4 @@ spec:
{{ template "vault.volumeclaims" . }} {{ template "vault.volumeclaims" . }}
{{ end }} {{ end }}
{{ end }} {{ end }}
{{ end }}
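Review bot: The added `{{- template "vault.serverEnabled" . -}}` / `{{- if .serverEnabled -}}` pair inside `{{- if ne .mode "" }}` is redundant here: `vault.mode` (rewritten in the `_helpers.tpl` hunk of this commit) already sets `.mode` to `external` whenever `.serverEnabled` is false, and the enclosing `{{- if ne .mode "external" }}` on the line above rejects exactly that case. The same pair is added to every other `server-*` template in this commit, each time under the same `ne .mode "external"` guard, so it costs a fourth nesting level and an extra trailing `{{ end }}` per file without changing what is rendered. If the duplication is deliberate as defence in depth against a future `vault.mode` change, a one-line comment such as `{{/* serverEnabled re-checked explicitly; vault.mode also maps a disabled server to "external" */}}` would stop the next reader from removing it. The StatefulSet body runs past the end of this hunk.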


@ -1,6 +1,7 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.serverEnabled" . -}}
{{- if .serverEnabled -}}
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:


@ -1,7 +1,8 @@
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} {{- template "vault.uiEnabled" . -}}
{{- if eq (.Values.ui.enabled | toString) "true" }} {{- if .uiEnabled -}}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
@ -34,4 +35,3 @@ spec:
{{- include "service.loadBalancer" .Values.ui }} {{- include "service.loadBalancer" .Values.ui }}
{{- end -}} {{- end -}}
{{- end }} {{- end }}
{{- end }}
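Review bot: The rewrite drops the `(ne .mode "")` guard that the old condition carried: the new gate is only the enclosing `ne .mode "external"` plus `.uiEnabled`, so if `vault.mode` resolves to the empty string (its fall-through case, which lives outside this hunk and which I read as "neither standalone nor ha selected") the UI Service is now rendered where it previously was not, while the other server-side templates in this commit (`server-psp.yaml`, `server-statefulset.yaml`, `server-auth-delegator.yaml`) all keep their `ne .mode ""` check. If that is unintended, restore it as `{{- if and .uiEnabled (ne .mode "") -}}`. Either way a bats case with `ui.enabled=true`, `server.standalone.enabled=false` and `server.ha.enabled=false` would pin the intended behaviour; the new `ui/Service` test in this commit only covers the `global.enabled=false` path.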


@ -27,7 +27,7 @@ load _helpers
--set "global.enabled=false" \ --set "global.enabled=false" \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "true" ]
} }
# priorityClassName # priorityClassName


@ -26,12 +26,22 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/injector-deployment.yaml \ --show-only templates/injector-deployment.yaml \
--set 'global.enabled=false' \ --set 'global.enabled=false' \
--set 'injector.enabled=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
} }
@test "injector/deployment: enable with injector.enabled true and global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/deployment: image defaults to injector.image" { @test "injector/deployment: image defaults to injector.image" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \


@ -22,7 +22,7 @@ load _helpers
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@test "injector/PodSecurityPolicy-Role: disable with global.enabled" { @test "injector/PodSecurityPolicy-Role: ignore global.enabled" {
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/injector-psp-role.yaml \ --show-only templates/injector-psp-role.yaml \
@ -31,5 +31,5 @@ load _helpers
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "true" ]
} }


@ -22,7 +22,7 @@ load _helpers
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" { @test "injector/PodSecurityPolicy-RoleBinding: ignore global.enabled" {
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/injector-psp-rolebinding.yaml \ --show-only templates/injector-psp-rolebinding.yaml \
@ -31,5 +31,5 @@ load _helpers
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "true" ]
} }


@ -22,7 +22,7 @@ load _helpers
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@test "injector/PodSecurityPolicy: disable with global.enabled" { @test "injector/PodSecurityPolicy: ignore global.enabled" {
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/injector-psp.yaml \ --show-only templates/injector-psp.yaml \
@ -31,7 +31,7 @@ load _helpers
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "true" ]
} }
@test "injector/PodSecurityPolicy: annotations are templated correctly by default" { @test "injector/PodSecurityPolicy: annotations are templated correctly by default" {


@ -52,7 +52,7 @@ load _helpers
--set 'injector.enabled=true' \ --set 'injector.enabled=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "true" ]
} }
@test "injector/Service: generic annotations" { @test "injector/Service: generic annotations" {


@ -7,9 +7,9 @@ load _helpers
# schema, setting it as a string fails 'helm template'. # schema, setting it as a string fails 'helm template'.
@test "schema: csi enabled datatype" { @test "schema: csi enabled datatype" {
cd `chart_dir` cd `chart_dir`
run helm template . --set csi.enabled="nope" run helm template . --set csi.enabled="123"
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
[ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ] [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
run helm template . --set csi.enabled=true run helm template . --set csi.enabled=true
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
@ -17,9 +17,9 @@ load _helpers
@test "schema: injector enabled datatype" { @test "schema: injector enabled datatype" {
cd `chart_dir` cd `chart_dir`
run helm template . --set injector.enabled="nope" run helm template . --set injector.enabled="123"
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
[ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ] [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
run helm template . --set injector.enabled=true run helm template . --set injector.enabled=true
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
@ -27,9 +27,9 @@ load _helpers
@test "schema: server enabled datatype" { @test "schema: server enabled datatype" {
cd `chart_dir` cd `chart_dir`
run helm template . --set server.enabled="nope" run helm template . --set server.enabled="123"
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
[ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ] [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
run helm template . --set server.enabled=true run helm template . --set server.enabled=true
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
@ -37,9 +37,9 @@ load _helpers
@test "schema: ui enabled datatype" { @test "schema: ui enabled datatype" {
cd `chart_dir` cd `chart_dir`
run helm template . --set ui.enabled="nope" run helm template . --set ui.enabled="123"
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
[ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ] [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
run helm template . --set ui.enabled=true run helm template . --set ui.enabled=true
[ "$status" -eq 0 ] [ "$status" -eq 0 ]


@ -66,12 +66,23 @@ load _helpers
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@test "server/standalone-server-test-Pod: not disabled with global.enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/tests/server-test.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
--set 'server.standalone.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/standalone-server-test-Pod: disable with global.enabled" { @test "server/standalone-server-test-Pod: disable with global.enabled" {
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/tests/server-test.yaml \ --show-only templates/tests/server-test.yaml \
--set 'global.enabled=false' \ --set 'global.enabled=false' \
--set 'server.standalone.enabled=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]


@ -53,6 +53,18 @@ load _helpers
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
} }
@test "ui/Service: 'disable with global, enable with ui.enabled'" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/ui-service.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
--set 'ui.enabled=true' \
. | tee /dev/stderr |
yq -r 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "ui/Service: disable with injector.externalVaultAddr" { @test "ui/Service: disable with injector.externalVaultAddr" {
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \


@ -43,7 +43,10 @@
"type": "boolean" "type": "boolean"
}, },
"enabled": { "enabled": {
"type": "boolean" "type": [
"boolean",
"string"
]
}, },
"extraArgs": { "extraArgs": {
"type": "array" "type": "array"
@ -266,7 +269,10 @@
} }
}, },
"enabled": { "enabled": {
"type": "boolean" "type": [
"boolean",
"string"
]
}, },
"externalVaultAddr": { "externalVaultAddr": {
"type": "string" "type": "string"
@ -507,7 +513,10 @@
} }
}, },
"enabled": { "enabled": {
"type": "boolean" "type": [
"boolean",
"string"
]
}, },
"enterpriseLicense": { "enterpriseLicense": {
"type": "object", "type": "object",
@ -874,7 +883,10 @@
] ]
}, },
"enabled": { "enabled": {
"type": "boolean" "type": [
"boolean",
"string"
]
}, },
"externalPort": { "externalPort": {
"type": "integer" "type": "integer"


@ -26,7 +26,8 @@ global:
injector: injector:
# True if you want to enable vault agent injection. # True if you want to enable vault agent injection.
enabled: true # @default: global.enabled
enabled: "-"
replicas: 1 replicas: 1
@ -266,8 +267,9 @@ injector:
# type: RollingUpdate # type: RollingUpdate
server: server:
# If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details # If true, or "-" with global.enabled true, Vault server will be installed.
enabled: true # See vault.mode in _helpers.tpl for implementation details.
enabled: "-"
# [Enterprise Only] This value refers to a Kubernetes secret that you have # [Enterprise Only] This value refers to a Kubernetes secret that you have
# created that contains your enterprise license. If you are not using an # created that contains your enterprise license. If you are not using an
@ -878,7 +880,7 @@ csi:
# This should be a YAML map of the labels to apply to the csi provider pod # This should be a YAML map of the labels to apply to the csi provider pod
extraLabels: {} extraLabels: {}
# Priority class for csi pods # Priority class for csi pods
priorityClassName: "" priorityClassName: ""
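Review bot: The new `injector.enabled` comment `# @default: global.enabled` does not explain what the literal `"-"` below it means, whereas the `server.enabled` comment in the same diff spells out both accepted forms; a reader who overrides `injector.enabled` in their own values file gets no hint that `"-"` is the inherit sentinel or that any other string disables the injector. Mirror the server wording: `# True if you want to enable vault agent injection. "-" (the default) follows global.enabled; any other value disables it.` The `csi:` hunk at the end of this section shows only context lines, so whatever it changes to `csi.enabled` cannot be reviewed from this page.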