Merge pull request #19 from openbao/bao-2-0-2

Update OpenBao to v2.0.2
Jan Martens 2024-10-07 10:57:59 +02:00 committed by GitHub
commit 7a7a5b3711
GPG key ID: B5690EEEBB952194
9 changed files with 133 additions and 126 deletions


@ -3,8 +3,8 @@
apiVersion: v2 apiVersion: v2
name: openbao name: openbao
version: 0.5.1 version: 0.6.0
appVersion: v2.0.1 appVersion: v2.0.2
kubeVersion: ">= 1.27.0-0" kubeVersion: ">= 1.27.0-0"
description: Official OpenBao Chart description: Official OpenBao Chart
home: https://github.com/openbao/openbao-helm home: https://github.com/openbao/openbao-helm


@ -1,6 +1,6 @@
# openbao # openbao
![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: v2.0.1](https://img.shields.io/badge/AppVersion-v2.0.1-informational?style=flat-square) ![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square)
Official OpenBao Chart Official OpenBao Chart


@ -14,13 +14,13 @@ injector:
agentImage: agentImage:
registry: "quay.io" registry: "quay.io"
repository: "openbao/openbao" repository: "openbao/openbao"
tag: "v2.0.1-ubi" tag: "v2.0.2-ubi"
server: server:
image: image:
registry: "quay.io" registry: "quay.io"
repository: "openbao/openbao" repository: "openbao/openbao"
tag: "v2.0.1-ubi" tag: "v2.0.2-ubi"
readinessProbe: readinessProbe:
path: "/v1/sys/health?uninitcode=204" path: "/v1/sys/health?uninitcode=204"


@ -71,7 +71,7 @@ injector:
# -- image repo to use for k8s image # -- image repo to use for k8s image
repository: "hashicorp/vault-k8s" repository: "hashicorp/vault-k8s"
# -- image tag to use for k8s image # -- image tag to use for k8s image
tag: "1.3.1" tag: "1.4.2"
# -- image pull policy to use for k8s image. if tag is "latest", set to "Always" # -- image pull policy to use for k8s image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@ -84,7 +84,7 @@ injector:
# -- image repo to use for agent image # -- image repo to use for agent image
repository: "openbao/openbao" repository: "openbao/openbao"
# -- image tag to use for agent image # -- image tag to use for agent image
tag: "2.0.1" tag: "2.0.2"
# -- image pull policy to use for agent image. if tag is "latest", set to "Always" # -- image pull policy to use for agent image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@ -288,7 +288,8 @@ injector:
# extraEnvironmentVars is a list of extra environment variables to set in the # extraEnvironmentVars is a list of extra environment variables to set in the
# injector deployment. # injector deployment.
extraEnvironmentVars: {} extraEnvironmentVars:
{}
# KUBERNETES_SERVICE_HOST: kubernetes.default.svc # KUBERNETES_SERVICE_HOST: kubernetes.default.svc
# Affinity Settings for injector pods # Affinity Settings for injector pods
@ -379,7 +380,7 @@ server:
# -- image repo to use for server image # -- image repo to use for server image
repository: "openbao/openbao" repository: "openbao/openbao"
# -- image tag to use for server image # -- image tag to use for server image
tag: "2.0.1" tag: "2.0.2"
# -- image pull policy to use for server image. if tag is "latest", set to "Always" # -- image pull policy to use for server image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@ -410,9 +411,11 @@ server:
# In order to expose the service, use the route section below # In order to expose the service, use the route section below
ingress: ingress:
enabled: false enabled: false
labels: {} labels:
{}
# traffic: external # traffic: external
annotations: {} annotations:
{}
# | # |
# kubernetes.io/ingress.class: nginx # kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true" # kubernetes.io/tls-acme: "true"
@ -480,7 +483,8 @@ server:
# -- extraInitContainers is a list of init containers. Specified as a YAML list. # -- extraInitContainers is a list of init containers. Specified as a YAML list.
# This is useful if you need to run a script to provision TLS certificates or # This is useful if you need to run a script to provision TLS certificates or
# write out configuration files in a dynamic way. # write out configuration files in a dynamic way.
extraInitContainers: [] extraInitContainers:
[]
# # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder, # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
# # which is defined in the volumes value. # # which is defined in the volumes value.
# - name: oauthapp # - name: oauthapp
@ -508,7 +512,8 @@ server:
# -- extraPorts is a list of extra ports. Specified as a YAML list. # -- extraPorts is a list of extra ports. Specified as a YAML list.
# This is useful if you need to add additional ports to the statefulset in dynamic way. # This is useful if you need to add additional ports to the statefulset in dynamic way.
extraPorts: [] extraPorts:
[]
# - containerPort: 8300 # - containerPort: 8300
# name: http-monitoring # name: http-monitoring
@ -570,14 +575,16 @@ server:
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
# used to include variables required for auto-unseal. # used to include variables required for auto-unseal.
extraEnvironmentVars: {} extraEnvironmentVars:
{}
# GOOGLE_REGION: global # GOOGLE_REGION: global
# GOOGLE_PROJECT: myproject # GOOGLE_PROJECT: myproject
# GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json # GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json
# extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
# These variables take value from existing Secret objects. # These variables take value from existing Secret objects.
extraSecretEnvironmentVars: [] extraSecretEnvironmentVars:
[]
# - envName: AWS_SECRET_ACCESS_KEY # - envName: AWS_SECRET_ACCESS_KEY
# secretName: openbao # secretName: openbao
# secretKey: AWS_SECRET_ACCESS_KEY # secretKey: AWS_SECRET_ACCESS_KEY
@ -586,7 +593,8 @@ server:
# extraVolumes is a list of extra volumes to mount. These will be exposed # extraVolumes is a list of extra volumes to mount. These will be exposed
# to OpenBao in the path `/openbao/userconfig/<name>/`. The value below is # to OpenBao in the path `/openbao/userconfig/<name>/`. The value below is
# an array of objects, examples are shown below. # an array of objects, examples are shown below.
extraVolumes: [] extraVolumes:
[]
# - type: secret (or "configMap") # - type: secret (or "configMap")
# name: my-secret # name: my-secret
# path: null # default is `/openbao/userconfig` # path: null # default is `/openbao/userconfig`
@ -651,12 +659,12 @@ server:
# port: 443 # port: 443
ingress: ingress:
- from: - from:
- namespaceSelector: {} - namespaceSelector: {}
ports: ports:
- port: 8200 - port: 8200
protocol: TCP protocol: TCP
- port: 8201 - port: 8201
protocol: TCP protocol: TCP
# Priority class for server pods # Priority class for server pods
priorityClassName: "" priorityClassName: ""
@ -893,7 +901,6 @@ server:
# persistent volumes for OpenBao to store data according to the configuration under server.dataStorage. # persistent volumes for OpenBao to store data according to the configuration under server.dataStorage.
# The OpenBao cluster will coordinate leader elections and failovers internally. # The OpenBao cluster will coordinate leader elections and failovers internally.
raft: raft:
# Enables Raft integrated storage # Enables Raft integrated storage
enabled: false enabled: false
# Set the Node Raft ID to the name of the pod # Set the Node Raft ID to the name of the pod
@ -968,8 +975,8 @@ server:
disruptionBudget: disruptionBudget:
enabled: true enabled: true
# maxUnavailable will default to (n/2)-1 where n is the number of # maxUnavailable will default to (n/2)-1 where n is the number of
# replicas. If you'd like a custom value, you can specify an override here. # replicas. If you'd like a custom value, you can specify an override here.
maxUnavailable: null maxUnavailable: null
# Definition of the serviceAccount used to run Vault. # Definition of the serviceAccount used to run Vault.
@ -1093,7 +1100,7 @@ csi:
# -- image repo to use for csi image # -- image repo to use for csi image
repository: "hashicorp/vault-csi-provider" repository: "hashicorp/vault-csi-provider"
# -- image tag to use for csi image # -- image tag to use for csi image
tag: "1.4.1" tag: "1.4.0"
# -- image pull policy to use for csi image. if tag is "latest", set to "Always" # -- image pull policy to use for csi image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@ -1183,7 +1190,7 @@ csi:
# -- image repo to use for agent image # -- image repo to use for agent image
repository: "openbao/openbao" repository: "openbao/openbao"
# -- image tag to use for agent image # -- image tag to use for agent image
tag: "2.0.1" tag: "2.0.2"
# -- image pull policy to use for agent image. if tag is "latest", set to "Always" # -- image pull policy to use for agent image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
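Review bot: The csi image tag moves backward from "1.4.1" to "1.4.0" in the `@ -1093,7 +1100,7 @@ csi:` hunk, while every other tag in this commit moves forward (`hashicorp/vault-k8s` to "1.4.2", the agent and server images to "2.0.2"); if that is not a deliberate pin it reverts the provider to an older release and the line should read `tag: "1.4.1"` or newer. If the downgrade is intentional, for example a compatibility problem with OpenBao v2.0.2, a comment above the line such as `# -- pinned to 1.4.0: 1.4.1 is incompatible with OpenBao <version>, see <ISSUE-PLACEHOLDER>` would stop the next version bump from silently re-raising it. The remaining hunks in this file only move empty `{}` / `[]` defaults onto their own line and re-indent the network-policy list, which is behaviour-neutral.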


@ -5,9 +5,9 @@
apiVersion: secrets-store.csi.x-k8s.io/v1 apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass kind: SecretProviderClass
metadata: metadata:
name: openbao-kv name: vault-kv
spec: spec:
provider: openbao provider: vault
parameters: parameters:
roleName: "kv-role" roleName: "kv-role"
objects: | objects: |
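Review bot: The SecretProviderClass is renamed from `openbao-kv` to `vault-kv` and its `provider` from `openbao` to `vault`; the `provider` value has to match the name the CSI provider binary registers with the Secrets Store driver, which is consistent with the chart's csi image still being `hashicorp/vault-csi-provider` in the values.yaml hunk above, but the `metadata.name` is referenced by the consuming pod's `secretProviderClass` volume attribute in nginx.yaml, which is not part of this diff, so confirm that file was updated too or the csi acceptance test will fail at mount time. Because the new names read as a regression against the rest of the chart's `openbao` naming, a comment above `provider:` like `# must match the provider name registered by hashicorp/vault-csi-provider, not the chart name` would make the choice visibly intentional. The `objects: |` block on the last line continues outside the hunk.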


@ -2,73 +2,73 @@
load _helpers load _helpers
# @test "csi: testing deployment" { @test "csi: testing deployment" {
# cd `chart_dir` cd `chart_dir`
# kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
# kubectl create namespace acceptance kubectl create namespace acceptance
# # Install Secrets Store CSI driver # Install Secrets Store CSI driver
# # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly
# # so we can see Agent's cache working. # so we can see Agent's cache working.
# CSI_DRIVER_VERSION=1.3.2 CSI_DRIVER_VERSION=1.3.2
# helm install secrets-store-csi-driver secrets-store-csi-driver \ helm install secrets-store-csi-driver secrets-store-csi-driver \
# --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
# --version=$CSI_DRIVER_VERSION \ --version=$CSI_DRIVER_VERSION \
# --wait --timeout=5m \ --wait --timeout=5m \
# --namespace=acceptance \ --namespace=acceptance \
# --set linux.image.pullPolicy="IfNotPresent" \ --set linux.image.pullPolicy="IfNotPresent" \
# --set tokenRequests[0].audience="openbao" \ --set tokenRequests[0].audience="openbao" \
# --set enableSecretRotation=true \ --set enableSecretRotation=true \
# --set rotationPollInterval=5s --set rotationPollInterval=5s
# # Install OpenBao and OpenBao provider # Install OpenBao and OpenBao provider
# helm install openbao \ helm install openbao \
# --wait --timeout=5m \ --wait --timeout=5m \
# --namespace=acceptance \ --namespace=acceptance \
# --set="server.dev.enabled=true" \ --set="server.dev.enabled=true" \
# --set="csi.enabled=true" \ --set="csi.enabled=true" \
# --set="csi.debug=true" \ --set="csi.debug=true" \
# --set="csi.agent.logLevel=debug" \ --set="csi.agent.logLevel=debug" \
# --set="injector.enabled=false" \ --set="injector.enabled=false" \
# . .
# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
# # Set up k8s auth and a kv secret. # Set up k8s auth and a kv secret.
# cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
# kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
# kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
# kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
# kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
# bound_service_account_names=nginx \ bound_service_account_names=nginx \
# bound_service_account_namespaces=acceptance \ bound_service_account_namespaces=acceptance \
# policies=kv-policy \ policies=kv-policy \
# ttl=20m ttl=20m
# kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
# kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
# kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
# result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
# [[ "$result" == "hello1" ]] [[ "$result" == "hello1" ]]
# for i in $(seq 10); do for i in $(seq 10); do
# sleep 2 sleep 2
# if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
# echo "Agent returned a cached login response" echo "Agent returned a cached login response"
# return return
# fi fi
# echo "Waiting to confirm the Agent is renewing CSI's auth token..." echo "Waiting to confirm the Agent is renewing CSI's auth token..."
# done done
# # Print the logs and fail the test # Print the logs and fail the test
# echo "Failed to find a log for the Agent renewing CSI's auth token" echo "Failed to find a log for the Agent renewing CSI's auth token"
# kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
# kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
# exit 1 exit 1
# } }
# Clean up # Clean up
teardown() { teardown() {
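Review bot: The kubernetes auth role written with `bao write auth/kubernetes/role/kv-role` binds the service account name and namespace but not the token audience, even though the driver is installed earlier in the hunk with `--set tokenRequests[0].audience="openbao"`; adding `audience=openbao \` to that role write makes the login reject tokens minted for any other audience, which is the check the audience setting exists for (the parameter is accepted by the Vault API this auth method derives from; confirm it is unchanged in OpenBao v2.0.2). The `return` inside the `for` loop ends the re-enabled `@test` function successfully once the cached-login log line appears, which is fine in bats but easy to misread as a `break`; a comment such as `# success: agent renewed the CSI login, return ends the test` would help. The `@test` body is fully inside the hunk, but `teardown()` on the last line continues outside it.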


@ -32,11 +32,11 @@ spec:
spec: spec:
serviceAccountName: pgdump serviceAccountName: pgdump
containers: containers:
- name: pgdump - name: pgdump
image: postgres:11.5 image: postgres:11.5
command: command:
- "/bin/sh" - "/bin/sh"
- "-ec" - "-ec"
args: args:
- "/usr/bin/pg_dump $(cat /openbao/secrets/db-creds) --no-owner > /dev/stdout" - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
restartPolicy: Never restartPolicy: Never
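Review bot: The credentials file moves from `/openbao/secrets/db-creds` to `/vault/secrets/db-creds`, which only works if the injector sidecar's default secret mount is `/vault/secrets`; that is consistent with the chart's injector image remaining `hashicorp/vault-k8s` in the values.yaml hunk, but the job annotation that names the rendered template file is outside this hunk, so confirm it still writes `db-creds` into that directory. Independently of the path, `$(cat /vault/secrets/db-creds)` splices the whole credential string into pg_dump's argv, where it is readable from the process list of any container sharing the pod's PID namespace; for a test fixture that is tolerable, but a comment like `# test-only: credentials on the command line are visible in the pod's process list` would keep the pattern from being copied into production manifests.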


@ -2,46 +2,46 @@
load _helpers load _helpers
# @test "injector: testing deployment" { @test "injector: testing deployment" {
# cd `chart_dir` cd `chart_dir`
# kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
# kubectl create namespace acceptance kubectl create namespace acceptance
# kubectl config set-context --current --namespace=acceptance kubectl config set-context --current --namespace=acceptance
# kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml
# sleep 5 sleep 5
# wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}") wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}")
# kubectl create secret generic test \ kubectl create secret generic test \
# --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \ --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \
# --from-file ../../test/acceptance/injector-test/bootstrap.sh --from-file ../../test/acceptance/injector-test/bootstrap.sh
# kubectl label secret test app=openbao-agent-demo kubectl label secret test app=openbao-agent-demo
# helm install "$(name_prefix)" \ helm install "$(name_prefix)" \
# --set="server.extraVolumes[0].type=secret" \ --set="server.extraVolumes[0].type=secret" \
# --set="server.extraVolumes[0].name=test" . --set="server.extraVolumes[0].name=test" .
# wait_for_running $(name_prefix)-0 wait_for_running $(name_prefix)-0
# wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")
# kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
# sleep 5 sleep 5
# # Sealed, not initialized # Sealed, not initialized
# local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
# jq -r '.sealed' ) jq -r '.sealed' )
# [ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
# local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
# jq -r '.initialized') jq -r '.initialized')
# [ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
# kubectl create -f ../../test/acceptance/injector-test/job.yaml kubectl create -f ../../test/acceptance/injector-test/job.yaml
# wait_for_complete_job "pgdump" wait_for_complete_job "pgdump"
# } }
# Clean up # Clean up
teardown() { teardown() {
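Review bot: The comment `# Sealed, not initialized` contradicts the two assertions that follow it, which require `.sealed` to be `false` and `.initialized` to be `true` (the state after `bootstrap.sh` has run); now that the test is re-enabled the comment should read `# Unsealed and initialized by bootstrap.sh`. The fixed `sleep 5` before `wait_for_ready` and after the bootstrap exec are timing guesses rather than conditions, and the waits that follow already poll, so they mostly add latency and occasional flakiness. `kubectl exec -ti` requests a TTY that CI runners usually cannot provide; kubectl should only warn in that case, but `-i` alone is sufficient for this non-interactive command. `teardown()` on the last line continues outside the hunk.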


@ -107,7 +107,7 @@ load _helpers
[ "${actual}" = "PullPolicy1" ] [ "${actual}" = "PullPolicy1" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[1].image' | tee /dev/stderr) yq -r '.[1].image' | tee /dev/stderr)
[ "${actual}" = "Image2:0.0.2" ] [ "${actual}" = "quay.io/Image2:0.0.2" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[1].imagePullPolicy' | tee /dev/stderr) yq -r '.[1].imagePullPolicy' | tee /dev/stderr)
[ "${actual}" = "PullPolicy2" ] [ "${actual}" = "PullPolicy2" ]
@ -796,7 +796,7 @@ load _helpers
yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "error" ] [ "${value}" = "error" ]
} }
@ -810,7 +810,7 @@ load _helpers
yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "json" ] [ "${value}" = "json" ]
} }