Merge pull request #19 from openbao/bao-2-0-2

Update OpenBao to v2.0.2
2024-10-07 10:57:59 +02:00 · 2024-10-07 10:57:59 +02:00 · 7a7a5b3711
commit 7a7a5b3711
parent a6d9d9f388 2e7c23ce62
9 changed files with 133 additions and 126 deletions
--- a/charts/openbao/Chart.yaml
+++ b/charts/openbao/Chart.yaml
@ -3,8 +3,8 @@

 apiVersion: v2
 name: openbao
-version: 0.5.1
-appVersion: v2.0.1
+version: 0.6.0
+appVersion: v2.0.2
 kubeVersion: ">= 1.27.0-0"
 description: Official OpenBao Chart
 home: https://github.com/openbao/openbao-helm
--- a/charts/openbao/README.md
+++ b/charts/openbao/README.md
@ -1,6 +1,6 @@
 # openbao

-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: v2.0.1](https://img.shields.io/badge/AppVersion-v2.0.1-informational?style=flat-square)
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square)

 Official OpenBao Chart

--- a/charts/openbao/values.openshift.yaml
+++ b/charts/openbao/values.openshift.yaml
@ -14,13 +14,13 @@ injector:
  agentImage:
    registry: "quay.io"
    repository: "openbao/openbao"
-    tag: "v2.0.1-ubi"
+    tag: "v2.0.2-ubi"

 server:
  image:
    registry: "quay.io"
    repository: "openbao/openbao"
-    tag: "v2.0.1-ubi"
+    tag: "v2.0.2-ubi"

  readinessProbe:
    path: "/v1/sys/health?uninitcode=204"
--- a/charts/openbao/values.yaml
+++ b/charts/openbao/values.yaml
@ -71,7 +71,7 @@ injector:
    # -- image repo to use for k8s image
    repository: "hashicorp/vault-k8s"
    # -- image tag to use for k8s image
-    tag: "1.3.1"
+    tag: "1.4.2"
    # -- image pull policy to use for k8s image. if tag is "latest", set to "Always"
    pullPolicy: IfNotPresent

@ -84,7 +84,7 @@ injector:
    # -- image repo to use for agent image
    repository: "openbao/openbao"
    # -- image tag to use for agent image
-    tag: "2.0.1"
+    tag: "2.0.2"
    # -- image pull policy to use for agent image. if tag is "latest", set to "Always"
    pullPolicy: IfNotPresent

@ -288,7 +288,8 @@ injector:

  # extraEnvironmentVars is a list of extra environment variables to set in the
  # injector deployment.
-  extraEnvironmentVars: {}
+  extraEnvironmentVars:
+    {}
    # KUBERNETES_SERVICE_HOST: kubernetes.default.svc

  # Affinity Settings for injector pods
@ -379,7 +380,7 @@ server:
    # -- image repo to use for server image
    repository: "openbao/openbao"
    # -- image tag to use for server image
-    tag: "2.0.1"
+    tag: "2.0.2"
    # -- image pull policy to use for server image. if tag is "latest", set to "Always"
    pullPolicy: IfNotPresent

@ -410,9 +411,11 @@ server:
  # In order to expose the service, use the route section below
  ingress:
    enabled: false
-    labels: {}
+    labels:
+      {}
      # traffic: external
-    annotations: {}
+    annotations:
+      {}
      # |
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
@ -480,7 +483,8 @@ server:
  # -- extraInitContainers is a list of init containers. Specified as a YAML list.
  # This is useful if you need to run a script to provision TLS certificates or
  # write out configuration files in a dynamic way.
-  extraInitContainers: []
+  extraInitContainers:
+    []
    # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
    # # which is defined in the volumes value.
    # - name: oauthapp
@ -508,7 +512,8 @@ server:

  # -- extraPorts is a list of extra ports. Specified as a YAML list.
  # This is useful if you need to add additional ports to the statefulset in dynamic way.
-  extraPorts: []
+  extraPorts:
+    []
    # - containerPort: 8300
    #   name: http-monitoring

@ -570,14 +575,16 @@ server:

  # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
  # used to include variables required for auto-unseal.
-  extraEnvironmentVars: {}
+  extraEnvironmentVars:
+    {}
    # GOOGLE_REGION: global
    # GOOGLE_PROJECT: myproject
    # GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json

  # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
  # These variables take value from existing Secret objects.
-  extraSecretEnvironmentVars: []
+  extraSecretEnvironmentVars:
+    []
    # - envName: AWS_SECRET_ACCESS_KEY
    #   secretName: openbao
    #   secretKey: AWS_SECRET_ACCESS_KEY
@ -586,7 +593,8 @@ server:
  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to OpenBao in the path `/openbao/userconfig/<name>/`. The value below is
  # an array of objects, examples are shown below.
-  extraVolumes: []
+  extraVolumes:
+    []
    # - type: secret (or "configMap")
    #   name: my-secret
    #   path: null # default is `/openbao/userconfig`
@ -893,7 +901,6 @@ server:
    # persistent volumes for OpenBao to store data according to the configuration under server.dataStorage.
    # The OpenBao cluster will coordinate leader elections and failovers internally.
    raft:
-
      # Enables Raft integrated storage
      enabled: false
      # Set the Node Raft ID to the name of the pod
@ -1093,7 +1100,7 @@ csi:
    # -- image repo to use for csi image
    repository: "hashicorp/vault-csi-provider"
    # -- image tag to use for csi image
-    tag: "1.4.1"
+    tag: "1.4.0"
    # -- image pull policy to use for csi image. if tag is "latest", set to "Always"
    pullPolicy: IfNotPresent

@ -1183,7 +1190,7 @@ csi:
      # -- image repo to use for agent image
      repository: "openbao/openbao"
      # -- image tag to use for agent image
-      tag: "2.0.1"
+      tag: "2.0.2"
      # -- image pull policy to use for agent image. if tag is "latest", set to "Always"
      pullPolicy: IfNotPresent

--- a/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
+++ b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
@ -5,9 +5,9 @@
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
-  name: openbao-kv
+  name: vault-kv
 spec:
-  provider: openbao
+  provider: vault
  parameters:
    roleName: "kv-role"
    objects: |
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@ -2,73 +2,73 @@

 load _helpers

-# @test "csi: testing deployment" {
-#   cd `chart_dir`
+@test "csi: testing deployment" {
+  cd `chart_dir`

-#   kubectl delete namespace acceptance --ignore-not-found=true
-#   kubectl create namespace acceptance
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance

-#   # Install Secrets Store CSI driver
-#   # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly
-#   # so we can see Agent's cache working.
-#   CSI_DRIVER_VERSION=1.3.2
-#   helm install secrets-store-csi-driver secrets-store-csi-driver \
-#     --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
-#     --version=$CSI_DRIVER_VERSION \
-#     --wait --timeout=5m \
-#     --namespace=acceptance \
-#     --set linux.image.pullPolicy="IfNotPresent" \
-#     --set tokenRequests[0].audience="openbao" \
-#     --set enableSecretRotation=true \
-#     --set rotationPollInterval=5s
-#   # Install OpenBao and OpenBao provider
-#   helm install openbao \
-#     --wait --timeout=5m \
-#     --namespace=acceptance \
-#     --set="server.dev.enabled=true" \
-#     --set="csi.enabled=true" \
-#     --set="csi.debug=true" \
-#     --set="csi.agent.logLevel=debug" \
-#     --set="injector.enabled=false" \
-#     .
-#   kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
-#   kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
+  # Install Secrets Store CSI driver
+  # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly
+  # so we can see Agent's cache working.
+  CSI_DRIVER_VERSION=1.3.2
+  helm install secrets-store-csi-driver secrets-store-csi-driver \
+    --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
+    --version=$CSI_DRIVER_VERSION \
+    --wait --timeout=5m \
+    --namespace=acceptance \
+    --set linux.image.pullPolicy="IfNotPresent" \
+    --set tokenRequests[0].audience="openbao" \
+    --set enableSecretRotation=true \
+    --set rotationPollInterval=5s
+  # Install OpenBao and OpenBao provider
+  helm install openbao \
+    --wait --timeout=5m \
+    --namespace=acceptance \
+    --set="server.dev.enabled=true" \
+    --set="csi.enabled=true" \
+    --set="csi.debug=true" \
+    --set="csi.agent.logLevel=debug" \
+    --set="injector.enabled=false" \
+    .
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider

-#   # Set up k8s auth and a kv secret.
-#   cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
-#   kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
-#   kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
-#     kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
-#   kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
-#     bound_service_account_names=nginx \
-#     bound_service_account_namespaces=acceptance \
-#     policies=kv-policy \
-#     ttl=20m
-#   kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
+  # Set up k8s auth and a kv secret.
+  cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
+  kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
+  kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
+    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
+  kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
+    bound_service_account_names=nginx \
+    bound_service_account_namespaces=acceptance \
+    policies=kv-policy \
+    ttl=20m
+  kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1

-#   kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
-#   kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
-#   kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
+  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
+  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx

-#   result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
-#   [[ "$result" == "hello1" ]]
+  result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
+  [[ "$result" == "hello1" ]]

-#   for i in $(seq 10); do
-#     sleep 2
-#     if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
-#         echo "Agent returned a cached login response"
-#         return
-#     fi
+  for i in $(seq 10); do
+    sleep 2
+    if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
+        echo "Agent returned a cached login response"
+        return
+    fi

-#     echo "Waiting to confirm the Agent is renewing CSI's auth token..."
-#   done
+    echo "Waiting to confirm the Agent is renewing CSI's auth token..."
+  done

-#   # Print the logs and fail the test
-#   echo "Failed to find a log for the Agent renewing CSI's auth token"
-#   kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
-#   kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
-#   exit 1
-# }
+  # Print the logs and fail the test
+  echo "Failed to find a log for the Agent renewing CSI's auth token"
+  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
+  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
+  exit 1
+}

 # Clean up
 teardown() {
--- a/test/acceptance/injector-test/job.yaml
+++ b/test/acceptance/injector-test/job.yaml
@ -38,5 +38,5 @@ spec:
            - "/bin/sh"
            - "-ec"
          args:
-          - "/usr/bin/pg_dump $(cat /openbao/secrets/db-creds) --no-owner > /dev/stdout"
+            - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
      restartPolicy: Never
--- a/test/acceptance/injector.bats
+++ b/test/acceptance/injector.bats
@ -2,46 +2,46 @@

 load _helpers

-# @test "injector: testing deployment" {
-#   cd `chart_dir`
+@test "injector: testing deployment" {
+  cd `chart_dir`

-#   kubectl delete namespace acceptance --ignore-not-found=true
-#   kubectl create namespace acceptance
-#   kubectl config set-context --current --namespace=acceptance
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance

-#   kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml
-#   sleep 5
-#   wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}")
+  kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml
+  sleep 5
+  wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}")

-#   kubectl create secret generic test \
-#     --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \
-#     --from-file ../../test/acceptance/injector-test/bootstrap.sh
+  kubectl create secret generic test \
+    --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \
+    --from-file ../../test/acceptance/injector-test/bootstrap.sh

-#   kubectl label secret test app=openbao-agent-demo
+  kubectl label secret test app=openbao-agent-demo

-#   helm install "$(name_prefix)" \
-#     --set="server.extraVolumes[0].type=secret" \
-#     --set="server.extraVolumes[0].name=test" .
-#   wait_for_running $(name_prefix)-0
+  helm install "$(name_prefix)" \
+    --set="server.extraVolumes[0].type=secret" \
+    --set="server.extraVolumes[0].name=test" .
+  wait_for_running $(name_prefix)-0

-#   wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")
+  wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")

-#   kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
-#   sleep 5
+  kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
+  sleep 5

-#     # Sealed, not initialized
-#   local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
-#     jq -r '.sealed' )
-#   [ "${sealed_status}" == "false" ]
+    # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]

-#   local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
-#     jq -r '.initialized')
-#   [ "${init_status}" == "true" ]
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]


-#   kubectl create -f ../../test/acceptance/injector-test/job.yaml
-#   wait_for_complete_job "pgdump"
-# }
+  kubectl create -f ../../test/acceptance/injector-test/job.yaml
+  wait_for_complete_job "pgdump"
+}

 # Clean up
 teardown() {
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
@ -107,7 +107,7 @@ load _helpers
  [ "${actual}" = "PullPolicy1" ]
  local actual=$(echo $object |
      yq -r '.[1].image' | tee /dev/stderr)
-  [ "${actual}" = "Image2:0.0.2" ]
+  [ "${actual}" = "quay.io/Image2:0.0.2" ]
  local actual=$(echo $object |
      yq -r '.[1].imagePullPolicy' | tee /dev/stderr)
  [ "${actual}" = "PullPolicy2" ]
@ -796,7 +796,7 @@ load _helpers
      yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)

  local value=$(echo $object |
-      yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
+      yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
  [ "${value}" = "error" ]
 }

@ -810,7 +810,7 @@ load _helpers
      yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)

  local value=$(echo $object |
-      yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
+      yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
  [ "${value}" = "json" ]
 }