Restore missing 'vault' service account (#737)

Our tutorials rely on this service account being present even if we are
using an external Vault.

The `values.yaml` also states that external Vaults are expected to use
this service account.

For example,
https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault
Christopher Swenson 2022-05-24 08:27:17 -07:00 committed by GitHub
parent 3dcc3fd612
commit 830761a293
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 35 additions and 9 deletions


@ -1,5 +1,8 @@
## Unreleased
CHANGES:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0
## 0.20.0 (May 16th, 2022)
CHANGES:


@ -58,6 +58,32 @@ Compute if the server is enabled.
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server auth delegator serviceaccount is enabled.
*/}}
{{- define "vault.serverServiceAccountEnabled" -}}
{{- $_ := set . "serverServiceAccountEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true" )
(or
(eq (.Values.server.enabled | toString) "true")
(eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server auth delegator serviceaccount is enabled.
*/}}
{{- define "vault.serverAuthDelegator" -}}
{{- $_ := set . "serverAuthDelegator"
(and
(eq (.Values.server.authDelegator.enabled | toString) "true" )
(or (eq (.Values.server.serviceAccount.create | toString) "true")
(not (eq .Values.server.serviceAccount.name "")))
(or
(eq (.Values.server.enabled | toString) "true")
(eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server service is enabled.
*/}}
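Review bot: The header comment on `vault.serverServiceAccountEnabled` is a copy of the one on `vault.serverAuthDelegator` — both read "Compute if the server auth delegator serviceaccount is enabled." — but the first helper only decides whether the server ServiceAccount itself is rendered, so it should read `Compute if the server serviceaccount is enabled.`. It would also help a reader to carry the intent from the commit message into that comment, e.g. `Rendered whenever the server or the global switch is enabled, even with an external Vault, since external Vaults are expected to use this account.`. Separately, `.Values.server.serviceAccount.name` on the `not (eq ... "")` line is compared without the `| toString` that the neighbouring `create`, `enabled` fields use; if that key can be absent or null in a user's values, confirm `eq` tolerates it or normalise it the same way.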


@ -1,6 +1,5 @@
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
{{ template "vault.serverAuthDelegator" . }}
{{- if .serverAuthDelegator -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
@ -22,5 +21,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}
{{ end }}
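Review bot: The removed guard `and (ne .mode "") (eq ... authDelegator.enabled ...)` is replaced by `vault.serverAuthDelegator`, which does not look at `.mode`, so the ClusterRoleBinding is now also rendered when `vault.mode` yields an empty mode; if that case was meant to stay excluded, the helper needs the `ne .mode ""` term back. Otherwise the `{{ template "vault.mode" . }}` include on the first line appears to survive only for its side effects and deserves either removal or a comment such as `{{/* vault.mode kept for its side effects on the context */}}` — confirm nothing further down this file reads `.mode` or `.serverEnabled`. The same applies to the serviceaccount template in the next file section, whose `vault.mode` include is likewise not consumed by the visible lines. Because this binding attaches a cluster role to the account named by `vault.serviceAccount.name`, widening the rendering condition is security-relevant and worth its own line in the CHANGELOG entry next to the service-account note.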


@ -1,6 +1,5 @@
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
{{ template "vault.serverServiceAccountEnabled" . }}
{{- if .serverServiceAccountEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
@ -13,4 +12,3 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "vault.serviceAccount.annotations" . }}
{{ end }}
{{ end }}


@ -65,6 +65,7 @@ load _helpers
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-clusterrolebinding.yaml \
--set 'server.enabled=false' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
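Review bot: The added `--set` (presumably `server.enabled=false`, combined with `injector.externalVaultAddr`) exercises only the `server.enabled`/`global.enabled` branch of the new `vault.serverAuthDelegator` helper; the `or (serviceAccount.create = true) (serviceAccount.name != "")` branch, where the binding is rendered for a pre-existing account, has no test here. A sibling case with `--set 'server.serviceAccount.create=false' --set 'server.serviceAccount.name=<existing-sa>'` (placeholder name) that asserts the rendered subject name would cover it. The `@test` name and the final assertion lie outside the hunk, so I cannot tell which outcome this case pins.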