Restore missing 'vault' service account (#737)
Our tutorials rely on this service account being present even if we are using an external Vault. The `values.yaml` also states that external Vaults are expected to use this service account. For example, https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault
This commit is contained in:
parent
3dcc3fd612
commit
830761a293
5 changed files with 35 additions and 9 deletions
|
@ -1,5 +1,8 @@
|
|||
## Unreleased
|
||||
|
||||
CHANGES:
|
||||
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0
|
||||
|
||||
## 0.20.0 (May 16th, 2022)
|
||||
|
||||
CHANGES:
|
||||
|
|
|
@ -58,6 +58,32 @@ Compute if the server is enabled.
|
|||
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Compute if the server auth delegator serviceaccount is enabled.
|
||||
*/}}
|
||||
{{- define "vault.serverServiceAccountEnabled" -}}
|
||||
{{- $_ := set . "serverServiceAccountEnabled"
|
||||
(and
|
||||
(eq (.Values.server.serviceAccount.create | toString) "true" )
|
||||
(or
|
||||
(eq (.Values.server.enabled | toString) "true")
|
||||
(eq (.Values.global.enabled | toString) "true"))) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Compute if the server auth delegator serviceaccount is enabled.
|
||||
*/}}
|
||||
{{- define "vault.serverAuthDelegator" -}}
|
||||
{{- $_ := set . "serverAuthDelegator"
|
||||
(and
|
||||
(eq (.Values.server.authDelegator.enabled | toString) "true" )
|
||||
(or (eq (.Values.server.serviceAccount.create | toString) "true")
|
||||
(not (eq .Values.server.serviceAccount.name "")))
|
||||
(or
|
||||
(eq (.Values.server.enabled | toString) "true")
|
||||
(eq (.Values.global.enabled | toString) "true"))) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Compute if the server service is enabled.
|
||||
*/}}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{{ template "vault.mode" . }}
|
||||
{{- if .serverEnabled -}}
|
||||
{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
|
||||
{{ template "vault.serverAuthDelegator" . }}
|
||||
{{- if .serverAuthDelegator -}}
|
||||
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
{{- else }}
|
||||
|
@ -22,5 +21,4 @@ subjects:
|
|||
- kind: ServiceAccount
|
||||
name: {{ template "vault.serviceAccount.name" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
|
@ -1,6 +1,5 @@
|
|||
{{ template "vault.mode" . }}
|
||||
{{- if .serverEnabled -}}
|
||||
{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
|
||||
{{ template "vault.serverServiceAccountEnabled" . }}
|
||||
{{- if .serverServiceAccountEnabled -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
|
@ -13,4 +12,3 @@ metadata:
|
|||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{ template "vault.serviceAccount.annotations" . }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
|
|
|
@ -65,6 +65,7 @@ load _helpers
|
|||
cd `chart_dir`
|
||||
local actual=$( (helm template \
|
||||
--show-only templates/server-clusterrolebinding.yaml \
|
||||
--set 'server.enabled=false' \
|
||||
--set 'injector.externalVaultAddr=http://vault-outside' \
|
||||
. || echo "---") | tee /dev/stderr |
|
||||
yq 'length > 0' | tee /dev/stderr)
|
||||
|
|
Loading…
Reference in a new issue