From 830761a293148b3149f8a497fb2e55bae5288160 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Tue, 24 May 2022 08:27:17 -0700 Subject: [PATCH] Restore missing 'vault' service account (#737) Our tutorials rely on this service account being present even if we are using an external Vault. The `values.yaml` also states that external Vaults are expected to use this service account. For example, https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault --- CHANGELOG.md | 3 +++ templates/_helpers.tpl | 26 ++++++++++++++++++++++++ templates/server-clusterrolebinding.yaml | 8 +++----- templates/server-serviceaccount.yaml | 6 ++---- test/unit/server-clusterrolebinding.bats | 1 + 5 files changed, 35 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b891e27..004076a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +CHANGES: +* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 + ## 0.20.0 (May 16th, 2022) CHANGES: diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 846bfc3..8c66a37 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -58,6 +58,32 @@ Compute if the server is enabled. (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} {{- end -}} +{{/* +Compute if the server auth delegator serviceaccount is enabled. +*/}} +{{- define "vault.serverServiceAccountEnabled" -}} +{{- $_ := set . "serverServiceAccountEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true" ) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server auth delegator serviceaccount is enabled. +*/}} +{{- define "vault.serverAuthDelegator" -}} +{{- $_ := set . "serverAuthDelegator" + (and + (eq (.Values.server.authDelegator.enabled | toString) "true" ) + (or (eq (.Values.server.serviceAccount.create | toString) "true") + (not (eq .Values.server.serviceAccount.name ""))) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + {{/* Compute if the server service is enabled. */}} diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index e045b9e..8cdd611 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,6 +1,5 @@ -{{ template "vault.mode" . }} -{{- if .serverEnabled -}} -{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }} +{{ template "vault.serverAuthDelegator" . }} +{{- if .serverAuthDelegator -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -22,5 +21,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} namespace: {{ .Release.Namespace }} -{{ end }} -{{ end }} +{{ end }} \ No newline at end of file diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 2d1a104..c0d32d1 100644 
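Review bot: The header comment on the new `vault.serverServiceAccountEnabled` define is copied from the auth-delegator helper and describes the wrong thing; it should read `Compute if the server service account should be created.`, and the second define's comment should say it gates the `system:auth-delegator` ClusterRoleBinding rather than a service account. It is also worth stating in that second comment that, unlike `vault.serverEnabled`, this helper evaluates true with `server.enabled=false` as long as `global.enabled` and `server.authDelegator.enabled` are true, since that is the behaviour the rest of the patch depends on. The `(not (eq .Values.server.serviceAccount.name ""))` branch lets the binding render for an account the chart itself does not create, granting TokenReview/SubjectAccessReview to whatever account of that name exists in the release namespace; that appears intended for the external-Vault case but should be spelled out in the comment.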
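Review bot: With the `.serverEnabled` guard replaced by `.serverAuthDelegator`, this cluster-scoped `system:auth-delegator` binding for the `vault` service account is rendered whenever `server.authDelegator.enabled` and `global.enabled` are true, including `server.enabled=false` with an external Vault where no pod in the cluster uses it; the account's token then becomes an out-of-cluster credential that can call TokenReview and SubjectAccessReview. That matches the documented external-Vault setup, but the template should say so, e.g. `{{/* Rendered even when server.enabled=false: an external Vault uses this account for the Kubernetes auth method. Set server.authDelegator.enabled=false if it does not. */}}` above the `if`. Dropping the `vault.mode` call also leaves `.mode` unset for the rest of this file; lines 4-21 are outside the hunk, so confirm nothing there still reads it.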
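Review bot: The rewritten closing `{{ end }}` now lacks a trailing newline (`\ No newline at end of file`) that the previous version had; restore it so the template file ends with a newline and future diffs of this closing line stay clean. The `if` this `end` closes begins in the first hunk of the file, outside this one.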
--- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -1,6 +1,5 @@ -{{ template "vault.mode" . }} -{{- if .serverEnabled -}} -{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} +{{ template "vault.serverServiceAccountEnabled" . }} +{{- if .serverServiceAccountEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: @@ -13,4 +12,3 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} {{ template "vault.serviceAccount.annotations" . }} {{ end }} -{{ end }} diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats index bf0a4d8..9d05aea 100755 --- a/test/unit/server-clusterrolebinding.bats +++ b/test/unit/server-clusterrolebinding.bats @@ -65,6 +65,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-clusterrolebinding.yaml \ + --set 'server.enabled=false' \ --set 'injector.externalVaultAddr=http://vault-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr)
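Review bot: The guard change is the whole reason for the patch, yet nothing in the template records it, so the next cleanup can reintroduce the 0.20.0 regression described in the commit message; add a comment above the `if`, e.g. `{{/* Created even when server.enabled=false: an external Vault relies on this account (see values.yaml). */}}`. The metadata and annotations lines between the two hunks are outside this one and unchanged.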
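Review bot: The new `--set 'server.enabled=false'` only exercises the positive path (binding still rendered for an external Vault); unless such a case already exists elsewhere in this file, a companion test that sets `server.enabled=false` together with `server.authDelegator.enabled=false` and asserts nothing is rendered would pin the new `vault.serverAuthDelegator` guard from both sides. The `[ "${actual}" = ... ]` assertion for this test lies outside the hunk.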