Add new vault-k8s environment variables (#219)

* Add new vault-k8s envs * update vault image * Add default tests for envs * Add note about supported log parameters * Fix typo in test name
2020-03-06 15:03:58 -05:00 · 2020-03-06 15:03:58 -05:00 · 9d1693ad13
commit 9d1693ad13
parent 9d92922c9d
3 changed files with 115 additions and 3 deletions
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@ -60,6 +60,10 @@ spec:
            - name: AGENT_INJECT_TLS_AUTO_HOSTS
              value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
            {{- end }}
+            - name: AGENT_INJECT_LOG_FORMAT
+              value: {{ .Values.injector.logFormat | default "standard" }}
+            - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
+              value: {{ .Values.injector.revokeOnShutdown | default false }}
          args:
            - agent-inject
            - 2>&1
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@ -222,3 +222,102 @@ load _helpers
      yq -r '.[3].value' | tee /dev/stderr)
  [ "${actual}" = "auth/k8s" ]
 }
+
+@test "injector/deployment: default logLevel" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[1].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ]
+
+  local actual=$(echo $object |
+      yq -r '.[1].value' | tee /dev/stderr)
+  [ "${actual}" = "info" ]
+}
+
+@test "injector/deployment: custom logLevel" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.logLevel=foo' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[1].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ]
+
+  local actual=$(echo $object |
+      yq -r '.[1].value' | tee /dev/stderr)
+  [ "${actual}" = "foo" ]
+}
+
+@test "injector/deployment: default logFormat" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[7].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ]
+
+  local actual=$(echo $object |
+      yq -r '.[7].value' | tee /dev/stderr)
+  [ "${actual}" = "standard" ]
+}
+
+@test "injector/deployment: custom logFormat" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.logFormat=json' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[7].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ]
+
+  local actual=$(echo $object |
+      yq -r '.[7].value' | tee /dev/stderr)
+  [ "${actual}" = "json" ]
+}
+
+@test "injector/deployment: default revoke on shutdown" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[8].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ]
+
+  local actual=$(echo $object |
+      yq -r '.[8].value' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/deployment: custom revoke on shutdown" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.revokeOnShutdown=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[8].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ]
+
+  local actual=$(echo $object |
+      yq -r '.[8].value' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
--- a/values.yaml
+++ b/values.yaml
@ -22,7 +22,7 @@ injector:
  # image sets the repo and tag of the vault-k8s image to use for the injector.
  image:
    repository: "hashicorp/vault-k8s"
-    tag: "0.2.0"
+    tag: "0.3.0"
    pullPolicy: IfNotPresent

  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@ -30,11 +30,20 @@ injector:
  # required.
  agentImage:
    repository: "vault"
-    tag: "1.3.2"
+    tag: "1.3.3"

  # Mount Path of the Vault Kubernetes Auth Method.
  authPath: "auth/kubernetes"

+  # Configures the log verbosity of the injector. Supported log levels: Trace, Debug, Error, Warn, Info
+  logLevel: "info"
+
+  # Configures the log format of the injector. Supported log formats: "standard", "json".
+  logFormat: "standard"
+  
+  # Configures all Vault Agent sidecars to revoke their token when shutting down
+  revokeOnShutdown: false
+
  # namespaceSelector is the selector for restricting the webhook to only
  # specific namespaces. This should be set to a multiline string.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@ -79,7 +88,7 @@ server:

  image:
    repository: "vault"
-    tag: "1.3.2"
+    tag: "1.3.3"
    # Overrides the default Image Pull Policy
    pullPolicy: IfNotPresent