From 9d1693ad13bf364da56f0cfe5210981bbe2bf696 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Fri, 6 Mar 2020 15:03:58 -0500
Subject: [PATCH] Add new vault-k8s environment variables (#219)
* Add new vault-k8s envs
* update vault image
* Add default tests for envs
* Add note about supported log parameters
* Fix typo in test name
---
 templates/injector-deployment.yaml | 4 ++
 test/unit/injector-deployment.bats | 99 ++++++++++++++++++++++++++++++
 values.yaml | 15 ++++-
 3 files changed, 115 insertions(+), 3 deletions(-)
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 16f6223..fa3688e 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -60,6 +60,10 @@ spec:
 - name: AGENT_INJECT_TLS_AUTO_HOSTS
 value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
 {{- end }}
+ - name: AGENT_INJECT_LOG_FORMAT
+ value: {{ .Values.injector.logFormat | default "standard" }}
+ - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
+ value: {{ .Values.injector.revokeOnShutdown | default false }}
 args:
 - agent-inject
 - 2>&1
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index fb00ee3..54b5c1c 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
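Review bot: The new `AGENT_INJECT_REVOKE_ON_SHUTDOWN` entry renders an unquoted `value: false`, which YAML parses as a boolean, while a container env `value` has to be a string, so the rendered Deployment is likely to be rejected at apply time even though `helm template` succeeds. Quote it in the template: `value: "{{ .Values.injector.revokeOnShutdown | default false }}"`. The same applies defensively to `AGENT_INJECT_LOG_FORMAT`: `value: {{ .Values.injector.logFormat | default "standard" | quote }}` keeps an override such as `on` or a bare number from being retyped. Because this setting decides whether sidecar tokens are revoked at shutdown, a rendering error here should be caught by the chart tests rather than at deploy time.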
@@ -222,3 +222,102 @@ load _helpers
 yq -r '.[3].value' | tee /dev/stderr)
 [ "${actual}" = "auth/k8s" ]
 }
+
+@test "injector/deployment: default logLevel" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.[1].name' | tee /dev/stderr)
+ [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ]
+
+ local actual=$(echo $object |
+ yq -r '.[1].value' | tee /dev/stderr)
+ [ "${actual}" = "info" ]
+}
+
+@test "injector/deployment: custom logLevel" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set 'injector.logLevel=foo' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.[1].name' | tee /dev/stderr)
+ [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ]
+
+ local actual=$(echo $object |
+ yq -r '.[1].value' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+}
+
+@test "injector/deployment: default logFormat" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.[7].name' | tee /dev/stderr)
+ [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ]
+
+ local actual=$(echo $object |
+ yq -r '.[7].value' | tee /dev/stderr)
+ [ "${actual}" = "standard" ]
+}
+
+@test "injector/deployment: custom logFormat" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set 'injector.logFormat=json' \
+ . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[7].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ] + + local actual=$(echo $object | + yq -r '.[7].value' | tee /dev/stderr) + [ "${actual}" = "json" ] +} + +@test "injector/deployment: default revoke on shutdown" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[8].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] + + local actual=$(echo $object | + yq -r '.[8].value' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/deployment: custom revoke on shutdown" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.revokeOnShutdown=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[8].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] + + local actual=$(echo $object | + yq -r '.[8].value' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/values.yaml b/values.yaml index 24cbfd6..e31e40f 100644 --- a/values.yaml +++ b/values.yaml @@ -22,7 +22,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.2.0" + tag: "0.3.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent 
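Review bot: The new tests address env entries by position (`.[1]`, `.[7]`, `.[8]`), so they fail or silently check the wrong variable as soon as an entry is added, removed or gated earlier in the list; the template hunk shows an `{{- end }}` directly before the new entries, so at least one preceding entry is conditional. Selecting by name is more robust, e.g. `yq -r 'map(select(.name == "AGENT_INJECT_REVOKE_ON_SHUTDOWN")) | .[0].value'`, assuming the jq-style `yq` these tests already use. Note also that `yq -r` prints `false` for both a YAML boolean and the string "false", so the revoke-on-shutdown tests cannot tell whether the rendered value has the string type an env var requires; an extra assertion on `.[0].value | type` being `string` would cover that.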
@@ -30,11 +30,20 @@ injector: # required. agentImage: repository: "vault" - tag: "1.3.2" + tag: "1.3.3" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" + # Configures the log verbosity of the injector. Supported log levels: Trace, Debug, Error, Warn, Info + logLevel: "info" + + # Configures the log format of the injector. Supported log formats: "standard", "json". + logFormat: "standard" + + # Configures all Vault Agent sidecars to revoke their token when shutting down + revokeOnShutdown: false + # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. This should be set to a multiline string. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -79,7 +88,7 @@ server: image: repository: "vault" - tag: "1.3.2" + tag: "1.3.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent
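Review bot: The `logLevel` comment lists the levels as `Trace, Debug, Error, Warn, Info` while the default is the lowercase `"info"` and the `logFormat` comment right below quotes its values exactly as they are written. Listing them in the form users should type, e.g. `# Supported log levels: "trace", "debug", "info", "warn", "error".`, removes the guesswork about case. The `revokeOnShutdown` comment would also benefit from stating what the default means for operators — presumably sidecar tokens stay valid until they expire once the pod stops — e.g. `# Configures all Vault Agent sidecars to revoke their token when shutting down. Defaults to false.`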