Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Require vault to run as non root (#80)

Browse source 
* Require vault to run as non root

* Fix unit tests

* Make uid/gid configurable, remove home emptydir
This commit is contained in:
Jason O'Donnell 2019-10-18 12:42:25 -04:00 committed by GitHub
parent f7aa2576d0
commit b41d36c621
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 223 additions and 89 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
templates/server-config-configmap.yaml
View file

@ -13,9 +13,7 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
data: data:
extraconfig-from-values.hcl: |- extraconfig-from-values.hcl: |-
{{- if eq (.Values.server.mlock.enabled | toString) "false" }}
disable_mlock = true disable_mlock = true
{{- end }}
{{- if eq .mode "standalone" }} {{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }} {{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if eq .mode "ha" }} {{- else if eq .mode "ha" }}

10
templates/server-statefulset.yaml
View file

@ -41,17 +41,19 @@ spec:
terminationGracePeriodSeconds: 10 terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "vault.fullname" . }} serviceAccountName: {{ template "vault.fullname" . }}
securityContext: securityContext:
fsGroup: 1000 readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }}
fsGroup: {{ .Values.server.gid | default 1000 }}
volumes: volumes:
{{ template "vault.volumes" . }} {{ template "vault.volumes" . }}
containers: containers:
- name: vault - name: vault
{{ template "vault.resources" . }} {{ template "vault.resources" . }}
{{- if eq (.Values.server.mlock.enabled | toString) "true" }}
securityContext: securityContext:
capabilities: capabilities:
add: ["IPC_LOCK"] add: ["IPC_LOCK"]
{{- end }}
image: "{{ .Values.global.image }}" image: "{{ .Values.global.image }}"
command: {{ template "vault.command" . }} command: {{ template "vault.command" . }}
args: {{ template "vault.args" . }} args: {{ template "vault.args" . }}
@ -70,10 +72,8 @@ spec:
value: "{{ include "vault.scheme" . }}://$(POD_IP):8200" value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
- name: SKIP_CHOWN - name: SKIP_CHOWN
value: "true" value: "true"
{{- if eq (.Values.server.mlock.enabled | toString) "false" }}
- name: SKIP_SETCAP - name: SKIP_SETCAP
value: "true" value: "true"
{{- end }}
{{ template "vault.envs" . }} {{ template "vault.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}

49
test/unit/server-configmap.bats
View file

@ -82,52 +82,3 @@ load _helpers
yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr) yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr)
[ ! -z "${actual}" ] [ ! -z "${actual}" ]
} }
@test "server/ConfigMap: mlock by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
[ -z "${actual}" ]
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.standalone.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
[ -z "${actual}" ]
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
[ -z "${actual}" ]
}
@test "server/ConfigMap: disable mlock" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.mlock.enabled=false' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
[ ! -z "${actual}" ]
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.mlock.enabled=false' \
--set 'server.standalone.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
[ ! -z "${actual}" ]
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.mlock.enabled=false' \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
[ ! -z "${actual}" ]
}

85
test/unit/server-dev-statefulset.bats
View file

@ -224,19 +224,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].name' | tee /dev/stderr) yq -r '.[7].name' | tee /dev/stderr)
[ "${actual}" = "FOO" ] [ "${actual}" = "FOO" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].value' | tee /dev/stderr) yq -r '.[7].value' | tee /dev/stderr)
[ "${actual}" = "bar" ] [ "${actual}" = "bar" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[7].name' | tee /dev/stderr) yq -r '.[8].name' | tee /dev/stderr)
[ "${actual}" = "FOOBAR" ] [ "${actual}" = "FOOBAR" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[7].value' | tee /dev/stderr) yq -r '.[8].value' | tee /dev/stderr)
[ "${actual}" = "foobar" ] [ "${actual}" = "foobar" ]
} }
@ -257,23 +257,23 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].name' | tee /dev/stderr) yq -r '.[6].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_0" ] [ "${actual}" = "ENV_FOO_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].valueFrom.secretKeyRef.name' | tee /dev/stderr) yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_0" ] [ "${actual}" = "secret_name_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].valueFrom.secretKeyRef.key' | tee /dev/stderr) yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_0" ] [ "${actual}" = "secret_key_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].name' | tee /dev/stderr) yq -r '.[7].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_1" ] [ "${actual}" = "ENV_FOO_1" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr) yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_1" ] [ "${actual}" = "secret_name_1" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr) yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_1" ] [ "${actual}" = "secret_key_1" ]
} }
@ -311,3 +311,68 @@ load _helpers
yq -r '.spec.volumeClaimTemplates' | tee /dev/stderr) yq -r '.spec.volumeClaimTemplates' | tee /dev/stderr)
[ "${actual}" = "null" ] [ "${actual}" = "null" ]
} }
#--------------------------------------------------------------------
# Security Contexts
@test "server/standalone-StatefulSet: uid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "100" ]
}
@test "server/standalone-StatefulSet: uid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.uid=2000' \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: gid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "1000" ]
}
@test "server/standalone-StatefulSet: gid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.gid=2000' \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: fsgroup default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "1000" ]
}
@test "server/standalone-StatefulSet: fsgroup configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.gid=2000' \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}

85
test/unit/server-ha-statefulset.bats
View file

@ -320,19 +320,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].name' | tee /dev/stderr) yq -r '.[6].name' | tee /dev/stderr)
[ "${actual}" = "FOO" ] [ "${actual}" = "FOO" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].value' | tee /dev/stderr) yq -r '.[6].value' | tee /dev/stderr)
[ "${actual}" = "bar" ] [ "${actual}" = "bar" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].name' | tee /dev/stderr) yq -r '.[7].name' | tee /dev/stderr)
[ "${actual}" = "FOOBAR" ] [ "${actual}" = "FOOBAR" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].value' | tee /dev/stderr) yq -r '.[7].value' | tee /dev/stderr)
[ "${actual}" = "foobar" ] [ "${actual}" = "foobar" ]
} }
@ -354,23 +354,23 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].name' | tee /dev/stderr) yq -r '.[6].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_0" ] [ "${actual}" = "ENV_FOO_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].valueFrom.secretKeyRef.name' | tee /dev/stderr) yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_0" ] [ "${actual}" = "secret_name_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].valueFrom.secretKeyRef.key' | tee /dev/stderr) yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_0" ] [ "${actual}" = "secret_key_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].name' | tee /dev/stderr) yq -r '.[7].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_1" ] [ "${actual}" = "ENV_FOO_1" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr) yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_1" ] [ "${actual}" = "secret_name_1" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr) yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_1" ] [ "${actual}" = "secret_key_1" ]
} }
@ -506,3 +506,68 @@ load _helpers
yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr) yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "testing" ] [ "${actual}" = "testing" ]
} }
#--------------------------------------------------------------------
# Security Contexts
@test "server/standalone-StatefulSet: uid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "100" ]
}
@test "server/standalone-StatefulSet: uid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.uid=2000' \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: gid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "1000" ]
}
@test "server/standalone-StatefulSet: gid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.gid=2000' \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: fsgroup default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "1000" ]
}
@test "server/standalone-StatefulSet: fsgroup configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.gid=2000' \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}

76
test/unit/server-statefulset.bats
View file

@ -305,19 +305,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].name' | tee /dev/stderr) yq -r '.[6].name' | tee /dev/stderr)
[ "${actual}" = "FOO" ] [ "${actual}" = "FOO" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].value' | tee /dev/stderr) yq -r '.[6].value' | tee /dev/stderr)
[ "${actual}" = "bar" ] [ "${actual}" = "bar" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].name' | tee /dev/stderr) yq -r '.[7].name' | tee /dev/stderr)
[ "${actual}" = "FOOBAR" ] [ "${actual}" = "FOOBAR" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].value' | tee /dev/stderr) yq -r '.[7].value' | tee /dev/stderr)
[ "${actual}" = "foobar" ] [ "${actual}" = "foobar" ]
local object=$(helm template \ local object=$(helm template \
@ -328,19 +328,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].name' | tee /dev/stderr) yq -r '.[6].name' | tee /dev/stderr)
[ "${actual}" = "FOO" ] [ "${actual}" = "FOO" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[5].value' | tee /dev/stderr) yq -r '.[6].value' | tee /dev/stderr)
[ "${actual}" = "bar" ] [ "${actual}" = "bar" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].name' | tee /dev/stderr) yq -r '.[7].name' | tee /dev/stderr)
[ "${actual}" = "FOOBAR" ] [ "${actual}" = "FOOBAR" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[6].value' | tee /dev/stderr) yq -r '.[7].value' | tee /dev/stderr)
[ "${actual}" = "foobar" ] [ "${actual}" = "foobar" ]
} }
@ -532,3 +532,63 @@ load _helpers
yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr) yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ] [ "${actual}" = "bar" ]
} }
#--------------------------------------------------------------------
# Security Contexts
@test "server/standalone-StatefulSet: uid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "100" ]
}
@test "server/standalone-StatefulSet: uid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.uid=2000' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: gid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "1000" ]
}
@test "server/standalone-StatefulSet: gid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.gid=2000' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: fsgroup default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "1000" ]
}
@test "server/standalone-StatefulSet: fsgroup configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.gid=2000' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}

5
values.yaml
View file

@ -240,11 +240,6 @@ server:
serviceaccount: serviceaccount:
annotations: {} annotations: {}
# mlock prevents memory from being swapped to disk. If swap is enabled this should
# be true.
mlock:
enabled: true
# Vault UI # Vault UI
ui: ui:
# True if you want to create a Service entry for the Vault UI. # True if you want to create a Service entry for the Vault UI.