update more vault to openbao everywhere

Signed-off-by: jessebot <jessebot@linux.com>
jessebot 2024-05-28 13:52:10 +02:00 committed by Nathan A Phelps
parent f15d0f69f9
commit b473c07acc
93 changed files with 695 additions and 763 deletions

@ -86,7 +86,7 @@ Next, execute the tests with the following commands:
```shell ```shell
docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit
``` ```
It's possible to only run specific bats tests using regular expressions. It's possible to only run specific bats tests using regular expressions.
For example, the following will run only tests with "injector" in the name: For example, the following will run only tests with "injector" in the name:
```shell ```shell
docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector" docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector"
@ -123,7 +123,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
start from a clean slate. start from a clean slate.
**Note:** There is a Terraform configuration in the **Note:** There is a Terraform configuration in the
[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory [`test/terraform/`](https://github.com/openbao/openbao-helm/tree/main/test/terraform) directory
that can be used to quickly bring up a GKE cluster and configure that can be used to quickly bring up a GKE cluster and configure
`kubectl` and `helm` locally. This can be used to quickly spin up a test `kubectl` and `helm` locally. This can be used to quickly spin up a test
cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes

@ -1,6 +1,6 @@
TEST_IMAGE?=vault-helm-test TEST_IMAGE?=openbao-helm-test
GOOGLE_CREDENTIALS?=vault-helm-test.json GOOGLE_CREDENTIALS?=openbao-helm-test.json
CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514
# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
ACCEPTANCE_TESTS?=acceptance ACCEPTANCE_TESTS?=acceptance
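Review bot: the new defaults `GOOGLE_CREDENTIALS?=openbao-helm-test.json` and `CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514` read as a text substitution on the old `vault-helm-*` values, and nothing in this hunk shows that a GCP project with that ID exists or is controlled by this project. Suggest leaving `CLOUDSDK_CORE_PROJECT` without a default, or failing early when it is unset, so an acceptance run never targets a project nobody has verified.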
@ -11,7 +11,7 @@ UNIT_TESTS_FILTER?='.*'
LOCAL_ACCEPTANCE_TESTS?=false LOCAL_ACCEPTANCE_TESTS?=false
# kind cluster name # kind cluster name
KIND_CLUSTER_NAME?=vault-helm KIND_CLUSTER_NAME?=openbao-helm
# kind k8s version # kind k8s version
KIND_K8S_VERSION?=v1.29.2 KIND_K8S_VERSION?=v1.29.2
@ -40,7 +40,6 @@ else
-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
-e KUBECONFIG=/helm-test/.kube/config \ -e KUBECONFIG=/helm-test/.kube/config \
-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
-w /helm-test \ -w /helm-test \
$(TEST_IMAGE) \ $(TEST_IMAGE) \
make acceptance make acceptance
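Review bot: dropping `-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI}` from the `docker run` arguments is only safe if no acceptance test still reads that variable, and the Makefile comment in the first hunk still gives `acceptance/server-ha-enterprise-dr.bats` as its example test. Please confirm the enterprise tests are removed in this commit and update that comment; otherwise the remaining tests will run with an empty license value.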

@ -10,7 +10,7 @@ Official OpenBao Chart
| Name | Email | Url | | Name | Email | Url |
| ---- | ------ | --- | | ---- | ------ | --- |
| OpenBao | <https://lists.lfedge.org/g/openbao> | <https://openbao.org> | | OpenBao | <openbao-security@lists.lfedge.org> | <https://openbao.org> |
## Source Code ## Source Code
@ -42,7 +42,7 @@ Kubernetes: `>= 1.27.0-0`
| csi.daemonSet.updateStrategy.maxUnavailable | string | `""` | | | csi.daemonSet.updateStrategy.maxUnavailable | string | `""` | |
| csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` | | | csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` | |
| csi.debug | bool | `false` | | | csi.debug | bool | `false` | |
| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount Vault secrets into volumes similar to the Vault Agent injector, and you can also sync those secrets into Kubernetes secrets. | | csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount OpenBao secrets into volumes similar to the OpenBao Agent injector, and you can also sync those secrets into Kubernetes secrets. |
| csi.extraArgs | list | `[]` | | | csi.extraArgs | list | `[]` | |
| csi.hmacSecretName | string | `""` | | | csi.hmacSecretName | string | `""` | |
| csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" | | csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" |
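Review bot: in the `csi.enabled` description the daemonset is still called `secrets-store-csi-driver-provider-vault`, while the rest of the sentence now says "OpenBao secrets" and "OpenBao Agent injector". If the chart still deploys the Vault-named provider, the description should say so explicitly; if it does not, the name needs updating too, so operators can tell which provider image they are running.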
@ -68,10 +68,10 @@ Kubernetes: `>= 1.27.0-0`
| csi.resources | object | `{}` | | | csi.resources | object | `{}` | |
| csi.serviceAccount.annotations | object | `{}` | | | csi.serviceAccount.annotations | object | `{}` | |
| csi.serviceAccount.extraLabels | object | `{}` | | | csi.serviceAccount.extraLabels | object | `{}` | |
| csi.volumeMounts | string | `nil` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | | csi.volumeMounts | list | `[]` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
| csi.volumes | string | `nil` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | | csi.volumes | list | `[]` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
| global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. | | global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. |
| global.externalVaultAddr | string | `""` | External vault server address for the injector and CSI provider to use. Setting this will disable deployment of a vault server. | | global.externalVaultAddr | string | `""` | External openbao server address for the injector and CSI provider to use. Setting this will disable deployment of a openbao server. |
| global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. | | global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. |
| global.namespace | string | `""` | The namespace to deploy to. Defaults to the `helm` installation namespace. | | global.namespace | string | `""` | The namespace to deploy to. Defaults to the `helm` installation namespace. |
| global.openshift | bool | `false` | If deploying to OpenShift | | global.openshift | bool | `false` | If deploying to OpenShift |
@ -79,7 +79,7 @@ Kubernetes: `>= 1.27.0-0`
| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. | | global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. |
| global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. | | global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. |
| global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport | | global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport |
| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | | | injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | |
| injector.agentDefaults.cpuLimit | string | `"500m"` | | | injector.agentDefaults.cpuLimit | string | `"500m"` | |
| injector.agentDefaults.cpuRequest | string | `"250m"` | | | injector.agentDefaults.cpuRequest | string | `"250m"` | |
| injector.agentDefaults.memLimit | string | `"128Mi"` | | | injector.agentDefaults.memLimit | string | `"128Mi"` | |
@ -87,7 +87,7 @@ Kubernetes: `>= 1.27.0-0`
| injector.agentDefaults.template | string | `"map"` | | | injector.agentDefaults.template | string | `"map"` | |
| injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | | | injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | |
| injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | | | injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | |
| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.0-alpha20240329"}` | agentImage sets the repo and tag of the Vault image to use for the Vault Agent containers. This should be set to the official Vault image. Vault 1.3.1+ is required. | | injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.0-alpha20240329"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. |
| injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" | | injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
| injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image | | injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image |
| injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image | | injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image |
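Review bot: the `injector.agentImage` description now reads "OpenBao 1.3.1+ is required", which is the old Vault minimum version with only the product name swapped; the default tag in the same row is `2.0.0-alpha20240329`. Suggest stating the real minimum OpenBao version or dropping that sentence.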
@ -98,7 +98,7 @@ Kubernetes: `>= 1.27.0-0`
| injector.certs.certName | string | `"tls.crt"` | | | injector.certs.certName | string | `"tls.crt"` | |
| injector.certs.keyName | string | `"tls.key"` | | | injector.certs.keyName | string | `"tls.key"` | |
| injector.certs.secretName | string | `nil` | | | injector.certs.secretName | string | `nil` | |
| injector.enabled | string | `"-"` | True if you want to enable vault agent injection. @default: global.enabled | | injector.enabled | string | `"-"` | True if you want to enable openbao agent injection. @default: global.enabled |
| injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. | | injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. |
| injector.extraEnvironmentVars | object | `{}` | | | injector.extraEnvironmentVars | object | `{}` | |
| injector.extraLabels | object | `{}` | | | injector.extraLabels | object | `{}` | |
@ -147,16 +147,16 @@ Kubernetes: `>= 1.27.0-0`
| injector.webhook.failurePolicy | string | `"Ignore"` | | | injector.webhook.failurePolicy | string | `"Ignore"` | |
| injector.webhook.matchPolicy | string | `"Exact"` | | | injector.webhook.matchPolicy | string | `"Exact"` | |
| injector.webhook.namespaceSelector | object | `{}` | | | injector.webhook.namespaceSelector | object | `{}` | |
| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"vault.name\" . }}-agent-injector\n"` | | | injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"openbao.name\" . }}-agent-injector\n"` | |
| injector.webhook.timeoutSeconds | int | `30` | | | injector.webhook.timeoutSeconds | int | `30` | |
| injector.webhookAnnotations | object | `{}` | | | injector.webhookAnnotations | object | `{}` | |
| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | | | server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | |
| server.annotations | object | `{}` | | | server.annotations | object | `{}` | |
| server.auditStorage.accessMode | string | `"ReadWriteOnce"` | | | server.auditStorage.accessMode | string | `"ReadWriteOnce"` | |
| server.auditStorage.annotations | object | `{}` | | | server.auditStorage.annotations | object | `{}` | |
| server.auditStorage.enabled | bool | `false` | | | server.auditStorage.enabled | bool | `false` | |
| server.auditStorage.labels | object | `{}` | | | server.auditStorage.labels | object | `{}` | |
| server.auditStorage.mountPath | string | `"/vault/audit"` | | | server.auditStorage.mountPath | string | `"/openbao/audit"` | |
| server.auditStorage.size | string | `"10Gi"` | | | server.auditStorage.size | string | `"10Gi"` | |
| server.auditStorage.storageClass | string | `nil` | | | server.auditStorage.storageClass | string | `nil` | |
| server.authDelegator.enabled | bool | `true` | | | server.authDelegator.enabled | bool | `true` | |
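Review bot: changing the `server.auditStorage.mountPath` default from `/vault/audit` to `/openbao/audit` moves where the audit volume is mounted on upgrade, so an existing audit device configured with a path under `/vault/audit` would no longer write to the persistent volume. Suggest listing this as a breaking change in the upgrade notes and telling users to either pin the old `mountPath` in their values or re-point the audit device before upgrading.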
@ -165,13 +165,13 @@ Kubernetes: `>= 1.27.0-0`
| server.dataStorage.annotations | object | `{}` | | | server.dataStorage.annotations | object | `{}` | |
| server.dataStorage.enabled | bool | `true` | | | server.dataStorage.enabled | bool | `true` | |
| server.dataStorage.labels | object | `{}` | | | server.dataStorage.labels | object | `{}` | |
| server.dataStorage.mountPath | string | `"/vault/data"` | | | server.dataStorage.mountPath | string | `"/openbao/data"` | |
| server.dataStorage.size | string | `"10Gi"` | | | server.dataStorage.size | string | `"10Gi"` | |
| server.dataStorage.storageClass | string | `nil` | | | server.dataStorage.storageClass | string | `nil` | |
| server.dev.devRootToken | string | `"root"` | | | server.dev.devRootToken | string | `"root"` | |
| server.dev.enabled | bool | `false` | | | server.dev.enabled | bool | `false` | |
| server.enabled | string | `"-"` | | | server.enabled | string | `"-"` | |
| server.extraArgs | string | `""` | extraArgs is a string containing additional Vault server arguments. | | server.extraArgs | string | `""` | extraArgs is a string containing additional OpenBao server arguments. |
| server.extraContainers | string | `nil` | | | server.extraContainers | string | `nil` | |
| server.extraEnvironmentVars | object | `{}` | | | server.extraEnvironmentVars | object | `{}` | |
| server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. | | server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. |
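Review bot: `server.dataStorage.mountPath` now defaults to `/openbao/data`, but a user who overrides `server.standalone.config` or `server.ha.raft.config` with their own `path = "/vault/data"` keeps the old storage path, which after this change is no longer where the data volume is mounted. Suggest an upgrade note, or a template check that fails rendering when the configured storage path is not under `mountPath`.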
@ -181,11 +181,11 @@ Kubernetes: `>= 1.27.0-0`
| server.extraVolumes | list | `[]` | | | server.extraVolumes | list | `[]` | |
| server.ha.apiAddr | string | `nil` | | | server.ha.apiAddr | string | `nil` | |
| server.ha.clusterAddr | string | `nil` | | | server.ha.clusterAddr | string | `nil` | |
| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"vault\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | | server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"openbao\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | |
| server.ha.disruptionBudget.enabled | bool | `true` | | | server.ha.disruptionBudget.enabled | bool | `true` | |
| server.ha.disruptionBudget.maxUnavailable | string | `nil` | | | server.ha.disruptionBudget.maxUnavailable | string | `nil` | |
| server.ha.enabled | bool | `false` | | | server.ha.enabled | bool | `false` | |
| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/vault/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | | | server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/openbao/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | |
| server.ha.raft.enabled | bool | `false` | | | server.ha.raft.enabled | bool | `false` | |
| server.ha.raft.setNodeId | bool | `false` | | | server.ha.raft.setNodeId | bool | `false` | |
| server.ha.replicas | int | `3` | | | server.ha.replicas | int | `3` | |
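Review bot: in the `server.ha.config` default, the `storage "consul"` block changes `path = "vault"` to `path = "openbao"`; this is a data location rather than a label, so a release upgraded with the default config would read from a different Consul prefix than the one holding its existing data. Suggest keeping the old path or documenting the migration step. The commented `seal "gcpckms"` example also now names `openbao-helm-dev-246514`, which would be clearer as an obvious placeholder.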
@ -261,8 +261,8 @@ Kubernetes: `>= 1.27.0-0`
| server.serviceAccount.extraLabels | object | `{}` | | | server.serviceAccount.extraLabels | object | `{}` | |
| server.serviceAccount.name | string | `""` | | | server.serviceAccount.name | string | `""` | |
| server.serviceAccount.serviceDiscovery.enabled | bool | `true` | | | server.serviceAccount.serviceDiscovery.enabled | bool | `true` | |
| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between Vault and the extraContainers This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation | | server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation |
| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/vault/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | | server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/openbao/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | |
| server.standalone.enabled | string | `"-"` | | | server.standalone.enabled | string | `"-"` | |
| server.statefulSet.annotations | object | `{}` | | | server.statefulSet.annotations | object | `{}` | |
| server.statefulSet.securityContext.container | object | `{}` | | | server.statefulSet.securityContext.container | object | `{}` | |
@ -280,7 +280,7 @@ Kubernetes: `>= 1.27.0-0`
| serverTelemetry.serviceMonitor.interval | string | `"30s"` | | | serverTelemetry.serviceMonitor.interval | string | `"30s"` | |
| serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` | | | serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` | |
| serverTelemetry.serviceMonitor.selectors | object | `{}` | | | serverTelemetry.serviceMonitor.selectors | object | `{}` | |
| ui.activeVaultPodOnly | bool | `false` | | | ui.activeOpenbaoPodOnly | bool | `false` | |
| ui.annotations | object | `{}` | | | ui.annotations | object | `{}` | |
| ui.enabled | bool | `false` | | | ui.enabled | bool | `false` | |
| ui.externalPort | int | `8200` | | | ui.externalPort | int | `8200` | |
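Review bot: `ui.activeVaultPodOnly` is renamed to `ui.activeOpenbaoPodOnly`, so an existing values file that sets the old key stops having any effect and the setting falls back to the default `false`, with no error unless the values schema rejects unknown keys. Other keys touched by this commit, such as `global.externalVaultAddr`, keep their names; suggest either keeping this key as well or honouring the old one as a deprecated alias, the way `injector.externalVaultAddr` is documented.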

@ -2,7 +2,7 @@
Thank you for installing OpenBao! Thank you for installing OpenBao!
Now that you have deployed OpenBao, you should look over the docs on using Now that you have deployed OpenBao, you should look over the docs on using
Vault with Kubernetes available here: OpenBao with Kubernetes available here:
https://openbao.org/docs/ https://openbao.org/docs/

@ -9,7 +9,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to
this (by the DNS naming spec). If release name contains chart name it will this (by the DNS naming spec). If release name contains chart name it will
be used as a full name. be used as a full name.
*/}} */}}
{{- define "vault.fullname" -}} {{- define "openbao.fullname" -}}
{{- if .Values.fullnameOverride -}} {{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}} {{- else -}}
@ -25,28 +25,28 @@ be used as a full name.
{{/* {{/*
Create chart name and version as used by the chart label. Create chart name and version as used by the chart label.
*/}} */}}
{{- define "vault.chart" -}} {{- define "openbao.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/* {{/*
Expand the name of the chart. Expand the name of the chart.
*/}} */}}
{{- define "vault.name" -}} {{- define "openbao.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/* {{/*
Allow the release namespace to be overridden Allow the release namespace to be overridden
*/}} */}}
{{- define "vault.namespace" -}} {{- define "openbao.namespace" -}}
{{- default .Release.Namespace .Values.global.namespace -}} {{- default .Release.Namespace .Values.global.namespace -}}
{{- end -}} {{- end -}}
{{/* {{/*
Compute if the csi driver is enabled. Compute if the csi driver is enabled.
*/}} */}}
{{- define "vault.csiEnabled" -}} {{- define "openbao.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or {{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true") (eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
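Review bot: renaming the named templates here (`vault.chart`, `vault.name`, `vault.namespace`, `vault.csiEnabled`) to `openbao.*` breaks any values override that still embeds the old names, for example a user-supplied `injector.affinity` or `injector.webhook.objectSelector` string copied from the previous default that contains `{{ template "vault.name" . }}`; rendering fails because that template is no longer defined. Suggest keeping thin `vault.*` aliases that call the new templates for one release, or flagging the rename in the upgrade notes.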
@ -55,7 +55,7 @@ Compute if the csi driver is enabled.
{{/* {{/*
Compute if the injector is enabled. Compute if the injector is enabled.
*/}} */}}
{{- define "vault.injectorEnabled" -}} {{- define "openbao.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or {{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true") (eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -64,7 +64,7 @@ Compute if the injector is enabled.
{{/* {{/*
Compute if the server is enabled. Compute if the server is enabled.
*/}} */}}
{{- define "vault.serverEnabled" -}} {{- define "openbao.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or {{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true") (eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -73,7 +73,7 @@ Compute if the server is enabled.
{{/* {{/*
Compute if the server serviceaccount is enabled. Compute if the server serviceaccount is enabled.
*/}} */}}
{{- define "vault.serverServiceAccountEnabled" -}} {{- define "openbao.serverServiceAccountEnabled" -}}
{{- $_ := set . "serverServiceAccountEnabled" {{- $_ := set . "serverServiceAccountEnabled"
(and (and
(eq (.Values.server.serviceAccount.create | toString) "true" ) (eq (.Values.server.serviceAccount.create | toString) "true" )
@ -85,7 +85,7 @@ Compute if the server serviceaccount is enabled.
{{/* {{/*
Compute if the server serviceaccount should have a token created and mounted to the serviceaccount. Compute if the server serviceaccount should have a token created and mounted to the serviceaccount.
*/}} */}}
{{- define "vault.serverServiceAccountSecretCreationEnabled" -}} {{- define "openbao.serverServiceAccountSecretCreationEnabled" -}}
{{- $_ := set . "serverServiceAccountSecretCreationEnabled" {{- $_ := set . "serverServiceAccountSecretCreationEnabled"
(and (and
(eq (.Values.server.serviceAccount.create | toString) "true") (eq (.Values.server.serviceAccount.create | toString) "true")
@ -96,7 +96,7 @@ Compute if the server serviceaccount should have a token created and mounted to
{{/* {{/*
Compute if the server auth delegator serviceaccount is enabled. Compute if the server auth delegator serviceaccount is enabled.
*/}} */}}
{{- define "vault.serverAuthDelegator" -}} {{- define "openbao.serverAuthDelegator" -}}
{{- $_ := set . "serverAuthDelegator" {{- $_ := set . "serverAuthDelegator"
(and (and
(eq (.Values.server.authDelegator.enabled | toString) "true" ) (eq (.Values.server.authDelegator.enabled | toString) "true" )
@ -110,15 +110,15 @@ Compute if the server auth delegator serviceaccount is enabled.
{{/* {{/*
Compute if the server service is enabled. Compute if the server service is enabled.
*/}} */}}
{{- define "vault.serverServiceEnabled" -}} {{- define "openbao.serverServiceEnabled" -}}
{{- template "vault.serverEnabled" . -}} {{- template "openbao.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} {{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}} {{- end -}}
{{/* {{/*
Compute if the ui is enabled. Compute if the ui is enabled.
*/}} */}}
{{- define "vault.uiEnabled" -}} {{- define "openbao.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or {{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true") (eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -129,7 +129,7 @@ Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster. This defaults to (n/2)-1 where n is the number of members of the server cluster.
Add a special case for replicas=1, where it should default to 0 as well. Add a special case for replicas=1, where it should default to 0 as well.
*/}} */}}
{{- define "vault.pdb.maxUnavailable" -}} {{- define "openbao.pdb.maxUnavailable" -}}
{{- if eq (int .Values.server.ha.replicas) 1 -}} {{- if eq (int .Values.server.ha.replicas) 1 -}}
{{ 0 }} {{ 0 }}
{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}} {{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}}
@ -143,8 +143,8 @@ Add a special case for replicas=1, where it should default to 0 as well.
Set the variable 'mode' to the server mode requested by the user to simplify Set the variable 'mode' to the server mode requested by the user to simplify
template logic. template logic.
*/}} */}}
{{- define "vault.mode" -}} {{- define "openbao.mode" -}}
{{- template "vault.serverEnabled" . -}} {{- template "openbao.serverEnabled" . -}}
{{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}
{{- $_ := set . "mode" "external" -}} {{- $_ := set . "mode" "external" -}}
{{- else if not .serverEnabled -}} {{- else if not .serverEnabled -}}
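Review bot: The mode check still reads `.Values.injector.externalVaultAddr` and `.Values.global.externalVaultAddr`, while every helper around it is renamed to `openbao.*`. If the value keys are kept deliberately so existing values files continue to work, say so in the values documentation. If they are meant to be renamed, accept the old key as a fallback for a release or more, because a values file that sets only the old key would otherwise fall through to a non-external mode without any error.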
@ -163,7 +163,7 @@ template logic.
{{/* {{/*
Set's the replica count based on the different modes configured by user Set's the replica count based on the different modes configured by user
*/}} */}}
{{- define "vault.replicas" -}} {{- define "openbao.replicas" -}}
{{ if eq .mode "standalone" }} {{ if eq .mode "standalone" }}
{{- default 1 -}} {{- default 1 -}}
{{ else if eq .mode "ha" }} {{ else if eq .mode "ha" }}
@ -182,11 +182,11 @@ Set's up configmap mounts if this isn't a dev deployment and the user
defined a custom configuration. Additionally iterates over any defined a custom configuration. Additionally iterates over any
extra volumes the user may have specified (such as a secret with TLS). extra volumes the user may have specified (such as a secret with TLS).
*/}} */}}
{{- define "vault.volumes" -}} {{- define "openbao.volumes" -}}
{{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config - name: config
configMap: configMap:
name: {{ template "vault.fullname" . }}-config name: {{ template "openbao.fullname" . }}-config
{{ end }} {{ end }}
{{- range .Values.server.extraVolumes }} {{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }} - name: userconfig-{{ .name }}
@ -204,11 +204,11 @@ extra volumes the user may have specified (such as a secret with TLS).
{{- end -}} {{- end -}}
{{/* {{/*
Set's the args for custom command to render the Vault configuration Set's the args for custom command to render the OpenBao configuration
file with IP addresses to make the out of box experience easier file with IP addresses to make the out of box experience easier
for users looking to use this chart with Consul Helm. for users looking to use this chart with Consul Helm.
*/}} */}}
{{- define "vault.args" -}} {{- define "openbao.args" -}}
{{ if or (eq .mode "standalone") (eq .mode "ha") }} {{ if or (eq .mode "standalone") (eq .mode "ha") }}
- | - |
cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
@ -221,14 +221,14 @@ for users looking to use this chart with Consul Helm.
/usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} /usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
{{ else if eq .mode "dev" }} {{ else if eq .mode "dev" }}
- | - |
/usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }} /usr/local/bin/docker-entrypoint.sh bao server -dev {{ .Values.server.extraArgs }}
{{ end }} {{ end }}
{{- end -}} {{- end -}}
{{/* {{/*
Set's additional environment variables based on the mode. Set's additional environment variables based on the mode.
*/}} */}}
{{- define "vault.envs" -}} {{- define "openbao.envs" -}}
{{ if eq .mode "dev" }} {{ if eq .mode "dev" }}
- name: VAULT_DEV_ROOT_TOKEN_ID - name: VAULT_DEV_ROOT_TOKEN_ID
value: {{ .Values.server.dev.devRootToken }} value: {{ .Values.server.dev.devRootToken }}
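Review bot: The dev branch now launches `bao server -dev`, but the env block directly below still exports `VAULT_DEV_ROOT_TOKEN_ID`. Please confirm that the `bao` binary and the image's `docker-entrypoint.sh` still honour the `VAULT_`-prefixed name. If they do not, `server.dev.devRootToken` is ignored and the dev server will not come up with the token the user configured. Either rename the variable in this hunk or add a comment stating that the old name is kept on purpose. Separately, `value: {{ .Values.server.dev.devRootToken }}` is unquoted, so a numeric-looking token renders as a YAML number and the env entry fails validation; piping it through `quote` avoids that.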
@ -241,7 +241,7 @@ Set's additional environment variables based on the mode.
Set's which additional volumes should be mounted to the container Set's which additional volumes should be mounted to the container
based on the mode configured. based on the mode configured.
*/}} */}}
{{- define "vault.mounts" -}} {{- define "openbao.mounts" -}}
{{ if eq (.Values.server.auditStorage.enabled | toString) "true" }} {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- name: audit - name: audit
mountPath: {{ .Values.server.auditStorage.mountPath }} mountPath: {{ .Values.server.auditStorage.mountPath }}
@ -254,12 +254,12 @@ based on the mode configured.
{{ end }} {{ end }}
{{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} {{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config - name: config
mountPath: /vault/config mountPath: /openbao/config
{{ end }} {{ end }}
{{- range .Values.server.extraVolumes }} {{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }} - name: userconfig-{{ .name }}
readOnly: true readOnly: true
mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} mountPath: {{ .path | default "/openbao/userconfig" }}/{{ .name }}
{{- end }} {{- end }}
{{- if .Values.server.volumeMounts }} {{- if .Values.server.volumeMounts }}
{{- toYaml .Values.server.volumeMounts | nindent 12}} {{- toYaml .Values.server.volumeMounts | nindent 12}}
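Review bot: Changing the config mount to `/openbao/config` and the default in `{{ .path | default "/openbao/userconfig" }}` is a breaking change for existing values files. Any `server.standalone.config` or `server.ha.config` that references files under `/vault/userconfig/<name>` (for example TLS material mounted through `server.extraVolumes`) will point at a path that no longer exists after the upgrade, and the server will fail to load its listener certificates. Call this out in the upgrade notes, and consider keeping the old default for entries that do not set `.path` until users have had a release to migrate.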
@ -271,14 +271,14 @@ Set's up the volumeClaimTemplates when data or audit storage is required. HA
might not use data storage since Consul is likely it's backend, however, audit might not use data storage since Consul is likely it's backend, however, audit
storage might be desired by the user. storage might be desired by the user.
*/}} */}}
{{- define "vault.volumeclaims" -}} {{- define "openbao.volumeclaims" -}}
{{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
volumeClaimTemplates: volumeClaimTemplates:
{{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
- metadata: - metadata:
name: data name: data
{{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} {{- include "openbao.dataVolumeClaim.annotations" . | nindent 6 }}
{{- include "vault.dataVolumeClaim.labels" . | nindent 6 }} {{- include "openbao.dataVolumeClaim.labels" . | nindent 6 }}
spec: spec:
accessModes: accessModes:
- {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
@ -292,8 +292,8 @@ storage might be desired by the user.
{{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- metadata: - metadata:
name: audit name: audit
{{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} {{- include "openbao.auditVolumeClaim.annotations" . | nindent 6 }}
{{- include "vault.auditVolumeClaim.labels" . | nindent 6 }} {{- include "openbao.auditVolumeClaim.labels" . | nindent 6 }}
spec: spec:
accessModes: accessModes:
- {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
@ -310,7 +310,7 @@ storage might be desired by the user.
{{/* {{/*
Set's the affinity for pod placement when running in standalone and HA modes. Set's the affinity for pod placement when running in standalone and HA modes.
*/}} */}}
{{- define "vault.affinity" -}} {{- define "openbao.affinity" -}}
{{- if and (ne .mode "dev") .Values.server.affinity }} {{- if and (ne .mode "dev") .Values.server.affinity }}
affinity: affinity:
{{ $tp := typeOf .Values.server.affinity }} {{ $tp := typeOf .Values.server.affinity }}
@ -340,7 +340,7 @@ Sets the injector affinity for pod placement
{{/* {{/*
Sets the topologySpreadConstraints when running in standalone and HA modes. Sets the topologySpreadConstraints when running in standalone and HA modes.
*/}} */}}
{{- define "vault.topologySpreadConstraints" -}} {{- define "openbao.topologySpreadConstraints" -}}
{{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
topologySpreadConstraints: topologySpreadConstraints:
{{ $tp := typeOf .Values.server.topologySpreadConstraints }} {{ $tp := typeOf .Values.server.topologySpreadConstraints }}
@ -371,7 +371,7 @@ Sets the injector topologySpreadConstraints for pod placement
{{/* {{/*
Sets the toleration for pod placement when running in standalone and HA modes. Sets the toleration for pod placement when running in standalone and HA modes.
*/}} */}}
{{- define "vault.tolerations" -}} {{- define "openbao.tolerations" -}}
{{- if and (ne .mode "dev") .Values.server.tolerations }} {{- if and (ne .mode "dev") .Values.server.tolerations }}
tolerations: tolerations:
{{- $tp := typeOf .Values.server.tolerations }} {{- $tp := typeOf .Values.server.tolerations }}
@ -401,7 +401,7 @@ Sets the injector toleration for pod placement
{{/* {{/*
Set's the node selector for pod placement when running in standalone and HA modes. Set's the node selector for pod placement when running in standalone and HA modes.
*/}} */}}
{{- define "vault.nodeselector" -}} {{- define "openbao.nodeselector" -}}
{{- if and (ne .mode "dev") .Values.server.nodeSelector }} {{- if and (ne .mode "dev") .Values.server.nodeSelector }}
nodeSelector: nodeSelector:
{{- $tp := typeOf .Values.server.nodeSelector }} {{- $tp := typeOf .Values.server.nodeSelector }}
@ -446,10 +446,10 @@ Sets the injector deployment update strategy
{{/* {{/*
Sets extra pod annotations Sets extra pod annotations
*/}} */}}
{{- define "vault.annotations" }} {{- define "openbao.annotations" }}
annotations: annotations:
{{- if .Values.server.includeConfigAnnotation }} {{- if .Values.server.includeConfigAnnotation }}
vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} openbao.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
{{- end }} {{- end }}
{{- if .Values.server.annotations }} {{- if .Values.server.annotations }}
{{- $tp := typeOf .Values.server.annotations }} {{- $tp := typeOf .Values.server.annotations }}
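Review bot: `openbao.hashicorp.com/config-checksum` looks like a search-and-replace artifact. Only the `vault.` label was swapped, so the key still sits under `hashicorp.com` and matches neither the old chart's key nor a prefix this project owns. Choose an annotation prefix the project controls and use it consistently across the chart, then check that no unit test or document still expects the old `vault.hashicorp.com/config-checksum` key.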
@ -555,7 +555,7 @@ securityContext for the statefulset pod template.
{{- end -}} {{- end -}}
{{/* {{/*
securityContext for the statefulset vault container securityContext for the statefulset openbao container
*/}} */}}
{{- define "server.statefulSet.securityContext.container" -}} {{- define "server.statefulSet.securityContext.container" -}}
{{- if .Values.server.statefulSet.securityContext.container }} {{- if .Values.server.statefulSet.securityContext.container }}
@ -622,7 +622,7 @@ Set's the injector webhook objectSelector
{{/* {{/*
Sets extra ui service annotations Sets extra ui service annotations
*/}} */}}
{{- define "vault.ui.annotations" -}} {{- define "openbao.ui.annotations" -}}
{{- if .Values.ui.annotations }} {{- if .Values.ui.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.ui.annotations }} {{- $tp := typeOf .Values.ui.annotations }}
@ -637,9 +637,9 @@ Sets extra ui service annotations
{{/* {{/*
Create the name of the service account to use Create the name of the service account to use
*/}} */}}
{{- define "vault.serviceAccount.name" -}} {{- define "openbao.serviceAccount.name" -}}
{{- if .Values.server.serviceAccount.create -}} {{- if .Values.server.serviceAccount.create -}}
{{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }} {{ default (include "openbao.fullname" .) .Values.server.serviceAccount.name }}
{{- else -}} {{- else -}}
{{ default "default" .Values.server.serviceAccount.name }} {{ default "default" .Values.server.serviceAccount.name }}
{{- end -}} {{- end -}}
@ -648,7 +648,7 @@ Create the name of the service account to use
{{/* {{/*
Sets extra service account annotations Sets extra service account annotations
*/}} */}}
{{- define "vault.serviceAccount.annotations" -}} {{- define "openbao.serviceAccount.annotations" -}}
{{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.server.serviceAccount.annotations }} {{- $tp := typeOf .Values.server.serviceAccount.annotations }}
@ -663,7 +663,7 @@ Sets extra service account annotations
{{/* {{/*
Sets extra ingress annotations Sets extra ingress annotations
*/}} */}}
{{- define "vault.ingress.annotations" -}} {{- define "openbao.ingress.annotations" -}}
{{- if .Values.server.ingress.annotations }} {{- if .Values.server.ingress.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.server.ingress.annotations }} {{- $tp := typeOf .Values.server.ingress.annotations }}
@ -678,7 +678,7 @@ Sets extra ingress annotations
{{/* {{/*
Sets extra route annotations Sets extra route annotations
*/}} */}}
{{- define "vault.route.annotations" -}} {{- define "openbao.route.annotations" -}}
{{- if .Values.server.route.annotations }} {{- if .Values.server.route.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.server.route.annotations }} {{- $tp := typeOf .Values.server.route.annotations }}
@ -691,9 +691,9 @@ Sets extra route annotations
{{- end -}} {{- end -}}
{{/* {{/*
Sets extra vault server Service annotations Sets extra openbao server Service annotations
*/}} */}}
{{- define "vault.service.annotations" -}} {{- define "openbao.service.annotations" -}}
{{- if .Values.server.service.annotations }} {{- if .Values.server.service.annotations }}
{{- $tp := typeOf .Values.server.service.annotations }} {{- $tp := typeOf .Values.server.service.annotations }}
{{- if eq $tp "string" }} {{- if eq $tp "string" }}
@ -705,9 +705,9 @@ Sets extra vault server Service annotations
{{- end -}} {{- end -}}
{{/* {{/*
Sets extra vault server Service (active) annotations Sets extra openbao server Service (active) annotations
*/}} */}}
{{- define "vault.service.active.annotations" -}} {{- define "openbao.service.active.annotations" -}}
{{- if .Values.server.service.active.annotations }} {{- if .Values.server.service.active.annotations }}
{{- $tp := typeOf .Values.server.service.active.annotations }} {{- $tp := typeOf .Values.server.service.active.annotations }}
{{- if eq $tp "string" }} {{- if eq $tp "string" }}
@ -718,9 +718,9 @@ Sets extra vault server Service (active) annotations
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/* {{/*
Sets extra vault server Service annotations Sets extra openbao server Service annotations
*/}} */}}
{{- define "vault.service.standby.annotations" -}} {{- define "openbao.service.standby.annotations" -}}
{{- if .Values.server.service.standby.annotations }} {{- if .Values.server.service.standby.annotations }}
{{- $tp := typeOf .Values.server.service.standby.annotations }} {{- $tp := typeOf .Values.server.service.standby.annotations }}
{{- if eq $tp "string" }} {{- if eq $tp "string" }}
@ -734,7 +734,7 @@ Sets extra vault server Service annotations
{{/* {{/*
Sets PodSecurityPolicy annotations Sets PodSecurityPolicy annotations
*/}} */}}
{{- define "vault.psp.annotations" -}} {{- define "openbao.psp.annotations" -}}
{{- if .Values.global.psp.annotations }} {{- if .Values.global.psp.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.global.psp.annotations }} {{- $tp := typeOf .Values.global.psp.annotations }}
@ -749,7 +749,7 @@ Sets PodSecurityPolicy annotations
{{/* {{/*
Sets extra statefulset annotations Sets extra statefulset annotations
*/}} */}}
{{- define "vault.statefulSet.annotations" -}} {{- define "openbao.statefulSet.annotations" -}}
{{- if .Values.server.statefulSet.annotations }} {{- if .Values.server.statefulSet.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.server.statefulSet.annotations }} {{- $tp := typeOf .Values.server.statefulSet.annotations }}
@ -764,7 +764,7 @@ Sets extra statefulset annotations
{{/* {{/*
Sets VolumeClaim annotations for data volume Sets VolumeClaim annotations for data volume
*/}} */}}
{{- define "vault.dataVolumeClaim.annotations" -}} {{- define "openbao.dataVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }} {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }}
annotations: annotations:
{{- $tp := typeOf .Values.server.dataStorage.annotations }} {{- $tp := typeOf .Values.server.dataStorage.annotations }}
@ -779,7 +779,7 @@ Sets VolumeClaim annotations for data volume
{{/* {{/*
Sets VolumeClaim labels for data volume Sets VolumeClaim labels for data volume
*/}} */}}
{{- define "vault.dataVolumeClaim.labels" -}} {{- define "openbao.dataVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }} {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }}
labels: labels:
{{- $tp := typeOf .Values.server.dataStorage.labels }} {{- $tp := typeOf .Values.server.dataStorage.labels }}
@ -794,7 +794,7 @@ Sets VolumeClaim labels for data volume
{{/* {{/*
Sets VolumeClaim annotations for audit volume Sets VolumeClaim annotations for audit volume
*/}} */}}
{{- define "vault.auditVolumeClaim.annotations" -}} {{- define "openbao.auditVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }} {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }}
annotations: annotations:
{{- $tp := typeOf .Values.server.auditStorage.annotations }} {{- $tp := typeOf .Values.server.auditStorage.annotations }}
@ -809,7 +809,7 @@ Sets VolumeClaim annotations for audit volume
{{/* {{/*
Sets VolumeClaim labels for audit volume Sets VolumeClaim labels for audit volume
*/}} */}}
{{- define "vault.auditVolumeClaim.labels" -}} {{- define "openbao.auditVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }} {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }}
labels: labels:
{{- $tp := typeOf .Values.server.auditStorage.labels }} {{- $tp := typeOf .Values.server.auditStorage.labels }}
@ -824,7 +824,7 @@ Sets VolumeClaim labels for audit volume
{{/* {{/*
Set's the container resources if the user has set any. Set's the container resources if the user has set any.
*/}} */}}
{{- define "vault.resources" -}} {{- define "openbao.resources" -}}
{{- if .Values.server.resources -}} {{- if .Values.server.resources -}}
resources: resources:
{{ toYaml .Values.server.resources | indent 12}} {{ toYaml .Values.server.resources | indent 12}}
@ -983,7 +983,7 @@ Sets extra CSI service account annotations
{{/* {{/*
Inject extra environment vars in the format key:value, if populated Inject extra environment vars in the format key:value, if populated
*/}} */}}
{{- define "vault.extraEnvironmentVars" -}} {{- define "openbao.extraEnvironmentVars" -}}
{{- if .extraEnvironmentVars -}} {{- if .extraEnvironmentVars -}}
{{- range $key, $value := .extraEnvironmentVars }} {{- range $key, $value := .extraEnvironmentVars }}
- name: {{ printf "%s" $key | replace "." "_" | upper | quote }} - name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
@ -995,7 +995,7 @@ Inject extra environment vars in the format key:value, if populated
{{/* {{/*
Inject extra environment populated by secrets, if populated Inject extra environment populated by secrets, if populated
*/}} */}}
{{- define "vault.extraSecretEnvironmentVars" -}} {{- define "openbao.extraSecretEnvironmentVars" -}}
{{- if .extraSecretEnvironmentVars -}} {{- if .extraSecretEnvironmentVars -}}
{{- range .extraSecretEnvironmentVars }} {{- range .extraSecretEnvironmentVars }}
- name: {{ .envName }} - name: {{ .envName }}
@ -1008,7 +1008,7 @@ Inject extra environment populated by secrets, if populated
{{- end -}} {{- end -}}
{{/* Scheme for health check and local endpoint */}} {{/* Scheme for health check and local endpoint */}}
{{- define "vault.scheme" -}} {{- define "openbao.scheme" -}}
{{- if .Values.global.tlsDisable -}} {{- if .Values.global.tlsDisable -}}
{{ "http" }} {{ "http" }}
{{- else -}} {{- else -}}
@ -1071,7 +1071,7 @@ Supported inputs are Values.ui
{{/* {{/*
config file from values config file from values
*/}} */}}
{{- define "vault.config" -}} {{- define "openbao.config" -}}
{{- if or (eq .mode "ha") (eq .mode "standalone") }} {{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }} {{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }} {{- if eq $type "string" }}

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.csiEnabled" . -}} {{- template "openbao.csiEnabled" . -}}
{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} {{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
data: data:
@ -21,7 +21,7 @@ data:
{{- if .Values.global.externalVaultAddr }} {{- if .Values.global.externalVaultAddr }}
"address" = "{{ .Values.global.externalVaultAddr }}" "address" = "{{ .Values.global.externalVaultAddr }}"
{{- else }} {{- else }}
"address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}" "address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}"
{{- end }} {{- end }}
} }

View file

@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.csiEnabled" . -}} {{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}} {{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:

View file

@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.csiEnabled" . -}} {{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}} {{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
{{- end }} {{- end }}

View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.csiEnabled" . -}} {{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}} {{- if .csiEnabled -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
name: {{ template "vault.fullname" . }}-csi-provider name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}} {{- if .Values.csi.daemonSet.extraLabels -}}
@ -27,12 +27,12 @@ spec:
{{- end }} {{- end }}
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
template: template:
metadata: metadata:
labels: labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}} {{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
@ -43,12 +43,12 @@ spec:
{{- if .Values.csi.priorityClassName }} {{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }} priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }} {{- end }}
serviceAccountName: {{ template "vault.fullname" . }}-csi-provider serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }} {{- template "csi.pod.tolerations" . }}
{{- template "csi.pod.nodeselector" . }} {{- template "csi.pod.nodeselector" . }}
{{- template "csi.pod.affinity" . }} {{- template "csi.pod.affinity" . }}
containers: containers:
- name: {{ include "vault.name" . }}-csi-provider - name: {{ include "openbao.name" . }}-csi-provider
{{ template "csi.resources" . }} {{ template "csi.resources" . }}
{{ template "csi.daemonSet.securityContext.container" . }} {{ template "csi.daemonSet.securityContext.container" . }}
image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
@ -59,7 +59,7 @@ spec:
{{- if .Values.csi.hmacSecretName }} {{- if .Values.csi.hmacSecretName }}
- --hmac-secret-name={{ .Values.csi.hmacSecretName }} - --hmac-secret-name={{ .Values.csi.hmacSecretName }}
{{- else }} {{- else }}
- --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key - --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key
{{- end }} {{- end }}
{{- if .Values.csi.extraArgs }} {{- if .Values.csi.extraArgs }}
{{- toYaml .Values.csi.extraArgs | nindent 12 }} {{- toYaml .Values.csi.extraArgs | nindent 12 }}
@ -71,7 +71,7 @@ spec:
{{- else if .Values.global.externalVaultAddr }} {{- else if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}" value: "{{ .Values.global.externalVaultAddr }}"
{{- else }} {{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: providervol - name: providervol
@ -102,12 +102,12 @@ spec:
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
{{- if eq (.Values.csi.agent.enabled | toString) "true" }} {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: {{ include "vault.name" . }}-agent - name: {{ include "openbao.name" . }}-agent
image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
{{ template "csi.agent.resources" . }} {{ template "csi.agent.resources" . }}
command: command:
- vault - bao
args: args:
- agent - agent
- -config=/etc/vault/config.hcl - -config=/etc/vault/config.hcl
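Review bot: `command` is now `bao`, but the container image still comes from `.Values.csi.agent.image.repository` and `.tag`, which this hunk does not touch. If the values default still points at an image that ships only a `vault` binary, the agent sidecar fails to start, so the image default needs to change in the same commit or be verified here. The argument `-config=/etc/vault/config.hcl` keeps the old path. That works as long as the agent-config volume mount is unchanged, but it deserves either a rename or a comment explaining why it is left as is.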
@ -145,7 +145,7 @@ spec:
{{- if eq (.Values.csi.agent.enabled | toString) "true" }} {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-config - name: agent-config
configMap: configMap:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
- name: agent-unix-socket - name: agent-unix-socket
emptyDir: emptyDir:
medium: Memory medium: Memory

View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.csiEnabled" . -}} {{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}} {{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ template "vault.fullname" . }}-csi-provider-role name: {{ template "openbao.fullname" . }}-csi-provider-role
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:
@ -22,7 +22,7 @@ rules:
{{- if .Values.csi.hmacSecretName }} {{- if .Values.csi.hmacSecretName }}
- {{ .Values.csi.hmacSecretName }} - {{ .Values.csi.hmacSecretName }}
{{- else }} {{- else }}
- {{ include "vault.name" . }}-csi-provider-hmac-key - {{ include "openbao.name" . }}-csi-provider-hmac-key
{{- end }} {{- end }}
# 'create' permissions cannot be restricted by resource name: # 'create' permissions cannot be restricted by resource name:
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
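Review bot: the fallback entry under `resourceNames` becomes `{{ include "openbao.name" . }}-csi-provider-hmac-key`, and because this Role grants access by exact secret name, the CSI provider has to be started with the same name or its reads will be denied by RBAC. Please check that the provider workload template passes the matching name, and note in the upgrade documentation that an HMAC secret created under the old default name is no longer covered by this Role unless `csi.hmacSecretName` is set to it.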

View file

@ -3,23 +3,23 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.csiEnabled" . -}} {{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}} {{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ template "vault.fullname" . }}-csi-provider-rolebinding name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: {{ template "vault.fullname" . }}-csi-provider-role name: {{ template "openbao.fullname" . }}-csi-provider-role
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
{{- end }} {{- end }}

View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.csiEnabled" . -}} {{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}} {{- if .csiEnabled -}}
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ template "vault.fullname" . }}-csi-provider name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.serviceAccount.extraLabels -}} {{- if .Values.csi.serviceAccount.extraLabels -}}

View file

@ -3,17 +3,17 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: vault-injector-certs name: openbao-injector-certs
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }} {{- end }}
{{- end }} {{- end }}
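Review bot: `name: openbao-injector-certs` is a string literal rather than a value derived from `openbao.fullname`, so every consumer has to agree on this exact name. Please confirm that the injector image looks up the secret under the new name and that the leader-elector Role, if it restricts access with `resourceNames`, lists `openbao-injector-certs` as well; otherwise the replicas cannot share the webhook certificate. A short comment above the literal saying why it is not templated would help the next rename.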

View file

@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:

View file

@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-binding name: {{ template "openbao.fullname" . }}-agent-injector-binding
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
{{ end }} {{ end }}

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
# Deployment for the injector # Deployment for the injector
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook component: webhook
@ -20,14 +20,14 @@ spec:
replicas: {{ .Values.injector.replicas }} replicas: {{ .Values.injector.replicas }}
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
{{ template "injector.strategy" . }} {{ template "injector.strategy" . }}
template: template:
metadata: metadata:
labels: labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
{{- if .Values.injector.extraLabels -}} {{- if .Values.injector.extraLabels -}}
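Review bot: `spec.selector.matchLabels` now takes `app.kubernetes.io/name` from `openbao.name`, and a Deployment's selector is immutable, so if that helper renders a different string than `vault.name` did for an already installed release, `helm upgrade` will be rejected by the API server. Please state in the changelog whether in-place upgrades from a release installed with the old names are supported, or document that the injector Deployment has to be deleted and recreated.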
@ -42,7 +42,7 @@ spec:
{{- if .Values.injector.priorityClassName }} {{- if .Values.injector.priorityClassName }}
priorityClassName: {{ .Values.injector.priorityClassName }} priorityClassName: {{ .Values.injector.priorityClassName }}
{{- end }} {{- end }}
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" serviceAccountName: "{{ template "openbao.fullname" . }}-agent-injector"
{{ template "injector.securityContext.pod" . -}} {{ template "injector.securityContext.pod" . -}}
{{- if not .Values.global.openshift }} {{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.injector.hostNetwork }} hostNetwork: {{ .Values.injector.hostNetwork }}
@ -64,7 +64,7 @@ spec:
{{- else if .Values.injector.externalVaultAddr }} {{- else if .Values.injector.externalVaultAddr }}
value: "{{ .Values.injector.externalVaultAddr }}" value: "{{ .Values.injector.externalVaultAddr }}"
{{- else }} {{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }} {{- end }}
- name: AGENT_INJECT_VAULT_AUTH_PATH - name: AGENT_INJECT_VAULT_AUTH_PATH
value: {{ .Values.injector.authPath }} value: {{ .Values.injector.authPath }}
@ -77,9 +77,9 @@ spec:
value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
{{- else }} {{- else }}
- name: AGENT_INJECT_TLS_AUTO - name: AGENT_INJECT_TLS_AUTO
value: {{ template "vault.fullname" . }}-agent-injector-cfg value: {{ template "openbao.fullname" . }}-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS - name: AGENT_INJECT_TLS_AUTO_HOSTS
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc value: {{ template "openbao.fullname" . }}-agent-injector-svc,{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }},{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }}.svc
{{- end }} {{- end }}
- name: AGENT_INJECT_LOG_FORMAT - name: AGENT_INJECT_LOG_FORMAT
value: {{ .Values.injector.logFormat | default "standard" }} value: {{ .Values.injector.logFormat | default "standard" }}
@ -125,7 +125,7 @@ spec:
- name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
{{- end }} {{- end }}
{{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} {{- include "openbao.extraEnvironmentVars" .Values.injector | nindent 12 }}
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:

View file

@ -7,18 +7,18 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: policy/v1 apiVersion: policy/v1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook component: webhook
spec: spec:
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
{{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}

View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1 apiVersion: admissionregistration.k8s.io/v1
@ -12,9 +12,9 @@ apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }} {{- end }}
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-cfg name: {{ template "openbao.fullname" . }}-agent-injector-cfg
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "injector.webhookAnnotations" . }} {{- template "injector.webhookAnnotations" . }}
@ -27,8 +27,8 @@ webhooks:
admissionReviewVersions: ["v1", "v1beta1"] admissionReviewVersions: ["v1", "v1beta1"]
clientConfig: clientConfig:
service: service:
name: {{ template "vault.fullname" . }}-agent-injector-svc name: {{ template "openbao.fullname" . }}-agent-injector-svc
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
path: "/mutate" path: "/mutate"
caBundle: {{ .Values.injector.certs.caBundle | quote }} caBundle: {{ .Values.injector.certs.caBundle | quote }}
rules: rules:

View file

@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }} {{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector name: {{ template "openbao.fullname" . }}-agent-injector
labels: labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
spec: spec:
podSelector: podSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
ingress: ingress:

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }} {{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp name: {{ template "openbao.fullname" . }}-agent-injector-psp
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:
@ -20,6 +20,6 @@ rules:
resources: ['podsecuritypolicies'] resources: ['podsecuritypolicies']
verbs: ['use'] verbs: ['use']
resourceNames: resourceNames:
- {{ template "vault.fullname" . }}-agent-injector - {{ template "openbao.fullname" . }}-agent-injector
{{- end }} {{- end }}
{{- end }} {{- end }}

View file

@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }} {{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp name: {{ template "openbao.fullname" . }}-agent-injector-psp
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
kind: Role kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-psp name: {{ template "openbao.fullname" . }}-agent-injector-psp
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector name: {{ template "openbao.fullname" . }}-agent-injector
{{- end }} {{- end }}
{{- end }} {{- end }}

View file

@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }} {{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector name: {{ template "openbao.fullname" . }}-agent-injector
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }} {{- template "openbao.psp.annotations" . }}
spec: spec:
privileged: false privileged: false
# Required to prevent escalations to root. # Required to prevent escalations to root.

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:

View file

@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
{{- end }} {{- end }}
{{- end }} {{- end }}

View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-svc name: {{ template "openbao.fullname" . }}-agent-injector-svc
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.service.annotations" . }} {{ template "injector.service.annotations" . }}
@ -21,7 +21,7 @@ spec:
port: 443 port: 443
targetPort: {{ .Values.injector.port }} targetPort: {{ .Values.injector.port }}
selector: selector:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
{{- end }} {{- end }}

View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- template "vault.injectorEnabled" . -}} {{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.serviceAccount.annotations" . }} {{ template "injector.serviceAccount.annotations" . }}

View file

@ -10,10 +10,10 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule kind: PrometheusRule
metadata: metadata:
name: {{ template "vault.fullname" . }} name: {{ template "openbao.fullname" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
@ -25,7 +25,7 @@ metadata:
{{- end }} {{- end }}
spec: spec:
groups: groups:
- name: {{ include "vault.fullname" . }} - name: {{ include "openbao.fullname" . }}
rules: rules:
{{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }} {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
{{- end }} {{- end }}

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} {{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
--- ---
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:
name: {{ template "vault.fullname" . }} name: {{ template "openbao.fullname" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
@ -25,18 +25,18 @@ metadata:
spec: spec:
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- if eq .mode "ha" }} {{- if eq .mode "ha" }}
vault-active: "true" openbao-active: "true"
{{- else }} {{- else }}
vault-internal: "true" openbao-internal: "true"
{{- end }} {{- end }}
endpoints: endpoints:
- port: {{ include "vault.scheme" . }} - port: {{ include "openbao.scheme" . }}
interval: {{ .Values.serverTelemetry.serviceMonitor.interval }} interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }} scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
scheme: {{ include "vault.scheme" . | lower }} scheme: {{ include "openbao.scheme" . | lower }}
path: /v1/sys/metrics path: /v1/sys/metrics
params: params:
format: format:
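Review bot: the selector labels change from `vault-active: "true"` and `vault-internal: "true"` to `openbao-active` and `openbao-internal`, and a ServiceMonitor that matches no Service fails silently: scraping just stops, with no error on install. Please verify that the Service templates set the renamed labels in this same commit, and add a unit test that renders both the ServiceMonitor and the Services and asserts the label keys match for `ha` and non-`ha` mode.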
@ -45,5 +45,5 @@ spec:
insecureSkipVerify: true insecureSkipVerify: true
namespaceSelector: namespaceSelector:
matchNames: matchNames:
- {{ include "vault.namespace" . }} - {{ include "openbao.namespace" . }}
{{ end }} {{ end }}
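Review bot: not introduced by the rename, but the context line `insecureSkipVerify: true` in this hunk hard-codes disabled certificate verification for the metrics scrape. Since the file is being touched anyway, consider a follow-up that exposes the ServiceMonitor TLS settings through values so operators who run the server with TLS can supply a CA and keep verification on.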

View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.serverAuthDelegator" . }} {{ template "openbao.serverAuthDelegator" . }}
{{- if .serverAuthDelegator -}} {{- if .serverAuthDelegator -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
@ -12,10 +12,10 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }} {{- end }}
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{ template "vault.fullname" . }}-server-binding name: {{ template "openbao.fullname" . }}-server-binding
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
@ -24,6 +24,6 @@ roleRef:
name: system:auth-delegator name: system:auth-delegator
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }} name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
{{ end }} {{ end }}

View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if ne .mode "dev" -}} {{- if ne .mode "dev" -}}
@ -11,20 +11,20 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: {{ template "vault.fullname" . }}-config name: {{ template "openbao.fullname" . }}-config
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.includeConfigAnnotation }} {{- if .Values.server.includeConfigAnnotation }}
annotations: annotations:
vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
{{- end }} {{- end }}
data: data:
extraconfig-from-values.hcl: |- extraconfig-from-values.hcl: |-
{{ template "vault.config" . }} {{ template "openbao.config" . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
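Review bot: The annotation key on the `config-checksum` line is still `vault.hashicorp.com/config-checksum`, although the include it hashes was renamed to `openbao.config`. If the key is kept on purpose for compatibility, say so in a template comment; otherwise rename it with the rest and check the bats unit tests for assertions on the old key.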

View file

@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if eq .mode "ha" }} {{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-discovery-role name: {{ template "openbao.fullname" . }}-discovery-role
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:

View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if eq .mode "ha" }} {{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
@ -14,21 +14,21 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }} {{- end }}
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ template "vault.fullname" . }}-discovery-rolebinding name: {{ template "openbao.fullname" . }}-discovery-rolebinding
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: {{ template "vault.fullname" . }}-discovery-role name: {{ template "openbao.fullname" . }}-discovery-role
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }} name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
{{ end }} {{ end }}
{{ end }} {{ end }}
{{ end }} {{ end }}

View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if ne .mode "external" -}} {{- if ne .mode "external" -}}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
@ -12,18 +12,18 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: policy/v1 apiVersion: policy/v1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: {{ template "vault.fullname" . }} name: {{ template "openbao.fullname" . }}
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
spec: spec:
maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }} maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }}
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: server component: server
{{- end -}} {{- end -}}

View file

@ -3,27 +3,27 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}} {{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}} {{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }} {{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.active.enabled | toString) "true" }} {{- if eq (.Values.server.service.active.enabled | toString) "true" }}
# Service for active Vault pod # Service for active OpenBao pod
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "vault.fullname" . }}-active name: {{ template "openbao.fullname" . }}-active
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-active: "true" openbao-active: "true"
annotations: annotations:
{{- template "vault.service.active.annotations" . }} {{- template "openbao.service.active.annotations" . }}
{{- template "vault.service.annotations" . }} {{- template "openbao.service.annotations" . }}
spec: spec:
{{- if .Values.server.service.type}} {{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }} type: {{ .Values.server.service.type }}
@ -42,7 +42,7 @@ spec:
{{- include "service.externalTrafficPolicy" .Values.server.service }} {{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports: ports:
- name: {{ include "vault.scheme" . }} - name: {{ include "openbao.scheme" . }}
port: {{ .Values.server.service.port }} port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }} targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -52,12 +52,12 @@ spec:
port: 8201 port: 8201
targetPort: 8201 targetPort: 8201
selector: selector:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }} {{- end }}
component: server component: server
vault-active: "true" openbao-active: "true"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
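Review bot: The `selector` now matches `openbao-active: "true"`, but the StatefulSet pod template in this commit does not set that label, so it has to be applied to the pods at runtime. Please confirm that the server image's Kubernetes service registration writes `openbao-active` and not the old `vault-active` key; if it still writes the old key, this Service and the standby Service's `openbao-active: "false"` selector will match no pods and will have no endpoints.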

View file

@ -3,26 +3,26 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}} {{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}} {{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }} {{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.standby.enabled | toString) "true" }} {{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
# Service for standby Vault pod # Service for standby OpenBao pod
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "vault.fullname" . }}-standby name: {{ template "openbao.fullname" . }}-standby
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations: annotations:
{{- template "vault.service.standby.annotations" . }} {{- template "openbao.service.standby.annotations" . }}
{{- template "vault.service.annotations" . }} {{- template "openbao.service.annotations" . }}
spec: spec:
{{- if .Values.server.service.type}} {{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }} type: {{ .Values.server.service.type }}
@ -41,7 +41,7 @@ spec:
{{- include "service.externalTrafficPolicy" .Values.server.service }} {{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports: ports:
- name: {{ include "vault.scheme" . }} - name: {{ include "openbao.scheme" . }}
port: {{ .Values.server.service.port }} port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }} targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -51,12 +51,12 @@ spec:
port: 8201 port: 8201
targetPort: 8201 targetPort: 8201
selector: selector:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }} {{- end }}
component: server component: server
vault-active: "false" openbao-active: "false"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

View file

@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}} {{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}} {{- if .serverServiceEnabled -}}
# Service for Vault cluster # Service for OpenBao cluster
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "vault.fullname" . }}-internal name: {{ template "openbao.fullname" . }}-internal
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-internal: "true" openbao-internal: "true"
annotations: annotations:
{{ template "vault.service.annotations" .}} {{ template "openbao.service.annotations" .}}
spec: spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }} {{- if .Values.server.service.ipFamilyPolicy }}
@ -33,14 +33,14 @@ spec:
clusterIP: None clusterIP: None
publishNotReadyAddresses: true publishNotReadyAddresses: true
ports: ports:
- name: "{{ include "vault.scheme" . }}" - name: "{{ include "openbao.scheme" . }}"
port: {{ .Values.server.service.port }} port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }} targetPort: {{ .Values.server.service.targetPort }}
- name: https-internal - name: https-internal
port: 8201 port: 8201
targetPort: 8201 targetPort: 8201
selector: selector:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: server component: server
{{- end }} {{- end }}

View file

@ -4,12 +4,12 @@ SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{- if not .Values.global.openshift }} {{- if not .Values.global.openshift }}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if .Values.server.ingress.enabled -}} {{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "vault.fullname" . -}} {{- $serviceName := include "openbao.fullname" . -}}
{{- template "vault.serverServiceEnabled" . -}} {{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}} {{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
@ -20,17 +20,17 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ template "vault.fullname" . }} name: {{ template "openbao.fullname" . }}
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.ingress.labels }} {{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- template "vault.ingress.annotations" . }} {{- template "openbao.ingress.annotations" . }}
spec: spec:
{{- if .Values.server.ingress.tls }} {{- if .Values.server.ingress.tls }}
tls: tls:

View file

@ -7,14 +7,14 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:
name: {{ template "vault.fullname" . }} name: {{ template "openbao.fullname" . }}
labels: labels:
app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
spec: spec:
podSelector: podSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }} ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
{{- if .Values.server.networkPolicy.egress }} {{- if .Values.server.networkPolicy.egress }}
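Review bot: `metadata` here has no `namespace`, while the other server templates in this commit set `namespace: {{ include "openbao.namespace" . }}`. If `openbao.namespace` can render something other than the release namespace, the NetworkPolicy lands in a different namespace from the pods it is meant to select and does not apply to them; suggest adding the same `namespace` line under `name`. The `podSelector` also omits `component: server`, which the Service and PodDisruptionBudget selectors include, so it is worth checking that the policy is meant to cover every pod carrying the name and instance labels.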

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ template "vault.fullname" . }}-psp name: {{ template "openbao.fullname" . }}-psp
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:
@ -20,6 +20,6 @@ rules:
resources: ['podsecuritypolicies'] resources: ['podsecuritypolicies']
verbs: ['use'] verbs: ['use']
resourceNames: resourceNames:
- {{ template "vault.fullname" . }} - {{ template "openbao.fullname" . }}
{{- end }} {{- end }}
{{- end }} {{- end }}

View file

@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ template "vault.fullname" . }}-psp name: {{ template "openbao.fullname" . }}-psp
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
kind: Role kind: Role
name: {{ template "vault.fullname" . }}-psp name: {{ template "openbao.fullname" . }}-psp
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.fullname" . }} name: {{ template "openbao.fullname" . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
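Review bot: The `subjects` entry binds the PSP role to a ServiceAccount named `{{ template "openbao.fullname" . }}` with no `namespace`, whereas the ServiceAccount template and the other bindings in this commit use `openbao.serviceAccount.name` together with `namespace: {{ include "openbao.namespace" . }}`. Whenever the two helpers render different names, the binding points at an account the server pod does not run as. Suggest switching the subject to `openbao.serviceAccount.name` and adding the namespace.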

View file

@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ template "vault.fullname" . }} name: {{ template "openbao.fullname" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }} {{- template "openbao.psp.annotations" . }}
spec: spec:
privileged: false privileged: false
# Required to prevent escalations to root. # Required to prevent escalations to root.

View file

@ -6,24 +6,24 @@ SPDX-License-Identifier: MPL-2.0
{{- if .Values.global.openshift }} {{- if .Values.global.openshift }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if .Values.server.route.enabled -}} {{- if .Values.server.route.enabled -}}
{{- $serviceName := include "vault.fullname" . -}} {{- $serviceName := include "openbao.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }} {{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }} {{- end }}
kind: Route kind: Route
apiVersion: route.openshift.io/v1 apiVersion: route.openshift.io/v1
metadata: metadata:
name: {{ template "vault.fullname" . }} name: {{ template "openbao.fullname" . }}
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.route.labels }} {{- with .Values.server.route.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- template "vault.route.annotations" . }} {{- template "openbao.route.annotations" . }}
spec: spec:
host: {{ .Values.server.route.host }} host: {{ .Values.server.route.host }}
to: to:

View file

@ -3,23 +3,23 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}} {{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}} {{- if .serverServiceEnabled -}}
# Service for Vault cluster # Service for OpenBao cluster
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "vault.fullname" . }} name: {{ template "openbao.fullname" . }}
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations: annotations:
{{ template "vault.service.annotations" .}} {{ template "openbao.service.annotations" .}}
spec: spec:
{{- if .Values.server.service.type}} {{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }} type: {{ .Values.server.service.type }}
@ -40,7 +40,7 @@ spec:
# since this DNS is also used for join operations. # since this DNS is also used for join operations.
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports: ports:
- name: {{ include "vault.scheme" . }} - name: {{ include "openbao.scheme" . }}
port: {{ .Values.server.service.port }} port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }} targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -50,7 +50,7 @@ spec:
port: 8201 port: 8201
targetPort: 8201 targetPort: 8201
selector: selector:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }} {{- end }}

View file

@ -3,19 +3,19 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.serverServiceAccountSecretCreationEnabled" . }} {{ template "openbao.serverServiceAccountSecretCreationEnabled" . }}
{{- if .serverServiceAccountSecretCreationEnabled -}} {{- if .serverServiceAccountSecretCreationEnabled -}}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ template "vault.serviceAccount.name" . }}-token name: {{ template "openbao.serviceAccount.name" . }}-token
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
annotations: annotations:
kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }} kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
type: kubernetes.io/service-account-token type: kubernetes.io/service-account-token
{{ end }} {{ end }}

View file

@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.serverServiceAccountEnabled" . }} {{ template "openbao.serverServiceAccountEnabled" . }}
{{- if .serverServiceAccountEnabled -}} {{- if .serverServiceAccountEnabled -}}
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ template "vault.serviceAccount.name" . }} name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.serviceAccount.extraLabels -}} {{- if .Values.server.serviceAccount.extraLabels -}}
{{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}} {{- end -}}
{{ template "vault.serviceAccount.annotations" . }} {{ template "openbao.serviceAccount.annotations" . }}
{{ end }} {{ end }}

View file

@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if ne .mode "" }} {{- if ne .mode "" }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
# StatefulSet to run the actual vault server cluster. # StatefulSet to run the actual openbao server cluster.
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: {{ template "vault.fullname" . }} name: {{ template "openbao.fullname" . }}
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.statefulSet.annotations" . }} {{- template "openbao.statefulSet.annotations" . }}
spec: spec:
serviceName: {{ template "vault.fullname" . }}-internal serviceName: {{ template "openbao.fullname" . }}-internal
podManagementPolicy: Parallel podManagementPolicy: Parallel
replicas: {{ template "vault.replicas" . }} replicas: {{ template "openbao.replicas" . }}
updateStrategy: updateStrategy:
type: {{ .Values.server.updateStrategyType }} type: {{ .Values.server.updateStrategyType }}
{{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
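Review bot: `metadata.name` and `spec.serviceName` both now derive from `openbao.fullname`. If that helper renders a different value than `vault.fullname` did for an existing release, Helm will replace the StatefulSet rather than update it, and because PVCs created from volume claim templates are named after the StatefulSet, the new pods will not pick up the existing data volumes. The commit should state whether in-place upgrades from the old naming are supported. Minor: the comment reads "openbao server cluster" where the Service templates use "OpenBao".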
@ -29,30 +29,30 @@ spec:
{{- end }} {{- end }}
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: server component: server
template: template:
metadata: metadata:
labels: labels:
helm.sh/chart: {{ template "vault.chart" . }} helm.sh/chart: {{ template "openbao.chart" . }}
app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: server component: server
{{- if .Values.server.extraLabels -}} {{- if .Values.server.extraLabels -}}
{{- toYaml .Values.server.extraLabels | nindent 8 -}} {{- toYaml .Values.server.extraLabels | nindent 8 -}}
{{- end -}} {{- end -}}
{{ template "vault.annotations" . }} {{ template "openbao.annotations" . }}
spec: spec:
{{ template "vault.affinity" . }} {{ template "openbao.affinity" . }}
{{ template "vault.topologySpreadConstraints" . }} {{ template "openbao.topologySpreadConstraints" . }}
{{ template "vault.tolerations" . }} {{ template "openbao.tolerations" . }}
{{ template "vault.nodeselector" . }} {{ template "openbao.nodeselector" . }}
{{- if .Values.server.priorityClassName }} {{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName }} priorityClassName: {{ .Values.server.priorityClassName }}
{{- end }} {{- end }}
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
serviceAccountName: {{ template "vault.serviceAccount.name" . }} serviceAccountName: {{ template "openbao.serviceAccount.name" . }}
{{ if .Values.server.shareProcessNamespace }} {{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true shareProcessNamespace: true
{{ end }} {{ end }}
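Review bot: `spec.selector.matchLabels` now takes `app.kubernetes.io/name` from `openbao.name` instead of `vault.name`, and a StatefulSet's selector is immutable. If the new helper renders a different value than the old one did for an existing release, `helm upgrade` will be rejected by the API server. Either confirm the rendered name is unchanged for existing installs or call this out as a breaking change that requires recreating the StatefulSet.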
@ -61,7 +61,7 @@ spec:
hostNetwork: {{ .Values.server.hostNetwork }} hostNetwork: {{ .Values.server.hostNetwork }}
{{- end }} {{- end }}
volumes: volumes:
{{ template "vault.volumes" . }} {{ template "openbao.volumes" . }}
- name: home - name: home
emptyDir: {} emptyDir: {}
{{- if .Values.server.hostAliases }} {{- if .Values.server.hostAliases }}
@ -73,14 +73,14 @@ spec:
{{ toYaml .Values.server.extraInitContainers | nindent 8}} {{ toYaml .Values.server.extraInitContainers | nindent 8}}
{{- end }} {{- end }}
containers: containers:
- name: vault - name: openbao
{{ template "vault.resources" . }} {{ template "openbao.resources" . }}
image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }} imagePullPolicy: {{ .Values.server.image.pullPolicy }}
command: command:
- "/bin/sh" - "/bin/sh"
- "-ec" - "-ec"
args: {{ template "vault.args" . }} args: {{ template "openbao.args" . }}
{{- template "server.statefulSet.securityContext.container" . }} {{- template "server.statefulSet.securityContext.container" . }}
env: env:
- name: HOST_IP - name: HOST_IP
@ -91,21 +91,21 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: status.podIP fieldPath: status.podIP
- name: VAULT_K8S_POD_NAME - name: BAO_K8S_POD_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
- name: VAULT_K8S_NAMESPACE - name: BAO_K8S_NAMESPACE
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
- name: VAULT_ADDR - name: BAO_ADDR
value: "{{ include "vault.scheme" . }}://127.0.0.1:8200" value: "{{ include "openbao.scheme" . }}://127.0.0.1:8200"
- name: VAULT_API_ADDR - name: BAO_API_ADDR
{{- if .Values.server.ha.apiAddr }} {{- if .Values.server.ha.apiAddr }}
value: {{ .Values.server.ha.apiAddr }} value: {{ .Values.server.ha.apiAddr }}
{{- else }} {{- else }}
value: "{{ include "vault.scheme" . }}://$(POD_IP):8200" value: "{{ include "openbao.scheme" . }}://$(POD_IP):8200"
{{- end }} {{- end }}
- name: SKIP_CHOWN - name: SKIP_CHOWN
value: "true" value: "true"
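Review bot: `VAULT_K8S_POD_NAME`, `VAULT_K8S_NAMESPACE`, `VAULT_ADDR` and `VAULT_API_ADDR` become `BAO_*` here with no compatibility alias. Anything a user supplies through `extraArgs`, `postStart` or their own config string that expands the old names will find them unset after upgrade. Please list the renamed variables in the upgrade notes, or keep the old names alongside the new ones for one release.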
@ -115,42 +115,42 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
- name: VAULT_CLUSTER_ADDR - name: BAO_CLUSTER_ADDR
{{- if .Values.server.ha.clusterAddr }} {{- if .Values.server.ha.clusterAddr }}
value: {{ .Values.server.ha.clusterAddr | quote }} value: {{ .Values.server.ha.clusterAddr | quote }}
{{- else }} {{- else }}
value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" value: "https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201"
{{- end }} {{- end }}
{{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
- name: VAULT_RAFT_NODE_ID - name: BAO_RAFT_NODE_ID
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
{{- end }} {{- end }}
- name: HOME - name: HOME
value: "/home/vault" value: "/home/openbao"
{{- if .Values.server.logLevel }} {{- if .Values.server.logLevel }}
- name: VAULT_LOG_LEVEL - name: BAO_LOG_LEVEL
value: "{{ .Values.server.logLevel }}" value: "{{ .Values.server.logLevel }}"
{{- end }} {{- end }}
{{- if .Values.server.logFormat }} {{- if .Values.server.logFormat }}
- name: VAULT_LOG_FORMAT - name: BAO_LOG_FORMAT
value: "{{ .Values.server.logFormat }}" value: "{{ .Values.server.logFormat }}"
{{- end }} {{- end }}
{{ template "vault.envs" . }} {{ template "openbao.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} {{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
volumeMounts: volumeMounts:
{{ template "vault.mounts" . }} {{ template "openbao.mounts" . }}
- name: home - name: home
mountPath: /home/vault mountPath: /home/openbao
ports: ports:
- containerPort: 8200 - containerPort: 8200
name: {{ include "vault.scheme" . }} name: {{ include "openbao.scheme" . }}
- containerPort: 8201 - containerPort: 8201
name: https-internal name: https-internal
- containerPort: 8202 - containerPort: 8202
name: {{ include "vault.scheme" . }}-rep name: {{ include "openbao.scheme" . }}-rep
{{- if .Values.server.extraPorts -}} {{- if .Values.server.extraPorts -}}
{{ toYaml .Values.server.extraPorts | nindent 12}} {{ toYaml .Values.server.extraPorts | nindent 12}}
{{- end }} {{- end }}
@ -160,15 +160,15 @@ spec:
httpGet: httpGet:
path: {{ .Values.server.readinessProbe.path | quote }} path: {{ .Values.server.readinessProbe.path | quote }}
port: {{ .Values.server.readinessProbe.port }} port: {{ .Values.server.readinessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }} scheme: {{ include "openbao.scheme" . | upper }}
{{- else }} {{- else }}
# Check status; unsealed vault servers return 0 # Check status; unsealed openbao servers return 0
# The exit code reflects the seal status: # The exit code reflects the seal status:
# 0 - unsealed # 0 - unsealed
# 1 - error # 1 - error
# 2 - sealed # 2 - sealed
exec: exec:
command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
{{- end }} {{- end }}
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }} initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
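Review bot: the exec readiness probe keeps `-tls-skip-verify`, carried over with only the binary name changed. Since this line is being touched anyway, add a comment that skipping verification is tolerated only because the probe talks to the pod's own listener on 127.0.0.1 (per `BAO_ADDR` above), so nobody copies the flag into a client that crosses the network.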
@ -188,7 +188,7 @@ spec:
httpGet: httpGet:
path: {{ .Values.server.livenessProbe.path | quote }} path: {{ .Values.server.livenessProbe.path | quote }}
port: {{ .Values.server.livenessProbe.port }} port: {{ .Values.server.livenessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }} scheme: {{ include "openbao.scheme" . | upper }}
{{- end }} {{- end }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
@ -197,7 +197,7 @@ spec:
timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }} timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
{{- end }} {{- end }}
lifecycle: lifecycle:
# Vault container doesn't receive SIGTERM from Kubernetes # openbao container doesn't receive SIGTERM from Kubernetes
# and after the grace period ends, Kube sends SIGKILL. This # and after the grace period ends, Kube sends SIGKILL. This
# causes issues with graceful shutdowns such as deregistering itself # causes issues with graceful shutdowns such as deregistering itself
# from Consul (zombie services). # from Consul (zombie services).
@ -208,7 +208,7 @@ spec:
# Adding a sleep here to give the pod eviction a # Adding a sleep here to give the pod eviction a
# chance to propagate, so requests will not be made # chance to propagate, so requests will not be made
# to this pod while it's terminating # to this pod while it's terminating
"sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)", "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof bao)",
] ]
{{- if .Values.server.postStart }} {{- if .Values.server.postStart }}
postStart: postStart:
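Review bot: the preStop command `kill -SIGTERM $(pidof bao)` only works if the server process in the image selected by `server.image.repository` is actually named `bao`. If `pidof` finds nothing, `kill` runs without a PID and fails, and the process falls back to the SIGKILL path that the lifecycle comment describes. Worth a unit test on the rendered command and a note that images still shipping the old binary name are not supported.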
@ -222,7 +222,7 @@ spec:
{{ toYaml .Values.server.extraContainers | nindent 8}} {{ toYaml .Values.server.extraContainers | nindent 8}}
{{- end }} {{- end }}
{{- include "imagePullSecrets" . | nindent 6 }} {{- include "imagePullSecrets" . | nindent 6 }}
{{ template "vault.volumeclaims" . }} {{ template "openbao.volumeclaims" . }}
{{ end }} {{ end }}
{{ end }} {{ end }}
{{ end }} {{ end }}

View file

@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: {{ template "vault.fullname" . }}-server-test name: {{ template "openbao.fullname" . }}-server-test
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
annotations: annotations:
"helm.sh/hook": test "helm.sh/hook": test
spec: spec:
@ -21,8 +21,8 @@ spec:
imagePullPolicy: {{ .Values.server.image.pullPolicy }} imagePullPolicy: {{ .Values.server.image.pullPolicy }}
env: env:
- name: VAULT_ADDR - name: VAULT_ADDR
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }}
command: command:
- /bin/sh - /bin/sh
- -c - -c
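Review bot: the test pod's env entry is still `VAULT_ADDR` on both sides of this hunk, while the StatefulSet in the same commit switches to `BAO_ADDR`. If the test script calls the renamed client, it should be given the variable that client reads; if the old name is kept on purpose, a one-line comment saying why would stop the next rename pass from changing it.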

View file

@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0 SPDX-License-Identifier: MPL-2.0
*/}} */}}
{{ template "vault.mode" . }} {{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- template "vault.uiEnabled" . -}} {{- template "openbao.uiEnabled" . -}}
{{- if .uiEnabled -}} {{- if .uiEnabled -}}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "vault.fullname" . }}-ui name: {{ template "openbao.fullname" . }}-ui
namespace: {{ include "vault.namespace" . }} namespace: {{ include "openbao.namespace" . }}
labels: labels:
helm.sh/chart: {{ include "vault.chart" . }} helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-ui app.kubernetes.io/name: {{ include "openbao.name" . }}-ui
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.ui.annotations" . }} {{- template "openbao.ui.annotations" . }}
spec: spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.ui.serviceIPFamilyPolicy }} {{- if .Values.ui.serviceIPFamilyPolicy }}
@ -29,15 +29,15 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
selector: selector:
app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: server component: server
{{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }} {{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }}
vault-active: "true" openbao-active: "true"
{{- end }} {{- end }}
publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }} publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
ports: ports:
- name: {{ include "vault.scheme" . }} - name: {{ include "openbao.scheme" . }}
port: {{ .Values.ui.externalPort }} port: {{ .Values.ui.externalPort }}
targetPort: {{ .Values.ui.targetPort }} targetPort: {{ .Values.ui.targetPort }}
{{- if .Values.ui.serviceNodePort }} {{- if .Values.ui.serviceNodePort }}
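Review bot: the selector condition now reads `.Values.ui.activeOpenbaoPodOnly`, so an existing values file that sets `ui.activeVaultPodOnly: true` no longer adds the active-pod selector, and in HA mode the UI service would then also select standby pods. Read the old key as a fallback or document the rename. Also confirm that server pods are really labelled `openbao-active`, because the selector matches nothing if they still carry `vault-active`.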

View file

@ -230,7 +230,7 @@
}, },
"namespace": { "namespace": {
"type": "string" "type": "string"
}, },
"externalVaultAddr": { "externalVaultAddr": {
"type": "string" "type": "string"
}, },
@ -659,17 +659,6 @@
"string" "string"
] ]
}, },
"enterpriseLicense": {
"type": "object",
"properties": {
"secretKey": {
"type": "string"
},
"secretName": {
"type": "string"
}
}
},
"extraArgs": { "extraArgs": {
"type": "string" "type": "string"
}, },
@ -1163,7 +1152,7 @@
"ui": { "ui": {
"type": "object", "type": "object",
"properties": { "properties": {
"activeVaultPodOnly": { "activeOpenbaoPodOnly": {
"type": "boolean" "type": "boolean"
}, },
"annotations": { "annotations": {

View file

@ -1,7 +1,7 @@
# Copyright (c) HashiCorp, Inc. # Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0 # SPDX-License-Identifier: MPL-2.0
# Available parameters and their default values for the Vault chart. # Available parameters and their default values for the OpenBao chart.
global: global:
# -- enabled is the master enabled switch. Setting this to true or false # -- enabled is the master enabled switch. Setting this to true or false
@ -20,8 +20,8 @@ global:
# -- TLS for end-to-end encrypted transport # -- TLS for end-to-end encrypted transport
tlsDisable: true tlsDisable: true
# -- External vault server address for the injector and CSI provider to use. # -- External openbao server address for the injector and CSI provider to use.
# Setting this will disable deployment of a vault server. # Setting this will disable deployment of a openbao server.
externalVaultAddr: "" externalVaultAddr: ""
# -- If deploying to OpenShift # -- If deploying to OpenShift
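Review bot: the key stays `externalVaultAddr` while its comment is rewritten, whereas `ui.activeVaultPodOnly` is renamed to `activeOpenbaoPodOnly` elsewhere in this commit. Pick one policy for values keys (rename all, or keep all for compatibility) and state it in the commit message. Minor: "a openbao server" should read "an OpenBao server".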
@ -44,7 +44,7 @@ global:
prometheusOperator: false prometheusOperator: false
injector: injector:
# -- True if you want to enable vault agent injection. @default: global.enabled # -- True if you want to enable openbao agent injection. @default: global.enabled
enabled: "-" enabled: "-"
replicas: 1 replicas: 1
@ -75,8 +75,8 @@ injector:
# -- image pull policy to use for k8s image. if tag is "latest", set to "Always" # -- image pull policy to use for k8s image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# -- agentImage sets the repo and tag of the Vault image to use for the Vault Agent # -- agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent
# containers. This should be set to the official Vault image. Vault 1.3.1+ is # containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is
# required. # required.
agentImage: agentImage:
# -- image registry to use for agent image # -- image registry to use for agent image
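Review bot: "OpenBao 1.3.1+ is required" is the old Vault minimum version with only the product name swapped by the search and replace. Confirm which OpenBao release the agent containers actually need and state that, or drop the version sentence until it is known.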
@ -88,7 +88,7 @@ injector:
# -- image pull policy to use for agent image. if tag is "latest", set to "Always" # -- image pull policy to use for agent image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# The default values for the injected Vault Agent containers. # The default values for the injected OpenBao Agent containers.
agentDefaults: agentDefaults:
# For more information on configuring resources, see the K8s documentation: # For more information on configuring resources, see the K8s documentation:
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
@ -145,7 +145,7 @@ injector:
# -- Number of seconds after which the probe times out. # -- Number of seconds after which the probe times out.
timeoutSeconds: 5 timeoutSeconds: 5
# Mount Path of the Vault Kubernetes Auth Method. # Mount Path of the OpenBao Kubernetes Auth Method.
authPath: "auth/kubernetes" authPath: "auth/kubernetes"
# -- Configures the log verbosity of the injector. # -- Configures the log verbosity of the injector.
@ -155,7 +155,7 @@ injector:
# -- Configures the log format of the injector. Supported log formats: "standard", "json". # -- Configures the log format of the injector. Supported log formats: "standard", "json".
logFormat: "standard" logFormat: "standard"
# Configures all Vault Agent sidecars to revoke their token when shutting down # Configures all OpenBao Agent sidecars to revoke their token when shutting down
revokeOnShutdown: false revokeOnShutdown: false
webhook: webhook:
@ -204,7 +204,7 @@ injector:
- key: app.kubernetes.io/name - key: app.kubernetes.io/name
operator: NotIn operator: NotIn
values: values:
- {{ template "vault.name" . }}-agent-injector - {{ template "openbao.name" . }}-agent-injector
# Extra annotations to attach to the webhook # Extra annotations to attach to the webhook
annotations: {} annotations: {}
@ -300,7 +300,7 @@ injector:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector: - labelSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: "{{ .Release.Name }}" app.kubernetes.io/instance: "{{ .Release.Name }}"
component: webhook component: webhook
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
@ -365,8 +365,8 @@ injector:
# type: RollingUpdate # type: RollingUpdate
server: server:
# If true, or "-" with global.enabled true, Vault server will be installed. # If true, or "-" with global.enabled true, OpenBao server will be installed.
# See vault.mode in _helpers.tpl for implementation details. # See openbao.mode in _helpers.tpl for implementation details.
enabled: "-" enabled: "-"
# Resource requests, limits, etc. for the server cluster placement. This # Resource requests, limits, etc. for the server cluster placement. This
@ -387,11 +387,11 @@ server:
# See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
updateStrategyType: "OnDelete" updateStrategyType: "OnDelete"
# Configure the logging verbosity for the Vault server. # Configure the logging verbosity for the OpenBao server.
# Supported log levels include: trace, debug, info, warn, error # Supported log levels include: trace, debug, info, warn, error
logLevel: "" logLevel: ""
# Configure the logging format for the Vault server. # Configure the logging format for the OpenBao server.
# Supported log formats include: standard, json # Supported log formats include: standard, json
logFormat: "" logFormat: ""
@ -405,7 +405,7 @@ server:
# cpu: 250m # cpu: 250m
# Ingress allows ingress services to be created to allow external access # Ingress allows ingress services to be created to allow external access
# from Kubernetes to access Vault pods. # from Kubernetes to access OpenBao pods.
# If deployment is on OpenShift, the following block is ignored. # If deployment is on OpenShift, the following block is ignored.
# In order to expose the service, use the route section below # In order to expose the service, use the route section below
ingress: ingress:
@ -429,7 +429,7 @@ server:
pathType: Prefix pathType: Prefix
# When HA mode is enabled and K8s service registration is being used, # When HA mode is enabled and K8s service registration is being used,
# configure the ingress to point to the Vault active service. # configure the ingress to point to the OpenBao active service.
activeService: true activeService: true
hosts: hosts:
- host: chart-example.local - host: chart-example.local
@ -459,7 +459,7 @@ server:
enabled: false enabled: false
# When HA mode is enabled and K8s service registration is being used, # When HA mode is enabled and K8s service registration is being used,
# configure the route to point to the Vault active service. # configure the route to point to the OpenBao active service.
activeService: true activeService: true
labels: {} labels: {}
@ -499,11 +499,11 @@ server:
# extraContainers is a list of sidecar containers. Specified as a YAML list. # extraContainers is a list of sidecar containers. Specified as a YAML list.
extraContainers: null extraContainers: null
# -- shareProcessNamespace enables process namespace sharing between Vault and the extraContainers # -- shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation # This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation
shareProcessNamespace: false shareProcessNamespace: false
# -- extraArgs is a string containing additional Vault server arguments. # -- extraArgs is a string containing additional OpenBao server arguments.
extraArgs: "" extraArgs: ""
# -- extraPorts is a list of extra ports. Specified as a YAML list. # -- extraPorts is a list of extra ports. Specified as a YAML list.
@ -537,7 +537,7 @@ server:
execCommand: [] execCommand: []
# - /bin/sh # - /bin/sh
# - -c # - -c
# - /vault/userconfig/mylivenessscript/run.sh # - /openbao/userconfig/mylivenessscript/run.sh
# Path for the livenessProbe to use httpGet as the livenessProbe handler # Path for the livenessProbe to use httpGet as the livenessProbe handler
path: "/v1/sys/health?standbyok=true" path: "/v1/sys/health?standbyok=true"
# Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
@ -566,30 +566,30 @@ server:
postStart: [] postStart: []
# - /bin/sh # - /bin/sh
# - -c # - -c
# - /vault/userconfig/myscript/run.sh # - /openbao/userconfig/myscript/run.sh
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
# used to include variables required for auto-unseal. # used to include variables required for auto-unseal.
extraEnvironmentVars: {} extraEnvironmentVars: {}
# GOOGLE_REGION: global # GOOGLE_REGION: global
# GOOGLE_PROJECT: myproject # GOOGLE_PROJECT: myproject
# GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json # GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json
# extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
# These variables take value from existing Secret objects. # These variables take value from existing Secret objects.
extraSecretEnvironmentVars: [] extraSecretEnvironmentVars: []
# - envName: AWS_SECRET_ACCESS_KEY # - envName: AWS_SECRET_ACCESS_KEY
# secretName: vault # secretName: openbao
# secretKey: AWS_SECRET_ACCESS_KEY # secretKey: AWS_SECRET_ACCESS_KEY
# Deprecated: please use 'volumes' instead. # Deprecated: please use 'volumes' instead.
# extraVolumes is a list of extra volumes to mount. These will be exposed # extraVolumes is a list of extra volumes to mount. These will be exposed
# to Vault in the path `/vault/userconfig/<name>/`. The value below is # to OpenBao in the path `/openbao/userconfig/<name>/`. The value below is
# an array of objects, examples are shown below. # an array of objects, examples are shown below.
extraVolumes: [] extraVolumes: []
# - type: secret (or "configMap") # - type: secret (or "configMap")
# name: my-secret # name: my-secret
# path: null # default is `/vault/userconfig` # path: null # default is `/openbao/userconfig`
# volumes is a list of volumes made available to all containers. These are rendered # volumes is a list of volumes made available to all containers. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value. # via toYaml rather than pre-processed like the extraVolumes value.
@ -615,7 +615,7 @@ server:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector: - labelSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: "{{ .Release.Name }}" app.kubernetes.io/instance: "{{ .Release.Name }}"
component: server component: server
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
@ -671,25 +671,25 @@ server:
annotations: {} annotations: {}
# Add an annotation to the server configmap and the statefulset pods, # Add an annotation to the server configmap and the statefulset pods,
# vaultproject.io/config-checksum, that is a hash of the Vault configuration. # vaultproject.io/config-checksum, that is a hash of the OpenBao configuration.
# This can be used together with an OnDelete deployment strategy to help # This can be used together with an OnDelete deployment strategy to help
# identify which pods still need to be deleted during a deployment to pick up # identify which pods still need to be deleted during a deployment to pick up
# any configuration changes. # any configuration changes.
configAnnotation: false configAnnotation: false
# Enables a headless service to be used by the Vault Statefulset # Enables a headless service to be used by the OpenBao Statefulset
service: service:
enabled: true enabled: true
# Enable or disable the vault-active service, which selects Vault pods that # Enable or disable the openbao-active service, which selects OpenBao pods that
# have labeled themselves as the cluster leader with `vault-active: "true"`. # have labeled themselves as the cluster leader with `openbao-active: "true"`.
active: active:
enabled: true enabled: true
# Extra annotations for the service definition. This can either be YAML or a # Extra annotations for the service definition. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply # YAML-formatted multi-line templated string map of the annotations to apply
# to the active service. # to the active service.
annotations: {} annotations: {}
# Enable or disable the vault-standby service, which selects Vault pods that # Enable or disable the openbao-standby service, which selects OpenBao pods that
# have labeled themselves as a cluster follower with `vault-active: "false"`. # have labeled themselves as a cluster follower with `openbao-active: "false"`.
standby: standby:
enabled: true enabled: true
# Extra annotations for the service definition. This can either be YAML or a # Extra annotations for the service definition. This can either be YAML or a
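Review bot: the `configAnnotation` comment still names the annotation `vaultproject.io/config-checksum` while everything around it is renamed. If the template emits a different key after this commit, update the comment to match; if the key is kept on purpose, say so, since operators rely on it to find pods that still need deleting under `OnDelete`.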
@ -697,19 +697,19 @@ server:
# to the standby service. # to the standby service.
annotations: {} annotations: {}
# If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
# When disabled, services may select Vault pods not deployed from the chart. # When disabled, services may select OpenBao pods not deployed from the chart.
# Does not affect the headless vault-internal service with `ClusterIP: None` # Does not affect the headless openbao-internal service with `ClusterIP: None`
instanceSelector: instanceSelector:
enabled: true enabled: true
# clusterIP controls whether a Cluster IP address is attached to the # clusterIP controls whether a Cluster IP address is attached to the
# Vault service within Kubernetes. By default, the Vault service will # OpenBao service within Kubernetes. By default, the OpenBao service will
# be given a Cluster IP address, set to None to disable. When disabled # be given a Cluster IP address, set to None to disable. When disabled
# Kubernetes will create a "headless" service. Headless services can be # Kubernetes will create a "headless" service. Headless services can be
# used to communicate with pods directly through DNS instead of a round-robin # used to communicate with pods directly through DNS instead of a round-robin
# load balancer. # load balancer.
# clusterIP: None # clusterIP: None
# Configures the service type for the main Vault service. Can be ClusterIP # Configures the service type for the main OpenBao service. Can be ClusterIP
# or NodePort. # or NodePort.
# type: ClusterIP # type: ClusterIP
@ -753,7 +753,7 @@ server:
# will be random if left blank. # will be random if left blank.
# standbyNodePort: 30002 # standbyNodePort: 30002
# Port on which Vault server is listening # Port on which OpenBao server is listening
port: 8200 port: 8200
# Target port to which the service should be mapped to # Target port to which the service should be mapped to
targetPort: 8200 targetPort: 8200
@ -762,7 +762,7 @@ server:
# to the service. # to the service.
annotations: {} annotations: {}
# This configures the Vault Statefulset to create a PVC for data # This configures the OpenBao Statefulset to create a PVC for data
# storage when using the file or raft backend storage engines. # storage when using the file or raft backend storage engines.
# See https://developer.hashicorp.com/vault/docs/configuration/storage to know more # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
dataStorage: dataStorage:
@ -770,7 +770,7 @@ server:
# Size of the PVC created # Size of the PVC created
size: 10Gi size: 10Gi
# Location where the PVC will be mounted. # Location where the PVC will be mounted.
mountPath: "/vault/data" mountPath: "/openbao/data"
# Name of the storage class to use. If null it will use the # Name of the storage class to use. If null it will use the
# configured default Storage Class. # configured default Storage Class.
storageClass: null storageClass: null
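Review bot: the default `dataStorage.mountPath` moves from `/vault/data` to `/openbao/data`. The default `storage "file"` path later in this file moves with it, but a release that overrides the config string with `/vault/data` hard-coded will point at a directory that is no longer mounted after upgrade. Add an upgrade note telling users to either pin `mountPath` to the old value or update their config path.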
@ -789,17 +789,17 @@ server:
# whenScaled: Retain # whenScaled: Retain
persistentVolumeClaimRetentionPolicy: {} persistentVolumeClaimRetentionPolicy: {}
# This configures the Vault Statefulset to create a PVC for audit # This configures the OpenBao Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized, and unsealed, Vault must # logs. Once OpenBao is deployed, initialized, and unsealed, OpenBao must
# be configured to use this for audit logs. This will be mounted to # be configured to use this for audit logs. This will be mounted to
# /vault/audit # /openbao/audit
# See https://developer.hashicorp.com/vault/docs/audit to know more # See https://developer.hashicorp.com/vault/docs/audit to know more
auditStorage: auditStorage:
enabled: false enabled: false
# Size of the PVC created # Size of the PVC created
size: 10Gi size: 10Gi
# Location where the PVC will be mounted. # Location where the PVC will be mounted.
mountPath: "/vault/audit" mountPath: "/openbao/audit"
# Name of the storage class to use. If null it will use the # Name of the storage class to use. If null it will use the
# configured default Storage Class. # configured default Storage Class.
storageClass: null storageClass: null
@ -810,8 +810,8 @@ server:
# Labels to apply to the PVC # Labels to apply to the PVC
labels: {} labels: {}
# Run Vault in "dev" mode. This requires no further setup, no state management, # Run OpenBao in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without # and no initialization. This is useful for experimenting with OpenBao without
# needing to unseal, store keys, et. al. All data is lost on restart - do not # needing to unseal, store keys, et. al. All data is lost on restart - do not
# use dev mode for anything other than experimenting. # use dev mode for anything other than experimenting.
# See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
@ -821,7 +821,7 @@ server:
# Set VAULT_DEV_ROOT_TOKEN_ID value # Set VAULT_DEV_ROOT_TOKEN_ID value
devRootToken: "root" devRootToken: "root"
# Run Vault in "standalone" mode. This is the default mode that will deploy if # Run OpenBao in "standalone" mode. This is the default mode that will deploy if
# no arguments are given to helm. This requires a PVC for data storage to use # no arguments are given to helm. This requires a PVC for data storage to use
# the "file" backend. This mode is not highly available and should not be scaled # the "file" backend. This mode is not highly available and should not be scaled
# past a single replica. # past a single replica.
@ -829,7 +829,7 @@ server:
enabled: "-" enabled: "-"
# config is a raw string of default configuration when using a Stateful # config is a raw string of default configuration when using a Stateful
# deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data # deployment. Default is to use a PersistentVolumeClaim mounted at /openbao/data
# and store data there. This is only used when using a Replica count of 1, and # and store data there. This is only used when using a Replica count of 1, and
# using a stateful set. This should be HCL. # using a stateful set. This should be HCL.
@ -850,17 +850,17 @@ server:
#} #}
} }
storage "file" { storage "file" {
path = "/vault/data" path = "/openbao/data"
} }
# Example configuration for using auto-unseal, using Google Cloud KMS. The # Example configuration for using auto-unseal, using Google Cloud KMS. The
# GKMS keys must already exist, and the cluster must have a service account # GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS. # that is authorized to access GCP KMS.
#seal "gcpckms" { #seal "gcpckms" {
# project = "vault-helm-dev" # project = "openbao-helm-dev"
# region = "global" # region = "global"
# key_ring = "vault-helm-unseal-kr" # key_ring = "openbao-helm-unseal-kr"
# crypto_key = "vault-helm-unseal-key" # crypto_key = "openbao-helm-unseal-key"
#} #}
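Review bot: `path = "/openbao/data"` in the default `standalone.config` is only correct if the data PVC mount point moves in the same release, and anyone who overrides `config` with their own HCL will still have "/vault/data" there. After the upgrade such an override would point the file backend at a directory that is no longer the PVC, which looks like an uninitialized server. Please call the path change out in the upgrade notes. The renamed `project`, `key_ring` and `crypto_key` values in the commented gcpckms example are now names nobody has created, so a short "replace with your own" remark next to them would help.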
# Example configuration for enabling Prometheus metrics in your config. # Example configuration for enabling Prometheus metrics in your config.
@ -869,29 +869,29 @@ server:
# disable_hostname = true # disable_hostname = true
#} #}
# Run Vault in "HA" mode. There are no storage requirements unless the audit log # Run OpenBao in "HA" mode. There are no storage requirements unless the audit log
# persistence is required. In HA mode Vault will configure itself to use Consul # persistence is required. In HA mode OpenBao will configure itself to use Consul
# for its storage backend. The default configuration provided will work the Consul # for its storage backend. The default configuration provided will work the Consul
# Helm project by default. It is possible to manually configure Vault to use a # Helm project by default. It is possible to manually configure OpenBao to use a
# different HA backend. # different HA backend.
ha: ha:
enabled: false enabled: false
replicas: 3 replicas: 3
# Set the api_addr configuration for Vault HA # Set the api_addr configuration for OpenBao HA
# See https://developer.hashicorp.com/vault/docs/configuration#api_addr # See https://developer.hashicorp.com/vault/docs/configuration#api_addr
# If set to null, this will be set to the Pod IP Address # If set to null, this will be set to the Pod IP Address
apiAddr: null apiAddr: null
# Set the cluster_addr confuguration for Vault HA # Set the cluster_addr confuguration for OpenBao HA
# See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
# If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 # If set to null, this will be set to https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201
clusterAddr: null clusterAddr: null
# Enables Vault's integrated Raft storage. Unlike the typical HA modes where # Enables OpenBao's integrated Raft storage. Unlike the typical HA modes where
# Vault's persistence is external (such as Consul), enabling Raft mode will create # OpenBao's persistence is external (such as Consul), enabling Raft mode will create
# persistent volumes for Vault to store data according to the configuration under server.dataStorage. # persistent volumes for OpenBao to store data according to the configuration under server.dataStorage.
# The Vault cluster will coordinate leader elections and failovers internally. # The OpenBao cluster will coordinate leader elections and failovers internally.
raft: raft:
# Enables Raft integrated storage # Enables Raft integrated storage
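Review bot: the touched line `# Set the cluster_addr confuguration for OpenBao HA` carries the "confuguration" typo over from the old text; since the line is being rewritten anyway, fix it to "configuration". The context line "will work the Consul Helm project by default" is also missing "with". The `api_addr` and `cluster_addr` links in this hunk still go to developer.hashicorp.com/vault, which is inconsistent with the rest of the rename.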
@ -917,7 +917,7 @@ server:
} }
storage "raft" { storage "raft" {
path = "/vault/data" path = "/openbao/data"
} }
service_registration "kubernetes" {} service_registration "kubernetes" {}
@ -939,7 +939,7 @@ server:
cluster_address = "[::]:8201" cluster_address = "[::]:8201"
} }
storage "consul" { storage "consul" {
path = "vault" path = "openbao"
address = "HOST_IP:8500" address = "HOST_IP:8500"
} }
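Review bot: changing `path = "vault"` to `path = "openbao"` in the `storage "consul"` stanza changes the Consul KV prefix the server reads its state from. An existing HA release that takes the new default would look under an empty prefix and come up uninitialized while the old data sits untouched under "vault". Either keep the old prefix as the default or document this as a required migration step.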
@ -949,10 +949,10 @@ server:
# GKMS keys must already exist, and the cluster must have a service account # GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS. # that is authorized to access GCP KMS.
#seal "gcpckms" { #seal "gcpckms" {
# project = "vault-helm-dev-246514" # project = "openbao-helm-dev-246514"
# region = "global" # region = "global"
# key_ring = "vault-helm-unseal-kr" # key_ring = "openbao-helm-unseal-kr"
# crypto_key = "vault-helm-unseal-key" # crypto_key = "openbao-helm-unseal-key"
#} #}
# Example configuration for enabling Prometheus metrics. # Example configuration for enabling Prometheus metrics.
@ -973,7 +973,7 @@ server:
maxUnavailable: null maxUnavailable: null
# Definition of the serviceAccount used to run Vault. # Definition of the serviceAccount used to run Vault.
# These options are also used when using an external Vault server to validate # These options are also used when using an external OpenBao server to validate
# Kubernetes tokens. # Kubernetes tokens.
serviceAccount: serviceAccount:
# Specifies whether a service account should be created # Specifies whether a service account should be created
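Review bot: the first comment line in this hunk, `# Definition of the serviceAccount used to run Vault.`, is left unchanged while the next line is renamed to "external OpenBao server". Rename it too so the two sentences agree.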
@ -995,12 +995,12 @@ server:
# This should be a YAML map of the labels to apply to the serviceAccount # This should be a YAML map of the labels to apply to the serviceAccount
extraLabels: {} extraLabels: {}
# Enable or disable a service account role binding with the permissions required for # Enable or disable a service account role binding with the permissions required for
# Vault's Kubernetes service_registration config option. # OpenBao's Kubernetes service_registration config option.
# See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
serviceDiscovery: serviceDiscovery:
enabled: true enabled: true
# Settings for the statefulSet used to run Vault. # Settings for the statefulSet used to run OpenBao.
statefulSet: statefulSet:
# Extra annotations for the statefulSet. This can either be YAML or a # Extra annotations for the statefulSet. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply # YAML-formatted multi-line templated string map of the annotations to apply
@ -1027,17 +1027,17 @@ server:
# Should the server pods run on the host network # Should the server pods run on the host network
hostNetwork: false hostNetwork: false
# Vault UI # OpenBao UI
ui: ui:
# True if you want to create a Service entry for the Vault UI. # True if you want to create a Service entry for the OpenBao UI.
# #
# serviceType can be used to control the type of service created. For # serviceType can be used to control the type of service created. For
# example, setting this to "LoadBalancer" will create an external load # example, setting this to "LoadBalancer" will create an external load
# balancer (for supported K8S installations) to access the UI. # balancer (for supported K8S installations) to access the UI.
enabled: false enabled: false
publishNotReadyAddresses: true publishNotReadyAddresses: true
# The service should only contain selectors for active Vault pod # The service should only contain selectors for active OpenBao pod
activeVaultPodOnly: false activeOpenbaoPodOnly: false
serviceType: "ClusterIP" serviceType: "ClusterIP"
serviceNodePort: null serviceNodePort: null
externalPort: 8200 externalPort: 8200
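Review bot: `activeVaultPodOnly` becoming `activeOpenbaoPodOnly` under `ui:` renames a public values key, so existing values files that set `ui.activeVaultPodOnly: true` will be silently ignored and the UI Service will select standby pods again. Please confirm every template that reads this key is updated in the same commit, and either accept the old key as a fallback or list the rename in the changelog as breaking.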
@ -1082,8 +1082,8 @@ csi:
# Requires installing the secrets-store-csi-driver separately, see: # Requires installing the secrets-store-csi-driver separately, see:
# https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
# #
# With the driver and provider installed, you can mount Vault secrets into volumes # With the driver and provider installed, you can mount OpenBao secrets into volumes
# similar to the Vault Agent injector, and you can also sync those secrets into # similar to the OpenBao Agent injector, and you can also sync those secrets into
# Kubernetes secrets. # Kubernetes secrets.
enabled: false enabled: false
@ -1100,17 +1100,17 @@ csi:
# -- volumes is a list of volumes made available to all containers. These are rendered # -- volumes is a list of volumes made available to all containers. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value. # via toYaml rather than pre-processed like the extraVolumes value.
# The purpose is to make it easy to share volumes between containers. # The purpose is to make it easy to share volumes between containers.
volumes: null volumes: []
# - name: tls # - name: tls
# secret: # secret:
# secretName: vault-tls # secretName: openbao-tls
# -- volumeMounts is a list of volumeMounts for the main server container. These are rendered # -- volumeMounts is a list of volumeMounts for the main server container. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value. # via toYaml rather than pre-processed like the extraVolumes value.
# The purpose is to make it easy to share volumes between containers. # The purpose is to make it easy to share volumes between containers.
volumeMounts: null volumeMounts: []
# - name: tls # - name: tls
# mountPath: "/vault/tls" # mountPath: "/openbao/tls"
# readOnly: true # readOnly: true
resources: {} resources: {}
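Review bot: `volumes: null` to `volumes: []` and `volumeMounts: null` to `volumeMounts: []` under `csi:` are default-value changes, not part of the vault to openbao rename. Please check that the templates rendering these through toYaml do not emit an empty `volumes: []` block now, and mention the change in the commit message or split it out so it is not lost in a 93-file rename.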
@ -1245,16 +1245,16 @@ csi:
# for the available command line flags. # for the available command line flags.
extraArgs: [] extraArgs: []
# Vault is able to collect and publish various runtime metrics. # OpenBao is able to collect and publish various runtime metrics.
# Enabling this feature requires setting adding `telemetry{}` stanza to # Enabling this feature requires setting adding `telemetry{}` stanza to
# the Vault configuration. There are a few examples included in the `config` sections above. # the OpenBao configuration. There are a few examples included in the `config` sections above.
# #
# For more information see: # For more information see:
# https://developer.hashicorp.com/vault/docs/configuration/telemetry # https://developer.hashicorp.com/vault/docs/configuration/telemetry
# https://developer.hashicorp.com/vault/docs/internals/telemetry # https://developer.hashicorp.com/vault/docs/internals/telemetry
serverTelemetry: serverTelemetry:
# Enable support for the Prometheus Operator. Currently, this chart does not support # Enable support for the Prometheus Operator. Currently, this chart does not support
# authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included # authenticating to OpenBao's metrics endpoint, so the following `telemetry{}` must be included
# in the `listener "tcp"{}` stanza # in the `listener "tcp"{}` stanza
# telemetry { # telemetry {
# unauthenticated_metrics_access = "true" # unauthenticated_metrics_access = "true"
@ -1262,7 +1262,7 @@ serverTelemetry:
# #
# See the `standalone.config` for a more complete example of this. # See the `standalone.config` for a more complete example of this.
# #
# In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration: # In addition, a top level `telemetry{}` stanza must also be included in the OpenBao configuration:
# #
# example: # example:
# telemetry { # telemetry {
@ -1270,7 +1270,7 @@ serverTelemetry:
# disable_hostname = true # disable_hostname = true
# } # }
# #
# Configuration for monitoring the Vault server. # Configuration for monitoring the OpenBao server.
serviceMonitor: serviceMonitor:
# The Prometheus operator *must* be installed before enabling this feature, # The Prometheus operator *must* be installed before enabling this feature,
# if not the chart will fail to install due to missing CustomResourceDefinitions # if not the chart will fail to install due to missing CustomResourceDefinitions
@ -1282,7 +1282,7 @@ serverTelemetry:
# https://github.com/prometheus-operator/prometheus-operator # https://github.com/prometheus-operator/prometheus-operator
# https://github.com/prometheus-operator/kube-prometheus # https://github.com/prometheus-operator/kube-prometheus
# Enable deployment of the Vault Server ServiceMonitor CustomResource. # Enable deployment of the OpenBao Server ServiceMonitor CustomResource.
enabled: false enabled: false
# Selector labels to add to the ServiceMonitor. # Selector labels to add to the ServiceMonitor.
@ -1314,14 +1314,14 @@ serverTelemetry:
rules: [] rules: []
# - alert: vault-HighResponseTime # - alert: vault-HighResponseTime
# annotations: # annotations:
# message: The response time of Vault is over 500ms on average over the last 5 minutes. # message: The response time of OpenBao is over 500ms on average over the last 5 minutes.
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
# for: 5m # for: 5m
# labels: # labels:
# severity: warning # severity: warning
# - alert: vault-HighResponseTime # - alert: vault-HighResponseTime
# annotations: # annotations:
# message: The response time of Vault is over 1s on average over the last 5 minutes. # message: The response time of OpenBao is over 1s on average over the last 5 minutes.
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
# for: 5m # for: 5m
# labels: # labels:
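Review bot: in the example rules the `message` text now says OpenBao but `alert: vault-HighResponseTime` and the `vault_core_handle_request` metric in `expr` are unchanged. If the metric prefix really stays `vault_`, say so in a comment so readers do not "fix" it; if not, update the expression. Both example alerts also share the same name, which makes them hard to tell apart once firing.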

View file

@ -3,7 +3,7 @@
# name_prefix returns the prefix of the resources within Kubernetes. # name_prefix returns the prefix of the resources within Kubernetes.
name_prefix() { name_prefix() {
printf "vault" printf "openbao"
} }
# chart_dir returns the directory for the chart # chart_dir returns the directory for the chart
@ -11,7 +11,7 @@ chart_dir() {
echo ${BATS_TEST_DIRNAME}/../../charts/openbao echo ${BATS_TEST_DIRNAME}/../../charts/openbao
} }
# helm_install installs the vault chart. This will source overridable # helm_install installs the openbao chart. This will source overridable
# values from the "values.yaml" file in this directory. This can be set # values from the "values.yaml" file in this directory. This can be set
# by CI or other environments to do test-specific overrides. Note that its # by CI or other environments to do test-specific overrides. Note that its
# easily possible to break tests this way so be careful. # easily possible to break tests this way so be careful.
@ -22,11 +22,11 @@ helm_install() {
fi fi
helm install -f ${values} \ helm install -f ${values} \
--name vault \ --name openbao \
${BATS_TEST_DIRNAME}/../.. ${BATS_TEST_DIRNAME}/../..
} }
# helm_install_ha installs the vault chart using HA mode. This will source # helm_install_ha installs the openbao chart using HA mode. This will source
# overridable values from the "values.yaml" file in this directory. This can be # overridable values from the "values.yaml" file in this directory. This can be
# set by CI or other environments to do test-specific overrides. Note that its # set by CI or other environments to do test-specific overrides. Note that its
# easily possible to break tests this way so be careful. # easily possible to break tests this way so be careful.
@ -37,7 +37,7 @@ helm_install_ha() {
fi fi
helm install -f ${values} \ helm install -f ${values} \
--name vault \ --name openbao \
--set 'server.enabled=false' \ --set 'server.enabled=false' \
--set 'serverHA.enabled=true' \ --set 'serverHA.enabled=true' \
${BATS_TEST_DIRNAME}/../.. ${BATS_TEST_DIRNAME}/../..
@ -61,15 +61,15 @@ wait_for_sealed_vault() {
for i in $(seq 60); do for i in $(seq 60); do
if check ${POD_NAME}; then if check ${POD_NAME}; then
echo "Vault on ${POD_NAME} is running." echo "OpenBao on ${POD_NAME} is running."
return return
fi fi
echo "Waiting for Vault on ${POD_NAME} to be running..." echo "Waiting for OpenBao on ${POD_NAME} to be running..."
sleep 2 sleep 2
done done
echo "Vault on ${POD_NAME} never became running." echo "OpenBao on ${POD_NAME} never became running."
return 1 return 1
} }

View file

@ -1,13 +1,13 @@
# Copyright (c) HashiCorp, Inc. # Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0 # SPDX-License-Identifier: MPL-2.0
# The "Hello World" Vault SecretProviderClass # The "Hello World" OpenBao SecretProviderClass
apiVersion: secrets-store.csi.x-k8s.io/v1 apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass kind: SecretProviderClass
metadata: metadata:
name: vault-kv name: openbao-kv
spec: spec:
provider: vault provider: openbao
parameters: parameters:
roleName: "kv-role" roleName: "kv-role"
objects: | objects: |
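Review bot: `provider: vault` to `provider: openbao` in the SecretProviderClass only works if the CSI provider shipped by this chart registers itself with the secrets-store driver under the name "openbao". The driver matches this field against the registered provider name, so a mismatch fails the volume mount rather than falling back. Please confirm against the provider image used in the acceptance test. The HashiCorp copyright header at the top of the file is unchanged, which is correct for MPL-2.0 and should stay.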

View file

@ -18,10 +18,10 @@ load _helpers
--wait --timeout=5m \ --wait --timeout=5m \
--namespace=acceptance \ --namespace=acceptance \
--set linux.image.pullPolicy="IfNotPresent" \ --set linux.image.pullPolicy="IfNotPresent" \
--set tokenRequests[0].audience="vault" \ --set tokenRequests[0].audience="openbao" \
--set enableSecretRotation=true \ --set enableSecretRotation=true \
--set rotationPollInterval=5s --set rotationPollInterval=5s
# Install Vault and Vault provider # Install OpenBao and OpenBao provider
helm install openbao \ helm install openbao \
--wait --timeout=5m \ --wait --timeout=5m \
--namespace=acceptance \ --namespace=acceptance \
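Review bot: `tokenRequests[0].audience="openbao"` changes the audience of the service account tokens the CSI driver hands to the provider. That value has to match the audience the provider presents at login and any audience bound on the Kubernetes auth role created later in this test; if the provider still asks for "vault", the driver will have no token for it. Please verify the provider side is changed in the same commit.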
@ -35,7 +35,7 @@ load _helpers
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
# Set up k8s auth and a kv secret. # Set up k8s auth and a kv secret.
cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy - cat ./test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy -
kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
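Review bot: the policy line pipes into `openbao policy write kv-policy -` while every other command in this hunk calls the CLI as `bao` (`bao auth enable kubernetes`, `bao write auth/kubernetes/config`). Unless the image ships both names, this should be `bao policy write kv-policy -`. The file argument is also renamed to openbao-policy.hcl, so the fixture file has to be renamed in this commit as well.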
@ -46,7 +46,7 @@ load _helpers
ttl=20m ttl=20m
kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
@ -55,7 +55,7 @@ load _helpers
for i in $(seq 10); do for i in $(seq 10); do
sleep 2 sleep 2
if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
echo "Agent returned a cached login response" echo "Agent returned a cached login response"
return return
fi fi
@ -65,8 +65,8 @@ load _helpers
# Print the logs and fail the test # Print the logs and fail the test
echo "Failed to find a log for the Agent renewing CSI's auth token" echo "Failed to find a log for the Agent renewing CSI's auth token"
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
exit 1 exit 1
} }

View file

@ -38,5 +38,5 @@ spec:
- "/bin/sh" - "/bin/sh"
- "-ec" - "-ec"
args: args:
- "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout" - "/usr/bin/pg_dump $(cat /openbao/secrets/db-creds) --no-owner > /dev/stdout"
restartPolicy: Never restartPolicy: Never

View file

@ -38,7 +38,7 @@ spec:
- containerPort: 5432 - containerPort: 5432
env: env:
- name: POSTGRES_DB - name: POSTGRES_DB
value: mydb value: mydb
- name: POSTGRES_USER - name: POSTGRES_USER
value: postgres value: postgres
- name: POSTGRES_PASSWORD - name: POSTGRES_PASSWORD
@ -52,7 +52,7 @@ spec:
- name: pgdata - name: pgdata
emptyDir: {} emptyDir: {}
- name: pgconf - name: pgconf
configMap: configMap:
name: "pg-init" name: "pg-init"
--- ---
apiVersion: v1 apiVersion: v1
@ -63,10 +63,10 @@ metadata:
app: postgres app: postgres
data: data:
setup.sql: | setup.sql: |
CREATE ROLE vault; CREATE ROLE openbao;
ALTER ROLE vault WITH SUPERUSER LOGIN PASSWORD 'vault'; ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao';
\c mydb \c mydb
CREATE SCHEMA app; CREATE SCHEMA app;
CREATE TABLE app.inventory(id int); CREATE TABLE app.inventory(id int);
INSERT INTO app.inventory(id) VALUES (0); INSERT INTO app.inventory(id) VALUES (0);
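Review bot: `CREATE ROLE openbao` with `PASSWORD 'openbao'` changes the database credentials the test fixture creates, but the script that configures the database secrets engine against this Postgres instance is not part of this hunk. Please make sure the username and password used there are changed to match, otherwise the injector test fails at connection time rather than at an obvious place.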

View file

@ -17,7 +17,7 @@ load _helpers
--from-file ./test/acceptance/injector-test/pgdump-policy.hcl \ --from-file ./test/acceptance/injector-test/pgdump-policy.hcl \
--from-file ./test/acceptance/injector-test/bootstrap.sh --from-file ./test/acceptance/injector-test/bootstrap.sh
kubectl label secret test app=vault-agent-demo kubectl label secret test app=openbao-agent-demo
helm install "$(name_prefix)" \ helm install "$(name_prefix)" \
--set="server.extraVolumes[0].type=secret" \ --set="server.extraVolumes[0].type=secret" \

View file

@ -57,7 +57,7 @@ load _helpers
jq -r '.spec.ports[1].port') jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ] [ "${ports}" == "8201" ]
# Vault Init # OpenBao Init
local init=$(kubectl exec -ti "$(name_prefix)-0" -- \ local init=$(kubectl exec -ti "$(name_prefix)-0" -- \
bao operator init -format=json -n 1 -t 1) bao operator init -format=json -n 1 -t 1)
@ -72,7 +72,7 @@ load _helpers
sleep 5 sleep 5
# Vault Unseal # OpenBao Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do

View file

@ -56,14 +56,14 @@ load _helpers
jq -r '.spec.ports[1].port') jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ] [ "${ports}" == "8201" ]
# Vault Init # OpenBao Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
bao operator init -format=json -n 1 -t 1 | \ bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]') jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
# Vault Unseal # OpenBao Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
kubectl exec -ti ${pod} -- bao operator unseal ${token} kubectl exec -ti ${pod} -- bao operator unseal ${token}
@ -111,7 +111,7 @@ teardown() {
# If the test failed, print some debug output # If the test failed, print some debug output
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
kubectl logs -l app=consul kubectl logs -l app=consul
kubectl logs -l app.kubernetes.io/name=vault kubectl logs -l app.kubernetes.io/name=openbao
fi fi
helm delete openbao helm delete openbao
helm delete consul helm delete consul

View file

@ -27,13 +27,13 @@ load _helpers
# Sealed, not initialized # Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0 wait_for_sealed_vault $(name_prefix)-0
# Vault Init # OpenBao Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
bao operator init -format=json -n 1 -t 1 | \ bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]') jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
# Vault Unseal # OpenBao Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do
@ -62,7 +62,7 @@ load _helpers
-- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr ) -- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr )
# Ensure the expected job label was picked up by Prometheus # Ensure the expected job label was picked up by Prometheus
[ "$(echo "${job_labels}" | jq 'any(.data[]; . == "vault-internal")')" = "true" ] && break [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "openbao-internal")')" = "true" ] && break
((++tries)) ((++tries))
sleep .5 sleep .5
@ -72,7 +72,7 @@ load _helpers
# Ensure the expected job is "up" # Ensure the expected job is "up"
local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \ local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \
-c prometheus \ -c prometheus \
-- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="vault-internal"}' ) | \ -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="openbao-internal"}' ) | \
tee /dev/stderr ) tee /dev/stderr )
[ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ] [ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ]
} }

View file

@ -17,7 +17,7 @@ server:
} }
storage "file" { storage "file" {
path = "/vault/data" path = "/openbao/data"
} }
telemetry { telemetry {

View file

@ -78,7 +78,7 @@ load _helpers
jq -r '.unseal_keys_b64[0]') jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ] [ "${token}" != "" ]
# Vault Unseal # OpenBao Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}" for pod in "${pods[@]}"
do do

View file

@ -5,7 +5,7 @@ load _helpers
setup_file() { setup_file() {
cd `chart_dir` cd `chart_dir`
export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json"
export CHART_VOLUME=vault-helm-chart-src export CHART_VOLUME=openbao-helm-chart-src
local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1" local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1"
# chart-verifier requires an openshift version if a cluster isn't available # chart-verifier requires an openshift version if a cluster isn't available
local OPENSHIFT_VERSION="4.12" local OPENSHIFT_VERSION="4.12"

View file

@ -19,7 +19,7 @@ data "google_service_account" "gcpapi" {
} }
resource "google_container_cluster" "cluster" { resource "google_container_cluster" "cluster" {
name = "vault-helm-dev-${random_id.suffix.dec}" name = "openbao-helm-dev-${random_id.suffix.dec}"
project = "${var.project}" project = "${var.project}"
enable_legacy_abac = true enable_legacy_abac = true
initial_node_count = 3 initial_node_count = 3

View file

@ -2,7 +2,7 @@
# SPDX-License-Identifier: MPL-2.0 # SPDX-License-Identifier: MPL-2.0
variable "project" { variable "project" {
default = "vault-helm-dev-246514" default = "openbao-helm-dev-246514"
description = <<EOF description = <<EOF
Google Cloud Project to launch resources in. This project must have GKE Google Cloud Project to launch resources in. This project must have GKE
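Review bot: the `default` for `variable "project"` goes from "vault-helm-dev-246514" to "openbao-helm-dev-246514", which is a search-and-replace on a concrete GCP project ID rather than a name this repository controls. A default that points at a project ID nobody on the project owns will either fail or, worse, resolve to someone else's project. Suggest dropping the default so the variable must be supplied, or replacing it with an obvious placeholder.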

View file

@ -18,7 +18,7 @@ load _helpers
--set "csi.enabled=true" \ --set "csi.enabled=true" \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr) yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-agent-config" ] [ "${actual}" = "release-name-openbao-csi-provider-agent-config" ]
} }
@test "csi/Agent-ConfigMap: namespace" { @test "csi/Agent-ConfigMap: namespace" {
@ -40,25 +40,25 @@ load _helpers
[ "${actual}" = "bar" ] [ "${actual}" = "bar" ]
} }
@test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" { @test "csi/Agent-ConfigMap: OpenBao addr not affected by injector setting" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/csi-agent-configmap.yaml \ --show-only templates/csi-agent-configmap.yaml \
--set "csi.enabled=true" \ --set "csi.enabled=true" \
--release-name not-external-test \ --release-name not-external-test \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.data["config.hcl"]' | tee /dev/stderr) yq -r '.data["config.hcl"]' | tee /dev/stderr)
echo "${actual}" | grep "http://not-external-test-vault.default.svc:8200" echo "${actual}" | grep "http://not-external-test-openbao.default.svc:8200"
} }
@test "csi/Agent-ConfigMap: Vault addr correctly set for externalVaultAddr" { @test "csi/Agent-ConfigMap: OpenBao addr correctly set for externalVaultAddr" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/csi-agent-configmap.yaml \ --show-only templates/csi-agent-configmap.yaml \
--set "csi.enabled=true" \ --set "csi.enabled=true" \
--set 'global.externalVaultAddr=http://vault-outside' \ --set 'global.externalVaultAddr=http://openbao-outside' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.data["config.hcl"]' | tee /dev/stderr) yq -r '.data["config.hcl"]' | tee /dev/stderr)
echo "${actual}" | grep "http://vault-outside" echo "${actual}" | grep "http://openbao-outside"
} }
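Review bot: the test titles are renamed to "OpenBao addr ..." but the values keys stay `injector.externalVaultAddr` and `global.externalVaultAddr`, while elsewhere in this commit `ui.activeVaultPodOnly` is renamed to `activeOpenbaoPodOnly`. Please pick one policy for values keys (keep the Vault names for compatibility, or rename them all with a fallback) and apply it consistently. The second test title still reads "correctly set for externalVaultAddr", which is fine only if the key is meant to stay.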

View file

@ -29,5 +29,5 @@ load _helpers
--set "csi.enabled=true" \ --set "csi.enabled=true" \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr) yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] [ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ]
} }

View file

@ -29,7 +29,7 @@ load _helpers
--set "csi.enabled=true" \ --set "csi.enabled=true" \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.roleRef.name' | tee /dev/stderr) yq -r '.roleRef.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] [ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ]
} }
# ClusterRoleBinding service account name # ClusterRoleBinding service account name
@ -40,7 +40,7 @@ load _helpers
--set "csi.enabled=true" \ --set "csi.enabled=true" \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.subjects[0].name' | tee /dev/stderr) yq -r '.subjects[0].name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider" ] [ "${actual}" = "release-name-openbao-csi-provider" ]
} }
# ClusterRoleBinding service account namespace # ClusterRoleBinding service account namespace

View file

@ -81,7 +81,7 @@ load _helpers
--set "csi.enabled=true" \ --set "csi.enabled=true" \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider" ] [ "${actual}" = "release-name-openbao-csi-provider" ]
} }
# Image # Image
@ -666,7 +666,7 @@ load _helpers
local object=$(helm template \ local object=$(helm template \
--show-only templates/csi-daemonset.yaml \ --show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \ --set 'csi.enabled=true' \
--set 'global.externalVaultAddr=http://vault-outside' \ --set 'global.externalVaultAddr=http://openbao-outside' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
@ -682,7 +682,7 @@ load _helpers
--set 'csi.enabled=true' \ --set 'csi.enabled=true' \
--set 'csi.agent.enabled=false' \ --set 'csi.agent.enabled=false' \
--release-name not-external-test \ --release-name not-external-test \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
@ -697,13 +697,13 @@ load _helpers
--show-only templates/csi-daemonset.yaml \ --show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \ --set 'csi.enabled=true' \
--set 'csi.agent.enabled=false' \ --set 'csi.agent.enabled=false' \
--set 'global.externalVaultAddr=http://vault-outside' \ --set 'global.externalVaultAddr=http://openbao-outside' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://vault-outside" ] [ "${value}" = "http://openbao-outside" ]
} }
#-------------------------------------------------------------------- #--------------------------------------------------------------------
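Review bot: The selector `map(select(.name=="VAULT_ADDR"))` still keys on the Vault-named environment variable while only the expected value is renamed, so state whether `VAULT_ADDR` is intentionally left unchanged by this commit. Separately, `echo $object` in the context lines is unquoted, which lets the shell word-split and glob the rendered YAML before `yq` reads it; `echo "$object"` is safer.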

View file

@ -18,7 +18,7 @@ load _helpers
--set "csi.enabled=true" \ --set "csi.enabled=true" \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr) yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-role" ] [ "${actual}" = "release-name-openbao-csi-provider-role" ]
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/csi-role.yaml \ --show-only templates/csi-role.yaml \
--set "csi.enabled=true" \ --set "csi.enabled=true" \

View file

@ -18,7 +18,7 @@ load _helpers
--set "csi.enabled=true" \ --set "csi.enabled=true" \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr) yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-rolebinding" ] [ "${actual}" = "release-name-openbao-csi-provider-rolebinding" ]
} }
@test "csi/RoleBinding: namespace" { @test "csi/RoleBinding: namespace" {

View file

@ -29,7 +29,7 @@ load _helpers
--set "csi.enabled=true" \ --set "csi.enabled=true" \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr) yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider" ] [ "${actual}" = "release-name-openbao-csi-provider" ]
} }
# serviceAccountNamespace namespace # serviceAccountNamespace namespace

View file

@ -186,7 +186,7 @@ load _helpers
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "release-name-vault-agent-injector-cfg" ] [ "${value}" = "release-name-openbao-agent-injector-cfg" ]
# helm template does uses current context namespace and ignores namespace flags, so # helm template does uses current context namespace and ignores namespace flags, so
# discover the targeted namespace so we can check the rendered value correctly. # discover the targeted namespace so we can check the rendered value correctly.
@ -194,7 +194,7 @@ load _helpers
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.${namespace:-default},release-name-vault-agent-injector-svc.${namespace:-default}.svc" ] [ "${value}" = "release-name-openbao-agent-injector-svc,release-name-openbao-agent-injector-svc.${namespace:-default},release-name-openbao-agent-injector-svc.${namespace:-default}.svc" ]
} }
@test "injector/deployment: manual TLS adds volume mount" { @test "injector/deployment: manual TLS adds volume mount" {
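Review bot: The expected `AGENT_INJECT_TLS_AUTO_HOSTS` value repeats `release-name-openbao-agent-injector-svc` and `${namespace:-default}` three times inside one literal, which is exactly where a bulk rename can end up half applied without anyone noticing. Building the string from a local such as `svc="release-name-openbao-agent-injector-svc"` would keep the three host entries in step.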
@ -202,7 +202,7 @@ load _helpers
local object=$(helm template \ local object=$(helm template \
--show-only templates/injector-deployment.yaml \ --show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \ --set 'injector.enabled=true' \
--set 'injector.certs.secretName=vault-tls' \ --set 'injector.certs.secretName=openbao-tls' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "webhook-certs")' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "webhook-certs")' | tee /dev/stderr)
@ -219,40 +219,40 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local object=$(helm template \ local object=$(helm template \
--show-only templates/injector-deployment.yaml \ --show-only templates/injector-deployment.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://vault-outside" ] [ "${value}" = "http://openbao-outside" ]
} }
@test "injector/deployment: with global.externalVaultAddr" { @test "injector/deployment: with global.externalVaultAddr" {
cd `chart_dir` cd `chart_dir`
local object=$(helm template \ local object=$(helm template \
--show-only templates/injector-deployment.yaml \ --show-only templates/injector-deployment.yaml \
--set 'global.externalVaultAddr=http://vault-outside' \ --set 'global.externalVaultAddr=http://openbao-outside' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://vault-outside" ] [ "${value}" = "http://openbao-outside" ]
} }
@test "injector/deployment: global.externalVaultAddr takes precendence over injector.externalVaultAddr" { @test "injector/deployment: global.externalVaultAddr takes precendence over injector.externalVaultAddr" {
cd `chart_dir` cd `chart_dir`
local object=$(helm template \ local object=$(helm template \
--show-only templates/injector-deployment.yaml \ --show-only templates/injector-deployment.yaml \
--set 'global.externalVaultAddr=http://global-vault-outside' \ --set 'global.externalVaultAddr=http://global-openbao-outside' \
--set 'injector.externalVaultAddr=http://injector-vault-outside' \ --set 'injector.externalVaultAddr=http://injector-openbao-outside' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://global-vault-outside" ] [ "${value}" = "http://global-openbao-outside" ]
} }
@test "injector/deployment: without externalVaultAddr" { @test "injector/deployment: without externalVaultAddr" {
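Review bot: The title "global.externalVaultAddr takes precendence over injector.externalVaultAddr" misspells "precedence". This hunk already rewrites every value in that test, so fix the title in the same change; otherwise filtering with `bats -f "precedence"` will not select it.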
@ -266,7 +266,7 @@ load _helpers
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://not-external-test-vault.default.svc:8200" ] [ "${value}" = "http://not-external-test-openbao.default.svc:8200" ]
} }
@test "injector/deployment: default authPath" { @test "injector/deployment: default authPath" {

View file

@ -51,9 +51,9 @@ load _helpers
--show-only templates/injector-psp.yaml \ --show-only templates/injector-psp.yaml \
--set 'injector.enabled=true' \ --set 'injector.enabled=true' \
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
--set 'global.psp.annotations=vault-is: amazing' \ --set 'global.psp.annotations=openbao-is: amazing' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ] [ "${actual}" = "amazing" ]
} }
@ -63,8 +63,8 @@ load _helpers
--show-only templates/injector-psp.yaml \ --show-only templates/injector-psp.yaml \
--set 'injector.enabled=true' \ --set 'injector.enabled=true' \
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
--set 'global.psp.annotations.vault-is=amazing' \ --set 'global.psp.annotations.openbao-is=amazing' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ] [ "${actual}" = "amazing" ]
} }

View file

@ -76,8 +76,8 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/injector-service.yaml \ --show-only templates/injector-service.yaml \
--set 'injector.service.annotations=vaultIsAwesome: true' \ --set 'injector.service.annotations=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }

View file

@ -42,8 +42,8 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/injector-serviceaccount.yaml \ --show-only templates/injector-serviceaccount.yaml \
--set 'injector.serviceAccount.annotations=vaultIsAwesome: true' \ --set 'injector.serviceAccount.annotations=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }

View file

@ -32,7 +32,7 @@ load _helpers
[ "$(echo "$output" | yq -r '.spec.groups | length')" = "1" ] [ "$(echo "$output" | yq -r '.spec.groups | length')" = "1" ]
[ "$(echo "$output" | yq -r '.spec.groups[0] | length')" = "2" ] [ "$(echo "$output" | yq -r '.spec.groups[0] | length')" = "2" ]
[ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-vault" ] [ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-openbao" ]
[ "$(echo "$output" | yq -r '.spec.groups[0].rules | length')" = "2" ] [ "$(echo "$output" | yq -r '.spec.groups[0].rules | length')" = "2" ]
[ "$(echo "$output" | yq -r '.spec.groups[0].rules[0].foo')" = "bar" ] [ "$(echo "$output" | yq -r '.spec.groups[0].rules[0].foo')" = "bar" ]
[ "$(echo "$output" | yq -r '.spec.groups[0].rules[1].baz')" = "qux" ] [ "$(echo "$output" | yq -r '.spec.groups[0].rules[1].baz')" = "qux" ]

View file

@ -66,7 +66,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-clusterrolebinding.yaml \ --show-only templates/server-clusterrolebinding.yaml \
--set 'server.enabled=false' \ --set 'server.enabled=false' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]

View file

@ -134,7 +134,7 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-config-configmap.yaml \ --show-only templates/server-config-configmap.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]

View file

@ -27,7 +27,7 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'server.dev.enabled=true' \ --set 'server.dev.enabled=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
@ -184,7 +184,7 @@ load _helpers
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr) yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/vault/userconfig/foo" ] [ "${actual}" = "/openbao/userconfig/foo" ]
} }
@test "server/dev-StatefulSet: adds extra secret volume" { @test "server/dev-StatefulSet: adds extra secret volume" {
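Review bot: The expected `.mountPath` moves from `/vault/userconfig/foo` to `/openbao/userconfig/foo`, which is a change in rendered output rather than a label rename. Any user-supplied config that references files under `/vault/userconfig/` will stop resolving after an upgrade, so this needs an entry in the changelog or upgrade notes.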
@ -222,7 +222,7 @@ load _helpers
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr) yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/vault/userconfig/foo" ] [ "${actual}" = "/openbao/userconfig/foo" ]
} }
@test "server/dev-StatefulSet: no storageClass on claim by default" { @test "server/dev-StatefulSet: no storageClass on claim by default" {

View file

@ -7,9 +7,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \ --show-only templates/server-ha-active-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'server.service.annotations=vaultIsAwesome: true' \ --set 'server.service.annotations=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -18,9 +18,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \ --show-only templates/server-ha-active-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'server.service.active.annotations=vaultIsAwesome: true' \ --set 'server.service.active.annotations=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@test "server/ha-active-Service: with both annotations set" { @test "server/ha-active-Service: with both annotations set" {
@ -28,14 +28,14 @@ load _helpers
local object=$(helm template \ local object=$(helm template \
--show-only templates/server-ha-active-service.yaml \ --show-only templates/server-ha-active-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'server.service.active.annotations=vaultIsAwesome: true' \ --set 'server.service.active.annotations=openBaoIsAwesome: true' \
--set 'server.service.annotations=vaultIsNotAwesome: false' \ --set 'server.service.annotations=openbaoIsNotAwesome: false' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata' | tee /dev/stderr) yq -r '.metadata' | tee /dev/stderr)
local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr) local actual=$(echo "$object" | yq '.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr) actual=$(echo "$object" | yq '.annotations["openbaoIsNotAwesome"]' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
} }
@test "server/ha-active-Service: disable with ha.enabled false" { @test "server/ha-active-Service: disable with ha.enabled false" {
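Review bot: In the "with both annotations set" test the two annotation keys use different casing, `openBaoIsAwesome` and `openbaoIsNotAwesome`. The test still passes because each key is read back with the same spelling it was set with, but pick one form; the ha-standby version of this test carries the same pair.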
@ -192,7 +192,7 @@ load _helpers
[ "${actual}" = "null" ] [ "${actual}" = "null" ]
} }
@test "server/ha-active-Service: vault port name is http, when tlsDisable is true" { @test "server/ha-active-Service: openbao port name is http, when tlsDisable is true" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \ --show-only templates/server-ha-active-service.yaml \
@ -203,7 +203,7 @@ load _helpers
[ "${actual}" = "http" ] [ "${actual}" = "http" ]
} }
@test "server/ha-active-Service: vault port name is https, when tlsDisable is false" { @test "server/ha-active-Service: openbao port name is https, when tlsDisable is false" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \ --show-only templates/server-ha-active-service.yaml \

View file

@ -47,7 +47,7 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-disruptionbudget.yaml \ --show-only templates/server-disruptionbudget.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]

View file

@ -7,9 +7,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \ --show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'server.service.annotations=vaultIsAwesome: true' \ --set 'server.service.annotations=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -18,9 +18,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \ --show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'server.service.annotations.vaultIsAwesome=true' \ --set 'server.service.annotations.openBaoIsAwesome=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -29,9 +29,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \ --show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'server.service.standby.annotations=vaultIsAwesome: true' \ --set 'server.service.standby.annotations=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -40,9 +40,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \ --show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'server.service.standby.annotations.vaultIsAwesome=true' \ --set 'server.service.standby.annotations.openBaoIsAwesome=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@test "server/ha-standby-Service: with both annotations set" { @test "server/ha-standby-Service: with both annotations set" {
@ -50,14 +50,14 @@ load _helpers
local object=$(helm template \ local object=$(helm template \
--show-only templates/server-ha-standby-service.yaml \ --show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'server.service.standby.annotations=vaultIsAwesome: true' \ --set 'server.service.standby.annotations=openBaoIsAwesome: true' \
--set 'server.service.annotations=vaultIsNotAwesome: false' \ --set 'server.service.annotations=openbaoIsNotAwesome: false' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata' | tee /dev/stderr) yq -r '.metadata' | tee /dev/stderr)
local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr) local actual=$(echo "$object" | yq '.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr) actual=$(echo "$object" | yq '.annotations["openbaoIsNotAwesome"]' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
} }
@test "server/ha-standby-Service: disable with ha.enabled false" { @test "server/ha-standby-Service: disable with ha.enabled false" {
@ -214,7 +214,7 @@ load _helpers
[ "${actual}" = "null" ] [ "${actual}" = "null" ]
} }
@test "server/ha-standby-Service: vault port name is http, when tlsDisable is true" { @test "server/ha-standby-Service: openbao port name is http, when tlsDisable is true" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \ --show-only templates/server-ha-standby-service.yaml \
@ -225,7 +225,7 @@ load _helpers
[ "${actual}" = "http" ] [ "${actual}" = "http" ]
} }
@test "server/ha-standby-Service: vault port name is https, when tlsDisable is false" { @test "server/ha-standby-Service: openbao port name is https, when tlsDisable is false" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \ --show-only templates/server-ha-standby-service.yaml \

View file

@ -27,7 +27,7 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
@ -266,7 +266,7 @@ load _helpers
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr) yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/vault/userconfig/foo" ] [ "${actual}" = "/openbao/userconfig/foo" ]
} }
@test "server/ha-StatefulSet: adds extra volume custom mount path" { @test "server/ha-StatefulSet: adds extra volume custom mount path" {
@ -347,7 +347,7 @@ load _helpers
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr) yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/vault/userconfig/foo" ] [ "${actual}" = "/openbao/userconfig/foo" ]
} }
#-------------------------------------------------------------------- #--------------------------------------------------------------------
@ -450,7 +450,7 @@ load _helpers
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] [ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ]
} }
@test "server/ha-StatefulSet: clusterAddr set to null" { @test "server/ha-StatefulSet: clusterAddr set to null" {
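Review bot: The expected `VAULT_CLUSTER_ADDR` host changes from `release-name-vault-internal` to `release-name-openbao-internal`, so the rendered internal service name differs for the same release name. For HA deployments that affects upgrades and should be documented with the rename, together with the fact that the variable name itself stays `VAULT_CLUSTER_ADDR`.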
@ -465,7 +465,7 @@ load _helpers
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] [ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ]
} }
@test "server/ha-StatefulSet: clusterAddr set to custom url" { @test "server/ha-StatefulSet: clusterAddr set to custom url" {
@ -489,18 +489,18 @@ load _helpers
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'server.ha.raft.enabled=true' \ --set 'server.ha.raft.enabled=true' \
--set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \ --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-openbao-internal:8201' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object | local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] [ "${value}" = 'http://$(HOSTNAME).release-name-openbao-internal:8201' ]
} }
@test "server/ha-StatefulSet: clusterAddr gets quoted" { @test "server/ha-StatefulSet: clusterAddr gets quoted" {
cd `chart_dir` cd `chart_dir`
local customUrl='http://$(HOSTNAME).release-name-vault-internal:8201' local customUrl='http://$(HOSTNAME).release-name-openbao-internal:8201'
local rendered=$(helm template \ local rendered=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
@ -511,7 +511,7 @@ load _helpers
local value=$(echo $rendered | local value=$(echo $rendered |
yq -Y '.' | tee /dev/stderr) yq -Y '.' | tee /dev/stderr)
[ "${value}" = 'value: "http://$(HOSTNAME).release-name-vault-internal:8201"' ] [ "${value}" = 'value: "http://$(HOSTNAME).release-name-openbao-internal:8201"' ]
} }
#-------------------------------------------------------------------- #--------------------------------------------------------------------

View file

@ -35,7 +35,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-ingress.yaml \ --show-only templates/server-ingress.yaml \
--set 'server.ingress.enabled=true' \ --set 'server.ingress.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
@ -62,7 +62,7 @@ load _helpers
[ "${actual}" = '/' ] [ "${actual}" = '/' ]
} }
@test "server/ingress: vault backend should be added when I specify a path" { @test "server/ingress: openbao backend should be added when I specify a path" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
@ -184,7 +184,7 @@ load _helpers
--set 'server.service.enabled=true' \ --set 'server.service.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-active" ] [ "${actual}" = "release-name-openbao-active" ]
} }
@test "server/ingress: uses regular service when configured with ha - yaml" { @test "server/ingress: uses regular service when configured with ha - yaml" {
@ -199,7 +199,7 @@ load _helpers
--set 'server.service.enabled=true' \ --set 'server.service.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ] [ "${actual}" = "release-name-openbao" ]
} }
@test "server/ingress: uses regular service when not ha - yaml" { @test "server/ingress: uses regular service when not ha - yaml" {
@ -213,7 +213,7 @@ load _helpers
--set 'server.service.enabled=true' \ --set 'server.service.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ] [ "${actual}" = "release-name-openbao" ]
} }
@test "server/ingress: k8s 1.26.3 uses correct service format when not ha - yaml" { @test "server/ingress: k8s 1.26.3 uses correct service format when not ha - yaml" {
@ -228,7 +228,7 @@ load _helpers
--kube-version 1.26.3 \ --kube-version 1.26.3 \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ] [ "${actual}" = "release-name-openbao" ]
} }
@test "server/ingress: uses regular service when not ha and activeService is true - yaml" { @test "server/ingress: uses regular service when not ha and activeService is true - yaml" {
@ -243,7 +243,7 @@ load _helpers
--set 'server.service.enabled=true' \ --set 'server.service.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ] [ "${actual}" = "release-name-openbao" ]
} }
@test "server/ingress: pathType is added to Kubernetes version == 1.26.3" { @test "server/ingress: pathType is added to Kubernetes version == 1.26.3" {

View file

@ -86,27 +86,27 @@ load _helpers
--show-only templates/server-psp.yaml \ --show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \ --set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
--set 'global.psp.annotations=vault-is: amazing' \ --set 'global.psp.annotations=openbao-is: amazing' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ] [ "${actual}" = "amazing" ]
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-psp.yaml \ --show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
--set 'global.psp.annotations=vault-is: amazing' \ --set 'global.psp.annotations=openbao-is: amazing' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ] [ "${actual}" = "amazing" ]
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-psp.yaml \ --show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \ --set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
--set 'global.psp.annotations=vault-is: amazing' \ --set 'global.psp.annotations=openbao-is: amazing' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ] [ "${actual}" = "amazing" ]
} }
@ -116,27 +116,27 @@ load _helpers
--show-only templates/server-psp.yaml \ --show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \ --set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
--set 'global.psp.annotations.vault-is=amazing' \ --set 'global.psp.annotations.openbao-is=amazing' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ] [ "${actual}" = "amazing" ]
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-psp.yaml \ --show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
--set 'global.psp.annotations.vault-is=amazing' \ --set 'global.psp.annotations.openbao-is=amazing' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ] [ "${actual}" = "amazing" ]
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-psp.yaml \ --show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \ --set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \ --set 'global.psp.enable=true' \
--set 'global.psp.annotations.vault-is=amazing' \ --set 'global.psp.annotations.openbao-is=amazing' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ] [ "${actual}" = "amazing" ]
} }

View file

@ -18,7 +18,7 @@ load _helpers
--show-only templates/server-route.yaml \ --show-only templates/server-route.yaml \
--set 'global.openshift=true' \ --set 'global.openshift=true' \
--set 'server.route.enabled=true' \ --set 'server.route.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
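Review bot: The `--set` key on the changed line is still `injector.externalVaultAddr`; only the host in its value became `openbao-outside`. The same commit renames `ui.activeVaultPodOnly` to `ui.activeOpenbaoPodOnly`, so the values API ends up half renamed. Either rename this key as well (together with the template and values.yaml), or keep the existing keys throughout and say in the commit message that values keys stay stable.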
@ -57,7 +57,7 @@ load _helpers
[ "${actual}" = 'test.com' ] [ "${actual}" = 'test.com' ]
} }
@test "server/route: OpenShift - vault backend should be added when I specify a path" { @test "server/route: OpenShift - openbao backend should be added when I specify a path" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
@ -120,7 +120,7 @@ load _helpers
--set 'server.route.enabled=true' \ --set 'server.route.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.to.name' | tee /dev/stderr) yq -r '.spec.to.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ] [ "${actual}" = "release-name-openbao" ]
} }
@test "server/route: OpenShift - route points to main service when not ha and activeService is true" { @test "server/route: OpenShift - route points to main service when not ha and activeService is true" {
@ -133,7 +133,7 @@ load _helpers
--set 'server.route.activeService=true' \ --set 'server.route.activeService=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.to.name' | tee /dev/stderr) yq -r '.spec.to.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ] [ "${actual}" = "release-name-openbao" ]
} }
@test "server/route: OpenShift - route points to active service by when HA by default" { @test "server/route: OpenShift - route points to active service by when HA by default" {
@ -146,7 +146,7 @@ load _helpers
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.to.name' | tee /dev/stderr) yq -r '.spec.to.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-active" ] [ "${actual}" = "release-name-openbao-active" ]
} }
@test "server/route: OpenShift - route points to general service by when HA when configured" { @test "server/route: OpenShift - route points to general service by when HA when configured" {
@ -160,7 +160,7 @@ load _helpers
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.to.name' | tee /dev/stderr) yq -r '.spec.to.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ] [ "${actual}" = "release-name-openbao" ]
} }
@test "server/route: OpenShift - route termination mode set to default passthrough" { @test "server/route: OpenShift - route termination mode set to default passthrough" {

View file

@ -137,7 +137,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-service.yaml \ --show-only templates/server-service.yaml \
--set 'server.dev.enabled=true' \ --set 'server.dev.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'server.service.enabled=true' \ --set 'server.service.enabled=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
@ -146,7 +146,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-service.yaml \ --show-only templates/server-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'server.service.enabled=true' \ --set 'server.service.enabled=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
@ -155,7 +155,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-service.yaml \ --show-only templates/server-service.yaml \
--set 'server.standalone.enabled=true' \ --set 'server.standalone.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'server.service.enabled=true' \ --set 'server.service.enabled=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
@ -166,9 +166,9 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-service.yaml \ --show-only templates/server-service.yaml \
--set 'server.service.annotations=vaultIsAwesome: true' \ --set 'server.service.annotations=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -389,7 +389,7 @@ load _helpers
[ "${actual}" = "null" ] [ "${actual}" = "null" ]
} }
@test "server/Service: vault port name is http, when tlsDisable is true" { @test "server/Service: openbao port name is http, when tlsDisable is true" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
@ -400,7 +400,7 @@ load _helpers
[ "${actual}" = "http" ] [ "${actual}" = "http" ]
} }
@test "server/Service: vault port name is https, when tlsDisable is false" { @test "server/Service: openbao port name is https, when tlsDisable is false" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \

View file

@ -28,7 +28,7 @@ load _helpers
--set 'server.serviceAccount.createSecret=true' \ --set 'server.serviceAccount.createSecret=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr) yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-token" ] [ "${actual}" = "release-name-openbao-token" ]
} }
@ -50,7 +50,7 @@ load _helpers
--set 'server.serviceAccount.createSecret=true' \ --set 'server.serviceAccount.createSecret=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ] [ "${actual}" = "release-name-openbao" ]
} }

View file

@ -26,7 +26,7 @@ load _helpers
--set 'server.dev.enabled=true' \ --set 'server.dev.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr) yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ] [ "${actual}" = "release-name-openbao" ]
} }
@ -115,7 +115,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-service.yaml \ --show-only templates/server-service.yaml \
--set 'server.dev.enabled=true' \ --set 'server.dev.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
@ -123,7 +123,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-service.yaml \ --show-only templates/server-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
@ -131,7 +131,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-service.yaml \ --show-only templates/server-service.yaml \
--set 'server.standalone.enabled=true' \ --set 'server.standalone.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]

View file

@ -71,7 +71,7 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'server.standalone.enabled=true' \ --set 'server.standalone.enabled=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
@ -421,7 +421,7 @@ load _helpers
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr) yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/vault/userconfig/foo" ] [ "${actual}" = "/openbao/userconfig/foo" ]
local object=$(helm template \ local object=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
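Review bot: The expected `mountPath` moving from `/vault/userconfig/foo` to `/openbao/userconfig/foo` changes the container filesystem layout, not just a name. Any user-supplied server config that references files under `/vault/userconfig/` through `server.extraVolumes` will point at a path that no longer exists after an upgrade. Call this out as a breaking change in the changelog and README, and check that the example configs shipped with the chart use the new prefix.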
@ -437,7 +437,7 @@ load _helpers
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr) yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/vault/userconfig/foo" ] [ "${actual}" = "/openbao/userconfig/foo" ]
} }
@test "server/standalone-StatefulSet: server.extraVolumes adds extra secret volume" { @test "server/standalone-StatefulSet: server.extraVolumes adds extra secret volume" {
@ -489,7 +489,7 @@ load _helpers
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr) yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/vault/userconfig/foo" ] [ "${actual}" = "/openbao/userconfig/foo" ]
local object=$(helm template \ local object=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
@ -505,7 +505,7 @@ load _helpers
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr) yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/vault/userconfig/foo" ] [ "${actual}" = "/openbao/userconfig/foo" ]
} }
@test "server/standalone-StatefulSet: can mount audit" { @test "server/standalone-StatefulSet: can mount audit" {
@ -1571,7 +1571,7 @@ load _helpers
[[ "${actual}" = "sleep 10 &&"* ]] [[ "${actual}" = "sleep 10 &&"* ]]
} }
@test "server/standalone-StatefulSet: vault port name is http, when tlsDisable is true" { @test "server/standalone-StatefulSet: openbao port name is http, when tlsDisable is true" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
@ -1582,7 +1582,7 @@ load _helpers
[ "${actual}" = "http" ] [ "${actual}" = "http" ]
} }
@test "server/standalone-StatefulSet: vault replication port name is http-rep, when tlsDisable is true" { @test "server/standalone-StatefulSet: openbao replication port name is http-rep, when tlsDisable is true" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
@ -1593,7 +1593,7 @@ load _helpers
[ "${actual}" = "http-rep" ] [ "${actual}" = "http-rep" ]
} }
@test "server/standalone-StatefulSet: vault port name is https, when tlsDisable is false" { @test "server/standalone-StatefulSet: openbao port name is https, when tlsDisable is false" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
@ -1604,7 +1604,7 @@ load _helpers
[ "${actual}" = "https" ] [ "${actual}" = "https" ]
} }
@test "server/standalone-StatefulSet: vault replication port name is https-rep, when tlsDisable is false" { @test "server/standalone-StatefulSet: openbao replication port name is https-rep, when tlsDisable is false" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
@ -1621,9 +1621,9 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.annotations=vaultIsAwesome: true' \ --set 'server.annotations=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.spec.template.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -1632,9 +1632,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.auditStorage.enabled=true' \ --set 'server.auditStorage.enabled=true' \
--set 'server.auditStorage.annotations=vaultIsAwesome: true' \ --set 'server.auditStorage.annotations=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -1643,9 +1643,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.dataStorage.enabled=true' \ --set 'server.dataStorage.enabled=true' \
--set 'server.dataStorage.annotations=vaultIsAwesome: true' \ --set 'server.dataStorage.annotations=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -1654,9 +1654,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.auditStorage.enabled=true' \ --set 'server.auditStorage.enabled=true' \
--set 'server.auditStorage.annotations.vaultIsAwesome=true' \ --set 'server.auditStorage.annotations.openBaoIsAwesome=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -1665,9 +1665,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.dataStorage.enabled=true' \ --set 'server.dataStorage.enabled=true' \
--set 'server.dataStorage.annotations.vaultIsAwesome=true' \ --set 'server.dataStorage.annotations.openBaoIsAwesome=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -1675,9 +1675,9 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.annotations.vaultIsAwesome=true' \ --set 'server.annotations.openBaoIsAwesome=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.spec.template.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -1812,67 +1812,11 @@ load _helpers
--set 'server.serviceAccount.create=true' \ --set 'server.serviceAccount.create=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
[ "${actual}" = "release-name-vault" ] [ "${actual}" = "release-name-openbao" ]
} }
#--------------------------------------------------------------------
# enterprise license autoload support
@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-statefulset.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr)
[ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ]
}
@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-statefulset.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr)
[ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ]
}
@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-statefulset.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
[ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ]
}
@test "server/StatefulSet: blank secretName does not set env var" {
cd `chart_dir`
# setting secretName=null
local actual=$(helm template \
-s templates/server-statefulset.yaml \
--set 'server.enterpriseLicense.secretName=null' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
[ "${actual}" = '' ]
# omitting secretName
local actual=$(helm template \
-s templates/server-statefulset.yaml \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
[ "${actual}" = '' ]
}
#-------------------------------------------------------------------- #--------------------------------------------------------------------
# securityContext # securityContext
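Review bot: Dropping the four `server.enterpriseLicense.*` tests is only safe if the template logic they covered is removed in the same commit. If templates/server-statefulset.yaml still renders the `vault-license` volume, its mount at `/vault/license`, or the `VAULT_LICENSE_PATH` env var when `secretName` is set, that path is now untested and not renamed, and it mounts a Secret into the pod. Confirm the template block and the `server.enterpriseLicense` values are gone, or keep one test asserting that setting those values renders nothing.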
@ -2036,9 +1980,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.auditStorage.enabled=true' \ --set 'server.auditStorage.enabled=true' \
--set 'server.auditStorage.labels=vaultIsAwesome: true' \ --set 'server.auditStorage.labels=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.volumeClaimTemplates[1].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.spec.volumeClaimTemplates[1].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -2047,9 +1991,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.dataStorage.enabled=true' \ --set 'server.dataStorage.enabled=true' \
--set 'server.dataStorage.labels=vaultIsAwesome: true' \ --set 'server.dataStorage.labels=openBaoIsAwesome: true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.spec.volumeClaimTemplates[0].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -2058,9 +2002,9 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.auditStorage.enabled=true' \ --set 'server.auditStorage.enabled=true' \
--set 'server.auditStorage.labels.vaultIsAwesome=true' \ --set 'server.auditStorage.labels.openBaoIsAwesome=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.volumeClaimTemplates[1].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.spec.volumeClaimTemplates[1].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@ -2069,8 +2013,8 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/server-statefulset.yaml \ --show-only templates/server-statefulset.yaml \
--set 'server.dataStorage.enabled=true' \ --set 'server.dataStorage.enabled=true' \
--set 'server.dataStorage.labels.vaultIsAwesome=true' \ --set 'server.dataStorage.labels.openBaoIsAwesome=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) yq -r '.spec.volumeClaimTemplates[0].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }

View file

@ -43,12 +43,12 @@ load _helpers
--show-only templates/tests/server-test.yaml \ --show-only templates/tests/server-test.yaml \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr) yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-server-test" ] [ "${actual}" = "release-name-openbao-server-test" ]
} }
@test "server/standalone-server-test-Pod: release metadata.name vault" { @test "server/standalone-server-test-Pod: release metadata.name vault" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template vault \ local actual=$(helm template openbao \
--show-only templates/tests/server-test.yaml \ --show-only templates/tests/server-test.yaml \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr) yq -r '.metadata.name' | tee /dev/stderr)
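Review bot: The test title on the unchanged line still reads `release metadata.name vault` although the release name passed to `helm template` is now `openbao`. Rename the title to match, and check that the assertion following this hunk expects the name produced for a release called `openbao`, since that line is not among the changes shown here.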
@ -119,7 +119,7 @@ load _helpers
cd `chart_dir` cd `chart_dir`
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/tests/server-test.yaml \ --show-only templates/tests/server-test.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'server.standalone.enabled=true' \ --set 'server.standalone.enabled=true' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)

View file

@ -70,7 +70,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/ui-service.yaml \ --show-only templates/ui-service.yaml \
--set 'server.dev.enabled=true' \ --set 'server.dev.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
@ -78,7 +78,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/ui-service.yaml \ --show-only templates/ui-service.yaml \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
@ -86,7 +86,7 @@ load _helpers
local actual=$( (helm template \ local actual=$( (helm template \
--show-only templates/ui-service.yaml \ --show-only templates/ui-service.yaml \
--set 'server.standalone.enabled=true' \ --set 'server.standalone.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \ --set 'injector.externalVaultAddr=http://openbao-outside' \
. || echo "---") | tee /dev/stderr | . || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr) yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ] [ "${actual}" = "false" ]
@ -311,7 +311,7 @@ load _helpers
--show-only templates/ui-service.yaml \ --show-only templates/ui-service.yaml \
--set 'ui.enabled=true' \ --set 'ui.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr)
[ "${actual}" = "null" ] [ "${actual}" = "null" ]
} }
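Review bot: The selector key asserted here changes from `vault-active` to `openbao-active`, and that only works if the pods actually carry a label with that name. Confirm that whatever labels the active pod emits `openbao-active` in the image version this chart pins; if it still writes `vault-active`, a Service selecting on the new key will match no pods. This test expects `null`, so it cannot catch that mismatch; an acceptance test against a running HA cluster would.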
@ -320,19 +320,19 @@ load _helpers
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/ui-service.yaml \ --show-only templates/ui-service.yaml \
--set 'ui.enabled=true' \ --set 'ui.enabled=true' \
--set 'ui.activeVaultPodOnly=true' \ --set 'ui.activeOpenbaoPodOnly=true' \
--set 'server.dev.enabled=true' \ --set 'server.dev.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr)
[ "${actual}" = 'null' ] [ "${actual}" = 'null' ]
local actual=$(helm template \ local actual=$(helm template \
--show-only templates/ui-service.yaml \ --show-only templates/ui-service.yaml \
--set 'ui.enabled=true' \ --set 'ui.enabled=true' \
--set 'ui.activeVaultPodOnly=true' \ --set 'ui.activeOpenbaoPodOnly=true' \
--set 'server.ha.enabled=true' \ --set 'server.ha.enabled=true' \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr)
[ "${actual}" = 'true' ] [ "${actual}" = 'true' ]
} }
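Review bot: `ui.activeVaultPodOnly` becoming `ui.activeOpenbaoPodOnly` is a user-facing values rename, and Helm ignores unknown keys unless a values schema forbids them, so an existing values file that still sets the old key will silently get a UI Service without the active-pod selector. Document the rename as breaking, or accept the old key as a deprecated alias. The casing is also inconsistent with the `openBaoIsAwesome` keys used elsewhere in these tests (`Openbao` versus `OpenBao`); pick one.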