From b69e3d927641944a0f68c7def3bb71fa9f9bdb8c Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 27 Sep 2021 21:40:09 -0700 Subject: [PATCH 01/19] vault-helm default branch is now `main` (#618) Updated the circleci config to use the `main` branch, and also changed a couple mentions in the contributing guide. --- .circleci/config.yml | 4 ++-- CONTRIBUTING.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index dd0dc63..f4a0ba8 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -77,7 +77,7 @@ jobs: -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true @@ -94,7 +94,7 @@ workflows: - bats-unit-test filters: branches: - only: master + only: main update-helm-charts-index: jobs: - update-helm-charts-index: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f83d567..f1c1600 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -26,7 +26,7 @@ quickly merge or address your contributions. * Make sure you test against the latest released version. It is possible we already fixed the bug you're experiencing. Even better is if you can test - against `master`, as bugs are fixed regularly but new versions are only + against `main`, as bugs are fixed regularly but new versions are only released every few months. * Provide steps to reproduce the issue, and if possible include the expected 
@@ -121,7 +121,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to start from a clean slate. **Note:** There is a Terraform configuration in the -[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/master/test/terraform) directory +[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory that can be used to quickly bring up a GKE cluster and configure `kubectl` and `helm` locally. This can be used to quickly spin up a test cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes From 5dfc3515c1712bba3239a3f0d781ecad5c939e99 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 29 Sep 2021 16:28:37 -0700 Subject: [PATCH 02/19] vault-helm 0.16.1 release (#619) --- CHANGELOG.md | 6 ++++++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 6 +++--- 6 files changed, 18 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a71e8fc..5208330 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ ## Unreleased +## 0.16.1 (September 29th, 2021) + +CHANGES: +* Vault image default 1.8.3 +* Vault K8s image default 0.13.1 + ## 0.16.0 (September 16th, 2021) CHANGES: diff --git a/Chart.yaml b/Chart.yaml index 8507580..80c87c8 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.16.0 -appVersion: 1.8.2 +version: 0.16.1 +appVersion: 1.8.3 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 5954c32..f50f87f 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.2_ent' \ + --set='server.image.tag=1.8.3_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.2_ent' \ + --set='server.image.tag=1.8.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 923fff7..abb7bea 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.2_ent' \ + --set='server.image.tag=1.8.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.2_ent' \ + --set='server.image.tag=1.8.3_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index f02e9a9..4739231 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.13.0-ubi" + tag: "0.13.1-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.2-ubi" + tag: "1.8.3-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.2-ubi" + tag: "1.8.3-ubi" diff --git a/values.yaml b/values.yaml index 7d5d046..5d894fa 100644 --- a/values.yaml +++ b/values.yaml @@ -59,7 +59,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.13.0" + tag: "0.13.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -67,7 +67,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.8.2" + tag: "1.8.3" # The default values for the injected Vault Agent containers. agentDefaults: @@ -230,7 +230,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.8.2" + tag: "1.8.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 97586662620ff66f961a8f2a99cf713a6f6c72e6 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 29 Sep 2021 18:01:14 -0700 Subject: [PATCH 03/19] fix chart publish job (#620) The branch parameter isn't for this repo --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index f4a0ba8..8de4c83 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -77,7 +77,7 @@ jobs: -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true From 72c485dd2c1e87c1e9fc193c0983b046656420d5 Mon Sep 17 00:00:00 2001 From: Vladislav Rumjantsev <13906830+vrumjantsev@users.noreply.github.com> Date: Sat, 9 Oct 2021 03:13:21 +0300 Subject: [PATCH 04/19] ingress stable networking api (#590) * Moved ingress to stable networking api * lower versions support * ingress disabled by default * added tests for old k8s --- templates/server-ingress.yaml | 12 +++++++++++- test/unit/server-ingress.bats | 31 +++++++++++++++++++++++-------- values.yaml | 6 ++++-- 3 files changed, 38 insertions(+), 11 deletions(-) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 9da020e..cc4f66d 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -8,7 +8,10 @@ {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} -{{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} +{{- $kubeVersion := .Capabilities.KubeVersion.Version }} +{{ if semverCompare ">= 1.19.0-0" $kubeVersion }} +apiVersion: networking.k8s.io/v1 +{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} apiVersion: networking.k8s.io/v1beta1 {{ else }} apiVersion: extensions/v1beta1 
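Review bot: The new `networking.k8s.io/v1` branch in templates/server-ingress.yaml is chosen by `semverCompare ">= 1.19.0-0" $kubeVersion`, while the branch right after it still probes `.Capabilities.APIVersions.Has`, so the two branches decide on different evidence. Asking for the API directly, `{{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}`, would keep the chain consistent and follow what the cluster actually serves. The same version test is repeated for the backend block in the `@@ -48,8 +51,15 @@` hunk, so the two would have to change together. If the version test stays, a template comment such as `{{/* Ingress is served from networking.k8s.io/v1 starting with Kubernetes 1.19 */}}` would explain the constant.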
@@ -48,8 +51,15 @@ spec: {{- range (.paths | default (list "/")) }} - path: {{ . }} backend: + {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{ else }} serviceName: {{ $serviceName }} servicePort: {{ $servicePort }} + {{ end }} {{- end }} {{- end }} {{- end }} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 68183a5..46794a4 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -52,7 +52,7 @@ load _helpers --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName | length > 0' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name | length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -66,9 +66,9 @@ load _helpers --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ --set 'server.ingress.extraPaths[0].path=/annotation-service' \ - --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + --set 'server.ingress.extraPaths[0].backend.service.name=ssl-redirect' \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = 'ssl-redirect' ] local actual=$(helm template \ @@ -77,7 +77,7 @@ load _helpers --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ --set 'server.ingress.extraPaths[0].path=/annotation-service' \ - --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + --set 'server.ingress.extraPaths[0].backend.service.name=ssl-redirect' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].path' | tee /dev/stderr) [ "${actual}" = '/annotation-service' ] 
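Review bot: The `networking.k8s.io/v1` backend added under `- path: {{ . }}` in the `@@ -48,8 +51,15 @@` hunk of templates/server-ingress.yaml is rendered without a `pathType`, which the v1 Ingress API requires on every path. On 1.19+ clusters the manifest is therefore likely to be rejected at apply time, even though `helm template` and the updated bats assertions pass. Adding `pathType: Prefix` next to `path:` inside the same `semverCompare` guard, or exposing it as a value, would close that gap. Entries supplied through `server.ingress.extraPaths` are not rendered in this hunk and would need the same check.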
@@ -88,7 +88,7 @@ load _helpers --set 'server.ingress.hosts[0].host=test.com' \ --set 'server.ingress.hosts[0].paths[0]=/' \ --set 'server.ingress.extraPaths[0].path=/annotation-service' \ - --set 'server.ingress.extraPaths[0].backend.serviceName=ssl-redirect' \ + --set 'server.ingress.extraPaths[0].backend.service.name=ssl-redirect' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[1].path' | tee /dev/stderr) [ "${actual}" = '/' ] @@ -141,7 +141,7 @@ load _helpers --set 'server.ha.enabled=true' \ --set 'server.service.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault-active" ] } @@ -156,7 +156,7 @@ load _helpers --set 'server.ha.enabled=true' \ --set 'server.service.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } @@ -170,6 +170,21 @@ load _helpers --set 'server.ha.enabled=false' \ --set 'server.service.enabled=true' \ . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault" ] +} + +@test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'server.dev.enabled=false' \ + --set 'server.ha.enabled=false' \ + --set 'server.service.enabled=true' \ + --kube-version 1.18.3 \ + . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } 
@@ -185,6 +200,6 @@ load _helpers --set 'server.ha.enabled=false' \ --set 'server.service.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) + yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } diff --git a/values.yaml b/values.yaml index 5d894fa..32c59c4 100644 --- a/values.yaml +++ b/values.yaml @@ -281,8 +281,10 @@ server: extraPaths: [] # - path: /* # backend: - # serviceName: ssl-redirect - # servicePort: use-annotation + # service: + # name: ssl-redirect + # port: + # number: use-annotation tls: [] # - secretName: chart-example-tls # hosts: From ffd50861575c1ec130a38b5030e1b2c43baef639 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 11 Oct 2021 02:28:37 -0700 Subject: [PATCH 05/19] changelog++ (#623) --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5208330..076aff0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Improvements: +* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) + ## 0.16.1 (September 29th, 2021) CHANGES: From 96b8c98b3b7c6db1a7eb59acc85650fc6322cc3e Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 11 Oct 2021 14:12:55 -0700 Subject: [PATCH 06/19] Updating acceptance tests (#624) GKE's stable K8s version is now 1.19. Also adding VAULT_LICENSE_CI to the `make test-acceptance` target to make it easier to run the acceptance tests manually, and mentioned it in the test README. --- Makefile | 1 + test/README.md | 2 ++ test/terraform/main.tf | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index e4e9df1..0ac6850 100644 --- a/Makefile +++ b/Makefile 
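Review bot: The rewritten `extraPaths` example in values.yaml puts a port name under `number:`, but in the `networking.k8s.io/v1` backend `port.number` is an integer and a named port belongs under `port.name`, so the example as written yields an invalid Ingress. The last commented line should read `#         name: use-annotation` instead of `#         number: use-annotation`. The template still emits the old `serviceName`/`servicePort` form below Kubernetes 1.19, and `extraPaths` appears to be passed through as written, so the comment could also say which form belongs to which cluster version.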
@@ -40,6 +40,7 @@ else -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ -e KUBECONFIG=/helm-test/.kube/config \ + -e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \ -w /helm-test \ $(TEST_IMAGE) \ make acceptance diff --git a/test/README.md b/test/README.md index fdd586f..951a061 100644 --- a/test/README.md +++ b/test/README.md @@ -4,6 +4,8 @@ The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster. +Note that for the Vault Enterprise tests to pass, a `VAULT_LICENSE_CI` environment variable needs to be set to the contents of a valid Vault Enterprise license. + ### Running in a GKE cluster * Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project. diff --git a/test/terraform/main.tf b/test/terraform/main.tf index c56f409..5c3570f 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -8,7 +8,7 @@ resource "random_id" "suffix" { data "google_container_engine_versions" "main" { location = "${var.zone}" - version_prefix = "1.18." + version_prefix = "1.19." } data "google_service_account" "gcpapi" { From d96a4287faa7f490cbba012c7ef5bedabef4e121 Mon Sep 17 00:00:00 2001 
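Review bot: The added `-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI}` line expands the license text into the command line, so it shows up in make's echoed recipe and in the process list. Because the expansion is unquoted, a license containing whitespace would also split into extra arguments. Passing the name only, `-e VAULT_LICENSE_CI \`, lets the container inherit the value from the caller's environment without it appearing in the command. The command this line belongs to starts above the hunk, so this assumes it is the `docker run` invocation its `-e`/`-w` flags suggest.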
From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Mon, 18 Oct 2021 09:45:52 -0400 Subject: [PATCH 07/19] Feat: add externalTrafficPolicy support (#626) - externalTrafficPolicy can be set for both the ui and server services. It is only supported for NodePort or LoadBalancer service types. --- templates/_helpers.tpl | 35 +++++++++++++++++ templates/server-ha-active-service.yaml | 1 + templates/server-ha-standby-service.yaml | 3 +- templates/server-service.yaml | 1 + templates/ui-service.yaml | 12 +----- test/unit/server-ha-active-service.bats | 40 +++++++++++++++++++ test/unit/server-ha-standby-service.bats | 40 +++++++++++++++++++ test/unit/server-service.bats | 40 +++++++++++++++++++ test/unit/ui-service.bats | 50 ++++++++++++++++++++++++ values.yaml | 14 ++++++- 10 files changed, 224 insertions(+), 12 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 3e936f7..731119a 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -655,3 +655,38 @@ imagePullSecrets: {{- end -}} {{- end -}} {{- end -}} + +{{/* +externalTrafficPolicy sets a Service's externalTrafficPolicy if applicable. +Supported inputs are Values.server.service and Values.ui +*/}} +{{- define "service.externalTrafficPolicy" -}} +{{- $type := "" -}} +{{- if .serviceType -}} +{{- $type = .serviceType -}} +{{- else if .type -}} +{{- $type = .type -}} +{{- end -}} +{{- if and .externalTrafficPolicy (or (eq $type "LoadBalancer") (eq $type "NodePort")) }} + externalTrafficPolicy: {{ .externalTrafficPolicy }} +{{- else }} +{{- end }} +{{- end -}} + +{{/* +loadBalancer configuration for the the UI service. +Supported inputs are Values.ui +*/}} +{{- define "service.loadBalancer" -}} +{{- if eq (.serviceType | toString) "LoadBalancer" }} +{{- if .loadBalancerIP }} + loadBalancerIP: {{ .loadBalancerIP }} +{{- end }} +{{- with .loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{- range . }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end }} +{{- end -}} 
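Review bot: `service.externalTrafficPolicy` in templates/_helpers.tpl copies whatever string it is given into the Service spec, and the unit tests added in this patch pass `Foo`, so a mistyped policy is only caught when the API server rejects the manifest. Since the API accepts only `Cluster` and `Local`, the helper could stop early inside the existing `if` with `{{- if not (has .externalTrafficPolicy (list "Cluster" "Local")) }}{{ fail "externalTrafficPolicy must be Cluster or Local" }}{{- end }}`, with the `Foo` tests adjusted to match. Two smaller points in the same hunk: the `{{- else }}` branch is empty and can be dropped, and the comment on `service.loadBalancer` reads "the the UI service".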
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 74fca41..c2a4f02 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -21,6 +21,7 @@ spec: {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} publishNotReadyAddresses: true ports: - name: {{ include "vault.scheme" . }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 9213b74..fef92a1 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -21,6 +21,7 @@ spec: {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} publishNotReadyAddresses: true ports: - name: {{ include "vault.scheme" . }} @@ -38,4 +39,4 @@ spec: component: server vault-active: "false" {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 6f82e38..00996aa 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -21,6 +21,7 @@ spec: {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. publishNotReadyAddresses: true diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index 9e90af4..ea27de2 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml 
@@ -30,16 +30,8 @@ spec: nodePort: {{ .Values.ui.serviceNodePort }} {{- end }} type: {{ .Values.ui.serviceType }} - {{- if and (eq (.Values.ui.serviceType | toString) "LoadBalancer") (.Values.ui.loadBalancerSourceRanges) }} - loadBalancerSourceRanges: - {{- range $cidr := .Values.ui.loadBalancerSourceRanges }} - - {{ $cidr }} - {{- end }} - {{- end }} - {{- if and (eq (.Values.ui.serviceType | toString) "LoadBalancer") (.Values.ui.loadBalancerIP) }} - loadBalancerIP: {{ .Values.ui.loadBalancerIP }} - {{- end }} + {{- include "service.externalTrafficPolicy" .Values.ui }} + {{- include "service.loadBalancer" .Values.ui }} {{- end -}} - {{- end }} {{- end }} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index be3060d..a835c9d 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
@@ -157,3 +157,43 @@ load _helpers yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) [ "${actual}" = "https" ] } + +# duplicated in server-service.bats +@test "server/ha-active-Service: NodePort assert externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Foo" ] +} + +# duplicated in server-service.bats +@test "server/ha-active-Service: NodePort assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +# duplicated in server-service.bats +@test "server/ha-active-Service: ClusterIP assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=ClusterIP' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index e164cde..7dfd5d7 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats 
@@ -168,3 +168,43 @@ load _helpers yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) [ "${actual}" = "https" ] } + +# duplicated in server-service.bats +@test "server/ha-standby-Service: NodePort assert externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Foo" ] +} + +# duplicated in server-service.bats +@test "server/ha-standby-Service: NodePort assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +# duplicated in server-service.bats +@test "server/ha-standby-Service: ClusterIP assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=ClusterIP' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 7922f0f..4695f2f 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -384,3 +384,43 @@ load _helpers yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) [ "${actual}" = "https" ] } + +# duplicated in server-ha-active-service.bats +@test "server/Service: NodePort assert externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Foo" ] +} + +# duplicated in server-ha-active-service.bats +@test "server/ha-active-Service: NodePort assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.externalTrafficPolicy=' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +# duplicated in server-ha-active-service.bats +@test "server/Service: ClusterIP assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.type=ClusterIP' \ + --set 'server.service.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 9dade3d..0603303 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats 
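Review bot: The second test added to test/unit/server-service.bats is titled `server/ha-active-Service: NodePort assert no externalTrafficPolicy` although it renders `templates/server-service.yaml`. The title is identical to the one added in server-ha-active-service.bats, which makes a failure hard to attribute. Renaming it to `server/Service: NodePort assert no externalTrafficPolicy` matches its two neighbours. The `# duplicated in …` comments could also name every copy, since the same three cases are added to the active, standby and server suites.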
@@ -135,6 +135,16 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.type' | tee /dev/stderr) [ "${actual}" = "LoadBalancer" ] + + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'ui.serviceType=LoadBalancer' \ + --set 'ui.externalTrafficPolicy=Local' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Local" ] } @test "ui/Service: LoadBalancerIP set if specified and serviceType == LoadBalancer" { @@ -183,6 +193,19 @@ load _helpers [ "${actual}" = "null" ] } +@test "ui/Service: ClusterIP assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'ui.serviceType=ClusterIP' \ + --set 'ui.externalTrafficPolicy=Foo' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + @test "ui/Service: specify annotations" { cd `chart_dir` local actual=$(helm template \ 
@@ -323,3 +346,30 @@ load _helpers yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) [ "${actual}" = "123" ] } + +@test "ui/Service: LoadBalancer assert externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'server.standalone.enabled=true' \ + --set 'ui.serviceType=LoadBalancer' \ + --set 'ui.externalTrafficPolicy=Foo' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Foo" ] +} + +@test "ui/Service: LoadBalancer assert no externalTrafficPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'server.standalone.enabled=true' \ + --set 'ui.serviceType=LoadBalancer' \ + --set 'ui.externalTrafficPolicy=' \ + . | tee /dev/stderr | + yq '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] + +} diff --git a/values.yaml b/values.yaml index 32c59c4..48b413a 100644 --- a/values.yaml +++ b/values.yaml @@ -483,6 +483,12 @@ server: # or NodePort. #type: ClusterIP + # The externalTrafficPolicy can be set to either Cluster or Local + # and is only valid for LoadBalancer and NodePort service types. + # The default value is Cluster. + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy + externalTrafficPolicy: Cluster + # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. #nodePort: 30000 
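Review bot: The comment added above `externalTrafficPolicy: Cluster` under `server.service` in values.yaml lists the allowed values but not what the choice changes for Vault. With `Cluster` a request may be forwarded between nodes and reach the pod with a node address as its source, while `Local` keeps the client address. That matters to anyone relying on the remote address in Vault audit logs or on CIDR-bound tokens, so a line such as `# Use Local to preserve the client source IP (e.g. for audit logs or CIDR-bound tokens).` would help. The identical comment in the `ui` section (`@@ -704,7 +710,13 @@` hunk) would take the same line.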
@@ -704,7 +710,13 @@ ui: externalPort: 8200 targetPort: 8200 - # loadBalancerSourceRanges: + # The externalTrafficPolicy can be set to either Cluster or Local + # and is only valid for LoadBalancer and NodePort service types. + # The default value is Cluster. + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy + externalTrafficPolicy: Cluster + + #loadBalancerSourceRanges: # - 10.0.0.0/16 # - 1.78.23.3/32 From 6914c4d877c310894bc18a9825c28fd0e6dafe7d Mon Sep 17 00:00:00 2001 From: Toni Tauro Date: Tue, 19 Oct 2021 21:06:07 +0200 Subject: [PATCH 08/19] fix(csi-ds): mountpoint-dir same mountpath in pod (#628) * fix(csi-ds): mountpoint-dir same mountpath in pod Signed-off-by: Toni Tauro * Update Chart.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- templates/csi-daemonset.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 0ab5211..a6461fb 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -44,7 +44,7 @@ spec: - name: providervol mountPath: "/provider" - name: mountpoint-dir - mountPath: /var/lib/kubelet/pods + mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods mountPropagation: HostToContainer {{- if .Values.csi.volumeMounts }} {{- toYaml .Values.csi.volumeMounts | nindent 12}} From 4aa01e898652e939b2673a2de46046bfb6421727 Mon Sep 17 00:00:00 2001 From: Ben Ash <32777270+benashz@users.noreply.github.com> Date: Thu, 21 Oct 2021 12:14:31 -0400 Subject: [PATCH 09/19] Update changelog for #626 and #628 (#631) --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 076aff0..056be87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
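Review bot: The `mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods` change in templates/csi-daemonset.yaml comes without a unit test; the diffstat lists only the template. A bats case that overrides `csi.daemonSet.kubeletRootDir` and asserts both the `mountpoint-dir` mount path and the matching volume path would pin the behaviour the commit title describes. The volume definition is outside this hunk. The value is also interpolated unquoted, so `mountPath: {{ printf "%s/pods" .Values.csi.daemonSet.kubeletRootDir | quote }}` would be the safer rendering.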
@@ -2,6 +2,10 @@ Improvements: * Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) +* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626) + +Bugs: +* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628) ## 0.16.1 (September 29th, 2021) From 3b1bb783be1a4a9942355b3e337f41970becae64 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 21 Oct 2021 09:23:45 -0700 Subject: [PATCH 10/19] Add server.ingress.ingressClassName (#630) Co-authored-by: Joel Cressy --- CHANGELOG.md | 1 + templates/server-ingress.yaml | 3 +++ test/unit/server-ingress.bats | 23 +++++++++++++++++++++++ values.schema.json | 3 +++ values.yaml | 4 ++++ 5 files changed, 34 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 056be87..9b461dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Improvements: * Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) * Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626) +* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630) Bugs: * Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index cc4f66d..b814a6a 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml 
@@ -39,6 +39,9 @@ spec: {{- end }} secretName: {{ .secretName }} {{- end }} +{{- end }} +{{- if .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} {{- end }} rules: {{- range .Values.server.ingress.hosts }} diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 46794a4..56a3f92 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -131,6 +131,29 @@ load _helpers [ "${actual}" = "nginx" ] } +@test "server/ingress: ingressClassName added to object spec - string" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set server.ingress.ingressClassName=nginx \ + . | tee /dev/stderr | + yq -r '.spec.ingressClassName' | tee /dev/stderr) + [ "${actual}" = "nginx" ] +} + +@test "server/ingress: ingressClassName is not added by default" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ingressClassName' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + @test "server/ingress: uses active service when ha by default - yaml" { cd `chart_dir` diff --git a/values.schema.json b/values.schema.json index 4c0a004..4ddbedf 100644 --- a/values.schema.json +++ b/values.schema.json @@ -608,6 +608,9 @@ } } }, + "ingressClassName": { + "type": "string" + }, "labels": { "type": "object" }, diff --git a/values.yaml b/values.yaml index 48b413a..735f153 100644 --- a/values.yaml +++ b/values.yaml 
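Review bot: `ingressClassName` is written into the Ingress spec in templates/server-ingress.yaml whenever `server.ingress.ingressClassName` is set, independent of the `apiVersion` the template selected. The field only exists from Kubernetes 1.18 on, while Chart.yaml still declares `kubeVersion: ">= 1.14.0-0"`, so on older clusters it would be an unknown field. Either guard it with `{{- if and .Values.server.ingress.ingressClassName (semverCompare ">= 1.18.0-0" .Capabilities.KubeVersion.Version) }}`, or state the requirement in the values.yaml comment, for example `# Requires Kubernetes 1.18 or later.`. The value is also emitted unquoted; `{{ .Values.server.ingress.ingressClassName | quote }}` would keep a class name that looks like a number or boolean a string.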
@@ -271,6 +271,10 @@ server: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" + # Optionally use ingressClassName instead of deprecated annotation. + # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation + ingressClassName: "" + # When HA mode is enabled and K8s service registration is being used, # configure the ingress to point to the Vault active service. activeService: true From 91ac2eedbcc384c7b3ffa7710fa0058a63cc1a41 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 21 Oct 2021 12:12:45 -0700 Subject: [PATCH 11/19] vault-helm 0.17.0 release (#632) --- CHANGELOG.md | 6 ++++++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 6 +++--- 6 files changed, 18 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b461dc..63adb75 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ ## Unreleased +## 0.17.0 (October 21st, 2021) + +CHANGES: +* Vault image default 1.8.4 +* Vault K8s image default 0.14.0 + Improvements: * Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) * Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626) diff --git a/Chart.yaml b/Chart.yaml index 80c87c8..094ab89 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.16.1 -appVersion: 1.8.3 +version: 0.17.0 +appVersion: 1.8.4 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index f50f87f..c9a5d19 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.3_ent' \ + --set='server.image.tag=1.8.4_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.3_ent' \ + --set='server.image.tag=1.8.4_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index abb7bea..b42bb50 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.3_ent' \ + --set='server.image.tag=1.8.4_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.3_ent' \ + --set='server.image.tag=1.8.4_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index 4739231..4db41c2 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.13.1-ubi" + tag: "0.14.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.3-ubi" + tag: "1.8.4-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.3-ubi" + tag: "1.8.4-ubi" diff --git a/values.yaml b/values.yaml index 735f153..6abc909 100644 --- a/values.yaml +++ b/values.yaml @@ -59,7 +59,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.13.1" + tag: "0.14.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -67,7 +67,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.8.3" + tag: "1.8.4" # The default values for the injected Vault Agent containers. agentDefaults: @@ -230,7 +230,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.8.3" + tag: "1.8.4" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From dc08ab6324a879ea2670f4b7ff47ec4dbee6b84c Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Fri, 22 Oct 2021 18:00:29 -0700 Subject: [PATCH 12/19] note a regression in 0.17.0 (#635) --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 63adb75..56ea96e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## 0.17.0 (October 21st, 2021) +KNOWN ISSUES: +* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set + CHANGES: * Vault image default 1.8.4 * Vault K8s image default 0.14.0 From c09c50f9d6ed7fed6a2fb8b8508a8b7fbc88b687 Mon Sep 17 00:00:00 2001 
From: Tim Collins <45351296+tico24@users.noreply.github.com> Date: Mon, 25 Oct 2021 16:30:06 +0100 Subject: [PATCH 13/19] Add option for Ingress pathType (#634) --- templates/server-ingress.yaml | 4 ++++ test/unit/server-ingress.bats | 39 +++++++++++++++++++++++++++++++++++ values.yaml | 4 ++++ 3 files changed, 47 insertions(+) diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index b814a6a..48c76a8 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -8,6 +8,7 @@ {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} +{{- $pathType := .Values.server.ingress.pathType -}} {{- $kubeVersion := .Capabilities.KubeVersion.Version }} {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} apiVersion: networking.k8s.io/v1 @@ -53,6 +54,9 @@ spec: {{- end }} {{- range (.paths | default (list "/")) }} - path: {{ . }} + {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} + pathType: {{ $pathType }} + {{ end }} backend: {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} service: diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 56a3f92..4132c16 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats 
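Review bot: `pathType: {{ $pathType }}` in the second `templates/server-ingress.yaml` hunk has no fallback, so when `server.ingress.pathType` resolves to empty (values carried over from a release that predates the key, or an explicit `null`) the template emits a bare `pathType:`, and a `networking.k8s.io/v1` Ingress without a path type is rejected. A default at the point of use keeps the render valid: `pathType: {{ $pathType | default "Prefix" }}`. The commit's file list does not include `values.schema.json`, so the value does not appear to be constrained to `Exact`, `Prefix` or `ImplementationSpecific`; an enum there would catch a typo at install time rather than at apply time. The `range` and `backend:` blocks continue outside the hunk.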
@@ -226,3 +226,42 @@ load _helpers yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } + +@test "server/ingress: pathType is added to Kubernetes version == 1.19.0" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set server.ingress.pathType=ImplementationSpecific \ + --kube-version 1.19.0 \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) + [ "${actual}" = "ImplementationSpecific" ] +} + +@test "server/ingress: pathType is not added to Kubernetes versions < 1.19" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set server.ingress.pathType=ImplementationSpecific \ + --kube-version 1.18.3 \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ingress: pathType is added to Kubernetes versions > 1.19" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set server.ingress.pathType=Prefix \ + --kube-version 1.20.0 \ + . | tee /dev/stderr | + yq -r '.spec.rules[0].http.paths[0].pathType' | tee /dev/stderr) + [ "${actual}" = "Prefix" ] +} diff --git a/values.yaml b/values.yaml index 6abc909..44869da 100644 --- a/values.yaml +++ b/values.yaml 
@@ -275,6 +275,10 @@ server: # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation ingressClassName: "" + # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases. + # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values. + pathType: Prefix + # When HA mode is enabled and K8s service registration is being used, # configure the ingress to point to the Vault active service. activeService: true From a186036e7daf9f69b364c2ef11847d36906d5d16 Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Mon, 25 Oct 2021 13:58:15 -0700 Subject: [PATCH 14/19] changelog++ (#636) --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56ea96e..a20c68b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ ## Unreleased +## 0.17.1 (October 25th, 2021) + +Improvements: + * Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634) + ## 0.17.0 (October 21st, 2021) KNOWN ISSUES: From 4db9e831ad735826fe3bd799fad8f8d2149c3836 Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Mon, 25 Oct 2021 15:31:07 -0700 Subject: [PATCH 15/19] v0.17.1 (#637) --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 094ab89..7a4e86f 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: vault -version: 0.17.0 +version: 0.17.1 appVersion: 1.8.4 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart From c47ff33551b967f99f66fbd0c088865afcdfe655 Mon Sep 17 00:00:00 2001 
From: Kaito Ii Date: Sat, 6 Nov 2021 11:07:25 +0900 Subject: [PATCH 16/19] add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran --- CHANGELOG.md | 3 +++ templates/injector-deployment.yaml | 4 ++++ test/unit/injector-deployment.bats | 29 +++++++++++++++++++++++++++-- values.schema.json | 3 +++ values.yaml | 1 + 5 files changed, 38 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a20c68b..e9c2857 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Improvements: +* Added templateConfig.staticSecretRenderInterval annotation for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) + ## 0.17.1 (October 25th, 2021) Improvements: diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index f4a796b..0cc1382 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -109,6 +109,10 @@ spec: value: "{{ .Values.injector.agentDefaults.template }}" - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" + {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }} + - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL + value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" + {{- end }} {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} - name: POD_NAME valueFrom: diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 0f475df..3bae2af 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
@@ -168,7 +168,7 @@ load _helpers [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] } -@test "injector/deployment: manual TLS adds volume mount" { +@test "injector/deployment: manual TLS adds volume mount" { cd `chart_dir` local object=$(helm template \ --show-only templates/injector-deployment.yaml \ @@ -695,4 +695,29 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr) [ "${value}" = "false" ] -} \ No newline at end of file +} + +@test "injector/deployment: agent default template_config.static_secret_render_interval" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "" ] +} + +@test "injector/deployment: can set agent template_config.static_secret_render_interval" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set='injector.agentDefaults.templateConfig.staticSecretRenderInterval=1m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "1m" ] +} diff --git a/values.schema.json b/values.schema.json index 4ddbedf..162c773 100644 --- a/values.schema.json +++ b/values.schema.json @@ -205,6 +205,9 @@ "properties": { "exitOnRetryFailure": { "type": "boolean" + }, + "staticSecretRenderInterval": { + "type": "string" } } } 
diff --git a/values.yaml b/values.yaml index 44869da..425a082 100644 --- a/values.yaml +++ b/values.yaml @@ -85,6 +85,7 @@ injector: # Default values within Agent's template_config stanza. templateConfig: exitOnRetryFailure: true + staticSecretRenderInterval: "" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" From 21cc21f9cd5fffd4d68413daa5758a50c43a8c4c Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Tue, 16 Nov 2021 22:50:16 +0000 Subject: [PATCH 17/19] Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters --- .github/workflows/jira.yaml | 23 ++++------------------- 1 file changed, 4 insertions(+), 19 deletions(-) diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index 0c8e5bf..eb369f3 100644 --- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml @@ -13,21 +13,6 @@ jobs: runs-on: ubuntu-latest name: Jira sync steps: - - name: Check if community user - if: github.event.action == 'opened' - id: vault-team-role - run: | - TEAM=vault - ROLE="$(hub api orgs/hashicorp/teams/${TEAM}/memberships/${{ github.actor }} | jq -r '.role | select(.!=null)')" - if [[ -n ${ROLE} ]]; then - echo "Actor ${{ github.actor }} is a ${TEAM} team member, skipping ticket creation" - else - echo "Actor ${{ github.actor }} is not a ${TEAM} team member" - fi - echo "::set-output name=role::${ROLE}" - env: - GITHUB_TOKEN: ${{ secrets.JIRA_SYNC_GITHUB_TOKEN }} - - name: Login uses: atlassian/gajira-login@v2.0.0 env: @@ -46,7 +31,7 @@ jobs: fi - name: Create ticket - if: github.event.action == 'opened' && !steps.vault-team-role.outputs.role + if: github.event.action == 'opened' uses: tomhjp/gh-action-jira-create@v0.2.0 with: project: VAULT 
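Review bot: `staticSecretRenderInterval: ""` is added to `values.yaml` with no comment, so the accepted format and the meaning of the empty default are only discoverable from the template and the tests. I would add above it `# Duration string (e.g. "1m") passed to the Agent's template_config static_secret_render_interval.` and `# Empty leaves the Agent's own default in place.` The deployment template only sets the environment variable when the value is non-empty, and the unit test uses `1m`. It is worth stating this explicitly because the interval presumably bounds how long an injected pod keeps an old value after a static secret is rotated.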
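Review bot: With the team-membership condition removed, `if: github.event.action == 'opened'` makes `Create ticket` run `tomhjp/gh-action-jira-create@v0.2.0` on every opened event, including those raised by users outside the team, and that action is referenced by a mutable tag. The job logs in to Jira before this step (the Login step's `env:` block is outside the hunk), so a retagged release of the action would run with that session. Pinning to a reviewed commit closes that gap: `uses: tomhjp/gh-action-jira-create@<full-commit-sha> # v0.2.0`. The same presumably applies to the other `uses:` lines in this workflow.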
@@ -63,7 +48,7 @@ jobs: uses: tomhjp/gh-action-jira-search@v0.2.1 with: # cf[10089] is Issue Link custom field - jql: 'project = "VAULT" and issuetype = "GH Issue" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' + jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' - name: Sync comment if: github.event.action == 'created' && steps.search.outputs.issue @@ -77,11 +62,11 @@ jobs: uses: atlassian/gajira-transition@v2.0.1 with: issue: ${{ steps.search.outputs.issue }} - transition: Done + transition: Close - name: Reopen ticket if: github.event.action == 'reopened' && steps.search.outputs.issue uses: atlassian/gajira-transition@v2.0.1 with: issue: ${{ steps.search.outputs.issue }} - transition: "To Do" + transition: "Pending Triage" From 0375b184b33393bb013431ff3717296e30bff713 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 17 Nov 2021 13:06:03 -0800 Subject: [PATCH 18/19] remove support for the leader-elector container (#649) --- CHANGELOG.md | 3 + templates/injector-deployment.yaml | 29 ----- templates/injector-leader-endpoint.yaml | 14 --- templates/injector-role.yaml | 2 +- test/acceptance/injector-leader-elector.bats | 11 +- test/unit/injector-leader-elector.bats | 105 ------------------- values.schema.json | 17 --- values.yaml | 10 -- 8 files changed, 6 insertions(+), 185 deletions(-) delete mode 100644 templates/injector-leader-endpoint.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index e9c2857..99df5a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,8 @@ ## Unreleased +CHANGES: +* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649) + Improvements: * Added templateConfig.staticSecretRenderInterval annotation for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 0cc1382..aefbf08 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -141,35 +141,6 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 - {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }} - - name: leader-elector - image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} - args: - - --election={{ template "vault.fullname" . }}-agent-injector-leader - - --election-namespace={{ .Release.Namespace }} - - --http=0.0.0.0:4040 - - --ttl={{ .Values.injector.leaderElector.ttl }} - livenessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - {{- end }} {{- if .Values.injector.certs.secretName }} volumeMounts: - name: webhook-certs diff --git a/templates/injector-leader-endpoint.yaml b/templates/injector-leader-endpoint.yaml deleted file mode 100644 index 42c4c0a..0000000 --- a/templates/injector-leader-endpoint.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true")}} -# This is created here so it can be cleaned up easily, since if -# the endpoint is left around the leader won't expire for about a minute. -apiVersion: v1 -kind: Endpoints -metadata: - name: {{ template "vault.fullname" . }}-agent-injector-leader - annotations: - deprecated: "true" - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index 446efaf..e7e383d 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} rules: - apiGroups: [""] - resources: ["secrets", "configmaps", "endpoints"] + resources: ["secrets", "configmaps"] verbs: - "create" - "get" diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats index 6f9f0b4..0f91e02 100644 --- a/test/acceptance/injector-leader-elector.bats +++ b/test/acceptance/injector-leader-elector.bats @@ -12,8 +12,7 @@ load _helpers helm install "$(name_prefix)" \ --wait \ --timeout=5m \ - --set="injector.replicas=3" \ - --set="injector.leaderElector.useContainer=true" . + --set="injector.replicas=3" . kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name')) 
@@ -23,21 +22,15 @@ load _helpers tries=0 until [ $tries -ge 60 ] do - ## The new internal leader mechanism uses a ConfigMap owner=$(kubectl get configmaps vault-k8s-leader -o json | jq -r .metadata.ownerReferences\[0\].name) leader=$(kubectl get pods $owner -o json | jq -r .metadata.name) [ -n "${leader}" ] && [ "${leader}" != "null" ] && break - - ## Also check the old leader-elector container - old_leader="$(echo "$(kubectl exec ${pods[0]} -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)" - [ -n "${old_leader}" ] && break - ((++tries)) sleep .5 done # Check the leader name is valid - i.e. one of the 3 pods - [[ " ${pods[@]} " =~ " ${leader} " || " ${pods[@]} " =~ " ${old_leader} " ]] + [[ " ${pods[@]} " =~ " ${leader} " ]] } diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index 75ab298..b6fa4ae 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats 
@@ -166,108 +166,3 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } - -#-------------------------------------------------------------------- -# Old leader-elector container support -# Note: deprecated and will be removed soon - -@test "injector/deployment: leader elector - sidecar is created only when enabled" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "1" ] - - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.enabled=false" \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "1" ] - - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "2" ] -} - -@test "injector/deployment: leader elector image name is configurable" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - --set "injector.leaderElector.image.repository=SomeOtherImage" \ - --set "injector.leaderElector.image.tag=SomeOtherTag" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].image' | tee /dev/stderr) - [ "${actual}" = "SomeOtherImage:SomeOtherTag" ] -} - -@test "injector/deployment: leader elector TTL is configurable" { - cd `chart_dir` - # Default value 60s - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) - [ "${actual}" = "--ttl=60s" ] - - # Configured to 30s - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - --set "injector.leaderElector.ttl=30s" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) - [ "${actual}" = "--ttl=30s" ] -} - -@test "injector/leader-endpoint: created/skipped as appropriate" { - cd `chart_dir` - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "global.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} diff --git a/values.schema.json b/values.schema.json index 162c773..26f1367 100644 --- a/values.schema.json +++ b/values.schema.json 
@@ -290,23 +290,6 @@ "properties": { "enabled": { "type": "boolean" - }, - "image": { - "type": "object", - "properties": { - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "ttl": { - "type": "string" - }, - "useContainer": { - "type": "boolean" } } }, diff --git a/values.yaml b/values.yaml index 425a082..60add2e 100644 --- a/values.yaml +++ b/values.yaml @@ -37,16 +37,6 @@ injector: # so that only one injector attempts to create TLS certificates. leaderElector: enabled: true - # Note: The deployment of the leader-elector container will soon be removed - # from this chart since vault-k8s now uses an internal mechanism to - # determine leadership. - # To enable the deployment of the leader-elector container for use with - # vault-k8s 0.12.0 and earlier, set `useContainer=true` - useContainer: false - image: - repository: "gcr.io/google_containers/leader-elector" - tag: "0.4" - ttl: 60s # If true, will enable a node exporter metrics endpoint at /metrics. metrics: From 9fa25e97c806073c7dd3274a851181cbb3d67868 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 17 Nov 2021 15:46:28 -0800 Subject: [PATCH 19/19] vault-helm 0.18.0 release (#650) --- CHANGELOG.md | 8 ++++++-- Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 6 +++--- 6 files changed, 18 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 99df5a6..c596d51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,14 @@ ## Unreleased +## 0.18.0 (November 17th, 2021) + CHANGES: * Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649) +* Vault image default 1.9.0 +* Vault K8s image default 0.14.1 Improvements: -* Added templateConfig.staticSecretRenderInterval annotation for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) +* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) ## 0.17.1 (October 25th, 2021) @@ -52,7 +56,7 @@ Improvements: ## 0.14.0 (July 28th, 2021) Features: -* Added templateConfig.exitOnRetryFailure annotation for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) +* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) Improvements: * Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565) diff --git a/Chart.yaml b/Chart.yaml index 7a4e86f..91565e3 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.17.1 -appVersion: 1.8.4 +version: 0.18.0 +appVersion: 1.9.0 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index c9a5d19..ee27518 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.0_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index b42bb50..c359c1c 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -77,7 +77,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.4_ent' \ + --set='server.image.tag=1.9.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index 4db41c2..afbe1f9 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
@@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.14.0-ubi" + tag: "0.14.1-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.4-ubi" + tag: "1.9.0-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.8.4-ubi" + tag: "1.9.0-ubi" diff --git a/values.yaml b/values.yaml index 60add2e..5ba57d4 100644 --- a/values.yaml +++ b/values.yaml @@ -49,7 +49,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.14.0" + tag: "0.14.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -57,7 +57,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.8.4" + tag: "1.9.0" # The default values for the injected Vault Agent containers. agentDefaults: @@ -221,7 +221,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.8.4" + tag: "1.9.0" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent