Add TLS support (#21)

* Add Secret env vars * Add custom path for volume mounting * Add HTTPS support * Add test for tls * Simplify network setup * Make tls_disable true as default * Update values variable to camelCase
2019-08-20 17:40:47 +02:00 · 2019-08-20 17:40:47 +02:00 · c0f5c7acc0
commit c0f5c7acc0
parent e312f00a03
5 changed files with 53 additions and 2 deletions
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -296,3 +296,12 @@ Inject extra environment populated by secrets, if populated
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/* Scheme for health check and local endpoint */}}
+{{- define "vault.scheme" -}}
+{{- if .Values.global.tlsDisable -}}
+{{ "http" }}
+{{- else -}}
+{{ "https" }}
+{{- end -}}
+{{- end -}}
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@ -59,7 +59,7 @@ spec:
                fieldRef:
                  fieldPath: status.podIP
            - name: VAULT_ADDR
-              value: "http://localhost:8200"
+              value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
            - name: SKIP_CHOWN
              value: "true"
            {{ template "vault.envs" . }}
@ -85,7 +85,7 @@ spec:
            #   1 - error
            #   2 - sealed
            exec:
-              command: ["/bin/sh", "-ec", "vault status"]
+              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 3
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@ -26,6 +26,9 @@ spec:
    - name: http
      port: 8200
      targetPort: 8200
+      {{- if .Values.ui.serviceNodePort }}
+      nodePort: {{ .Values.ui.serviceNodePort }}
+      {{- end }}
  type: {{ .Values.ui.serviceType | default "ClusterIP" }}
 {{- end -}}

--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@ -41,6 +41,42 @@ load _helpers
  [ "${actual}" = "foo" ]
 }

+#--------------------------------------------------------------------
+# TLS
+
+@test "server/ha-StatefulSet: tls disabled" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -x templates/server-statefulset.yaml  \
+      --set 'global.tlsDisable=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[2].name' | tee /dev/stderr)
+  [ "${actual}" = "VAULT_ADDR" ]
+
+  local actual=$(echo $object |
+     yq -r '.[2].value' | tee /dev/stderr)
+  [ "${actual}" = "http://127.0.0.1:8200" ]
+}
+@test "server/ha-StatefulSet: tls enabled" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -x templates/server-statefulset.yaml  \
+      --set 'global.tlsDisable=false' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[2].name' | tee /dev/stderr)
+  [ "${actual}" = "VAULT_ADDR" ]
+
+  local actual=$(echo $object |
+     yq -r '.[2].value' | tee /dev/stderr)
+  [ "${actual}" = "https://127.0.0.1:8200" ]
+}
+
 #--------------------------------------------------------------------
 # updateStrategy

--- a/values.yaml
+++ b/values.yaml
@ -7,6 +7,8 @@ global:

  # Image is the name (and tag) of the Vault Docker image.
  image: "vault:1.2.1"
+  # TLS for end-to-end encrypted transport
+  tlsDisable: true

 server:
  # Resource requests, limits, etc. for the server cluster placement. This
@ -212,6 +214,7 @@ ui:
  # balancer (for supported K8S installations) to access the UI.
  enabled: false
  serviceType: "ClusterIP"
+  serviceNodePort: null

  # Extra annotations to attach to the ui service
  # This should be a multi-line string mapping directly to the a map of