Add TLS support (#21)

* Add Secret env vars

* Add custom path for volume mounting

* Add HTTPS support

* Add test for tls

* Simplify network setup

* Make tls_disable true as default

* Update values variable to camelCase

templates/_helpers.tpl

@@ -296,3 +296,12 @@ Inject extra environment populated by secrets, if populated
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/* Scheme for health check and local endpoint */}}
+{{- define "vault.scheme" -}}
+{{- if .Values.global.tlsDisable -}}
+{{ "http" }}
+{{- else -}}
+{{ "https" }}
+{{- end -}}
+{{- end -}}

templates/server-statefulset.yaml

@@ -59,7 +59,7 @@ spec:
                 fieldRef:
                   fieldPath: status.podIP
             - name: VAULT_ADDR
-              value: "http://localhost:8200"
+              value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
             - name: SKIP_CHOWN
               value: "true"
             {{ template "vault.envs" . }}
@@ -85,7 +85,7 @@ spec:
             #   1 - error
             #   2 - sealed
             exec:
-              command: ["/bin/sh", "-ec", "vault status"]
+              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
             failureThreshold: 2
             initialDelaySeconds: 5
             periodSeconds: 3

templates/ui-service.yaml

@@ -26,6 +26,9 @@ spec:
     - name: http
       port: 8200
       targetPort: 8200
+      {{- if .Values.ui.serviceNodePort }}
+      nodePort: {{ .Values.ui.serviceNodePort }}
+      {{- end }}
   type: {{ .Values.ui.serviceType | default "ClusterIP" }}
 {{- end -}}
 

test/unit/server-ha-statefulset.bats

@@ -41,6 +41,42 @@ load _helpers
   [ "${actual}" = "foo" ]
 }
 
+#--------------------------------------------------------------------
+# TLS
+
+@test "server/ha-StatefulSet: tls disabled" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -x templates/server-statefulset.yaml  \
+      --set 'global.tlsDisable=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[2].name' | tee /dev/stderr)
+  [ "${actual}" = "VAULT_ADDR" ]
+
+  local actual=$(echo $object |
+     yq -r '.[2].value' | tee /dev/stderr)
+  [ "${actual}" = "http://127.0.0.1:8200" ]
+}
+@test "server/ha-StatefulSet: tls enabled" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -x templates/server-statefulset.yaml  \
+      --set 'global.tlsDisable=false' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[2].name' | tee /dev/stderr)
+  [ "${actual}" = "VAULT_ADDR" ]
+
+  local actual=$(echo $object |
+     yq -r '.[2].value' | tee /dev/stderr)
+  [ "${actual}" = "https://127.0.0.1:8200" ]
+}
+
 #--------------------------------------------------------------------
 # updateStrategy
 

values.yaml

@@ -7,6 +7,8 @@ global:
 
   # Image is the name (and tag) of the Vault Docker image.
   image: "vault:1.2.1"
+  # TLS for end-to-end encrypted transport
+  tlsDisable: true
 
 server:
   # Resource requests, limits, etc. for the server cluster placement. This
@@ -212,6 +214,7 @@ ui:
   # balancer (for supported K8S installations) to access the UI.
   enabled: false
   serviceType: "ClusterIP"
+  serviceNodePort: null
 
   # Extra annotations to attach to the ui service
   # This should be a multi-line string mapping directly to the a map of