really ugly hack/slash proof-of-concept, forked from consul-helm

This commit is contained in:
Clint Shryock 2018-10-02 16:14:57 -05:00
parent a2235339eb
commit d72a939a51
No known key found for this signature in database
GPG key ID: B7C8F9C70EC5CD29
10 changed files with 87 additions and 168 deletions


@ -1,27 +1,27 @@
# Service for Vault DNS.
# TODO: verify for Vault
{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-dns
labels:
app: {{ template "vault.name" . }}
chart: {{ template "vault.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
ports:
- name: dns-tcp
port: 53
protocol: "TCP"
targetPort: dns-tcp
- name: dns-udp
port: 53
protocol: "UDP"
targetPort: dns-udp
selector:
app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}"
hasDNS: "true"
{{- end }}
## TODO: verify for Vault
#{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
#apiVersion: v1
#kind: Service
#metadata:
# name: {{ template "vault.fullname" . }}-dns
# labels:
# app: {{ template "vault.name" . }}
# chart: {{ template "vault.chart" . }}
# heritage: {{ .Release.Service }}
# release: {{ .Release.Name }}
#spec:
# ports:
# - name: dns-tcp
# port: 53
# protocol: "TCP"
# targetPort: dns-tcp
# - name: dns-udp
# port: 53
# protocol: "UDP"
# targetPort: dns-udp
# selector:
# app: {{ template "vault.name" . }}
# release: "{{ .Release.Name }}"
# hasDNS: "true"
#{{- end }}


@ -10,6 +10,6 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
extra-from-values.json: |-
extra-from-values.hcl: |-
{{ tpl .Values.server.extraConfig . | indent 4 }}
{{- end }}


@ -4,17 +4,17 @@
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ template "consul.fullname" . }}-server
name: {{ template "vault.fullname" . }}-server
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
app: {{ template "vault.name" . }}
chart: {{ template "vault.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }}
maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}"
component: server
{{- end }}


@ -26,35 +26,8 @@ spec:
publishNotReadyAddresses: true
ports:
- name: http
port: 8500
targetPort: 8500
- name: serflan-tcp
protocol: "TCP"
port: 8301
targetPort: 8301
- name: serflan-udp
protocol: "UDP"
port: 8301
targetPort: 8301
- name: serfwan-tcp
protocol: "TCP"
port: 8302
targetPort: 8302
- name: serfwan-udp
protocol: "UDP"
port: 8302
targetPort: 8302
- name: server
port: 8300
targetPort: 8300
- name: dns-tcp
protocol: "TCP"
port: 8600
targetPort: dns-tcp
- name: dns-udp
protocol: "UDP"
port: 8600
targetPort: dns-udp
port: 8200
targetPort: 8200
selector:
app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}"


@ -13,6 +13,7 @@ spec:
serviceName: {{ template "vault.fullname" . }}-server
podManagementPolicy: Parallel
replicas: {{ .Values.server.replicas }}
# TODO: verify for Vault
{{- if (gt (int .Values.server.updatePartition) 0) }}
updateStrategy:
type: RollingUpdate
@ -25,7 +26,7 @@ spec:
chart: {{ template "vault.chart" . }}
release: {{ .Release.Name }}
component: server
hasDNS: "true"
#hasDNS: "true"
template:
metadata:
labels:
@ -33,7 +34,7 @@ spec:
chart: {{ template "vault.chart" . }}
release: {{ .Release.Name }}
component: server
hasDNS: "true"
#hasDNS: "true"
spec:
affinity:
podAntiAffinity:
@ -62,6 +63,9 @@ spec:
{{- end }}
containers:
- name: vault
securityContext:
fsGroup: 1000
privileged: true
image: "{{ default .Values.global.image .Values.server.image }}"
env:
- name: POD_IP
@ -72,39 +76,13 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
env:
- name: VAULT_ADDR
value: "http://localhost:8200"
command:
- ""
# should give us dev server
#- "/bin/sh"
#- "-ec"
#- |
#vault_FULLNAME="{{template "vault.fullname" . }}"
#exec "hello vault"
#exec /bin/vault agent \
# -advertise="${POD_IP}" \
# -bind=0.0.0.0 \
# -bootstrap-expect={{ .Values.server.bootstrapExpect }} \
# -client=0.0.0.0 \
# -config-dir=/vault/config \
# {{- range .Values.server.extraVolumes }}
# {{- if .load }}
# -config-dir=/vault/userconfig/{{ .name }}
# {{- end }}
# {{- end }}
# -datacenter={{ .Values.global.datacenter }} \
# -data-dir=/vault/data \
# -domain={{ .Values.global.domain }} \
# {{- if .Values.server.connect }}
# -hcl="connect { enabled = true }" \
# {{- end }}
# {{- if .Values.ui.enabled }}
# -ui \
# {{- end }}
# {{- range $index := until (.Values.server.replicas | int) }}
# -retry-join=${vault_FULLNAME}-server-{{ $index }}.${vault_FULLNAME}-server.${NAMESPACE}.svc \
# {{- end }}
# -server
- "vault"
- "server"
- "-config=/vault/config/"
volumeMounts:
- name: data
mountPath: /vault/data
@ -119,40 +97,26 @@ spec:
preStop:
exec:
command:
- /bin/sh
- -c
- vault leave
- vault step-down
ports:
- containerPort: 8500
- containerPort: 8200
name: http
- containerPort: 8301
name: serflan
- containerPort: 8302
name: serfwan
- containerPort: 8300
name: server
- containerPort: 8600
name: dns-tcp
protocol: "TCP"
- containerPort: 8600
name: dns-udp
protocol: "UDP"
readinessProbe:
# NOTE(mitchellh): when our HTTP status endpoints support the
# proper status codes, we should switch to that. This is temporary.
# TODO: verify for Vault
#exec:
# command:
# - "/bin/sh"
# - "-ec"
# - |
# curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
# grep -E '".+"'
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 3
successThreshold: 1
timeoutSeconds: 5
#readinessProbe:
# # NOTE(mitchellh): when our HTTP status endpoints support the
# # proper status codes, we should switch to that. This is temporary.
# # TODO: verify for Vault
# #exec:
# # command:
# # - "/bin/sh"
# # - "-ec"
# # - |
# # curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
# # grep -E '".+"'
# failureThreshold: 2
# initialDelaySeconds: 5
# periodSeconds: 3
# successThreshold: 1
# timeoutSeconds: 5
volumeClaimTemplates:
- metadata:
name: data
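Review bot: In the `-62,6 +63,9` hunk the new container `securityContext` sets `fsGroup: 1000`, which is a pod-level field and is dropped or rejected (depending on validation) under `containers[].securityContext`, and `privileged: true`, which Vault does not need — its mlock requirement is covered by the `IPC_LOCK` capability alone. Replace the three added lines with `securityContext:` / `capabilities:` / `add: ["IPC_LOCK"]` (nested in that order) and move `fsGroup: 1000` to the pod-level `spec.securityContext`, i.e. under the `spec:` that follows `#hasDNS: "true"` in the `-33,7 +34,7` hunk. Two further hunks look worth a second pass, with the caveat that indentation is lost on this page and should be confirmed against the raw diff: the `-72,39 +76,13` hunk adds a second `env:` key to the same container (the first is the context line `env:` before `- name: POD_IP`), so one list silently shadows the other or the manifest fails strict parsing, and the `VAULT_ADDR` entry belongs in the existing list; and the preStop hook in the `-119,40 +97,26` hunk drops the `/bin/sh` / `-c` wrapper yet keeps `vault step-down` as a single list item, which the kubelet execs as one executable name, so it should be `- vault` / `- step-down`. The StatefulSet `spec` enclosing all of these hunks starts and ends outside them.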


@ -1,31 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ template "consul.fullname" . }}-test-{{ randAlphaNum 5 | lower }}"
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: consul-test
image: "{{ .Values.global.image }}"
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
command:
- "/bin/sh"
- "-ec"
- |
export VALUE="{{randAlphaNum 24 | lower }}"
export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
consul kv delete _consul_helm_test
consul kv put _consul_helm_test $VALUE
[ `consul kv get _consul_helm_test` = "$VALUE" ]
consul kv delete _consul_helm_test
restartPolicy: Never


@ -21,7 +21,7 @@ spec:
ports:
- name: http
port: 80
targetPort: 8500
targetPort: 8200
{{- if .Values.ui.service.type }}
type: {{ .Values.ui.service.type }}
{{- end }}


@ -3,7 +3,9 @@ locals {
}
provider "google" {
project = "${var.project}"
project = "${var.project}"
region = "us-central1"
credentials = "${file("vault-helm-dev-creds.json")}"
}
resource "random_id" "suffix" {
@ -15,7 +17,7 @@ data "google_container_engine_versions" "main" {
}
resource "google_container_cluster" "cluster" {
name = "consul-k8s-${random_id.suffix.dec}"
name = "vault-helm-dev-${random_id.suffix.dec}"
project = "${var.project}"
enable_legacy_abac = true
initial_node_count = 5
@ -55,7 +57,7 @@ resource "null_resource" "kubectl" {
}
resource "null_resource" "helm" {
count = "${var.init_cli ? 1 : 0 }"
count = "${var.init_cli ? 1 : 0 }"
depends_on = ["null_resource.kubectl"]
triggers {
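Review bot: The `google` provider in the `-3,7 +3,9` hunk now reads a service-account key from `vault-helm-dev-creds.json` relative to the working directory, and nothing on this page excludes that file from version control, so a key dropped next to the Terraform would become a committed long-lived credential. Either leave `credentials` unset so the provider falls back to application default credentials (the `GOOGLE_APPLICATION_CREDENTIALS` environment variable), or take the path from a variable, e.g. `credentials = "${file(var.credentials_file)}"`, and add the file name to `.gitignore` in the same commit. The `provider "google"` block is complete within the hunk; the `locals` block above it starts outside.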


@ -1,4 +1,6 @@
variable "project" {
default = "vault-helm-dev"
description = <<EOF
Google Cloud Project to launch resources in. This project must have GKE
enabled and billing activated. We can't use the GOOGLE_PROJECT environment
@ -12,6 +14,6 @@ variable "zone" {
}
variable "init_cli" {
default = false
default = true
description = "Whether to init the CLI tools kubectl, helm, etc. or not."
}


@ -17,7 +17,8 @@ global:
# Image is the name (and tag) of the Vault Docker image for clients and
# servers below. This can be overridden per component.
image: "vault:0.11.1"
#image: "vault:0.11.1"
image: "vault"
# Datacenter is the name of the datacenter that the agents should register
# as. This shouldn't be changed once the Vault cluster is up and running
@ -29,7 +30,7 @@ global:
server:
enabled: "-"
image: null
replicas: 3
replicas: 1
# storage and storageClass are the settings for configuring stateful
# storage for the server pods. storage should be set to the disk size of
@ -46,13 +47,14 @@ server:
# updatePartition is used to control a careful rolling update of Vault
# servers. This should be done particularly when changing the version
# of Vault. Please refer to the documentation for more information.
# TODO: verify for Vaultt
# TODO: verify for Vault
updatePartition: 0
# disruptionBudget enables the creation of a PodDisruptionBudget to
# prevent voluntary degrading of the Vault server cluster.
disruptionBudget:
enabled: true
#enabled: true
enabled: false
# maxUnavailable will default to (n/2)-1 where n is the number of
# replicas. If you'd like a custom value, you can specify an override here.
@ -61,7 +63,14 @@ server:
# extraConfig is a raw string of extra configuration to set with the
# server. This should be JSON or HCL.
extraConfig: |
{}
ui = true
listener "tcp" {
tls_disable = 1
address = "0.0.0.0:8200"
}
storage "file" {
path = "/vault/data"
}
# extraVolumes is a list of extra volumes to mount. These will be exposed
# to Vault in the path `/vault/userconfig/<name>/`. The value below is
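Review bot: The new default `extraConfig` in the `-61,7 +63,14` hunk ships a listener with `tls_disable = 1` bound to `0.0.0.0:8200` and a `file` storage backend, but the comment above it still only says the value "should be JSON or HCL", so a reader cannot tell this is a development-only configuration. Add above `extraConfig: |` a comment along the lines of `# The default below is a dev-style configuration: a plaintext listener on all` / `# interfaces and non-HA file storage. Override it with TLS and an HA-capable` / `# storage backend before any non-local use.` Relatedly, the `-17,7 +17,8` hunk changes the image to an untagged `"vault"`, which resolves to the floating `latest` tag and makes deployments non-reproducible; keep a pinned tag like the commented-out `"vault:0.11.1"` or state in the comment why it is unpinned.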