From d72a939a5104c8622dd2b25ce91e88b8f7c383ea Mon Sep 17 00:00:00 2001
From: Clint Shryock
Date: Tue, 2 Oct 2018 16:14:57 -0500
Subject: [PATCH] really ugly hack/slash proof-of-concept, forked from consul-helm
---
templates/dns-service.yaml | 52 +++++++-------
templates/server-config-configmap.yaml | 2 +-
templates/server-disruptionbudget.yaml | 10 +-
templates/server-service.yaml | 31 +-------
templates/server-statefulset.yaml | 96 ++++++++------------------
templates/tests/test-runner.yaml | 31 ---------
templates/ui-service.yaml | 2 +-
test/terraform/main.tf | 8 ++-
test/terraform/variables.tf | 4 +-
values.yaml | 19 +++-
10 files changed, 87 insertions(+), 168 deletions(-)
delete mode 100644 templates/tests/test-runner.yaml
diff --git a/templates/dns-service.yaml b/templates/dns-service.yaml
index 351cfda..d7ccd3b 100644
--- a/templates/dns-service.yaml
+++ b/templates/dns-service.yaml
@@ -1,27 +1,27 @@
 # Service for Vault DNS.
-# TODO: verify for Vault
-{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "vault.fullname" . }}-dns
- labels:
- app: {{ template "vault.name" . }}
- chart: {{ template "vault.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- ports:
- - name: dns-tcp
- port: 53
- protocol: "TCP"
- targetPort: dns-tcp
- - name: dns-udp
- port: 53
- protocol: "UDP"
- targetPort: dns-udp
- selector:
- app: {{ template "vault.name" . }}
- release: "{{ .Release.Name }}"
- hasDNS: "true"
-{{- end }}
+## TODO: verify for Vault
+#{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
+#apiVersion: v1
+#kind: Service
+#metadata:
+# name: {{ template "vault.fullname" . }}-dns
+# labels:
+# app: {{ template "vault.name" . }}
+# chart: {{ template "vault.chart" . }}
+# heritage: {{ .Release.Service }}
+# release: {{ .Release.Name }}
+#spec:
+# ports:
+# - name: dns-tcp
+# port: 53
+# protocol: "TCP"
+# targetPort: dns-tcp
+# - name: dns-udp
+# port: 53
+# protocol: "UDP"
+# targetPort: dns-udp
+# selector:
+# app: {{ template "vault.name" . }}
+# release: "{{ .Release.Name }}"
+# hasDNS: "true"
+#{{- end }}
diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml
index 8bd190e..1ab62f7 100644
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@@ -10,6 +10,6 @@ metadata:
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
 data:
- extra-from-values.json: |-
+ extra-from-values.hcl: |-
 {{ tpl .Values.server.extraConfig . | indent 4 }}
 {{- end }}
diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml
index 0470de7..d825143 100644
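Review bot: Prefixing every line of dns-service.yaml with `#` does not stop Helm from evaluating the template actions on those lines — the `{{- if ... .Values.dns.enabled ...}}`, the `template "vault.*"` calls and `{{- end }}` still run, so the file still requires `dns.enabled` and those helpers to exist even though it now renders to nothing but comments. If the service is being retired, delete the file (as this commit already does for test-runner.yaml) or wrap the body in a Go template comment, `{{/* ... */}}`, which Helm strips before YAML parsing. Helm tolerates an empty rendered manifest, so the current form works by accident rather than by design, and the `hasDNS` selector it carried has no matching pod label once the StatefulSet hunks comment theirs out.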
--- a/templates/server-disruptionbudget.yaml
+++ b/templates/server-disruptionbudget.yaml
@@ -4,17 +4,17 @@
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
- name: {{ template "consul.fullname" . }}-server
+ name: {{ template "vault.fullname" . }}-server
 labels:
- app: {{ template "consul.name" . }}
- chart: {{ template "consul.chart" . }}
+ app: {{ template "vault.name" . }}
+ chart: {{ template "vault.chart" . }}
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
 spec:
- maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }}
+ maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
 selector:
 matchLabels:
- app: {{ template "consul.name" . }}
+ app: {{ template "vault.name" . }}
 release: "{{ .Release.Name }}"
 component: server
 {{- end }}
diff --git a/templates/server-service.yaml b/templates/server-service.yaml
index 884f7ad..7d650d3 100644
--- a/templates/server-service.yaml
+++ b/templates/server-service.yaml
@@ -26,35 +26,8 @@ spec:
 publishNotReadyAddresses: true
 ports:
 - name: http
- port: 8500
- targetPort: 8500
- - name: serflan-tcp
- protocol: "TCP"
- port: 8301
- targetPort: 8301
- - name: serflan-udp
- protocol: "UDP"
- port: 8301
- targetPort: 8301
- - name: serfwan-tcp
- protocol: "TCP"
- port: 8302
- targetPort: 8302
- - name: serfwan-udp
- protocol: "UDP"
- port: 8302
- targetPort: 8302
- - name: server
- port: 8300
- targetPort: 8300
- - name: dns-tcp
- protocol: "TCP"
- port: 8600
- targetPort: dns-tcp
- - name: dns-udp
- protocol: "UDP"
- port: 8600
- targetPort: dns-udp
+ port: 8200
+ targetPort: 8200
 selector:
 app: {{ template "vault.name" . }}
 release: "{{ .Release.Name }}"
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index c399efc..c965119 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -13,6 +13,7 @@ spec:
 serviceName: {{ template "vault.fullname" . }}-server
 podManagementPolicy: Parallel
 replicas: {{ .Values.server.replicas }}
+# TODO: verify for Vault
 {{- if (gt (int .Values.server.updatePartition) 0) }}
 updateStrategy:
 type: RollingUpdate
@@ -25,7 +26,7 @@ spec:
 chart: {{ template "vault.chart" . }}
 release: {{ .Release.Name }}
 component: server
- hasDNS: "true"
+ #hasDNS: "true"
 template:
 metadata:
 labels:
@@ -33,7 +34,7 @@ spec:
 chart: {{ template "vault.chart" . }}
 release: {{ .Release.Name }}
 component: server
- hasDNS: "true"
+ #hasDNS: "true"
 spec:
 affinity:
 podAntiAffinity:
@@ -62,6 +63,9 @@ spec:
 {{- end }}
 containers:
 - name: vault
+ securityContext:
+ fsGroup: 1000
+ privileged: true
 image: "{{ default .Values.global.image .Values.server.image }}"
 env:
 - name: POD_IP
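Review bot: In the `containers:` hunk, `fsGroup` is a field of the pod-level `securityContext` (`spec.template.spec.securityContext`), not of the container-level one it is placed under here, so depending on validation mode the API server either rejects the manifest or silently drops the field and the data volume never gets the intended group ownership. `privileged: true` is also far broader than a Vault server needs — it is root-equivalent access to the node — and should not ship in a chart; if it was added to get mlock working (not stated in the hunk), granting only the `IPC_LOCK` capability is the narrow equivalent, otherwise drop the container securityContext entirely. The `#hasDNS: "true"` comment-outs in the two earlier hunks on this line are harmless YAML but leave the label absent from both the StatefulSet selector and pod template, which is only consistent because dns-service.yaml is disabled in the same commit.
```yaml
# pod-level securityContext: fsGroup belongs here
securityContext:
  fsGroup: 1000
# … unchanged: affinity, volumes …
containers:
  - name: vault
    securityContext:
      capabilities:
        add: ["IPC_LOCK"]   # only if mlock stays enabled; never privileged
```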
@@ -72,39 +76,13 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ env:
+ - name: VAULT_ADDR
+ value: "http://localhost:8200"
 command:
- - ""
- # should give us dev server
- #- "/bin/sh"
- #- "-ec"
- #- |
- #vault_FULLNAME="{{template "vault.fullname" . }}"
-
- #exec "hello vault"
- #exec /bin/vault agent \
- # -advertise="${POD_IP}" \
- # -bind=0.0.0.0 \
- # -bootstrap-expect={{ .Values.server.bootstrapExpect }} \
- # -client=0.0.0.0 \
- # -config-dir=/vault/config \
- # {{- range .Values.server.extraVolumes }}
- # {{- if .load }}
- # -config-dir=/vault/userconfig/{{ .name }}
- # {{- end }}
- # {{- end }}
- # -datacenter={{ .Values.global.datacenter }} \
- # -data-dir=/vault/data \
- # -domain={{ .Values.global.domain }} \
- # {{- if .Values.server.connect }}
- # -hcl="connect { enabled = true }" \
- # {{- end }}
- # {{- if .Values.ui.enabled }}
- # -ui \
- # {{- end }}
- # {{- range $index := until (.Values.server.replicas | int) }}
- # -retry-join=${vault_FULLNAME}-server-{{ $index }}.${vault_FULLNAME}-server.${NAMESPACE}.svc \
- # {{- end }}
- # -server
+ - "vault"
+ - "server"
+ - "-config=/vault/config/"
 volumeMounts:
 - name: data
 mountPath: /vault/data
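Review bot: The added `env:` key duplicates the `env:` mapping that already holds `POD_IP` and `NAMESPACE` in the same container (the `fieldPath: metadata.namespace` context line directly above it is the tail of that earlier list); a YAML mapping cannot carry the same key twice, so the loader either rejects the manifest or keeps only the last block and `POD_IP`/`NAMESPACE` silently disappear. Append the variable to the existing list instead — `- name: VAULT_ADDR` / `  value: "http://localhost:8200"` right after the `NAMESPACE` entry — and delete the second `env:`. The `http://` scheme also commits the chart to a listener with TLS disabled, which is not visible in this hunk; a comment on the value, `# assumes the listener has TLS disabled — confirm against the server config`, makes that assumption reviewable.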
@@ -119,40 +97,26 @@ spec:
 preStop:
 exec:
 command:
- - /bin/sh
- - -c
- - vault leave
+ - vault step-down
 ports:
- - containerPort: 8500
+ - containerPort: 8200
 name: http
- - containerPort: 8301
- name: serflan
- - containerPort: 8302
- name: serfwan
- - containerPort: 8300
- name: server
- - containerPort: 8600
- name: dns-tcp
- protocol: "TCP"
- - containerPort: 8600
- name: dns-udp
- protocol: "UDP"
- readinessProbe:
- # NOTE(mitchellh): when our HTTP status endpoints support the
- # proper status codes, we should switch to that. This is temporary.
- # TODO: verify for Vault
- #exec:
- # command:
- # - "/bin/sh"
- # - "-ec"
- # - |
- # curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
- # grep -E '".+"'
- failureThreshold: 2
- initialDelaySeconds: 5
- periodSeconds: 3
- successThreshold: 1
- timeoutSeconds: 5
+ #readinessProbe:
+ # # NOTE(mitchellh): when our HTTP status endpoints support the
+ # # proper status codes, we should switch to that. This is temporary.
+ # # TODO: verify for Vault
+ # #exec:
+ # # command:
+ # # - "/bin/sh"
+ # # - "-ec"
+ # # - |
+ # # curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
+ # # grep -E '".+"'
+ # failureThreshold: 2
+ # initialDelaySeconds: 5
+ # periodSeconds: 3
+ # successThreshold: 1
+ # timeoutSeconds: 5
 volumeClaimTemplates:
 - metadata:
 name: data
diff --git a/templates/tests/test-runner.yaml b/templates/tests/test-runner.yaml
deleted file mode 100644
index 473b873..0000000
--- a/templates/tests/test-runner.yaml
+++ /dev/null
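Review bot: `- vault step-down` in the preStop hook is a single argv element, so the exec handler looks for a binary literally named `vault step-down` and the hook fails every time; split it into `- vault` / `- step-down` or keep the old `/bin/sh -c` form. `step-down` is also an authenticated request, unlike the `consul leave` it replaces, so without a token available in the pod it will still be rejected — hedged, since token handling is outside this hunk. Commenting out the readinessProbe while server-service.yaml keeps `publishNotReadyAddresses: true` means sealed and uninitialised pods receive traffic with no readiness signal at all; the NOTE the old probe carried was waiting for a status endpoint with proper codes, and Vault's `/v1/sys/health` provides exactly that (503 while sealed, so pods stay unready until unsealed), making an `httpGet` probe the natural replacement rather than a commented-out block.
```yaml
preStop:
  exec:
    command:
      - vault
      - step-down
# … unchanged: ports …
readinessProbe:
  httpGet:
    # standbyok=true keeps HA standby nodes ready; sealed nodes still return 503
    path: /v1/sys/health?standbyok=true
    port: 8200
  failureThreshold: 2
  initialDelaySeconds: 5
  periodSeconds: 3
  successThreshold: 1
  timeoutSeconds: 5
```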
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "{{ template "consul.fullname" . }}-test-{{ randAlphaNum 5 | lower }}"
- labels:
- app: {{ template "consul.name" . }}
- chart: {{ template "consul.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- annotations:
- "helm.sh/hook": test-success
-spec:
- containers:
- - name: consul-test
- image: "{{ .Values.global.image }}"
- env:
- - name: HOST_IP
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- command:
- - "/bin/sh"
- - "-ec"
- - |
- export VALUE="{{randAlphaNum 24 | lower }}"
- export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
- consul kv delete _consul_helm_test
- consul kv put _consul_helm_test $VALUE
- [ `consul kv get _consul_helm_test` = "$VALUE" ]
- consul kv delete _consul_helm_test
- restartPolicy: Never
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml
index 5246672..6a893bd 100644
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@@ -21,7 +21,7 @@ spec:
 ports:
 - name: http
 port: 80
- targetPort: 8500
+ targetPort: 8200
 {{- if .Values.ui.service.type }}
 type: {{ .Values.ui.service.type }}
 {{- end }}
diff --git a/test/terraform/main.tf b/test/terraform/main.tf
index a73df6a..df9cf79 100644
--- a/test/terraform/main.tf
+++ b/test/terraform/main.tf
@@ -3,7 +3,9 @@ locals {
 }
 
 provider "google" {
- project = "${var.project}"
+ project = "${var.project}"
+ region = "us-central1"
+ credentials = "${file("vault-helm-dev-creds.json")}"
 }
 
 resource "random_id" "suffix" {
@@ -15,7 +17,7 @@ data "google_container_engine_versions" "main" {
 }
 
 resource "google_container_cluster" "cluster" {
- name = "consul-k8s-${random_id.suffix.dec}"
+ name = "vault-helm-dev-${random_id.suffix.dec}"
 project = "${var.project}"
 enable_legacy_abac = true
 initial_node_count = 5
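Review bot: In the `provider "google"` hunk, `credentials = "${file("vault-helm-dev-creds.json")}"` hard-codes a service-account key file path relative to the Terraform directory: if that file is ever added to the repository it is a committed cloud credential, and if it is not, every other user's `terraform plan` fails on a missing file. Prefer leaving `credentials` unset so the provider falls back to `GOOGLE_APPLICATION_CREDENTIALS` or gcloud application-default credentials, or read the path from a variable with no default, and list the filename in `.gitignore` (not part of this diff). The hard-coded `region = "us-central1"` deserves the same variable treatment as `project`, which already comes from `var.project`.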
@@ -55,7 +57,7 @@ resource "null_resource" "kubectl" {
 }
 
 resource "null_resource" "helm" {
- count = "${var.init_cli ? 1 : 0 }"
+ count = "${var.init_cli ? 1 : 0 }"
 depends_on = ["null_resource.kubectl"]
 
 triggers {
diff --git a/test/terraform/variables.tf b/test/terraform/variables.tf
index c64cf06..280a532 100644
--- a/test/terraform/variables.tf
+++ b/test/terraform/variables.tf
@@ -1,4 +1,6 @@
 variable "project" {
+ default = "vault-helm-dev"
+ description = </`. The value below is