really ugly hack/slash proof-of-concept, forked from consul-helm

This commit is contained in:
Clint Shryock 2018-10-02 16:14:57 -05:00
parent a2235339eb
commit d72a939a51
No known key found for this signature in database
GPG key ID: B7C8F9C70EC5CD29
10 changed files with 87 additions and 168 deletions


@ -1,27 +1,27 @@
# Service for Vault DNS. # Service for Vault DNS.
# TODO: verify for Vault ## TODO: verify for Vault
{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }} #{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1 #apiVersion: v1
kind: Service #kind: Service
metadata: #metadata:
name: {{ template "vault.fullname" . }}-dns # name: {{ template "vault.fullname" . }}-dns
labels: # labels:
app: {{ template "vault.name" . }} # app: {{ template "vault.name" . }}
chart: {{ template "vault.chart" . }} # chart: {{ template "vault.chart" . }}
heritage: {{ .Release.Service }} # heritage: {{ .Release.Service }}
release: {{ .Release.Name }} # release: {{ .Release.Name }}
spec: #spec:
ports: # ports:
- name: dns-tcp # - name: dns-tcp
port: 53 # port: 53
protocol: "TCP" # protocol: "TCP"
targetPort: dns-tcp # targetPort: dns-tcp
- name: dns-udp # - name: dns-udp
port: 53 # port: 53
protocol: "UDP" # protocol: "UDP"
targetPort: dns-udp # targetPort: dns-udp
selector: # selector:
app: {{ template "vault.name" . }} # app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}" # release: "{{ .Release.Name }}"
hasDNS: "true" # hasDNS: "true"
{{- end }} #{{- end }}
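Review bot: Prefixing every line of this template with `#` does not disable it: Go template actions are evaluated regardless of a leading comment character, so the `{{- if ... }}` guard and the `{{ template "vault.fullname" . }}` / `{{ template "vault.name" . }}` lookups in this hunk still run on every render, and a missing or broken named template would still fail the whole chart even though the output is discarded as an all-comment manifest. If the DNS service is not wanted for Vault, delete the file, or wrap the body in a template comment `{{- /* DNS service not yet adapted for Vault */ -}}` so it is skipped at parse time. If it is meant to come back, the `# TODO: verify for Vault` header should say what needs verifying (for example whether Vault exposes any DNS ports at all, since the server Service in this commit drops the dns-tcp/dns-udp entries).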


@ -10,6 +10,6 @@ metadata:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
data: data:
extra-from-values.json: |- extra-from-values.hcl: |-
{{ tpl .Values.server.extraConfig . | indent 4 }} {{ tpl .Values.server.extraConfig . | indent 4 }}
{{- end }} {{- end }}


@ -4,17 +4,17 @@
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: {{ template "consul.fullname" . }}-server name: {{ template "vault.fullname" . }}-server
labels: labels:
app: {{ template "consul.name" . }} app: {{ template "vault.name" . }}
chart: {{ template "consul.chart" . }} chart: {{ template "vault.chart" . }}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
selector: selector:
matchLabels: matchLabels:
app: {{ template "consul.name" . }} app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}" release: "{{ .Release.Name }}"
component: server component: server
{{- end }} {{- end }}


@ -26,35 +26,8 @@ spec:
publishNotReadyAddresses: true publishNotReadyAddresses: true
ports: ports:
- name: http - name: http
port: 8500 port: 8200
targetPort: 8500 targetPort: 8200
- name: serflan-tcp
protocol: "TCP"
port: 8301
targetPort: 8301
- name: serflan-udp
protocol: "UDP"
port: 8301
targetPort: 8301
- name: serfwan-tcp
protocol: "TCP"
port: 8302
targetPort: 8302
- name: serfwan-udp
protocol: "UDP"
port: 8302
targetPort: 8302
- name: server
port: 8300
targetPort: 8300
- name: dns-tcp
protocol: "TCP"
port: 8600
targetPort: dns-tcp
- name: dns-udp
protocol: "UDP"
port: 8600
targetPort: dns-udp
selector: selector:
app: {{ template "vault.name" . }} app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}" release: "{{ .Release.Name }}"


@ -13,6 +13,7 @@ spec:
serviceName: {{ template "vault.fullname" . }}-server serviceName: {{ template "vault.fullname" . }}-server
podManagementPolicy: Parallel podManagementPolicy: Parallel
replicas: {{ .Values.server.replicas }} replicas: {{ .Values.server.replicas }}
# TODO: verify for Vault
{{- if (gt (int .Values.server.updatePartition) 0) }} {{- if (gt (int .Values.server.updatePartition) 0) }}
updateStrategy: updateStrategy:
type: RollingUpdate type: RollingUpdate
@ -25,7 +26,7 @@ spec:
chart: {{ template "vault.chart" . }} chart: {{ template "vault.chart" . }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
component: server component: server
hasDNS: "true" #hasDNS: "true"
template: template:
metadata: metadata:
labels: labels:
@ -33,7 +34,7 @@ spec:
chart: {{ template "vault.chart" . }} chart: {{ template "vault.chart" . }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
component: server component: server
hasDNS: "true" #hasDNS: "true"
spec: spec:
affinity: affinity:
podAntiAffinity: podAntiAffinity:
@ -62,6 +63,9 @@ spec:
{{- end }} {{- end }}
containers: containers:
- name: vault - name: vault
securityContext:
fsGroup: 1000
privileged: true
image: "{{ default .Values.global.image .Values.server.image }}" image: "{{ default .Values.global.image .Values.server.image }}"
env: env:
- name: POD_IP - name: POD_IP
@ -72,39 +76,13 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
env:
- name: VAULT_ADDR
value: "http://localhost:8200"
command: command:
- "" - "vault"
# should give us dev server - "server"
#- "/bin/sh" - "-config=/vault/config/"
#- "-ec"
#- |
#vault_FULLNAME="{{template "vault.fullname" . }}"
#exec "hello vault"
#exec /bin/vault agent \
# -advertise="${POD_IP}" \
# -bind=0.0.0.0 \
# -bootstrap-expect={{ .Values.server.bootstrapExpect }} \
# -client=0.0.0.0 \
# -config-dir=/vault/config \
# {{- range .Values.server.extraVolumes }}
# {{- if .load }}
# -config-dir=/vault/userconfig/{{ .name }}
# {{- end }}
# {{- end }}
# -datacenter={{ .Values.global.datacenter }} \
# -data-dir=/vault/data \
# -domain={{ .Values.global.domain }} \
# {{- if .Values.server.connect }}
# -hcl="connect { enabled = true }" \
# {{- end }}
# {{- if .Values.ui.enabled }}
# -ui \
# {{- end }}
# {{- range $index := until (.Values.server.replicas | int) }}
# -retry-join=${vault_FULLNAME}-server-{{ $index }}.${vault_FULLNAME}-server.${NAMESPACE}.svc \
# {{- end }}
# -server
volumeMounts: volumeMounts:
- name: data - name: data
mountPath: /vault/data mountPath: /vault/data
@ -119,40 +97,26 @@ spec:
preStop: preStop:
exec: exec:
command: command:
- /bin/sh - vault step-down
- -c
- vault leave
ports: ports:
- containerPort: 8500 - containerPort: 8200
name: http name: http
- containerPort: 8301 #readinessProbe:
name: serflan # # NOTE(mitchellh): when our HTTP status endpoints support the
- containerPort: 8302 # # proper status codes, we should switch to that. This is temporary.
name: serfwan # # TODO: verify for Vault
- containerPort: 8300 # #exec:
name: server # # command:
- containerPort: 8600 # # - "/bin/sh"
name: dns-tcp # # - "-ec"
protocol: "TCP" # # - |
- containerPort: 8600 # # curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
name: dns-udp # # grep -E '".+"'
protocol: "UDP" # failureThreshold: 2
readinessProbe: # initialDelaySeconds: 5
# NOTE(mitchellh): when our HTTP status endpoints support the # periodSeconds: 3
# proper status codes, we should switch to that. This is temporary. # successThreshold: 1
# TODO: verify for Vault # timeoutSeconds: 5
#exec:
# command:
# - "/bin/sh"
# - "-ec"
# - |
# curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
# grep -E '".+"'
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 3
successThreshold: 1
timeoutSeconds: 5
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: data name: data
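Review bot: The `securityContext` added under the `- name: vault` container in hunk `@ -62,6 +63,9 @@` sets `privileged: true` and `fsGroup: 1000`, but `fsGroup` is a pod-level field (PodSecurityContext), not a container-level one, so here it is either rejected or silently dropped depending on which validation path is in use; move it to the pod's `spec.template.spec.securityContext`. Vault's documented need is the mlock capability, which is far narrower than privileged, so replace `privileged: true` with `capabilities:` / `add: ["IPC_LOCK"]` and keep the container unprivileged. Two further defects in this file: hunk `@ -72,39 +76,13 @@` appears to introduce a second `env:` key in the same container mapping (the first, holding POD_IP, is visible in the preceding hunk), and with YAML last-key-wins semantics that would silently drop POD_IP and NAMESPACE, so VAULT_ADDR should be appended to the existing list instead; and the preStop hook in hunk `@ -119,40 +97,26 @@` lists `- vault step-down` as a single exec argument, which is looked up as one executable literally named "vault step-down" and fails, so split it into `- vault` and `- step-down` (step-down also needs a token in the container's environment, which nothing here provides). The `http://` scheme of VAULT_ADDR matches the `tls_disable = 1` default introduced in values.yaml in this same commit, which is fine for a dev PoC but deserves a comment saying so next to the value. The StatefulSet template starts before and continues after every hunk here.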


@ -1,31 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ template "consul.fullname" . }}-test-{{ randAlphaNum 5 | lower }}"
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: consul-test
image: "{{ .Values.global.image }}"
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
command:
- "/bin/sh"
- "-ec"
- |
export VALUE="{{randAlphaNum 24 | lower }}"
export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
consul kv delete _consul_helm_test
consul kv put _consul_helm_test $VALUE
[ `consul kv get _consul_helm_test` = "$VALUE" ]
consul kv delete _consul_helm_test
restartPolicy: Never


@ -21,7 +21,7 @@ spec:
ports: ports:
- name: http - name: http
port: 80 port: 80
targetPort: 8500 targetPort: 8200
{{- if .Values.ui.service.type }} {{- if .Values.ui.service.type }}
type: {{ .Values.ui.service.type }} type: {{ .Values.ui.service.type }}
{{- end }} {{- end }}


@ -3,7 +3,9 @@ locals {
} }
provider "google" { provider "google" {
project = "${var.project}" project = "${var.project}"
region = "us-central1"
credentials = "${file("vault-helm-dev-creds.json")}"
} }
resource "random_id" "suffix" { resource "random_id" "suffix" {
@ -15,7 +17,7 @@ data "google_container_engine_versions" "main" {
} }
resource "google_container_cluster" "cluster" { resource "google_container_cluster" "cluster" {
name = "consul-k8s-${random_id.suffix.dec}" name = "vault-helm-dev-${random_id.suffix.dec}"
project = "${var.project}" project = "${var.project}"
enable_legacy_abac = true enable_legacy_abac = true
initial_node_count = 5 initial_node_count = 5
@ -55,7 +57,7 @@ resource "null_resource" "kubectl" {
} }
resource "null_resource" "helm" { resource "null_resource" "helm" {
count = "${var.init_cli ? 1 : 0 }" count = "${var.init_cli ? 1 : 0 }"
depends_on = ["null_resource.kubectl"] depends_on = ["null_resource.kubectl"]
triggers { triggers {
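Review bot: The `credentials = "${file("vault-helm-dev-creds.json")}"` line added to the `provider "google"` block in the first hunk hard-codes a service-account key file inside the module directory, which leaves the key one `git add` away from being committed; I cannot tell from this diff whether that file is ignored. Prefer leaving `credentials` unset so the provider picks the key up from `GOOGLE_APPLICATION_CREDENTIALS` or `GOOGLE_CREDENTIALS` in the environment, or at minimum list `vault-helm-dev-creds.json` in `.gitignore` and put `# local dev service-account key; never commit this file` above the line. The new `region = "us-central1"` is fine, but since `project` is now defaulted in variables.tf it would be consistent to make the region a variable as well.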


@ -1,4 +1,6 @@
variable "project" { variable "project" {
default = "vault-helm-dev"
description = <<EOF description = <<EOF
Google Cloud Project to launch resources in. This project must have GKE Google Cloud Project to launch resources in. This project must have GKE
enabled and billing activated. We can't use the GOOGLE_PROJECT environment enabled and billing activated. We can't use the GOOGLE_PROJECT environment
@ -12,6 +14,6 @@ variable "zone" {
} }
variable "init_cli" { variable "init_cli" {
default = false default = true
description = "Whether to init the CLI tools kubectl, helm, etc. or not." description = "Whether to init the CLI tools kubectl, helm, etc. or not."
} }


@ -17,7 +17,8 @@ global:
# Image is the name (and tag) of the Vault Docker image for clients and # Image is the name (and tag) of the Vault Docker image for clients and
# servers below. This can be overridden per component. # servers below. This can be overridden per component.
image: "vault:0.11.1" #image: "vault:0.11.1"
image: "vault"
# Datacenter is the name of the datacenter that the agents should register # Datacenter is the name of the datacenter that the agents should register
# as. This shouldn't be changed once the Vault cluster is up and running # as. This shouldn't be changed once the Vault cluster is up and running
@ -29,7 +30,7 @@ global:
server: server:
enabled: "-" enabled: "-"
image: null image: null
replicas: 3 replicas: 1
# storage and storageClass are the settings for configuring stateful # storage and storageClass are the settings for configuring stateful
# storage for the server pods. storage should be set to the disk size of # storage for the server pods. storage should be set to the disk size of
@ -46,13 +47,14 @@ server:
# updatePartition is used to control a careful rolling update of Vault # updatePartition is used to control a careful rolling update of Vault
# servers. This should be done particularly when changing the version # servers. This should be done particularly when changing the version
# of Vault. Please refer to the documentation for more information. # of Vault. Please refer to the documentation for more information.
# TODO: verify for Vaultt # TODO: verify for Vault
updatePartition: 0 updatePartition: 0
# disruptionBudget enables the creation of a PodDisruptionBudget to # disruptionBudget enables the creation of a PodDisruptionBudget to
# prevent voluntary degrading of the Vault server cluster. # prevent voluntary degrading of the Vault server cluster.
disruptionBudget: disruptionBudget:
enabled: true #enabled: true
enabled: false
# maxUnavailable will default to (n/2)-1 where n is the number of # maxUnavailable will default to (n/2)-1 where n is the number of
# replicas. If you'd like a custom value, you can specify an override here. # replicas. If you'd like a custom value, you can specify an override here.
@ -61,7 +63,14 @@ server:
# extraConfig is a raw string of extra configuration to set with the # extraConfig is a raw string of extra configuration to set with the
# server. This should be JSON or HCL. # server. This should be JSON or HCL.
extraConfig: | extraConfig: |
{} ui = true
listener "tcp" {
tls_disable = 1
address = "0.0.0.0:8200"
}
storage "file" {
path = "/vault/data"
}
# extraVolumes is a list of extra volumes to mount. These will be exposed # extraVolumes is a list of extra volumes to mount. These will be exposed
# to Vault in the path `/vault/userconfig/<name>/`. The value below is # to Vault in the path `/vault/userconfig/<name>/`. The value below is