Sets up a vault-enterprise license for autoloading on vault
startup. Mounts an existing secret to /vault/license and sets
VAULT_LICENSE_PATH appropriately.
* configure the agent port
* add unit test
* remove default
* remove default
* Update values.yaml
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* fix serviceaccount and clusterrole name reference (full name)
* add server.enabled option, align with documentation
* add unit tests
* update server.enabled behaviour to explicit true and update tests
* don't set VAULT_DEV_ROOT_TOKEN_ID by default in dev mode
* don't template environment variables that no longer exist
* fix tests after removing VAULT_DEV_ROOT_TOKEN_ID env variable
* removed a typo
* allow overriding VAULT_DEV_ROOT_TOKEN_ID in dev mode
* correct ambiguous description
* don't set default values in templates for visibility, update tests and set uncomment devRootToken in values.yaml
* Update devRootToken description
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.
We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].
These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.
User might want to provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.
refs #376
[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
* Add configuration options for Vault UI service
- Configure to select active Vault pod only
- Configure to not publish unready address
* Create active label only on HA
* Make serviceAccount name a configuration option
Follow Helm Best Practices when defining serviceAccount names
https://helm.sh/docs/chart_best_practices/#using-rbac-resources
* Use enabled instead of create for consistency
* Add unit tests for user-defined service account name
* ServiceAccount under server
Co-authored-by: David Holsgrove <david@apnic.net>
* Update ServiceAccount in RoleBindings
to address https://github.com/hashicorp/vault-helm/pull/56#pullrequestreview-297856433
Co-authored-by: David Holsgrove <david@apnic.net>
* Update tests for helm template arg --show-only
Co-authored-by: David Holsgrove <david@apnic.net>
* Fix server-serviceaccount tests
* serviceAccount: rename enabled to create
* statefulSet: add tests for serviceAccount
Co-authored-by: Nick Satterly <nick@diabol.se>
Co-authored-by: David Holsgrove <david@apnic.net>
This annotation has been deprecated since Kuberneets 1.8 and the
publishNotReadyAddresses parameter replacing it has been correctly
implemented in Kubernetes 1.11 (see https://github.com/kubernetes/kubernetes/pull/63742)
* Initial commit
* Added openshift flag
* added self signed certificate for service annotation
* added OpenShift flag
* Added OpenShift flag
* cleanup
* Cleanup
* Further cleanup
* Further cleanup
* reverted security context on injector
* Extra corrections
* cleanup
* Removed Raft config for OpenShift, removed generated certs for ha and standby services
* Add openshift flag to global block, route disabled by default, condition for injector in network policy
* Added Unit tests for OpenShift
* Fixed unit test for HA statefulset for OpenShift
* Removed debug log level from stateful set
* Added port 8201 to networkpolicy
* Updated injector image
* Add openshift beta support
* Add openshift beta support
* Remove comments from configs
* Remove vault-k8s note from values
* Change route to use active service when HA
Co-authored-by: Radu Domnu <radu.domnu@sixdx.com>
Co-authored-by: Radu Domnu <radu.domnu@gmail.com>
The apiVersion `extensions/v1beta1` for ingresses has been removed in Kubernetes 1.16 and the new `networking.k8s.io/v1beta1` has to be used now. This conditional keeps compatibility with older Kubernetes versions while using the new apiVersion when available.
Changed/added helper functions to detect if the annotations value
is a string or yaml, and apply `tpl` or `toYaml`
accordingly. Defaults are left as `{}` since yaml is more likely
to be used with helm on the command line. This means a warning
will be shown when setting an annotation to a multi-line
string (which has been the existing behavior).
* Change config specification
As it is right now, the specification of the config is done through an
string. When using storage backends like PostgreSQL, the password for the
database has to be included in the config variable of the values file.
This change allows to specify the configuration through a map, making
the chart GitOps friendly. Now, sensitive values can be stored in a
different values file or passed on deployment time with --set.
To have a very generic specification:
- I've assumed that the combination stanza (eg. storage) name (eg. file)
is unique.
- Quoted values for all stanza parameters. I tested a generated
configuration in a vault docker image and it seems to work just fine.
* Change config format to json
* Add conditional formatting
* Add config for raft mode
* use port names that map to vault.scheme
* prefix internal/replication port names with vault.scheme
* port names must be 'no more than 15 characters'
* test vault server service port names are prefixed with vault scheme
* test vault server statefulset port names are prefixed with vault scheme
* test vault ui service port names are prefixed with vault scheme
* formatting: replace double quote with single quote
* uncomment accidentally-commented lines
* always set internal port name to https-internal, since it is always https
* prefix headless service internal port name with https
`Values.server.service.annotations` are now being treated as multi-line
strings, to match the other annotations in the chart, and to support
templating within the annotations.
Annotations for various objects were either multi-line strings or yaml
maps strings, so this is making them all multi-line strings for
consistency. Also updated the doc comment for namespaceSelector, since
it's being read as a yaml map (toYaml).
Adds affinity, tolerations, and nodeSelector options for the
injector deployment that are separate from those options on the vault
server statefulset.
Co-authored-by: Sergei Shishov <sergei.shishov@dubizzle.com>
Uses Values.injector.externalVaultAddr to control the vault address
env variable and server yaml rendering.
If injector.externalVaultAddr is empty, both the injector and vault
are deployed, with the injector using the local vault. If
injector.externalVaultAddr is not empty, only the injector is
deployed, and it uses the vault at the address specified in
injector.externalVaultAddr.
Update chart and tests to Helm 3
Co-authored-by: Matt Piekunka <mpiekunk@users.noreply.github.com>
Co-authored-by: Mike Brancato <mbrancato@users.noreply.github.com>
livenessProbe
* Set the scheme for vault.scheme to ensure that the check works if tls enabled or not
* Allow a configurable value initialDelaySeconds rather than the set 5 seconds
* Set the default initialDelaySeconds to 60 seconds before the probe starts to allow for vault unsealing
* Set the path to /v1/sys/health?standbyok=true to ensure a 200 response on standbys
readinessProbe
* Set the path comment to /v1/sys/health?standbyok=true to ensure a 200 response on standbys
* Set the scheme for vault.scheme to ensure that the check works if tls enabled or not
* Statefulset liveness probe path check set to /v1/sys/health?standbyok=true
* Server Statefulset test added for livenessProbe.initialDelaySeconds
