VAULT-571 Matching documented behavior and consul
Consul's helm template defaults most of the enabled to the special value
`"-"`, which means to inherit from global. This is what is implied
should happen in Vault as well according to the documentation for the
helm chart:
> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.
(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)
We also simplified the chart logic using a few template helpers.
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Prepare default values for MutatingWebhookConfiguration #691
* Add values.yaml values to injector-mutating-webhook.yaml #691
* Duplicate and deprecate top-level webhook settings and put them in a webhook object
* Made the new values default with the fallback to the old values.yaml
* Fix _helpers.tpl to support both old and new webhook annotations
* Add new tests and deprecate old ones for injector webhook configuration
* Old tests now work with old values.yaml
* Add all new fields showing that they have priority over old ones
* Add deprecation note to injector.failurePolicy #691
* Add some tests on top of #396
* convert server-route.yaml to unix newlines
* changelog
Co-authored-by: André Becker <andre@arestless.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Fix test typo
* Add basic server-test Pod tests
- This covers all existing functionality that matches what's
present in server-statefulset.bats
* Fix server-test helm hook Pod rendering
- Properly adhere to the global.enabled flag and the presence of
the injector.externalVaultAddr setting, the same way that
the servers StatefulSet behaves
* Add volumes and env vars to helm hook test pod
- Uses the same extraEnvironmentVars, volumes and volumeMounts set on
the server statefulset to configure the Vault server test pod used by
the helm test hook
- This is necessary in situations where TLS is configured, but the
certificates are not affiliated with the k8s CA / part of k8s PKI
- Fixes GH-665
* make staticSecretRenderInterval default to empty string
* update values schema to add staticSecretRenderInterval
* add test for default value
* adding changelog entry
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Adds the leader-elector container support that was removed in
PR #568. The new vault-k8s uses an internal mechanism for leader
determination, so this is just for backwards compatibility, and can
be removed in the near future.
* mark the endpoint as deprecated
* add a new useContainer option for leaderElector
Default to not deploying the old leader-elector container, unless
injector.leaderElector.useContainer is `true`.
* add configurable values for providersDir and kubeletRootDir
Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Sets up a vault-enterprise license for autoloading on vault
startup. Mounts an existing secret to /vault/license and sets
VAULT_LICENSE_PATH appropriately.
change maxUnavailable from `null` to `integer` to enable upgrade from
0.11.0 to 0.12.0 when using the specific variable.
* Also allow null value
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* add test for server.ha.disruptionBudget.maxUnavailable
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* configure the agent port
* add unit test
* remove default
* remove default
* Update values.yaml
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* fix serviceaccount and clusterrole name reference (full name)
* add server.enabled option, align with documentation
* add unit tests
* update server.enabled behaviour to explicit true and update tests
* don't set VAULT_DEV_ROOT_TOKEN_ID by default in dev mode
* don't template environment variables that no longer exist
* fix tests after removing VAULT_DEV_ROOT_TOKEN_ID env variable
* removed a typo
* allow overriding VAULT_DEV_ROOT_TOKEN_ID in dev mode
* correct ambiguous description
* don't set default values in templates for visibility, update tests and set uncomment devRootToken in values.yaml
* Update devRootToken description
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.
We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].
These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.
User might want to provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.
refs #376
[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
* Add configuration options for Vault UI service
- Configure to select active Vault pod only
- Configure to not publish unready address
* Create active label only on HA
* Make serviceAccount name a configuration option
Follow Helm Best Practices when defining serviceAccount names
https://helm.sh/docs/chart_best_practices/#using-rbac-resources
* Use enabled instead of create for consistency
* Add unit tests for user-defined service account name
* ServiceAccount under server
Co-authored-by: David Holsgrove <david@apnic.net>
* Update ServiceAccount in RoleBindings
to address https://github.com/hashicorp/vault-helm/pull/56#pullrequestreview-297856433
Co-authored-by: David Holsgrove <david@apnic.net>
* Update tests for helm template arg --show-only
Co-authored-by: David Holsgrove <david@apnic.net>
* Fix server-serviceaccount tests
* serviceAccount: rename enabled to create
* statefulSet: add tests for serviceAccount
Co-authored-by: Nick Satterly <nick@diabol.se>
Co-authored-by: David Holsgrove <david@apnic.net>
This annotation has been deprecated since Kuberneets 1.8 and the
publishNotReadyAddresses parameter replacing it has been correctly
implemented in Kubernetes 1.11 (see https://github.com/kubernetes/kubernetes/pull/63742)
* Initial commit
* Added openshift flag
* added self signed certificate for service annotation
* added OpenShift flag
* Added OpenShift flag
* cleanup
* Cleanup
* Further cleanup
* Further cleanup
* reverted security context on injector
* Extra corrections
* cleanup
* Removed Raft config for OpenShift, removed generated certs for ha and standby services
* Add openshift flag to global block, route disabled by default, condition for injector in network policy
* Added Unit tests for OpenShift
* Fixed unit test for HA statefulset for OpenShift
* Removed debug log level from stateful set
* Added port 8201 to networkpolicy
* Updated injector image
* Add openshift beta support
* Add openshift beta support
* Remove comments from configs
* Remove vault-k8s note from values
* Change route to use active service when HA
Co-authored-by: Radu Domnu <radu.domnu@sixdx.com>
Co-authored-by: Radu Domnu <radu.domnu@gmail.com>
Changed/added helper functions to detect if the annotations value
is a string or yaml, and apply `tpl` or `toYaml`
accordingly. Defaults are left as `{}` since yaml is more likely
to be used with helm on the command line. This means a warning
will be shown when setting an annotation to a multi-line
string (which has been the existing behavior).
* use port names that map to vault.scheme
* prefix internal/replication port names with vault.scheme
* port names must be 'no more than 15 characters'
* test vault server service port names are prefixed with vault scheme
* test vault server statefulset port names are prefixed with vault scheme
* test vault ui service port names are prefixed with vault scheme
* formatting: replace double quote with single quote
* uncomment accidentally-commented lines
* always set internal port name to https-internal, since it is always https
* prefix headless service internal port name with https
Annotations for various objects were either multi-line strings or yaml
maps strings, so this is making them all multi-line strings for
consistency. Also updated the doc comment for namespaceSelector, since
it's being read as a yaml map (toYaml).
Adds affinity, tolerations, and nodeSelector options for the
injector deployment that are separate from those options on the vault
server statefulset.
Co-authored-by: Sergei Shishov <sergei.shishov@dubizzle.com>
Uses Values.injector.externalVaultAddr to control the vault address
env variable and server yaml rendering.
If injector.externalVaultAddr is empty, both the injector and vault
are deployed, with the injector using the local vault. If
injector.externalVaultAddr is not empty, only the injector is
deployed, and it uses the vault at the address specified in
injector.externalVaultAddr.
Update chart and tests to Helm 3
Co-authored-by: Matt Piekunka <mpiekunk@users.noreply.github.com>
Co-authored-by: Mike Brancato <mbrancato@users.noreply.github.com>
