Support collecting Vault server metrics by deploying PrometheusOperator
CustomResources.
Co-authored-by: Sam Weston <weston.sam@gmail.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
csi/server.statefulset: custom security context
This adds flexibility to have custom pod template and container
`securityContext` and preserves current default values and behavior.
Fixes https://github.com/hashicorp/vault-helm/issues/663.
This also is a way to address https://github.com/hashicorp/vault-helm/pull/599
so that people can specify, for example, the CSI to run in a privileged
container for OpenShift.
This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750
and builds on the same principles.
Side note: I am not able to run `helm schema-gen` since it is
unmaintained and does not work with M1 Macs.
Allow the injector's pod- and container-level securityContext to be
fully specified by the user, via new options
`injector.securityContext.pod` and
`injector.securityContext.container` with more complete
defaults. Deprecates `injector.uid` and `injector.gid`.
If `injector.uid` or `injector.gid` is set by the user, the old pod
securityContext settings will be used. Otherwise the new defaults and
settings are used.
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Set default object selector for webhooks to exclude injector itself
If `injector.failurePolicy` is set to `Fail`, there is a race condition
where if the mutating webhook config is set up before the injector, then
the injector can fail to start because it tries to inject itself.
We can work around this by ignoring the injector pod in the webhook
by default.
Thanks to @joeyslalom for the object selector to exclude the pod.
Fixes https://github.com/hashicorp/vault-k8s/issues/258
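The exclusion described in the commit above, shown as a stand-alone MutatingWebhookConfiguration fragment. This is an added example, not the chart's own template: the webhook name, service name, namespace and the injector pod label `app.kubernetes.io/name: vault-agent-injector` are assumed for illustration.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: vault-agent-injector-cfg        # illustrative name
webhooks:
  - name: vault.hashicorp.com           # illustrative webhook name
    # With failurePolicy Fail, a pod CREATE that the injector cannot
    # answer is rejected. The injector's own pod would be one of them,
    # so it is excluded by label before the API server ever calls out.
    failurePolicy: Fail
    objectSelector:
      matchExpressions:
        - key: app.kubernetes.io/name   # assumed label on the injector pod
          operator: NotIn
          values:
            - vault-agent-injector
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    clientConfig:
      service:
        name: vault-agent-injector-svc  # illustrative service name
        namespace: vault                # illustrative namespace
        path: /mutate
      caBundle: ""                      # placeholder, not a real CA bundle
```

Pods carrying the excluded label bypass the webhook entirely, so the injector can start even when the webhook configuration exists before the injector Deployment is ready.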
* Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it
* Issue-#629 removing extra whitespace I added accidentally.
* Issue-#629 fixing extra whitespace added.
* Update values.yaml
Co-authored-by: Joaco Muleiro Beltran <joaquinmuleirobeltran@gmail.com>
* Issue #629 adding changelog
Co-authored-by: Joaco Muleiro Beltran <joaquinmuleirobeltran@gmail.com>
VAULT-571 Matching documented behavior and Consul
Consul's helm template defaults most of the enabled to the special value
`"-"`, which means to inherit from global. This is what is implied
should happen in Vault as well according to the documentation for the
helm chart:
> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.
(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)
We also simplified the chart logic using a few template helpers.
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Prepare default values for MutatingWebhookConfiguration #691
* Add values.yaml values to injector-mutating-webhook.yaml #691
* Duplicate and deprecate top-level webhook settings and put them in a webhook object
* Made the new values default with the fallback to the old values.yaml
* Fix _helpers.tpl to support both old and new webhook annotations
* Add new tests and deprecate old ones for injector webhook configuration
* Old tests now work with old values.yaml
* Add all new fields showing that they have priority over old ones
* Add deprecation note to injector.failurePolicy #691
* Add some tests on top of #396
* convert server-route.yaml to unix newlines
* changelog
Co-authored-by: André Becker <andre@arestless.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Fix test typo
* Add basic server-test Pod tests
- This covers all existing functionality that matches what's
present in server-statefulset.bats
* Fix server-test helm hook Pod rendering
- Properly adhere to the global.enabled flag and the presence of
the injector.externalVaultAddr setting, the same way that
the server StatefulSet behaves
* Add volumes and env vars to helm hook test pod
- Uses the same extraEnvironmentVars, volumes and volumeMounts set on
the server statefulset to configure the Vault server test pod used by
the helm test hook
- This is necessary in situations where TLS is configured, but the
certificates are not affiliated with the k8s CA / part of k8s PKI
- Fixes GH-665
Ports the bats unit, chart-verifier, and bats acceptance tests to use
github workflows and actions. The acceptance tests run using kind, and
run for multiple k8s versions, on pushes to the main branch.
Adds a SKIP_CSI env check in the CSI acceptance test, set in the
workflow if the K8s version is less than 1.16.
Adds kubeAdmConfigPatches to the kind config to allow testing the CSI
provider on K8s versions prior to 1.21.
Updates the Secrets Store CSI driver to 1.0.0 in tests.
Makes the HA Vault tests more robust by waiting for all consul client
pods to be Ready, and waits with a timeout for Vault to start
responding as sealed (since the tests on GitHub runners were often
failing at that point).
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* make staticSecretRenderInterval default to empty string
* update values schema to add staticSecretRenderInterval
* add test for default value
* adding changelog entry
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
GKE's stable K8s version is now 1.19. Also adding VAULT_LICENSE_CI to
the `make test-acceptance` target to make it easier to run the
acceptance tests manually, and mentioning it in the test README.
Adds the leader-elector container support that was removed in
PR #568. The new vault-k8s uses an internal mechanism for leader
determination, so this is just for backwards compatibility, and can
be removed in the near future.
* mark the endpoint as deprecated
* add a new useContainer option for leaderElector
Default to not deploying the old leader-elector container, unless
injector.leaderElector.useContainer is `true`.
* add configurable values for providersDir and kubeletRootDir
Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* Default to hashicorp/vault for vault agent image.
* Add support for running acceptance tests against a kind cluster
* make the injector-leader-elector a bit more reliable when run locally
Sets up a vault-enterprise license for autoloading on vault
startup. Mounts an existing secret to /vault/license and sets
VAULT_LICENSE_PATH appropriately.
change maxUnavailable from `null` to `integer` to enable upgrade from
0.11.0 to 0.12.0 when using the specific variable.
* Also allow null value
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* add test for server.ha.disruptionBudget.maxUnavailable
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Generated the schema using the helm schema-gen plugin, and added extra
data types to fields that allow it, such as annotations, tolerations,
enabled, etc. Enabled the "contains-value-schema" chart-verifier test.
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats
test, and configured to run it in CI. Some verification tests that
haven't been addressed yet are skipped.
* update documentation with running unit tests using container
* promote bats version to 1.3.0
* Update CONTRIBUTING.md
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update CONTRIBUTING.md
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* configure the agent port
* add unit test
* remove default
* remove default
* Update values.yaml
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* fix serviceaccount and clusterrole name reference (full name)
* add server.enabled option, align with documentation
* add unit tests
* update server.enabled behaviour to explicit true and update tests
* don't set VAULT_DEV_ROOT_TOKEN_ID by default in dev mode
* don't template environment variables that no longer exist
* fix tests after removing VAULT_DEV_ROOT_TOKEN_ID env variable
* removed a typo
* allow overriding VAULT_DEV_ROOT_TOKEN_ID in dev mode
* correct ambiguous description
* don't set default values in templates for visibility, update tests and uncomment devRootToken in values.yaml
* Update devRootToken description