Compare commits


No commits in common. "main" and "openbao-0.3.0" have entirely different histories.

118 changed files with 1543 additions and 939 deletions

View file

@ -9,9 +9,9 @@ assignees: ''
<!-- Please reserve GitHub issues for bug reports and feature requests.
**Please note**: We take OpenBao's security and our users' trust very seriously. If
you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_
by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org).
For questions, the best place to get answers is on our [discussion forum](https://discuss.hashicorp.com/c/vault), as they will get more visibility from experienced users than the issue tracker.
Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_ by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org).
-->
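Review bot: the issue-template comment is inconsistent between the two sides: the "For questions" line points at https://discuss.hashicorp.com/c/vault and the second note says "Vault's security", while the surrounding text already names OpenBao Helm. Keep the OpenBao wording in both security sentences and point the questions line at an OpenBao venue, otherwise bug reporters are sent to a community that does not maintain this chart. The responsible-disclosure address openbao-security@lists.lfedge.org is identical on both sides and is the line that matters most here; keep it as the first thing a reporter sees.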
@ -21,10 +21,10 @@ A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Install chart
2. Run bao command
3. See error (openbao logs, etc.)
2. Run vault command
3. See error (vault logs, etc.)
Other useful info to include: openbao pod logs, `kubectl describe statefulset openbao` and `kubectl get statefulset openbao -o yaml` output
Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output
**Expected behavior**
A clear and concise description of what you expected to happen.
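Review bot: the reproduction steps and the kubectl hints must agree with the binary and StatefulSet name the chart actually ships: one side says `Run bao command` / `kubectl describe statefulset openbao`, the other `Run vault command` / `statefulset vault`. Pick the pair matching the image entrypoint used in the args helper (`bao server`), and note in the template that the StatefulSet name follows the release name, so `openbao` is only right when the release is named that.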
@ -33,7 +33,7 @@ A clear and concise description of what you expected to happen.
* Kubernetes version:
* Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.):
* Other configuration options or runtime services (istio, etc.):
* openbao-helm version:
* vault-helm version:
Chart values:

View file

@ -3,4 +3,5 @@
contact_links:
- name: Ask a question
url: https://chat.lfx.linuxfoundation.org/#/room/#openbao-questions:chat.lfx.linuxfoundation.org
url: https://discuss.hashicorp.com/c/vault
about: For increased visibility, please post questions on the discussion forum, and tag with `k8s`
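Review bot: the `about:` text still says to tag questions with `k8s`, which is a tagging convention for the Discourse forum URL on the other side; when the link points at the Matrix room `#openbao-questions`, drop the tagging instruction or replace it with what that room expects, so the contact link and its description describe the same place.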

View file

@ -18,5 +18,7 @@ jobs:
node_image: kindest/node:v${{ matrix.kind-k8s-version }}
version: v0.22.0
- run: bats --tap --timing ./test/acceptance
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
permissions:
contents: read
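Review bot: the `env:` block forwarding `secrets.VAULT_LICENSE_CI` into the bats step exists on only one side. Unless the acceptance tests actually gate on an enterprise license, the side that omits it is correct and the secret should not be exposed to this job at all: a CI secret available to a test step is a secret that a compromised test dependency can read, so keep secrets scoped to the steps that need them. The `permissions: contents: read` line is the right default token scope and should stay on both sides.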

View file

@ -10,14 +10,14 @@ jobs:
chart-verifier:
runs-on: ubuntu-latest
env:
CHART_VERIFIER_VERSION: "1.13.7"
CHART_VERIFIER_VERSION: '1.13.0'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup test tools
uses: ./.github/actions/setup-test-tools
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.22.5"
go-version: '1.21.3'
- run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}"
- run: bats --tap --timing ./test/chart
permissions:
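Review bot: both versions of `actions/setup-go` are pinned by full commit SHA with a version comment, which is the right supply-chain practice; keep that pattern. The `go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}"` step is only tag-pinned, so it relies on the Go checksum database (on by default) to detect a moved tag; consider recording the expected module version in a comment next to `CHART_VERIFIER_VERSION`. Also settle on one quoting style for the version strings: `"1.13.7"` / `"1.22.5"` on one side versus `'1.13.0'` / `'1.21.3'` on the other.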

View file

@ -123,7 +123,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
start from a clean slate.
**Note:** There is a Terraform configuration in the
[`test/terraform/`](https://github.com/openbao/openbao-helm/tree/main/test/terraform) directory
[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory
that can be used to quickly bring up a GKE cluster and configure
`kubectl` and `helm` locally. This can be used to quickly spin up a test
cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes
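Review bot: the `test/terraform/` link should point at the repository that hosts this chart (github.com/openbao/openbao-helm), not github.com/hashicorp/vault-helm; the upstream link would send readers to Terraform that provisions the Vault test project rather than the one this Makefile's `CLOUDSDK_CORE_PROJECT` names.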

View file

@ -1,6 +1,6 @@
TEST_IMAGE?=openbao-helm-test
GOOGLE_CREDENTIALS?=openbao-helm-test.json
CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514
TEST_IMAGE?=vault-helm-test
GOOGLE_CREDENTIALS?=vault-helm-test.json
CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
ACCEPTANCE_TESTS?=acceptance
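Review bot: `CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514` keeps the numeric suffix of the upstream `vault-helm-dev-246514` project ID. GCP project IDs are immutable, so confirm that a project with exactly this ID exists under the OpenBao organisation; otherwise the acceptance run fails at credential time. `GOOGLE_CREDENTIALS?=openbao-helm-test.json` names a service-account key file, so make sure that path is gitignored and never lands in the image built from `TEST_IMAGE`.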
@ -11,7 +11,7 @@ UNIT_TESTS_FILTER?='.*'
LOCAL_ACCEPTANCE_TESTS?=false
# kind cluster name
KIND_CLUSTER_NAME?=openbao-helm
KIND_CLUSTER_NAME?=vault-helm
# kind k8s version
KIND_K8S_VERSION?=v1.29.2
@ -40,6 +40,7 @@ else
-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
-e KUBECONFIG=/helm-test/.kube/config \
-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
-w /helm-test \
$(TEST_IMAGE) \
make acceptance

View file

@ -3,23 +3,13 @@
apiVersion: v2
name: openbao
version: 0.6.0
appVersion: v2.0.2
version: 0.3.0
appVersion: v2.0.0-alpha20240329
kubeVersion: ">= 1.27.0-0"
description: Official OpenBao Chart
home: https://github.com/openbao/openbao-helm
icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg
keywords:
[
"vault",
"openbao",
"security",
"encryption",
"secrets",
"management",
"automation",
"infrastructure",
]
keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
sources:
- https://github.com/openbao/openbao-helm
annotations:
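Review bot: the `keywords` list differs in content as well as layout: only the multi-line form includes `"openbao"`, which is the term chart consumers will search for, so keep it whichever layout wins. Also verify that `appVersion` (`v2.0.2` versus `v2.0.0-alpha20240329`) matches the image tags in values.yaml (`2.0.2` versus `2.0.0-alpha20240329` further down this diff), since `helm show chart` and the generated README present appVersion as the deployed OpenBao version.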
@ -27,5 +17,4 @@ annotations:
maintainers:
- name: OpenBao
email: openbao-security@lists.lfedge.org
url: https://openbao.org

View file

@ -1,6 +1,6 @@
# openbao
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square)
![Version: 0.3.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![AppVersion: v2.0.0-alpha20240329](https://img.shields.io/badge/AppVersion-v2.0.0--alpha20240329-informational?style=flat-square)
Official OpenBao Chart
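Review bot: the badge on the 0.3.0 side is self-inconsistent: the alt text says `Version: 0.3.0` but the badge URL says `Version-0.2.0`. This README is generated by helm-docs (see the footer at the end of the file), so regenerate it from Chart.yaml rather than editing the badge by hand.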
@ -9,8 +9,8 @@ Official OpenBao Chart
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| OpenBao | <openbao-security@lists.lfedge.org> | <https://openbao.org> |
|---------|------------------------------------|-----------------------|
| OpenBao | https://lists.lfedge.org/g/openbao | <https://openbao.org> |
## Source Code
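Review bot: the Maintainers table's Email column holds a URL (`https://lists.lfedge.org/g/openbao`) on one side and the address `<openbao-security@lists.lfedge.org>` on the other; it should match the `email:` field of the `maintainers` entry in Chart.yaml, and the separator row should come from helm-docs rather than a hand edit so the table stays aligned with the generator's output.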
@ -29,7 +29,7 @@ Kubernetes: `>= 1.27.0-0`
| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
| csi.agent.image.registry | string | `"quay.io"` | image registry to use for agent image |
| csi.agent.image.repository | string | `"openbao/openbao"` | image repo to use for agent image |
| csi.agent.image.tag | string | `"2.0.2"` | image tag to use for agent image |
| csi.agent.image.tag | string | `"2.0.0-alpha20240329"` | image tag to use for agent image |
| csi.agent.logFormat | string | `"standard"` | |
| csi.agent.logLevel | string | `"info"` | |
| csi.agent.resources | object | `{}` | |
@ -42,13 +42,13 @@ Kubernetes: `>= 1.27.0-0`
| csi.daemonSet.updateStrategy.maxUnavailable | string | `""` | |
| csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` | |
| csi.debug | bool | `false` | |
| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount OpenBao secrets into volumes similar to the OpenBao Agent injector, and you can also sync those secrets into Kubernetes secrets. |
| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount Vault secrets into volumes similar to the Vault Agent injector, and you can also sync those secrets into Kubernetes secrets. |
| csi.extraArgs | list | `[]` | |
| csi.hmacSecretName | string | `""` | |
| csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" |
| csi.image.registry | string | `"docker.io"` | image registry to use for csi image |
| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | image repo to use for csi image |
| csi.image.tag | string | `"1.4.0"` | image tag to use for csi image |
| csi.image.tag | string | `"1.4.1"` | image tag to use for csi image |
| csi.livenessProbe.failureThreshold | int | `2` | |
| csi.livenessProbe.initialDelaySeconds | int | `5` | |
| csi.livenessProbe.periodSeconds | int | `5` | |
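Review bot: `csi.image.tag` is `1.4.0` on one side and `1.4.1` on the other while `csi.agent.image.tag` moves the opposite way (`2.0.2` versus the alpha), so check which direction is intended to avoid downgrading the provider. The `csi.enabled` description still names `secrets-store-csi-driver-provider-vault`, and `csi.image.repository` is `hashicorp/vault-csi-provider` on both sides; state explicitly in the description that the CSI provider is the HashiCorp binary so operators know which project's releases and advisories to track.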
@ -68,10 +68,10 @@ Kubernetes: `>= 1.27.0-0`
| csi.resources | object | `{}` | |
| csi.serviceAccount.annotations | object | `{}` | |
| csi.serviceAccount.extraLabels | object | `{}` | |
| csi.volumeMounts | list | `[]` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
| csi.volumes | list | `[]` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
| csi.volumeMounts | string | `nil` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
| csi.volumes | string | `nil` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
| global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. |
| global.externalVaultAddr | string | `""` | External openbao server address for the injector and CSI provider to use. Setting this will disable deployment of a openbao server. |
| global.externalVaultAddr | string | `""` | External vault server address for the injector and CSI provider to use. Setting this will disable deployment of a vault server. |
| global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. |
| global.namespace | string | `""` | The namespace to deploy to. Defaults to the `helm` installation namespace. |
| global.openshift | bool | `false` | If deploying to OpenShift |
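Review bot: `csi.volumeMounts` and `csi.volumes` default to `[]` (type list) on one side and `nil` (type string) on the other; templates that `range` or `toYaml` these values behave differently on `nil` versus an empty list, so keep the list default and make sure the template guards match it. The `global.externalVaultAddr` description reads `a openbao server`; it should be `an OpenBao server`, and since the key itself keeps the `externalVaultAddr` name, say in the description that the name is retained for compatibility.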
@ -79,7 +79,7 @@ Kubernetes: `>= 1.27.0-0`
| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. |
| global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. |
| global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport |
| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | |
| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | |
| injector.agentDefaults.cpuLimit | string | `"500m"` | |
| injector.agentDefaults.cpuRequest | string | `"250m"` | |
| injector.agentDefaults.memLimit | string | `"128Mi"` | |
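Review bot: `global.tlsDisable` defaults to `true`, but its description says `TLS for end-to-end encrypted transport`, which reads as if TLS were on. The default ships the listener in plaintext (the `tls_disable = 1` blocks in the server configs further down agree), so the description should state that TLS is disabled by default and that production deployments should set it to `false` and supply certificates. Separately, the `injector.affinity` string refers to `{{ template \"openbao.name\" . }}` on one side and `vault.name` on the other; it must match the helper names defined in _helpers.tpl on the same side.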
@ -87,18 +87,18 @@ Kubernetes: `>= 1.27.0-0`
| injector.agentDefaults.template | string | `"map"` | |
| injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | |
| injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | |
| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.2"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. |
| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.0-alpha20240329"}` | agentImage sets the repo and tag of the Vault image to use for the Vault Agent containers. This should be set to the official Vault image. Vault 1.3.1+ is required. |
| injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
| injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image |
| injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image |
| injector.agentImage.tag | string | `"2.0.2"` | image tag to use for agent image |
| injector.agentImage.tag | string | `"2.0.0-alpha20240329"` | image tag to use for agent image |
| injector.annotations | object | `{}` | |
| injector.authPath | string | `"auth/kubernetes"` | |
| injector.certs.caBundle | string | `""` | |
| injector.certs.certName | string | `"tls.crt"` | |
| injector.certs.keyName | string | `"tls.key"` | |
| injector.certs.secretName | string | `nil` | |
| injector.enabled | string | `"-"` | True if you want to enable openbao agent injection. @default: global.enabled |
| injector.enabled | string | `"-"` | True if you want to enable vault agent injection. @default: global.enabled |
| injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. |
| injector.extraEnvironmentVars | object | `{}` | |
| injector.extraLabels | object | `{}` | |
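Review bot: the `injector.agentImage` description says `OpenBao 1.3.1+ is required`; that is the Vault version floor carried over by search-and-replace (OpenBao releases start at 2.x), so drop it or state the real minimum. `injector.externalVaultAddr` keeps the Vault name and is marked deprecated in favour of `global.externalVaultAddr`, which is fine; the `injector.enabled` description `openbao agent injection` should read `OpenBao Agent injection`.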
@ -107,7 +107,7 @@ Kubernetes: `>= 1.27.0-0`
| injector.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for k8s image. if tag is "latest", set to "Always" |
| injector.image.registry | string | `"docker.io"` | image registry to use for k8s image |
| injector.image.repository | string | `"hashicorp/vault-k8s"` | image repo to use for k8s image |
| injector.image.tag | string | `"1.4.2"` | image tag to use for k8s image |
| injector.image.tag | string | `"1.3.1"` | image tag to use for k8s image |
| injector.leaderElector | object | `{"enabled":true}` | If multiple replicas are specified, by default a leader will be determined so that only one injector attempts to create TLS certificates. |
| injector.livenessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
| injector.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
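Review bot: `injector.image.repository` is `hashicorp/vault-k8s` on both sides (only the tag differs, `1.4.2` versus `1.3.1`), so the mutating webhook is still the HashiCorp binary even on the OpenBao-named side. Say so in the description, and confirm that the chosen tag is compatible with the `openbao/openbao` agent image it injects, since the injector decides the agent sidecar's command line and environment.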
@ -147,16 +147,16 @@ Kubernetes: `>= 1.27.0-0`
| injector.webhook.failurePolicy | string | `"Ignore"` | |
| injector.webhook.matchPolicy | string | `"Exact"` | |
| injector.webhook.namespaceSelector | object | `{}` | |
| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"openbao.name\" . }}-agent-injector\n"` | |
| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"vault.name\" . }}-agent-injector\n"` | |
| injector.webhook.timeoutSeconds | int | `30` | |
| injector.webhookAnnotations | object | `{}` | |
| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | |
| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | |
| server.annotations | object | `{}` | |
| server.auditStorage.accessMode | string | `"ReadWriteOnce"` | |
| server.auditStorage.annotations | object | `{}` | |
| server.auditStorage.enabled | bool | `false` | |
| server.auditStorage.labels | object | `{}` | |
| server.auditStorage.mountPath | string | `"/openbao/audit"` | |
| server.auditStorage.mountPath | string | `"/vault/audit"` | |
| server.auditStorage.size | string | `"10Gi"` | |
| server.auditStorage.storageClass | string | `nil` | |
| server.authDelegator.enabled | bool | `true` | |
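Review bot: `server.auditStorage.mountPath` changes between `/openbao/audit` and `/vault/audit`; this path is also what operators pass when enabling the file audit device, so changing it breaks existing values files and audit configurations and should be called out in the chart's upgrade notes. The `injector.webhook.objectSelector` and `server.affinity` strings must use the helper name (`openbao.name` or `vault.name`) that _helpers.tpl defines on the same side, or rendering fails.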
@ -165,27 +165,27 @@ Kubernetes: `>= 1.27.0-0`
| server.dataStorage.annotations | object | `{}` | |
| server.dataStorage.enabled | bool | `true` | |
| server.dataStorage.labels | object | `{}` | |
| server.dataStorage.mountPath | string | `"/openbao/data"` | |
| server.dataStorage.mountPath | string | `"/vault/data"` | |
| server.dataStorage.size | string | `"10Gi"` | |
| server.dataStorage.storageClass | string | `nil` | |
| server.dev.devRootToken | string | `"root"` | |
| server.dev.enabled | bool | `false` | |
| server.enabled | string | `"-"` | |
| server.extraArgs | string | `""` | extraArgs is a string containing additional OpenBao server arguments. |
| server.extraArgs | string | `""` | |
| server.extraContainers | string | `nil` | |
| server.extraEnvironmentVars | object | `{}` | |
| server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. |
| server.extraInitContainers | string | `nil` | |
| server.extraLabels | object | `{}` | |
| server.extraPorts | list | `[]` | extraPorts is a list of extra ports. Specified as a YAML list. This is useful if you need to add additional ports to the statefulset in dynamic way. |
| server.extraPorts | string | `nil` | |
| server.extraSecretEnvironmentVars | list | `[]` | |
| server.extraVolumes | list | `[]` | |
| server.ha.apiAddr | string | `nil` | |
| server.ha.clusterAddr | string | `nil` | |
| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"openbao\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | |
| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"vault\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | |
| server.ha.disruptionBudget.enabled | bool | `true` | |
| server.ha.disruptionBudget.maxUnavailable | string | `nil` | |
| server.ha.enabled | bool | `false` | |
| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/openbao/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | |
| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/vault/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | |
| server.ha.raft.enabled | bool | `false` | |
| server.ha.raft.setNodeId | bool | `false` | |
| server.ha.replicas | int | `3` | |
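Review bot: the default `server.ha.config` and `server.ha.raft.config` both set `tls_disable = 1` and bind `[::]:8200` / `[::]:8201`, so HA defaults are plaintext on both the API and the cluster port; the value descriptions are blank on both sides and should say that. The raft `path = \"/openbao/data\"` (or `\"/vault/data\"`) must match `server.dataStorage.mountPath` on the same side. The descriptions for `server.extraArgs`, `server.extraInitContainers` and `server.extraPorts` exist only on the side where those values default to `""` / `[]`; keep them, and keep the `[]` defaults rather than `nil`, since templates ranging over them treat the two differently.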
@ -194,7 +194,7 @@ Kubernetes: `>= 1.27.0-0`
| server.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for server image. if tag is "latest", set to "Always" |
| server.image.registry | string | `"quay.io"` | image registry to use for server image |
| server.image.repository | string | `"openbao/openbao"` | image repo to use for server image |
| server.image.tag | string | `"2.0.2"` | image tag to use for server image |
| server.image.tag | string | `"2.0.0-alpha20240329"` | image tag to use for server image |
| server.ingress.activeService | bool | `true` | |
| server.ingress.annotations | object | `{}` | |
| server.ingress.enabled | bool | `false` | |
@ -261,8 +261,8 @@ Kubernetes: `>= 1.27.0-0`
| server.serviceAccount.extraLabels | object | `{}` | |
| server.serviceAccount.name | string | `""` | |
| server.serviceAccount.serviceDiscovery.enabled | bool | `true` | |
| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation |
| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/openbao/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | |
| server.shareProcessNamespace | bool | `false` | |
| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/vault/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | |
| server.standalone.enabled | string | `"-"` | |
| server.statefulSet.annotations | object | `{}` | |
| server.statefulSet.securityContext.container | object | `{}` | |
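Review bot: the commented gcpckms example in `server.standalone.config` uses `project = \"openbao-helm-dev\"` while `server.ha.config` uses `openbao-helm-dev-246514`; make the two samples consistent, or better use an obvious placeholder so nobody copies a real-looking project ID into a production seal stanza. The `server.shareProcessNamespace` description exists on one side and is blank on the other; keep it, since the SIGHUP use case is exactly why an operator would enable it.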
@ -280,7 +280,7 @@ Kubernetes: `>= 1.27.0-0`
| serverTelemetry.serviceMonitor.interval | string | `"30s"` | |
| serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` | |
| serverTelemetry.serviceMonitor.selectors | object | `{}` | |
| ui.activeOpenbaoPodOnly | bool | `false` | |
| ui.activeVaultPodOnly | bool | `false` | |
| ui.annotations | object | `{}` | |
| ui.enabled | bool | `false` | |
| ui.externalPort | int | `8200` | |
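Review bot: renaming the values key `ui.activeVaultPodOnly` to `ui.activeOpenbaoPodOnly` is a silent breaking change: Helm does not warn about unknown keys, so an existing values file setting `activeVaultPodOnly: true` would quietly lose the behaviour and the UI service would start routing to standby pods. Either keep the old key as a deprecated alias in the template (`or .Values.ui.activeOpenbaoPodOnly .Values.ui.activeVaultPodOnly`) or document the rename in the upgrade notes.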
@ -292,3 +292,5 @@ Kubernetes: `>= 1.27.0-0`
| ui.serviceType | string | `"ClusterIP"` | |
| ui.targetPort | int | `8200` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)

View file

@ -2,7 +2,7 @@
Thank you for installing OpenBao!
Now that you have deployed OpenBao, you should look over the docs on using
OpenBao with Kubernetes available here:
Vault with Kubernetes available here:
https://openbao.org/docs/

View file

@ -9,7 +9,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to
this (by the DNS naming spec). If release name contains chart name it will
be used as a full name.
*/}}
{{- define "openbao.fullname" -}}
{{- define "vault.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
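Review bot: renaming `vault.fullname` to `openbao.fullname` (and the other helpers in this file) only works if every `template` and `include` call site across the chart changes in the same commit; a stale call fails at `helm template` or install time with a template-not-defined error rather than rendering something wrong. Running the bats unit tests under test/ over the default values is the cheap check for this.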
@ -25,28 +25,28 @@ be used as a full name.
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openbao.chart" -}}
{{- define "vault.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "openbao.name" -}}
{{- define "vault.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden
*/}}
{{- define "openbao.namespace" -}}
{{- define "vault.namespace" -}}
{{- default .Release.Namespace .Values.global.namespace -}}
{{- end -}}
{{/*
Compute if the csi driver is enabled.
*/}}
{{- define "openbao.csiEnabled" -}}
{{- define "vault.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -55,7 +55,7 @@ Compute if the csi driver is enabled.
{{/*
Compute if the injector is enabled.
*/}}
{{- define "openbao.injectorEnabled" -}}
{{- define "vault.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -64,7 +64,7 @@ Compute if the injector is enabled.
{{/*
Compute if the server is enabled.
*/}}
{{- define "openbao.serverEnabled" -}}
{{- define "vault.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -73,7 +73,7 @@ Compute if the server is enabled.
{{/*
Compute if the server serviceaccount is enabled.
*/}}
{{- define "openbao.serverServiceAccountEnabled" -}}
{{- define "vault.serverServiceAccountEnabled" -}}
{{- $_ := set . "serverServiceAccountEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true" )
@ -85,7 +85,7 @@ Compute if the server serviceaccount is enabled.
{{/*
Compute if the server serviceaccount should have a token created and mounted to the serviceaccount.
*/}}
{{- define "openbao.serverServiceAccountSecretCreationEnabled" -}}
{{- define "vault.serverServiceAccountSecretCreationEnabled" -}}
{{- $_ := set . "serverServiceAccountSecretCreationEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true")
@ -96,7 +96,7 @@ Compute if the server serviceaccount should have a token created and mounted to
{{/*
Compute if the server auth delegator serviceaccount is enabled.
*/}}
{{- define "openbao.serverAuthDelegator" -}}
{{- define "vault.serverAuthDelegator" -}}
{{- $_ := set . "serverAuthDelegator"
(and
(eq (.Values.server.authDelegator.enabled | toString) "true" )
@ -110,15 +110,15 @@ Compute if the server auth delegator serviceaccount is enabled.
{{/*
Compute if the server service is enabled.
*/}}
{{- define "openbao.serverServiceEnabled" -}}
{{- template "openbao.serverEnabled" . -}}
{{- define "vault.serverServiceEnabled" -}}
{{- template "vault.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}}
{{/*
Compute if the ui is enabled.
*/}}
{{- define "openbao.uiEnabled" -}}
{{- define "vault.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -129,7 +129,7 @@ Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster.
Add a special case for replicas=1, where it should default to 0 as well.
*/}}
{{- define "openbao.pdb.maxUnavailable" -}}
{{- define "vault.pdb.maxUnavailable" -}}
{{- if eq (int .Values.server.ha.replicas) 1 -}}
{{ 0 }}
{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}}
@ -143,8 +143,8 @@ Add a special case for replicas=1, where it should default to 0 as well.
Set the variable 'mode' to the server mode requested by the user to simplify
template logic.
*/}}
{{- define "openbao.mode" -}}
{{- template "openbao.serverEnabled" . -}}
{{- define "vault.mode" -}}
{{- template "vault.serverEnabled" . -}}
{{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}
{{- $_ := set . "mode" "external" -}}
{{- else if not .serverEnabled -}}
@ -163,7 +163,7 @@ template logic.
{{/*
Set's the replica count based on the different modes configured by user
*/}}
{{- define "openbao.replicas" -}}
{{- define "vault.replicas" -}}
{{ if eq .mode "standalone" }}
{{- default 1 -}}
{{ else if eq .mode "ha" }}
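Review bot: style point on the comment lines in this region: `Set's the replica count` should be `Sets the replica count`, and the same `Set's` appears in the comments for the args, envs, mounts and configmap-mount helpers below. No logic change is needed in the helper itself.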
@ -182,11 +182,11 @@ Set's up configmap mounts if this isn't a dev deployment and the user
defined a custom configuration. Additionally iterates over any
extra volumes the user may have specified (such as a secret with TLS).
*/}}
{{- define "openbao.volumes" -}}
{{- define "vault.volumes" -}}
{{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config
configMap:
name: {{ template "openbao.fullname" . }}-config
name: {{ template "vault.fullname" . }}-config
{{ end }}
{{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }}
@ -204,31 +204,31 @@ extra volumes the user may have specified (such as a secret with TLS).
{{- end -}}
{{/*
Set's the args for custom command to render the OpenBao configuration
Set's the args for custom command to render the Vault configuration
file with IP addresses to make the out of box experience easier
for users looking to use this chart with Consul Helm.
*/}}
{{- define "openbao.args" -}}
{{- define "vault.args" -}}
{{ if or (eq .mode "standalone") (eq .mode "ha") }}
- |
cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
[ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
[ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
/usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
{{ else if eq .mode "dev" }}
- |
/usr/local/bin/docker-entrypoint.sh bao server -dev {{ .Values.server.extraArgs }}
/usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }}
{{ end }}
{{- end -}}
{{/*
Set's additional environment variables based on the mode.
*/}}
{{- define "openbao.envs" -}}
{{- define "vault.envs" -}}
{{ if eq .mode "dev" }}
- name: VAULT_DEV_ROOT_TOKEN_ID
value: {{ .Values.server.dev.devRootToken }}
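Review bot: the `cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl` source path and the `vault server`/`bao server` binary name in this hunk are coupled to two things outside it: the config volume `mountPath` set by the mounts helper and the binary actually shipped in `server.image`. If either is renamed without the other, the container fails at start (missing file or missing executable) rather than at render time, so a render test asserting that the `cp` source path equals the config `mountPath` would make the coupling explicit. The unchanged `sed -Ei "s|HOST_IP|${HOST_IP?}|g"` lines rewrite every literal occurrence of each token in the rendered config, so the reserved token names are worth documenting in `values.yaml`.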
@ -241,7 +241,7 @@ Set's additional environment variables based on the mode.
Set's which additional volumes should be mounted to the container
based on the mode configured.
*/}}
{{- define "openbao.mounts" -}}
{{- define "vault.mounts" -}}
{{ if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- name: audit
mountPath: {{ .Values.server.auditStorage.mountPath }}
@ -254,12 +254,12 @@ based on the mode configured.
{{ end }}
{{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config
mountPath: /openbao/config
mountPath: /vault/config
{{ end }}
{{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }}
readOnly: true
mountPath: {{ .path | default "/openbao/userconfig" }}/{{ .name }}
mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
{{- end }}
{{- if .Values.server.volumeMounts }}
{{- toYaml .Values.server.volumeMounts | nindent 12}}
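Review bot: changing the `extraVolumes` default mount path from `/openbao/userconfig` to `/vault/userconfig` (and the config mount from `/openbao/config` to `/vault/config`) is a user-visible breaking change: any `server.ha.config` or `server.standalone.config` that references a TLS certificate or key under the old default (for example a `tls_cert_file` path) fails to start the server after the upgrade. Call the path change out in the chart's upgrade notes, and keep the `cp` source path in the args helper in step with the new `mountPath: /vault/config`.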
@ -271,14 +271,14 @@ Set's up the volumeClaimTemplates when data or audit storage is required. HA
might not use data storage since Consul is likely it's backend, however, audit
storage might be desired by the user.
*/}}
{{- define "openbao.volumeclaims" -}}
{{- define "vault.volumeclaims" -}}
{{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
volumeClaimTemplates:
{{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
- metadata:
name: data
{{- include "openbao.dataVolumeClaim.annotations" . | nindent 6 }}
{{- include "openbao.dataVolumeClaim.labels" . | nindent 6 }}
{{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }}
{{- include "vault.dataVolumeClaim.labels" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
@ -292,8 +292,8 @@ storage might be desired by the user.
{{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- metadata:
name: audit
{{- include "openbao.auditVolumeClaim.annotations" . | nindent 6 }}
{{- include "openbao.auditVolumeClaim.labels" . | nindent 6 }}
{{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }}
{{- include "vault.auditVolumeClaim.labels" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
@ -310,7 +310,7 @@ storage might be desired by the user.
{{/*
Set's the affinity for pod placement when running in standalone and HA modes.
*/}}
{{- define "openbao.affinity" -}}
{{- define "vault.affinity" -}}
{{- if and (ne .mode "dev") .Values.server.affinity }}
affinity:
{{ $tp := typeOf .Values.server.affinity }}
@ -340,7 +340,7 @@ Sets the injector affinity for pod placement
{{/*
Sets the topologySpreadConstraints when running in standalone and HA modes.
*/}}
{{- define "openbao.topologySpreadConstraints" -}}
{{- define "vault.topologySpreadConstraints" -}}
{{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
topologySpreadConstraints:
{{ $tp := typeOf .Values.server.topologySpreadConstraints }}
@ -371,7 +371,7 @@ Sets the injector topologySpreadConstraints for pod placement
{{/*
Sets the toleration for pod placement when running in standalone and HA modes.
*/}}
{{- define "openbao.tolerations" -}}
{{- define "vault.tolerations" -}}
{{- if and (ne .mode "dev") .Values.server.tolerations }}
tolerations:
{{- $tp := typeOf .Values.server.tolerations }}
@ -401,7 +401,7 @@ Sets the injector toleration for pod placement
{{/*
Set's the node selector for pod placement when running in standalone and HA modes.
*/}}
{{- define "openbao.nodeselector" -}}
{{- define "vault.nodeselector" -}}
{{- if and (ne .mode "dev") .Values.server.nodeSelector }}
nodeSelector:
{{- $tp := typeOf .Values.server.nodeSelector }}
@ -446,10 +446,10 @@ Sets the injector deployment update strategy
{{/*
Sets extra pod annotations
*/}}
{{- define "openbao.annotations" }}
{{- define "vault.annotations" }}
annotations:
{{- if .Values.server.includeConfigAnnotation }}
openbao.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }}
{{- end }}
{{- if .Values.server.annotations }}
{{- $tp := typeOf .Values.server.annotations }}
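Review bot: the checksum annotation key switches between `openbao.hashicorp.com/config-checksum` and `vault.hashicorp.com/config-checksum`; anything that watches this annotation to roll pods on config change (the value is `include "vault.config" . | sha256sum`) must be updated in the same release. `openbao.hashicorp.com` also mixes the OpenBao name with HashiCorp's domain, so one key under a domain the project controls should be chosen and documented rather than carrying both spellings.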
@ -555,7 +555,7 @@ securityContext for the statefulset pod template.
{{- end -}}
{{/*
securityContext for the statefulset openbao container
securityContext for the statefulset vault container
*/}}
{{- define "server.statefulSet.securityContext.container" -}}
{{- if .Values.server.statefulSet.securityContext.container }}
@ -622,7 +622,7 @@ Set's the injector webhook objectSelector
{{/*
Sets extra ui service annotations
*/}}
{{- define "openbao.ui.annotations" -}}
{{- define "vault.ui.annotations" -}}
{{- if .Values.ui.annotations }}
annotations:
{{- $tp := typeOf .Values.ui.annotations }}
@ -637,9 +637,9 @@ Sets extra ui service annotations
{{/*
Create the name of the service account to use
*/}}
{{- define "openbao.serviceAccount.name" -}}
{{- define "vault.serviceAccount.name" -}}
{{- if .Values.server.serviceAccount.create -}}
{{ default (include "openbao.fullname" .) .Values.server.serviceAccount.name }}
{{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.server.serviceAccount.name }}
{{- end -}}
@ -648,7 +648,7 @@ Create the name of the service account to use
{{/*
Sets extra service account annotations
*/}}
{{- define "openbao.serviceAccount.annotations" -}}
{{- define "vault.serviceAccount.annotations" -}}
{{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.server.serviceAccount.annotations }}
@ -663,7 +663,7 @@ Sets extra service account annotations
{{/*
Sets extra ingress annotations
*/}}
{{- define "openbao.ingress.annotations" -}}
{{- define "vault.ingress.annotations" -}}
{{- if .Values.server.ingress.annotations }}
annotations:
{{- $tp := typeOf .Values.server.ingress.annotations }}
@ -678,7 +678,7 @@ Sets extra ingress annotations
{{/*
Sets extra route annotations
*/}}
{{- define "openbao.route.annotations" -}}
{{- define "vault.route.annotations" -}}
{{- if .Values.server.route.annotations }}
annotations:
{{- $tp := typeOf .Values.server.route.annotations }}
@ -691,9 +691,9 @@ Sets extra route annotations
{{- end -}}
{{/*
Sets extra openbao server Service annotations
Sets extra vault server Service annotations
*/}}
{{- define "openbao.service.annotations" -}}
{{- define "vault.service.annotations" -}}
{{- if .Values.server.service.annotations }}
{{- $tp := typeOf .Values.server.service.annotations }}
{{- if eq $tp "string" }}
@ -705,9 +705,9 @@ Sets extra openbao server Service annotations
{{- end -}}
{{/*
Sets extra openbao server Service (active) annotations
Sets extra vault server Service (active) annotations
*/}}
{{- define "openbao.service.active.annotations" -}}
{{- define "vault.service.active.annotations" -}}
{{- if .Values.server.service.active.annotations }}
{{- $tp := typeOf .Values.server.service.active.annotations }}
{{- if eq $tp "string" }}
@ -718,9 +718,9 @@ Sets extra openbao server Service (active) annotations
{{- end }}
{{- end -}}
{{/*
Sets extra openbao server Service annotations
Sets extra vault server Service annotations
*/}}
{{- define "openbao.service.standby.annotations" -}}
{{- define "vault.service.standby.annotations" -}}
{{- if .Values.server.service.standby.annotations }}
{{- $tp := typeOf .Values.server.service.standby.annotations }}
{{- if eq $tp "string" }}
@ -734,7 +734,7 @@ Sets extra openbao server Service annotations
{{/*
Sets PodSecurityPolicy annotations
*/}}
{{- define "openbao.psp.annotations" -}}
{{- define "vault.psp.annotations" -}}
{{- if .Values.global.psp.annotations }}
annotations:
{{- $tp := typeOf .Values.global.psp.annotations }}
@ -749,7 +749,7 @@ Sets PodSecurityPolicy annotations
{{/*
Sets extra statefulset annotations
*/}}
{{- define "openbao.statefulSet.annotations" -}}
{{- define "vault.statefulSet.annotations" -}}
{{- if .Values.server.statefulSet.annotations }}
annotations:
{{- $tp := typeOf .Values.server.statefulSet.annotations }}
@ -764,7 +764,7 @@ Sets extra statefulset annotations
{{/*
Sets VolumeClaim annotations for data volume
*/}}
{{- define "openbao.dataVolumeClaim.annotations" -}}
{{- define "vault.dataVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }}
annotations:
{{- $tp := typeOf .Values.server.dataStorage.annotations }}
@ -779,7 +779,7 @@ Sets VolumeClaim annotations for data volume
{{/*
Sets VolumeClaim labels for data volume
*/}}
{{- define "openbao.dataVolumeClaim.labels" -}}
{{- define "vault.dataVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }}
labels:
{{- $tp := typeOf .Values.server.dataStorage.labels }}
@ -794,7 +794,7 @@ Sets VolumeClaim labels for data volume
{{/*
Sets VolumeClaim annotations for audit volume
*/}}
{{- define "openbao.auditVolumeClaim.annotations" -}}
{{- define "vault.auditVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }}
annotations:
{{- $tp := typeOf .Values.server.auditStorage.annotations }}
@ -809,7 +809,7 @@ Sets VolumeClaim annotations for audit volume
{{/*
Sets VolumeClaim labels for audit volume
*/}}
{{- define "openbao.auditVolumeClaim.labels" -}}
{{- define "vault.auditVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }}
labels:
{{- $tp := typeOf .Values.server.auditStorage.labels }}
@ -824,7 +824,7 @@ Sets VolumeClaim labels for audit volume
{{/*
Set's the container resources if the user has set any.
*/}}
{{- define "openbao.resources" -}}
{{- define "vault.resources" -}}
{{- if .Values.server.resources -}}
resources:
{{ toYaml .Values.server.resources | indent 12}}
@ -983,7 +983,7 @@ Sets extra CSI service account annotations
{{/*
Inject extra environment vars in the format key:value, if populated
*/}}
{{- define "openbao.extraEnvironmentVars" -}}
{{- define "vault.extraEnvironmentVars" -}}
{{- if .extraEnvironmentVars -}}
{{- range $key, $value := .extraEnvironmentVars }}
- name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
@ -995,7 +995,7 @@ Inject extra environment vars in the format key:value, if populated
{{/*
Inject extra environment populated by secrets, if populated
*/}}
{{- define "openbao.extraSecretEnvironmentVars" -}}
{{- define "vault.extraSecretEnvironmentVars" -}}
{{- if .extraSecretEnvironmentVars -}}
{{- range .extraSecretEnvironmentVars }}
- name: {{ .envName }}
@ -1008,7 +1008,7 @@ Inject extra environment populated by secrets, if populated
{{- end -}}
{{/* Scheme for health check and local endpoint */}}
{{- define "openbao.scheme" -}}
{{- define "vault.scheme" -}}
{{- if .Values.global.tlsDisable -}}
{{ "http" }}
{{- else -}}
@ -1071,7 +1071,7 @@ Supported inputs are Values.ui
{{/*
config file from values
*/}}
{{- define "openbao.config" -}}
{{- define "vault.config" -}}
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }}

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- template "vault.csiEnabled" . -}}
{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
@ -21,7 +21,7 @@ data:
{{- if .Values.global.externalVaultAddr }}
"address" = "{{ .Values.global.externalVaultAddr }}"
{{- else }}
"address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}"
"address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}"
{{- end }}
}
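Review bot: because `vault.scheme` returns `http` only when `global.tlsDisable` is set (and `https` otherwise), the agent's `address` resolves to `https://<fullname>.<namespace>.svc:<service.port>` in a TLS deployment, so the server listener certificate must carry exactly that DNS name as a SAN or the agent fails certificate verification. The hostname is assembled from three helpers and is not obvious from values alone; a comment next to this line stating the SAN requirement would save operators a debugging round.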

View file

@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:

View file

@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding
name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
{{- end }}

View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}}
@ -27,12 +27,12 @@ spec:
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
@ -43,12 +43,12 @@ spec:
{{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }}
serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider
serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }}
{{- template "csi.pod.nodeselector" . }}
{{- template "csi.pod.affinity" . }}
containers:
- name: {{ include "openbao.name" . }}-csi-provider
- name: {{ include "vault.name" . }}-csi-provider
{{ template "csi.resources" . }}
{{ template "csi.daemonSet.securityContext.container" . }}
image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
@ -59,7 +59,7 @@ spec:
{{- if .Values.csi.hmacSecretName }}
- --hmac-secret-name={{ .Values.csi.hmacSecretName }}
{{- else }}
- --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key
- --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key
{{- end }}
{{- if .Values.csi.extraArgs }}
{{- toYaml .Values.csi.extraArgs | nindent 12 }}
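Review bot: the default HMAC secret name `{{ include "vault.name" . }}-csi-provider-hmac-key` is derived from `name` rather than `fullname`, unlike the other CSI resources in this diff (`{{ template "vault.fullname" . }}-csi-provider`), so two releases of the chart in one namespace default to the same secret. The CSI provider Role later in this diff uses the same expression in `resourceNames`, so switching both to `fullname` keeps RBAC scoped to the release's own key.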
@ -71,7 +71,7 @@ spec:
{{- else if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else }}
value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
volumeMounts:
- name: providervol
@ -102,12 +102,12 @@ spec:
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: {{ include "openbao.name" . }}-agent
image: "{{ .Values.csi.agent.image.registry | default "docker.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
- name: {{ include "vault.name" . }}-agent
image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
{{ template "csi.agent.resources" . }}
command:
- bao
- vault
args:
- agent
- -config=/etc/vault/config.hcl
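Review bot: the openbao-0.3.0 side drops the `{{ .Values.csi.agent.image.registry | default "docker.io" }}/` prefix, so the agent image reference becomes bare `repository:tag`; resolution then depends on the container runtime's default registry, a `csi.agent.image.registry` value is silently ignored, and registry-based admission policies or mirror configurations can no longer pin this image. Keep the explicit registry with its `docker.io` default unless the values schema is changing deliberately. The `command` also switches between `bao` and `vault`, which must match the binary in whichever image `csi.agent.image` points at.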
@ -117,9 +117,9 @@ spec:
ports:
- containerPort: 8200
env:
- name: BAO_LOG_LEVEL
- name: VAULT_LOG_LEVEL
value: "{{ .Values.csi.agent.logLevel }}"
- name: BAO_LOG_FORMAT
- name: VAULT_LOG_FORMAT
value: "{{ .Values.csi.agent.logFormat }}"
securityContext:
runAsNonRoot: true
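Review bot: the log variables switch between `BAO_LOG_LEVEL`/`BAO_LOG_FORMAT` and `VAULT_LOG_LEVEL`/`VAULT_LOG_FORMAT`, yet the dev-mode helper earlier in this diff keeps `VAULT_DEV_ROOT_TOKEN_ID` on both sides. The prefix has to match what the `command` binary in the preceding hunk actually reads, since an unrecognised variable is ignored without any error, so confirm which prefix each binary honours and use one convention across the chart.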
@ -145,7 +145,7 @@ spec:
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-config
configMap:
name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
- name: agent-unix-socket
emptyDir:
medium: Memory

View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-role
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-csi-provider-role
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
@ -22,7 +22,7 @@ rules:
{{- if .Values.csi.hmacSecretName }}
- {{ .Values.csi.hmacSecretName }}
{{- else }}
- {{ include "openbao.name" . }}-csi-provider-hmac-key
- {{ include "vault.name" . }}-csi-provider-hmac-key
{{- end }}
# 'create' permissions cannot be restricted by resource name:
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources

View file

@ -3,23 +3,23 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "openbao.fullname" . }}-csi-provider-role
name: {{ template "vault.fullname" . }}-csi-provider-role
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
{{- end }}

View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.serviceAccount.extraLabels -}}

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1
kind: Secret
metadata:
name: openbao-injector-certs
namespace: {{ include "openbao.namespace" . }}
name: vault-injector-certs
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
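Review bot: the Secret name is hardcoded as `openbao-injector-certs`/`vault-injector-certs` instead of being derived from `{{ template "vault.fullname" . }}` like every other injector resource, so two releases in the same namespace that both enable `leaderElector` with `replicas > 1` contend for a single certificate secret. Deriving the name from `fullname` avoids the collision, provided the injector is configured with the same name.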

View file

@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:

View file

@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-binding
name: {{ template "vault.fullname" . }}-agent-injector-binding
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
{{ end }}

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
@ -20,14 +20,14 @@ spec:
replicas: {{ .Values.injector.replicas }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{ template "injector.strategy" . }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- if .Values.injector.extraLabels -}}
@ -42,7 +42,7 @@ spec:
{{- if .Values.injector.priorityClassName }}
priorityClassName: {{ .Values.injector.priorityClassName }}
{{- end }}
serviceAccountName: "{{ template "openbao.fullname" . }}-agent-injector"
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
{{ template "injector.securityContext.pod" . -}}
{{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.injector.hostNetwork }}
@ -64,12 +64,12 @@ spec:
{{- else if .Values.injector.externalVaultAddr }}
value: "{{ .Values.injector.externalVaultAddr }}"
{{- else }}
value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
- name: AGENT_INJECT_VAULT_AUTH_PATH
value: {{ .Values.injector.authPath }}
- name: AGENT_INJECT_VAULT_IMAGE
value: "{{ .Values.injector.image.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
{{- if .Values.injector.certs.secretName }}
- name: AGENT_INJECT_TLS_CERT_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
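Review bot: on the main side `AGENT_INJECT_VAULT_IMAGE` is prefixed with `.Values.injector.image.registry`, the registry of the injector image, not of the agent image whose repository comes from `.Values.injector.agentImage.repository`, so the two images cannot be served from different registries; on the openbao-0.3.0 side the prefix is dropped entirely and the sidecar image is resolved by the runtime's default registry. A dedicated `injector.agentImage.registry` value (a suggestion, not an existing key) with an explicit default keeps the sidecar image pinnable by registry-based policy.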
@ -77,9 +77,9 @@ spec:
value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
{{- else }}
- name: AGENT_INJECT_TLS_AUTO
value: {{ template "openbao.fullname" . }}-agent-injector-cfg
value: {{ template "vault.fullname" . }}-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS
value: {{ template "openbao.fullname" . }}-agent-injector-svc,{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }},{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }}.svc
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc
{{- end }}
- name: AGENT_INJECT_LOG_FORMAT
value: {{ .Values.injector.logFormat | default "standard" }}
@ -125,7 +125,7 @@ spec:
- name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
{{- end }}
{{- include "openbao.extraEnvironmentVars" .Values.injector | nindent 12 }}
{{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
- name: POD_NAME
valueFrom:
fieldRef:

View file

@ -7,18 +7,18 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}

View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
@ -12,9 +12,9 @@ apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-cfg
name: {{ template "vault.fullname" . }}-agent-injector-cfg
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "injector.webhookAnnotations" . }}
@ -27,8 +27,8 @@ webhooks:
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: {{ template "openbao.fullname" . }}-agent-injector-svc
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ include "vault.namespace" . }}
path: "/mutate"
caBundle: {{ .Values.injector.certs.caBundle | quote }}
rules:

View file

@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector
name: {{ template "vault.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
ingress:
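Review bot: the NetworkPolicy for the webhook is only rendered under `{{- if eq (.Values.global.openshift | toString) "true" }}`, so on every other distribution the injector pods get no policy at all. Gate it on its own value (or on the same toggle as the server NetworkPolicy) so non-OpenShift clusters can also restrict ingress to the webhook port.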

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-psp
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
@ -20,6 +20,6 @@ rules:
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "openbao.fullname" . }}-agent-injector
- {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

View file

@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-psp
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "openbao.fullname" . }}-agent-injector-psp
name: {{ template "vault.fullname" . }}-agent-injector-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-agent-injector
name: {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}
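Review bot: the ServiceAccount subject at the end of this hunk has no `namespace:`; RBAC defaults a RoleBinding's ServiceAccount subject to the binding's own namespace, so it works, but the leader-elector RoleBinding in this same change spells it out with `namespace: {{ include "...namespace" . }}`. Use one form for all RoleBindings so a reader does not have to wonder whether the omission is deliberate.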

View file

@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector
name: {{ template "vault.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "openbao.psp.annotations" . }}
{{- template "vault.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.
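Review bot: `apiVersion: policy/v1beta1` with `kind: PodSecurityPolicy` is emitted without a `.Capabilities.APIVersions.Has` guard, unlike the MutatingWebhookConfiguration; PodSecurityPolicy was removed in Kubernetes 1.25, so setting `global.psp.enable=true` on a current cluster makes the install fail. Either guard it on the API being present, or state in values.yaml that `global.psp` only applies to 1.24 and earlier (the server PSP template in this diff has the same shape).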

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:

View file

@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
{{- end }}
{{- end }}

View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-svc
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.service.annotations" . }}
@ -21,7 +21,7 @@ spec:
port: 443
targetPort: {{ .Values.injector.port }}
selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- end }}

View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.serviceAccount.annotations" . }}

View file

@ -10,10 +10,10 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "openbao.fullname" . }}
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
@ -25,7 +25,7 @@ metadata:
{{- end }}
spec:
groups:
- name: {{ include "openbao.fullname" . }}
- name: {{ include "vault.fullname" . }}
rules:
{{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
{{- end }}

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "openbao.fullname" . }}
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
@ -25,18 +25,18 @@ metadata:
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if eq .mode "ha" }}
openbao-active: "true"
vault-active: "true"
{{- else }}
openbao-internal: "true"
vault-internal: "true"
{{- end }}
endpoints:
- port: {{ include "openbao.scheme" . }}
- port: {{ include "vault.scheme" . }}
interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
scheme: {{ include "openbao.scheme" . | lower }}
scheme: {{ include "vault.scheme" . | lower }}
path: /v1/sys/metrics
params:
format:
@ -45,5 +45,5 @@ spec:
insecureSkipVerify: true
namespaceSelector:
matchNames:
- {{ include "openbao.namespace" . }}
- {{ include "vault.namespace" . }}
{{ end }}
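Review bot: `insecureSkipVerify: true` is hard-coded in the ServiceMonitor `tlsConfig`, so Prometheus will scrape `/v1/sys/metrics` from whatever answers on the `-active`/`-internal` Service regardless of the certificate it presents. Expose it as a value defaulting to `false` and let operators point `tlsConfig` at the server CA instead; the selector labels `openbao-active`/`vault-active` and `openbao-internal`/`vault-internal` line up with the labels the corresponding Services carry, so only the TLS setting needs attention.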

View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.serverAuthDelegator" . }}
{{ template "vault.serverAuthDelegator" . }}
{{- if .serverAuthDelegator -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
@ -12,10 +12,10 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-server-binding
name: {{ template "vault.fullname" . }}-server-binding
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
@ -24,6 +24,6 @@ roleRef:
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }}
{{ end }}
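Review bot: this is a ClusterRoleBinding, so `system:auth-delegator` lets the server's ServiceAccount submit TokenReview and SubjectAccessReview requests cluster-wide; that is what the Kubernetes auth method needs, but the template is gated only on `.serverAuthDelegator`, whose default is not visible here, and the `rbac.authorization.k8s.io/v1beta1` branch in the hunk header targets an API removed in 1.22. Make the gate's default explicit in values.yaml and drop the v1beta1 branch if pre-1.22 clusters are unsupported. The subject correctly uses the `serviceAccount.name` helper plus the `namespace` helper, matching the ServiceAccount template.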

View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
@ -11,20 +11,20 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openbao.fullname" . }}-config
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-config
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.includeConfigAnnotation }}
annotations:
vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }}
{{- end }}
data:
extraconfig-from-values.hcl: |-
{{ template "openbao.config" . }}
{{ template "vault.config" . }}
{{- end }}
{{- end }}
{{- end }}
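Review bot: the annotation key `vault.hashicorp.com/config-checksum` is identical on both sides while every helper around it is renamed. If the rename is meant to remove the upstream vendor prefix this key was missed; if it is kept on purpose because tooling reads it, add a comment saying so, since a later cleanup will otherwise change it and silently break that tooling.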

View file

@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ include "openbao.namespace" . }}
name: {{ template "openbao.fullname" . }}-discovery-role
namespace: {{ include "vault.namespace" . }}
name: {{ template "vault.fullname" . }}-discovery-role
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:

View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
@ -14,21 +14,21 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: RoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-discovery-rolebinding
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-discovery-rolebinding
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "openbao.fullname" . }}-discovery-role
name: {{ template "vault.fullname" . }}-discovery-role
subjects:
- kind: ServiceAccount
name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }}
{{ end }}
{{ end }}
{{ end }}

View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" -}}
{{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
@ -12,18 +12,18 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "openbao.fullname" . }}
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }}
maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end -}}

View file

@ -3,27 +3,27 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "openbao.serverServiceEnabled" . -}}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
# Service for active OpenBao pod
# Service for active Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "openbao.fullname" . }}-active
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-active
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
openbao-active: "true"
vault-active: "true"
annotations:
{{- template "openbao.service.active.annotations" . }}
{{- template "openbao.service.annotations" . }}
{{- template "vault.service.active.annotations" . }}
{{- template "vault.service.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
@ -42,7 +42,7 @@ spec:
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "openbao.scheme" . }}
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -52,12 +52,12 @@ spec:
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
openbao-active: "true"
vault-active: "true"
{{- end }}
{{- end }}
{{- end }}
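Review bot: the selector key `openbao-active`/`vault-active` on this `-active` Service (and its `"false"` counterpart on the standby Service) is not set by any template in this diff; the StatefulSet pod template labels carry only `helm.sh/chart`, `app.kubernetes.io/*` and `component: server`. Whatever writes that label onto the pod at runtime is outside the chart, so the side that changes the key only works with a server that writes the same spelling; otherwise the active and standby Services select zero endpoints and an Ingress or Route pointed at `-active` goes dark. A chart test that renders the Service and compares the selector key against the label the server emits would catch this.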

View file

@ -3,26 +3,26 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "openbao.serverServiceEnabled" . -}}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
# Service for standby OpenBao pod
# Service for standby Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "openbao.fullname" . }}-standby
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-standby
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{- template "openbao.service.standby.annotations" . }}
{{- template "openbao.service.annotations" . }}
{{- template "vault.service.standby.annotations" . }}
{{- template "vault.service.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
@ -41,7 +41,7 @@ spec:
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "openbao.scheme" . }}
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -51,12 +51,12 @@ spec:
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
openbao-active: "false"
vault-active: "false"
{{- end }}
{{- end }}
{{- end }}

View file

@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "openbao.serverServiceEnabled" . -}}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for OpenBao cluster
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "openbao.fullname" . }}-internal
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-internal
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
openbao-internal: "true"
vault-internal: "true"
annotations:
{{ template "openbao.service.annotations" .}}
{{ template "vault.service.annotations" .}}
spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
@ -33,14 +33,14 @@ spec:
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: "{{ include "openbao.scheme" . }}"
- name: "{{ include "vault.scheme" . }}"
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end }}

View file

@ -4,12 +4,12 @@ SPDX-License-Identifier: MPL-2.0
*/}}
{{- if not .Values.global.openshift }}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "openbao.fullname" . -}}
{{- template "openbao.serverServiceEnabled" . -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
@ -20,17 +20,17 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ template "openbao.fullname" . }}
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "openbao.ingress.annotations" . }}
{{- template "vault.ingress.annotations" . }}
spec:
{{- if .Values.server.ingress.tls }}
tls:

View file

@ -7,14 +7,14 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "openbao.fullname" . }}
name: {{ template "vault.fullname" . }}
labels:
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
{{- if .Values.server.networkPolicy.egress }}
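Review bot: this NetworkPolicy sets no `namespace:` in its metadata, while the Services and StatefulSet it is meant to cover set `namespace: {{ include "...namespace" . }}` explicitly; when that helper resolves to something other than the release namespace the policy lands in a different namespace from the pods and matches nothing. Add the same `namespace:` line. The `podSelector` on name plus instance is sufficient because the injector pods use the `-agent-injector` name suffix and are not caught by it.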

View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "openbao.fullname" . }}-psp
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-psp
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
@ -20,6 +20,6 @@ rules:
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "openbao.fullname" . }}
- {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

View file

@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-psp
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-psp
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "openbao.fullname" . }}-psp
name: {{ template "vault.fullname" . }}-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}
name: {{ template "vault.fullname" . }}
{{- end }}
{{- end }}
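Review bot: the RoleBinding subject is `name: {{ template "...fullname" . }}`, but the server ServiceAccount is created as `{{ template "...serviceAccount.name" . }}`, and both the auth-delegator ClusterRoleBinding and the discovery RoleBinding use that helper. If an operator overrides the service account name, this binding points at an account that does not exist and the pods cannot `use` the PSP. Switch the subject to the `serviceAccount.name` helper and add `namespace:` for consistency with the other bindings.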

View file

@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "openbao.fullname" . }}
name: {{ template "vault.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "openbao.psp.annotations" . }}
{{- template "vault.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.

View file

@ -6,24 +6,24 @@ SPDX-License-Identifier: MPL-2.0
{{- if .Values.global.openshift }}
{{- if ne .mode "external" }}
{{- if .Values.server.route.enabled -}}
{{- $serviceName := include "openbao.fullname" . -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "openbao.fullname" . }}
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.route.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "openbao.route.annotations" . }}
{{- template "vault.route.annotations" . }}
spec:
host: {{ .Values.server.route.host }}
to:

View file

@ -3,23 +3,23 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "openbao.serverServiceEnabled" . -}}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for OpenBao cluster
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "openbao.fullname" . }}
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "openbao.service.annotations" .}}
{{ template "vault.service.annotations" .}}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
@ -40,7 +40,7 @@ spec:
# since this DNS is also used for join operations.
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "openbao.scheme" . }}
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -50,7 +50,7 @@ spec:
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

View file

@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.serverServiceAccountSecretCreationEnabled" . }}
{{ template "vault.serverServiceAccountSecretCreationEnabled" . }}
{{- if .serverServiceAccountSecretCreationEnabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "openbao.serviceAccount.name" . }}-token
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.serviceAccount.name" . }}-token
namespace: {{ include "vault.namespace" . }}
annotations:
kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }}
kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
type: kubernetes.io/service-account-token
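Review bot: `type: kubernetes.io/service-account-token` creates a non-expiring token for the server account, which since Kubernetes 1.24 is the legacy path that the control plane no longer generates on its own; it is a standing credential readable by anyone with `get` on Secrets in the namespace. Keep `serverServiceAccountSecretCreationEnabled` off by default and document in values.yaml which case actually needs a static token. The Secret name and the `kubernetes.io/service-account.name` annotation both derive from the same helper as the ServiceAccount, so they stay consistent across the rename.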

View file

@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.serverServiceAccountEnabled" . }}
{{ template "vault.serverServiceAccountEnabled" . }}
{{- if .serverServiceAccountEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.serviceAccount.extraLabels -}}
{{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "openbao.serviceAccount.annotations" . }}
{{ template "vault.serviceAccount.annotations" . }}
{{ end }}


@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if ne .mode "" }}
{{- if .serverEnabled -}}
# StatefulSet to run the actual openbao server cluster.
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "openbao.fullname" . }}
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "openbao.statefulSet.annotations" . }}
{{- template "vault.statefulSet.annotations" . }}
spec:
serviceName: {{ template "openbao.fullname" . }}-internal
serviceName: {{ template "vault.fullname" . }}-internal
podManagementPolicy: Parallel
replicas: {{ template "openbao.replicas" . }}
replicas: {{ template "vault.replicas" . }}
updateStrategy:
type: {{ .Values.server.updateStrategyType }}
{{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
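Review bot: `serviceName: <fullname>-internal` on this hunk and the default `*_CLUSTER_ADDR` value `https://$(HOSTNAME).<fullname>-internal:8201` later in this file both come from the renamed `fullname` helper; if its output differs between `openbao.fullname` and `vault.fullname`, the headless service name changes and Raft peers recorded under the old cluster address cannot reach each other after an upgrade. Verify the rendered `fullname` is unchanged, or document the rename as a breaking change requiring a fresh cluster.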
@ -29,30 +29,30 @@ spec:
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
template:
metadata:
labels:
helm.sh/chart: {{ template "openbao.chart" . }}
app.kubernetes.io/name: {{ template "openbao.name" . }}
helm.sh/chart: {{ template "vault.chart" . }}
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if .Values.server.extraLabels -}}
{{- toYaml .Values.server.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "openbao.annotations" . }}
{{ template "vault.annotations" . }}
spec:
{{ template "openbao.affinity" . }}
{{ template "openbao.topologySpreadConstraints" . }}
{{ template "openbao.tolerations" . }}
{{ template "openbao.nodeselector" . }}
{{ template "vault.affinity" . }}
{{ template "vault.topologySpreadConstraints" . }}
{{ template "vault.tolerations" . }}
{{ template "vault.nodeselector" . }}
{{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
serviceAccountName: {{ template "openbao.serviceAccount.name" . }}
serviceAccountName: {{ template "vault.serviceAccount.name" . }}
{{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true
{{ end }}
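Review bot: `spec.selector.matchLabels` is immutable on a StatefulSet, so if `openbao.name` and `vault.name` render to different values, `helm upgrade` between the two sides is rejected by the API server with a selector-immutability error; the StatefulSet would have to be deleted (with `--cascade=orphan` to keep the pods and their PVCs) and recreated. State this in the upgrade notes if the rendered name does change.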
@ -61,7 +61,7 @@ spec:
hostNetwork: {{ .Values.server.hostNetwork }}
{{- end }}
volumes:
{{ template "openbao.volumes" . }}
{{ template "vault.volumes" . }}
- name: home
emptyDir: {}
{{- if .Values.server.hostAliases }}
@ -73,14 +73,14 @@ spec:
{{ toYaml .Values.server.extraInitContainers | nindent 8}}
{{- end }}
containers:
- name: openbao
{{ template "openbao.resources" . }}
- name: vault
{{ template "vault.resources" . }}
image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
command:
- "/bin/sh"
- "-ec"
args: {{ template "openbao.args" . }}
args: {{ template "vault.args" . }}
{{- template "server.statefulSet.securityContext.container" . }}
env:
- name: HOST_IP
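Review bot: the container name (`openbao` vs `vault`) is what operators pass to `kubectl logs -c` / `kubectl exec -c` and what log-pipeline filters key on, so the troubleshooting instructions in the issue templates and README need the same rename. Unrelated to the rename but visible in the context: `.Values.server.image.tag | default "latest"` makes an unset tag pull a mutable image; the values files in this diff pin a tag, which is the default that should be kept.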
@ -91,21 +91,21 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: BAO_K8S_POD_NAME
- name: VAULT_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: BAO_K8S_NAMESPACE
- name: VAULT_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BAO_ADDR
value: "{{ include "openbao.scheme" . }}://127.0.0.1:8200"
- name: BAO_API_ADDR
- name: VAULT_ADDR
value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
- name: VAULT_API_ADDR
{{- if .Values.server.ha.apiAddr }}
value: {{ .Values.server.ha.apiAddr }}
{{- else }}
value: "{{ include "openbao.scheme" . }}://$(POD_IP):8200"
value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
{{- end }}
- name: SKIP_CHOWN
value: "true"
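Review bot: the `BAO_*` and `VAULT_*` variable names are only interchangeable if the binary in `server.image` reads both prefixes; since `server.image.repository` is `openbao/openbao` on both sides of this diff (see the values.yaml hunks), confirm which prefix that binary honours for `*_ADDR` and `*_API_ADDR`. If the wrong prefix is used, the in-pod CLI falls back to its built-in default address and the API address advertised to other cluster members for request forwarding is never set.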
@ -115,42 +115,42 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: BAO_CLUSTER_ADDR
- name: VAULT_CLUSTER_ADDR
{{- if .Values.server.ha.clusterAddr }}
value: {{ .Values.server.ha.clusterAddr | quote }}
{{- else }}
value: "https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201"
value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
{{- end }}
{{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
- name: BAO_RAFT_NODE_ID
- name: VAULT_RAFT_NODE_ID
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- end }}
- name: HOME
value: "/home/openbao"
value: "/home/vault"
{{- if .Values.server.logLevel }}
- name: BAO_LOG_LEVEL
- name: VAULT_LOG_LEVEL
value: "{{ .Values.server.logLevel }}"
{{- end }}
{{- if .Values.server.logFormat }}
- name: BAO_LOG_FORMAT
- name: VAULT_LOG_FORMAT
value: "{{ .Values.server.logFormat }}"
{{- end }}
{{ template "openbao.envs" . }}
{{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
{{ template "vault.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
volumeMounts:
{{ template "openbao.mounts" . }}
{{ template "vault.mounts" . }}
- name: home
mountPath: /home/openbao
mountPath: /home/vault
ports:
- containerPort: 8200
name: {{ include "openbao.scheme" . }}
name: {{ include "vault.scheme" . }}
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: {{ include "openbao.scheme" . }}-rep
name: {{ include "vault.scheme" . }}-rep
{{- if .Values.server.extraPorts -}}
{{ toYaml .Values.server.extraPorts | nindent 12}}
{{- end }}
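Review bot: `HOME` and the `home` volume `mountPath` (`/home/openbao` vs `/home/vault`) are changed together here, which is required because the CLI writes its token file under `$HOME` and the `emptyDir` must cover that path; apply the same paired check to `*_RAFT_NODE_ID`, which the binary only reads under the name it knows and which is emitted only when `server.ha.raft.setNodeId` is true. The port names `{{ include ... "scheme" }}` and `...-rep` render to `http`/`https` and `http-rep`/`https-rep`, which stay within the 15-character limit for port names.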
@ -160,15 +160,15 @@ spec:
httpGet:
path: {{ .Values.server.readinessProbe.path | quote }}
port: {{ .Values.server.readinessProbe.port }}
scheme: {{ include "openbao.scheme" . | upper }}
scheme: {{ include "vault.scheme" . | upper }}
{{- else }}
# Check status; unsealed openbao servers return 0
# Check status; unsealed vault servers return 0
# The exit code reflects the seal status:
# 0 - unsealed
# 1 - error
# 2 - sealed
exec:
command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
{{- end }}
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
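Review bot: the exec readiness probe shells out to `bao status` / `vault status`, so the binary name must exist on `PATH` inside `server.image`; with the server image pinned to `openbao/openbao` in the values hunks, a mismatched name makes every pod sit at NotReady indefinitely instead of failing loudly at install time. `-tls-skip-verify` is tolerable here only because `*_ADDR` points at `127.0.0.1:8200` inside the same pod; it should not be copied into any probe or job that talks to a Service address.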
@ -188,7 +188,7 @@ spec:
httpGet:
path: {{ .Values.server.livenessProbe.path | quote }}
port: {{ .Values.server.livenessProbe.port }}
scheme: {{ include "openbao.scheme" . | upper }}
scheme: {{ include "vault.scheme" . | upper }}
{{- end }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
@ -197,7 +197,7 @@ spec:
timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
{{- end }}
lifecycle:
# openbao container doesn't receive SIGTERM from Kubernetes
# Vault container doesn't receive SIGTERM from Kubernetes
# and after the grace period ends, Kube sends SIGKILL. This
# causes issues with graceful shutdowns such as deregistering itself
# from Consul (zombie services).
@ -208,7 +208,7 @@ spec:
# Adding a sleep here to give the pod eviction a
# chance to propagate, so requests will not be made
# to this pod while it's terminating
"sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof bao)",
"sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
]
{{- if .Values.server.postStart }}
postStart:
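Review bot: `kill -SIGTERM $(pidof bao)` / `$(pidof vault)` degrades silently when the process name does not match the binary in the image: `pidof` prints nothing, `kill` fails on the missing argument, and the pod simply waits out `terminationGracePeriodSeconds` until SIGKILL, which is exactly the zombie-registration case the comment above describes. Guard it, e.g. `pid=$(pidof bao) && kill -SIGTERM "$pid"`, so a mismatch surfaces as a failed preStop hook event rather than a slow, unclean shutdown.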
@ -222,7 +222,7 @@ spec:
{{ toYaml .Values.server.extraContainers | nindent 8}}
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{ template "openbao.volumeclaims" . }}
{{ template "vault.volumeclaims" . }}
{{ end }}
{{ end }}
{{ end }}


@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "openbao.fullname" . }}-server-test
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-server-test
namespace: {{ include "vault.namespace" . }}
annotations:
"helm.sh/hook": test
spec:
@ -21,24 +21,24 @@ spec:
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
env:
- name: VAULT_ADDR
value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'bao status' output"
echo "Checking for sealed info in 'vault status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
bao status -format yaml | grep -E '^sealed: (true|false)' && break
vault status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'bao status' output"
echo "timed out looking for sealed info in 'vault status' output"
exit 1
fi
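Review bot: this test pod keeps `VAULT_ADDR` on both sides while the command it runs switches between `bao status` and `vault status`; on the side that runs `bao`, the address variable should be `BAO_ADDR` to match the StatefulSet, unless the binary is known to honour `VAULT_ADDR` as a fallback, otherwise the test talks to the CLI's default address and times out after 10 attempts. Minor: `echo "Attempt" $n...` should quote `$n` (`"Attempt $n..."`).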


@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "openbao.uiEnabled" . -}}
{{- template "vault.uiEnabled" . -}}
{{- if .uiEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "openbao.fullname" . }}-ui
namespace: {{ include "openbao.namespace" . }}
name: {{ template "vault.fullname" . }}-ui
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}-ui
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-ui
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "openbao.ui.annotations" . }}
{{- template "vault.ui.annotations" . }}
spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.ui.serviceIPFamilyPolicy }}
@ -29,15 +29,15 @@ spec:
{{- end }}
{{- end }}
selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }}
openbao-active: "true"
{{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }}
vault-active: "true"
{{- end }}
publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
ports:
- name: {{ include "openbao.scheme" . }}
- name: {{ include "vault.scheme" . }}
port: {{ .Values.ui.externalPort }}
targetPort: {{ .Values.ui.targetPort }}
{{- if .Values.ui.serviceNodePort }}
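Review bot: the `openbao-active: "true"` / `vault-active: "true"` selector label is written onto the leader pod by the server's Kubernetes `service_registration`, not by the chart, so the label name here must match what the binary in `server.image` actually sets; otherwise, with `ui.activeOpenbaoPodOnly` / `ui.activeVaultPodOnly` enabled in HA mode, the UI Service has no endpoints. The values key name must also agree with `values.schema.json` (renamed in its own hunk in this diff) or `helm install` fails schema validation.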


@ -12,15 +12,13 @@ injector:
tag: "1.3.1-ubi"
agentImage:
registry: "quay.io"
repository: "openbao/openbao"
tag: "v2.0.2-ubi"
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.15.2-ubi"
server:
image:
registry: "quay.io"
repository: "openbao/openbao"
tag: "v2.0.2-ubi"
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.15.2-ubi"
readinessProbe:
path: "/v1/sys/health?uninitcode=204"
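Review bot: on the `hashicorp/vault` side, `repository` embeds a registry host (`registry.connect.redhat.com/hashicorp/vault`) while `registry: "quay.io"` is left in place above it for both `injector.agentImage` and `server.image`; the StatefulSet renders the image as `{{ registry }}/{{ repository }}:{{ tag }}`, producing `quay.io/registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi`, which is not a valid image reference. Set `registry: "registry.connect.redhat.com"` and `repository: "hashicorp/vault"` so the host lives in one field only.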


@ -659,6 +659,17 @@
"string"
]
},
"enterpriseLicense": {
"type": "object",
"properties": {
"secretKey": {
"type": "string"
},
"secretName": {
"type": "string"
}
}
},
"extraArgs": {
"type": "string"
},
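Review bot: the `enterpriseLicense` object (`secretName`/`secretKey`) exists in the schema on only one side, and no values.yaml hunk in this diff adds or removes a matching `server.enterpriseLicense` key; a schema property with no default is harmless by itself, but the template that would mount the license secret is not visible here, so confirm whether the side that keeps the property actually consumes it, and drop it if nothing does, so users are not led to believe a license secret is wired in.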
@ -1152,7 +1163,7 @@
"ui": {
"type": "object",
"properties": {
"activeOpenbaoPodOnly": {
"activeVaultPodOnly": {
"type": "boolean"
},
"annotations": {
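Review bot: `activeOpenbaoPodOnly` / `activeVaultPodOnly` has to be renamed in lockstep in this schema, in values.yaml, and in the UI Service template (`.Values.ui.activeOpenbaoPodOnly` / `.Values.ui.activeVaultPodOnly`); if only one of the three moves, a user's setting is either rejected by the schema or silently ignored by the template, and the UI Service falls back to selecting every server pod, standbys included.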


@ -1,7 +1,7 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# Available parameters and their default values for the OpenBao chart.
# Available parameters and their default values for the Vault chart.
global:
# -- enabled is the master enabled switch. Setting this to true or false
@ -20,8 +20,8 @@ global:
# -- TLS for end-to-end encrypted transport
tlsDisable: true
# -- External openbao server address for the injector and CSI provider to use.
# Setting this will disable deployment of a openbao server.
# -- External vault server address for the injector and CSI provider to use.
# Setting this will disable deployment of a vault server.
externalVaultAddr: ""
# -- If deploying to OpenShift
@ -44,7 +44,7 @@ global:
prometheusOperator: false
injector:
# -- True if you want to enable openbao agent injection. @default: global.enabled
# -- True if you want to enable vault agent injection. @default: global.enabled
enabled: "-"
replicas: 1
@ -71,12 +71,12 @@ injector:
# -- image repo to use for k8s image
repository: "hashicorp/vault-k8s"
# -- image tag to use for k8s image
tag: "1.4.2"
tag: "1.3.1"
# -- image pull policy to use for k8s image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
# -- agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent
# containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is
# -- agentImage sets the repo and tag of the Vault image to use for the Vault Agent
# containers. This should be set to the official Vault image. Vault 1.3.1+ is
# required.
agentImage:
# -- image registry to use for agent image
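Review bot: the comment `OpenBao 1.3.1+ is required` carries a Vault version number over into the OpenBao wording; the OpenBao agent images pinned in this diff are `2.0.x`, so the stated minimum is misleading on that side. Since the injector itself still comes from `hashicorp/vault-k8s` on both sides (`1.4.2` vs `1.3.1`), the comment should instead name which injector release was tested against the `openbao/openbao` agent image.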
@ -84,11 +84,11 @@ injector:
# -- image repo to use for agent image
repository: "openbao/openbao"
# -- image tag to use for agent image
tag: "2.0.2"
tag: "2.0.0-alpha20240329"
# -- image pull policy to use for agent image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
# The default values for the injected OpenBao Agent containers.
# The default values for the injected Vault Agent containers.
agentDefaults:
# For more information on configuring resources, see the K8s documentation:
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
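Review bot: `tag: "2.0.0-alpha20240329"` pins the agent image to a pre-release build; a tagged chart release should pin a released image (the other side uses `2.0.2`), and the same applies to `server.image.tag` further down, which moves between the same two values.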
@ -145,7 +145,7 @@ injector:
# -- Number of seconds after which the probe times out.
timeoutSeconds: 5
# Mount Path of the OpenBao Kubernetes Auth Method.
# Mount Path of the Vault Kubernetes Auth Method.
authPath: "auth/kubernetes"
# -- Configures the log verbosity of the injector.
@ -155,7 +155,7 @@ injector:
# -- Configures the log format of the injector. Supported log formats: "standard", "json".
logFormat: "standard"
# Configures all OpenBao Agent sidecars to revoke their token when shutting down
# Configures all Vault Agent sidecars to revoke their token when shutting down
revokeOnShutdown: false
webhook:
@ -204,7 +204,7 @@ injector:
- key: app.kubernetes.io/name
operator: NotIn
values:
- {{ template "openbao.name" . }}-agent-injector
- {{ template "vault.name" . }}-agent-injector
# Extra annotations to attach to the webhook
annotations: {}
@ -288,8 +288,7 @@ injector:
# extraEnvironmentVars is a list of extra environment variables to set in the
# injector deployment.
extraEnvironmentVars:
{}
extraEnvironmentVars: {}
# KUBERNETES_SERVICE_HOST: kubernetes.default.svc
# Affinity Settings for injector pods
@ -301,7 +300,7 @@ injector:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: "{{ .Release.Name }}"
component: webhook
topologyKey: kubernetes.io/hostname
@ -366,8 +365,8 @@ injector:
# type: RollingUpdate
server:
# If true, or "-" with global.enabled true, OpenBao server will be installed.
# See openbao.mode in _helpers.tpl for implementation details.
# If true, or "-" with global.enabled true, Vault server will be installed.
# See vault.mode in _helpers.tpl for implementation details.
enabled: "-"
# Resource requests, limits, etc. for the server cluster placement. This
@ -380,7 +379,7 @@ server:
# -- image repo to use for server image
repository: "openbao/openbao"
# -- image tag to use for server image
tag: "2.0.2"
tag: "2.0.0-alpha20240329"
# -- image pull policy to use for server image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
@ -388,11 +387,11 @@ server:
# See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
updateStrategyType: "OnDelete"
# Configure the logging verbosity for the OpenBao server.
# Configure the logging verbosity for the Vault server.
# Supported log levels include: trace, debug, info, warn, error
logLevel: ""
# Configure the logging format for the OpenBao server.
# Configure the logging format for the Vault server.
# Supported log formats include: standard, json
logFormat: ""
@ -406,16 +405,14 @@ server:
# cpu: 250m
# Ingress allows ingress services to be created to allow external access
# from Kubernetes to access OpenBao pods.
# from Kubernetes to access Vault pods.
# If deployment is on OpenShift, the following block is ignored.
# In order to expose the service, use the route section below
ingress:
enabled: false
labels:
{}
labels: {}
# traffic: external
annotations:
{}
annotations: {}
# |
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
@ -432,7 +429,7 @@ server:
pathType: Prefix
# When HA mode is enabled and K8s service registration is being used,
# configure the ingress to point to the OpenBao active service.
# configure the ingress to point to the Vault active service.
activeService: true
hosts:
- host: chart-example.local
@ -462,7 +459,7 @@ server:
enabled: false
# When HA mode is enabled and K8s service registration is being used,
# configure the route to point to the OpenBao active service.
# configure the route to point to the Vault active service.
activeService: true
labels: {}
@ -476,15 +473,14 @@ server:
# authDelegator enables a cluster role binding to be attached to the service
# account. This cluster role binding can be used to setup Kubernetes auth
# method. See https://openbao.org/docs/auth/kubernetes
# method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
authDelegator:
enabled: true
# -- extraInitContainers is a list of init containers. Specified as a YAML list.
# extraInitContainers is a list of init containers. Specified as a YAML list.
# This is useful if you need to run a script to provision TLS certificates or
# write out configuration files in a dynamic way.
extraInitContainers:
[]
extraInitContainers: null
# # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
# # which is defined in the volumes value.
# - name: oauthapp
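Review bot: `extraInitContainers: []` and `extraInitContainers: null` are both falsy for the `{{- if .Values.server.extraInitContainers }}` guard in the StatefulSet, but `null` fails a `values.schema.json` entry declared as `"type": "array"` unless `null` is also allowed, so check the schema matches whichever default is kept. The example comment still references `/usr/local/libexec/vault/oauthapp` on both sides; update it on the OpenBao side to the plugin directory of the `openbao/openbao` image, and keep the `# --` doc-comment prefix consistent (it is present on one side only).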
@ -503,17 +499,16 @@ server:
# extraContainers is a list of sidecar containers. Specified as a YAML list.
extraContainers: null
# -- shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers
# This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation
# shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation
shareProcessNamespace: false
# -- extraArgs is a string containing additional OpenBao server arguments.
# extraArgs is a string containing additional Vault server arguments.
extraArgs: ""
# -- extraPorts is a list of extra ports. Specified as a YAML list.
# extraPorts is a list of extra ports. Specified as a YAML list.
# This is useful if you need to add additional ports to the statefulset in dynamic way.
extraPorts:
[]
extraPorts: null
# - containerPort: 8300
# name: http-monitoring
@ -542,7 +537,7 @@ server:
execCommand: []
# - /bin/sh
# - -c
# - /openbao/userconfig/mylivenessscript/run.sh
# - /vault/userconfig/mylivenessscript/run.sh
# Path for the livenessProbe to use httpGet as the livenessProbe handler
path: "/v1/sys/health?standbyok=true"
# Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
@ -571,33 +566,30 @@ server:
postStart: []
# - /bin/sh
# - -c
# - /openbao/userconfig/myscript/run.sh
# - /vault/userconfig/myscript/run.sh
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
# used to include variables required for auto-unseal.
extraEnvironmentVars:
{}
extraEnvironmentVars: {}
# GOOGLE_REGION: global
# GOOGLE_PROJECT: myproject
# GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json
# GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
# extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
# These variables take value from existing Secret objects.
extraSecretEnvironmentVars:
[]
extraSecretEnvironmentVars: []
# - envName: AWS_SECRET_ACCESS_KEY
# secretName: openbao
# secretName: vault
# secretKey: AWS_SECRET_ACCESS_KEY
# Deprecated: please use 'volumes' instead.
# extraVolumes is a list of extra volumes to mount. These will be exposed
# to OpenBao in the path `/openbao/userconfig/<name>/`. The value below is
# to Vault in the path `/vault/userconfig/<name>/`. The value below is
# an array of objects, examples are shown below.
extraVolumes:
[]
extraVolumes: []
# - type: secret (or "configMap")
# name: my-secret
# path: null # default is `/openbao/userconfig`
# path: null # default is `/vault/userconfig`
# volumes is a list of volumes made available to all containers. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value.
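Review bot: the `# path: null # default is /openbao/userconfig` (vs `/vault/userconfig`) comment documents a default that is implemented in the renamed `volumes`/`mounts` helpers in `_helpers.tpl`, which are not part of this diff; verify the rendered default mount path actually moves with the comment, otherwise users following the `extraSecretEnvironmentVars`/`extraVolumes` examples mount credentials at a path the server never reads. The `GOOGLE_APPLICATION_CREDENTIALS` example path has the same dependency.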
@ -623,7 +615,7 @@ server:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
@ -679,25 +671,25 @@ server:
annotations: {}
# Add an annotation to the server configmap and the statefulset pods,
# vaultproject.io/config-checksum, that is a hash of the OpenBao configuration.
# vaultproject.io/config-checksum, that is a hash of the Vault configuration.
# This can be used together with an OnDelete deployment strategy to help
# identify which pods still need to be deleted during a deployment to pick up
# any configuration changes.
configAnnotation: false
# Enables a headless service to be used by the OpenBao Statefulset
# Enables a headless service to be used by the Vault Statefulset
service:
enabled: true
# Enable or disable the openbao-active service, which selects OpenBao pods that
# have labeled themselves as the cluster leader with `openbao-active: "true"`.
# Enable or disable the vault-active service, which selects Vault pods that
# have labeled themselves as the cluster leader with `vault-active: "true"`.
active:
enabled: true
# Extra annotations for the service definition. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply
# to the active service.
annotations: {}
# Enable or disable the openbao-standby service, which selects OpenBao pods that
# have labeled themselves as a cluster follower with `openbao-active: "false"`.
# Enable or disable the vault-standby service, which selects Vault pods that
# have labeled themselves as a cluster follower with `vault-active: "false"`.
standby:
enabled: true
# Extra annotations for the service definition. This can either be YAML or a
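Review bot: the `openbao-active` / `vault-active` label described in these comments is the one the server writes through `service_registration "kubernetes"`, and the active, standby, and UI Services in this chart all select on it; renaming the comment without confirming the label name the binary actually sets leaves `server.service.active` selecting nothing in HA mode. The `vaultproject.io/config-checksum` annotation name stays unchanged on both sides, which is fine as long as the docs keep using that name.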
@ -705,19 +697,19 @@ server:
# to the standby service.
annotations: {}
# If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
# When disabled, services may select OpenBao pods not deployed from the chart.
# Does not affect the headless openbao-internal service with `ClusterIP: None`
# When disabled, services may select Vault pods not deployed from the chart.
# Does not affect the headless vault-internal service with `ClusterIP: None`
instanceSelector:
enabled: true
# clusterIP controls whether a Cluster IP address is attached to the
# OpenBao service within Kubernetes. By default, the OpenBao service will
# Vault service within Kubernetes. By default, the Vault service will
# be given a Cluster IP address, set to None to disable. When disabled
# Kubernetes will create a "headless" service. Headless services can be
# used to communicate with pods directly through DNS instead of a round-robin
# load balancer.
# clusterIP: None
# Configures the service type for the main OpenBao service. Can be ClusterIP
# Configures the service type for the main Vault service. Can be ClusterIP
# or NodePort.
# type: ClusterIP
@ -761,7 +753,7 @@ server:
# will be random if left blank.
# standbyNodePort: 30002
# Port on which OpenBao server is listening
# Port on which Vault server is listening
port: 8200
# Target port to which the service should be mapped to
targetPort: 8200
@ -770,15 +762,15 @@ server:
# to the service.
annotations: {}
# This configures the OpenBao Statefulset to create a PVC for data
# This configures the Vault Statefulset to create a PVC for data
# storage when using the file or raft backend storage engines.
# See https://openbao.org/docs/configuration/storage to know more
# See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
dataStorage:
enabled: true
# Size of the PVC created
size: 10Gi
# Location where the PVC will be mounted.
mountPath: "/openbao/data"
mountPath: "/vault/data"
# Name of the storage class to use. If null it will use the
# configured default Storage Class.
storageClass: null
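Review bot: `dataStorage.mountPath` (`/openbao/data` vs `/vault/data`) must stay in sync with `path = ...` in the `storage "file"` and `storage "raft"` stanzas of `server.standalone.config` and `server.ha.raft.config`; they move together in this diff, which is correct, but `config` is a user-overridable string, so a user carrying an old `config` override onto the other side's chart gets a server writing to an unmounted directory in the container's ephemeral filesystem, losing all data on restart. Consider templating the path in the default configs from `.Values.server.dataStorage.mountPath` so the two cannot drift.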
@ -797,17 +789,17 @@ server:
# whenScaled: Retain
persistentVolumeClaimRetentionPolicy: {}
# This configures the OpenBao Statefulset to create a PVC for audit
# logs. Once OpenBao is deployed, initialized, and unsealed, OpenBao must
# This configures the Vault Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized, and unsealed, Vault must
# be configured to use this for audit logs. This will be mounted to
# /openbao/audit
# See https://openbao.org/docs/audit to know more
# /vault/audit
# See https://developer.hashicorp.com/vault/docs/audit to know more
auditStorage:
enabled: false
# Size of the PVC created
size: 10Gi
# Location where the PVC will be mounted.
mountPath: "/openbao/audit"
mountPath: "/vault/audit"
# Name of the storage class to use. If null it will use the
# configured default Storage Class.
storageClass: null
@ -818,18 +810,18 @@ server:
# Labels to apply to the PVC
labels: {}
# Run OpenBao in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with OpenBao without
# Run Vault in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without
# needing to unseal, store keys, et. al. All data is lost on restart - do not
# use dev mode for anything other than experimenting.
# See https://openbao.org/docs/concepts/dev-server to know more
# See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
dev:
enabled: false
# Set VAULT_DEV_ROOT_TOKEN_ID value
devRootToken: "root"
# Run OpenBao in "standalone" mode. This is the default mode that will deploy if
# Run Vault in "standalone" mode. This is the default mode that will deploy if
# no arguments are given to helm. This requires a PVC for data storage to use
# the "file" backend. This mode is not highly available and should not be scaled
# past a single replica.
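Review bot: `# Set VAULT_DEV_ROOT_TOKEN_ID value` keeps the Vault variable name on both sides even though the StatefulSet renames the other variables to `BAO_*` on one side; check which name the dev-mode startup in the `args` helper actually exports for `devRootToken`, otherwise dev mode starts with a different root token than the one documented here.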
@ -837,14 +829,14 @@ server:
enabled: "-"
# config is a raw string of default configuration when using a Stateful
# deployment. Default is to use a PersistentVolumeClaim mounted at /openbao/data
# deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
# and store data there. This is only used when using a Replica count of 1, and
# using a stateful set. This should be HCL.
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
@ -858,17 +850,17 @@ server:
#}
}
storage "file" {
path = "/openbao/data"
path = "/vault/data"
}
# Example configuration for using auto-unseal, using Google Cloud KMS. The
# GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS.
#seal "gcpckms" {
# project = "openbao-helm-dev"
# project = "vault-helm-dev"
# region = "global"
# key_ring = "openbao-helm-unseal-kr"
# crypto_key = "openbao-helm-unseal-key"
# key_ring = "vault-helm-unseal-kr"
# crypto_key = "vault-helm-unseal-key"
#}
# Example configuration for enabling Prometheus metrics in your config.
@ -877,30 +869,31 @@ server:
# disable_hostname = true
#}
# Run OpenBao in "HA" mode. There are no storage requirements unless the audit log
# persistence is required. In HA mode OpenBao will configure itself to use Consul
# Run Vault in "HA" mode. There are no storage requirements unless the audit log
# persistence is required. In HA mode Vault will configure itself to use Consul
# for its storage backend. The default configuration provided will work the Consul
# Helm project by default. It is possible to manually configure OpenBao to use a
# Helm project by default. It is possible to manually configure Vault to use a
# different HA backend.
ha:
enabled: false
replicas: 3
# Set the api_addr configuration for OpenBao HA
# See https://openbao.org/docs/configuration#api_addr
# Set the api_addr configuration for Vault HA
# See https://developer.hashicorp.com/vault/docs/configuration#api_addr
# If set to null, this will be set to the Pod IP Address
apiAddr: null
# Set the cluster_addr confuguration for OpenBao HA
# See https://openbao.org/docs/configuration#cluster_addr
# If set to null, this will be set to https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201
# Set the cluster_addr confuguration for Vault HA
# See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
# If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
clusterAddr: null
# Enables OpenBao's integrated Raft storage. Unlike the typical HA modes where
# OpenBao's persistence is external (such as Consul), enabling Raft mode will create
# persistent volumes for OpenBao to store data according to the configuration under server.dataStorage.
# The OpenBao cluster will coordinate leader elections and failovers internally.
# Enables Vault's integrated Raft storage. Unlike the typical HA modes where
# Vault's persistence is external (such as Consul), enabling Raft mode will create
# persistent volumes for Vault to store data according to the configuration under server.dataStorage.
# The Vault cluster will coordinate leader elections and failovers internally.
raft:
# Enables Raft integrated storage
enabled: false
# Set the Node Raft ID to the name of the pod
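Review bot: `confuguration` should read `configuration` on the `cluster_addr` comment line (present on both sides). The documented `clusterAddr` default `https://$(HOSTNAME).<fullname>-internal:8201` depends on the renamed `fullname` helper rendering identically on both sides, as noted for the StatefulSet `serviceName`; if it changes, Raft peer addresses stored by existing nodes become unreachable after an upgrade.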
@ -909,7 +902,7 @@ server:
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
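Review bot: the rebranded docs link keeps the old fragment, `# https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations`; confirm that anchor exists on openbao.org, because a stale fragment silently drops readers at the top of the page and this comment is the only pointer operators get on keeping passwords out of the ConfigMap-backed config. The identical link is repeated in the HA `config` comment further down, so fix both together.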
@ -924,7 +917,7 @@ server:
}
storage "raft" {
path = "/openbao/data"
path = "/vault/data"
}
service_registration "kubernetes" {}
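Review bot: `path = "/openbao/data"` versus `path = "/vault/data"` has to match the mountPath the StatefulSet renders for the data volume (server.dataStorage in this values file); if the two renames are not kept in lockstep, raft writes to the container's ephemeral filesystem and the persistent volume stays empty, which only surfaces as data loss on the next pod restart. A template unit test asserting the raft `path` equals the rendered data mountPath would catch this class of drift.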
@ -936,7 +929,7 @@ server:
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
@ -946,7 +939,7 @@ server:
cluster_address = "[::]:8201"
}
storage "consul" {
path = "openbao"
path = "vault"
address = "HOST_IP:8500"
}
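Review bot: changing the Consul KV prefix (`path = "openbao"` vs `path = "vault"`) moves where the server reads its data, so a cluster moved from one branch to the other comes up against an empty store unless the operator overrides `path` or migrates keys; nothing in the comment says so, and this example is the one operators copy. Add an upgrade note next to the stanza stating that existing Consul-backed installs must keep their previous `path`.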
@ -956,10 +949,10 @@ server:
# GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS.
#seal "gcpckms" {
# project = "openbao-helm-dev-246514"
# project = "vault-helm-dev-246514"
# region = "global"
# key_ring = "openbao-helm-unseal-kr"
# crypto_key = "openbao-helm-unseal-key"
# key_ring = "vault-helm-unseal-kr"
# crypto_key = "vault-helm-unseal-key"
#}
# Example configuration for enabling Prometheus metrics.
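Review bot: the commented-out gcpckms example carries a concrete-looking project id (`# project = "openbao-helm-dev-246514"` / `# project = "vault-helm-dev-246514"`) and key ring / crypto key names; these stanzas get copied verbatim, so replace them with obvious placeholders such as `<gcp-project-id>` so a pasted config cannot point at someone else's project or key ring.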
@ -980,7 +973,7 @@ server:
maxUnavailable: null
# Definition of the serviceAccount used to run Vault.
# These options are also used when using an external OpenBao server to validate
# These options are also used when using an external Vault server to validate
# Kubernetes tokens.
serviceAccount:
# Specifies whether a service account should be created
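Review bot: the context line `# Definition of the serviceAccount used to run Vault.` is unchanged while the line right after it was rebranded to OpenBao; rebrand it too so the serviceAccount section does not describe two products.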
@ -1002,12 +995,12 @@ server:
# This should be a YAML map of the labels to apply to the serviceAccount
extraLabels: {}
# Enable or disable a service account role binding with the permissions required for
# OpenBao's Kubernetes service_registration config option.
# See https://openbao.org/docs/configuration/service-registration/kubernetes
# Vault's Kubernetes service_registration config option.
# See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
serviceDiscovery:
enabled: true
# Settings for the statefulSet used to run OpenBao.
# Settings for the statefulSet used to run Vault.
statefulSet:
# Extra annotations for the statefulSet. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply
@ -1034,17 +1027,17 @@ server:
# Should the server pods run on the host network
hostNetwork: false
# OpenBao UI
# Vault UI
ui:
# True if you want to create a Service entry for the OpenBao UI.
# True if you want to create a Service entry for the Vault UI.
#
# serviceType can be used to control the type of service created. For
# example, setting this to "LoadBalancer" will create an external load
# balancer (for supported K8S installations) to access the UI.
enabled: false
publishNotReadyAddresses: true
# The service should only contain selectors for active OpenBao pod
activeOpenbaoPodOnly: false
# The service should only contain selectors for active Vault pod
activeVaultPodOnly: false
serviceType: "ClusterIP"
serviceNodePort: null
externalPort: 8200
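Review bot: `activeOpenbaoPodOnly: false` versus `activeVaultPodOnly: false` is a values key rename, not a comment change, and Helm does not reject unknown keys: a values file or `--set` still using the old name is silently ignored, so the UI Service quietly keeps selecting every pod, standbys included, rather than only the active one. Pair the rename with a changelog/upgrade note and, ideally, a `values.schema.json` entry or template-side fallback that makes the old key fail loudly.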
@ -1089,8 +1082,8 @@ csi:
# Requires installing the secrets-store-csi-driver separately, see:
# https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
#
# With the driver and provider installed, you can mount OpenBao secrets into volumes
# similar to the OpenBao Agent injector, and you can also sync those secrets into
# With the driver and provider installed, you can mount Vault secrets into volumes
# similar to the Vault Agent injector, and you can also sync those secrets into
# Kubernetes secrets.
enabled: false
@ -1100,24 +1093,24 @@ csi:
# -- image repo to use for csi image
repository: "hashicorp/vault-csi-provider"
# -- image tag to use for csi image
tag: "1.4.0"
tag: "1.4.1"
# -- image pull policy to use for csi image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
# -- volumes is a list of volumes made available to all containers. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value.
# The purpose is to make it easy to share volumes between containers.
volumes: []
volumes: null
# - name: tls
# secret:
# secretName: openbao-tls
# secretName: vault-tls
# -- volumeMounts is a list of volumeMounts for the main server container. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value.
# The purpose is to make it easy to share volumes between containers.
volumeMounts: []
volumeMounts: null
# - name: tls
# mountPath: "/openbao/tls"
# mountPath: "/vault/tls"
# readOnly: true
resources: {}
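Review bot: `volumes: []` versus `volumes: null` (and likewise `volumeMounts`) is not cosmetic here, because the comment says these values are rendered via toYaml: `toYaml` of an empty list emits `[]` while nil emits `null`, so the rendered pod spec differs between the two sides unless the template guards with `with`/`if` before calling it. Separately, the image still comes from `repository: "hashicorp/vault-csi-provider"` on both sides (pinned at `1.4.0` vs `1.4.1`) while the example mount path moved to `/openbao/tls`; the comment should say plainly that the CSI provider is the upstream HashiCorp image so the tag pin is tracked against that project's releases.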
@ -1190,7 +1183,7 @@ csi:
# -- image repo to use for agent image
repository: "openbao/openbao"
# -- image tag to use for agent image
tag: "2.0.2"
tag: "2.0.0-alpha20240329"
# -- image pull policy to use for agent image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
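Review bot: the openbao-0.3.0 side pins the CSI agent sidecar to a pre-release, `tag: "2.0.0-alpha20240329"`, whereas main uses `tag: "2.0.2"`; a tagged chart release pinning an alpha image deserves a comment explaining why, since this agent holds the CSI provider's auth token and is the component an operator would least expect to be pre-release.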
@ -1248,20 +1241,20 @@ csi:
debug: false
# Pass arbitrary additional arguments to vault-csi-provider.
# See https://openbao.org/docs/platform/k8s/csi/configurations#command-line-arguments
# See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments
# for the available command line flags.
extraArgs: []
# OpenBao is able to collect and publish various runtime metrics.
# Vault is able to collect and publish various runtime metrics.
# Enabling this feature requires setting adding `telemetry{}` stanza to
# the OpenBao configuration. There are a few examples included in the `config` sections above.
# the Vault configuration. There are a few examples included in the `config` sections above.
#
# For more information see:
# https://openbao.org/docs/configuration/telemetry
# https://openbao.org/docs/internals/telemetry
# https://developer.hashicorp.com/vault/docs/configuration/telemetry
# https://developer.hashicorp.com/vault/docs/internals/telemetry
serverTelemetry:
# Enable support for the Prometheus Operator. Currently, this chart does not support
# authenticating to OpenBao's metrics endpoint, so the following `telemetry{}` must be included
# authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included
# in the `listener "tcp"{}` stanza
# telemetry {
# unauthenticated_metrics_access = "true"
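Review bot: the telemetry comment documents `# unauthenticated_metrics_access = "true"` as required because the chart cannot authenticate to the metrics endpoint, but it never says what that exposes: anything that can reach the listener can scrape request, token and lease metrics without a token. The comment should state that and name the compensating control (a NetworkPolicy limiting the listener to the Prometheus scraper, or a separate metrics-only listener). Also, `# Pass arbitrary additional arguments to vault-csi-provider.` is unchanged context while the link right below it was rebranded.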
@ -1269,7 +1262,7 @@ serverTelemetry:
#
# See the `standalone.config` for a more complete example of this.
#
# In addition, a top level `telemetry{}` stanza must also be included in the OpenBao configuration:
# In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration:
#
# example:
# telemetry {
@ -1277,7 +1270,7 @@ serverTelemetry:
# disable_hostname = true
# }
#
# Configuration for monitoring the OpenBao server.
# Configuration for monitoring the Vault server.
serviceMonitor:
# The Prometheus operator *must* be installed before enabling this feature,
# if not the chart will fail to install due to missing CustomResourceDefinitions
@ -1289,7 +1282,7 @@ serverTelemetry:
# https://github.com/prometheus-operator/prometheus-operator
# https://github.com/prometheus-operator/kube-prometheus
# Enable deployment of the OpenBao Server ServiceMonitor CustomResource.
# Enable deployment of the Vault Server ServiceMonitor CustomResource.
enabled: false
# Selector labels to add to the ServiceMonitor.
@ -1321,15 +1314,15 @@ serverTelemetry:
rules: []
# - alert: vault-HighResponseTime
# annotations:
# message: The response time of OpenBao is over 500ms on average over the last 5 minutes.
# message: The response time of Vault is over 500ms on average over the last 5 minutes.
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
# for: 5m
# labels:
# severity: warning
# - alert: vault-HighResponseTime
# annotations:
# message: The response time of OpenBao is over 1s on average over the last 10 minutes.
# message: The response time of Vault is over 1s on average over the last 5 minutes.
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
# for: 10m
# for: 5m
# labels:
# severity: critical
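Review bot: both example alerts share the same name, `# - alert: vault-HighResponseTime`, so the warning and critical rules can only be told apart by the `severity` label; giving the 1s rule its own name makes routing and silencing simpler. The messages also say "on average" while `# expr: vault_core_handle_request{quantile="0.5", ...}` is the median, and the main side pairs "last 10 minutes" with `for: 10m` while the 0.3.0 side pairs "last 5 minutes" with `for: 5m`, so keep message text and `for:` in sync on whichever side survives. Whether the metric keeps the `vault_` prefix on an OpenBao server should be verified before these examples ship.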

View file

@ -3,15 +3,15 @@
# name_prefix returns the prefix of the resources within Kubernetes.
name_prefix() {
printf "openbao"
printf "vault"
}
# chart_dir returns the directory for the chart
chart_dir() {
echo ${BATS_TEST_DIRNAME}/../../charts/openbao
echo ${BATS_TEST_DIRNAME}/../..
}
# helm_install installs the openbao chart. This will source overridable
# helm_install installs the vault chart. This will source overridable
# values from the "values.yaml" file in this directory. This can be set
# by CI or other environments to do test-specific overrides. Note that its
# easily possible to break tests this way so be careful.
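Review bot: `chart_dir` now returns `${BATS_TEST_DIRNAME}/../../charts/openbao` on main versus `${BATS_TEST_DIRNAME}/../..` on the 0.3.0 side, yet the acceptance tests later in this diff `cd` there and then locate fixtures with hard-coded relative paths (`../../test/acceptance/...` vs `./test/acceptance/...`); derive those from `${BATS_TEST_DIRNAME}` as well so the next chart move does not require editing every test. In the context comment, `its easily possible` should be `it's easily possible`.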
@ -22,11 +22,11 @@ helm_install() {
fi
helm install -f ${values} \
--name openbao \
${BATS_TEST_DIRNAME}/../../charts/openbao
--name vault \
${BATS_TEST_DIRNAME}/../..
}
# helm_install_ha installs the openbao chart using HA mode. This will source
# helm_install_ha installs the vault chart using HA mode. This will source
# overridable values from the "values.yaml" file in this directory. This can be
# set by CI or other environments to do test-specific overrides. Note that its
# easily possible to break tests this way so be careful.
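Review bot: `helm install -f ${values} \ --name openbao \ ...` uses the Helm 2 `--name` flag; Helm 3 takes the release name as a positional argument, which is what every other test in this diff does (`helm install "$(name_prefix)" ...`). Either this helper is dead code or it fails on Helm 3; change it to `helm install openbao -f "${values}" ...` (quoting `${values}`) or remove it. The same `its` typo from the previous hunk is repeated in this comment.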
@ -37,10 +37,10 @@ helm_install_ha() {
fi
helm install -f ${values} \
--name openbao \
--name vault \
--set 'server.enabled=false' \
--set 'serverHA.enabled=true' \
${BATS_TEST_DIRNAME}/../../charts/openbao
${BATS_TEST_DIRNAME}/../..
}
# wait for consul to be ready
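Review bot: `--set 'serverHA.enabled=true'` does not match the values layout shown earlier in this diff, where HA lives under `server.ha.enabled` and there is no top-level `serverHA`; combined with `--set 'server.enabled=false'`, this helper would install a chart with the server disabled and the HA flag unset, so it cannot be what the HA tests rely on. It also carries the Helm 2 `--name openbao` flag noted on `helm_install`; fix both or delete the helper.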
@ -52,7 +52,7 @@ wait_for_sealed_vault() {
POD_NAME=$1
check() {
sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed')
sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed')
if [ "$sealed_status" == "true" ]; then
return 0
fi
@ -61,15 +61,15 @@ wait_for_sealed_vault() {
for i in $(seq 60); do
if check ${POD_NAME}; then
echo "OpenBao on ${POD_NAME} is running."
echo "Vault on ${POD_NAME} is running."
return
fi
echo "Waiting for OpenBao on ${POD_NAME} to be running..."
echo "Waiting for Vault on ${POD_NAME} to be running..."
sleep 2
done
echo "OpenBao on ${POD_NAME} never became running."
echo "Vault on ${POD_NAME} never became running."
return 1
}
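Review bot: `check` succeeds only when `.sealed` is `true`, yet the messages read `"OpenBao on ${POD_NAME} is running."` and `"OpenBao on ${POD_NAME} never became running."`; say "is sealed" / "never reported sealed" so a timeout in CI logs names the condition actually being waited on. Quoting `$1` in `kubectl exec $1 -- bao status -format=json` would also keep the helper safe for pod names with unusual characters.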

View file

@ -1,7 +1,7 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# The "Hello World" OpenBao SecretProviderClass
# The "Hello World" Vault SecretProviderClass
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:

View file

@ -18,11 +18,11 @@ load _helpers
--wait --timeout=5m \
--namespace=acceptance \
--set linux.image.pullPolicy="IfNotPresent" \
--set tokenRequests[0].audience="openbao" \
--set tokenRequests[0].audience="vault" \
--set enableSecretRotation=true \
--set rotationPollInterval=5s
# Install OpenBao and OpenBao provider
helm install openbao \
# Install Vault and Vault provider
helm install vault \
--wait --timeout=5m \
--namespace=acceptance \
--set="server.dev.enabled=true" \
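Review bot: the driver is installed with `--set tokenRequests[0].audience="openbao"` (vs `"vault"`), but the Kubernetes auth role written later in this test sets no `audience` parameter, so nothing asserts that logins are accepted only for tokens minted with that audience; add `audience=openbao` (matching the driver setting) to `auth/kubernetes/role/kv-role`, otherwise the audience rename is untested and a token minted for any audience would do.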
@ -31,23 +31,23 @@ load _helpers
--set="csi.agent.logLevel=debug" \
--set="injector.enabled=false" \
.
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider
# Set up k8s auth and a kv secret.
cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy -
kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes
kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
bound_service_account_names=nginx \
bound_service_account_namespaces=acceptance \
policies=kv-policy \
ttl=20m
kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
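Review bot: `cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -` can be `kubectl ... exec -i openbao-0 -- bao policy write kv-policy - < file`, and the fixture paths (`../../test/...` vs `./test/...`) are the cwd dependence on `chart_dir` noted in `_helpers`; use `${BATS_TEST_DIRNAME}` here too. The role write also hard-codes `bound_service_account_names=nginx` / `bound_service_account_namespaces=acceptance` without `audience`, as raised on the previous hunk.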
@ -55,7 +55,7 @@ load _helpers
for i in $(seq 10); do
sleep 2
if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
echo "Agent returned a cached login response"
return
fi
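Review bot: `if [ "$(kubectl ... logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then` tests grep's captured output as a string; `if kubectl ... logs ... | grep -q "secret renewed: path=/v1/auth/kubernetes/login"; then` is simpler and does not depend on the match being non-empty. A comment that the 10 x 2s poll is checking the agent's renewal of its cached login, not token expiry (the role TTL is 20m), would make the intent clear.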
@ -65,8 +65,8 @@ load _helpers
# Print the logs and fail the test
echo "Failed to find a log for the Agent renewing CSI's auth token"
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider
exit 1
}
@ -75,7 +75,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm --namespace=acceptance delete openbao
helm --namespace=acceptance delete vault
helm --namespace=acceptance delete secrets-store-csi-driver
kubectl delete --all pvc
kubectl delete namespace acceptance

View file

@ -20,7 +20,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete openbao
helm delete vault
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi

View file

@ -13,9 +13,9 @@ load _helpers
--wait \
--timeout=5m \
--set="injector.replicas=3" .
kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=openbao-agent-injector --timeout=5m
kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m
pods=($(kubectl get pods -l app.kubernetes.io/name=openbao-agent-injector -o json | jq -r '.items[] | .metadata.name'))
pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name'))
[ "${#pods[@]}" == 3 ]
leader=''
@ -45,7 +45,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete openbao
helm delete vault
kubectl delete --all pvc
kubectl delete namespace acceptance
fi

View file

@ -5,40 +5,40 @@
OUTPUT=/tmp/output.txt
bao operator init -n 1 -t 1 >> ${OUTPUT?}
vault operator init -n 1 -t 1 >> ${OUTPUT?}
unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g")
root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g")
bao operator unseal ${unseal?}
vault operator unseal ${unseal?}
bao login -no-print ${root?}
vault login -no-print ${root?}
bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl
vault policy write db-backup /vault/userconfig/test/pgdump-policy.hcl
bao auth enable kubernetes
vault auth enable kubernetes
bao write auth/kubernetes/config \
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bao write auth/kubernetes/role/db-backup \
vault write auth/kubernetes/role/db-backup \
bound_service_account_names=pgdump \
bound_service_account_namespaces=acceptance \
policies=db-backup \
ttl=1h
bao secrets enable database
vault secrets enable database
bao write database/config/postgresql \
vault write database/config/postgresql \
plugin_name=postgresql-database-plugin \
allowed_roles="db-backup" \
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \
username="openbao" \
password="openbao"
username="vault" \
password="vault"
bao write database/roles/db-backup \
vault write database/roles/db-backup \
db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \
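Review bot: `bao operator init -n 1 -t 1 >> ${OUTPUT?}` appends the single unseal key and initial root token to `/tmp/output.txt` and the script never removes it, and `bao login -no-print ${root?}` additionally persists the root token in the CLI's token helper on the pod; this is a dev-only acceptance fixture, so add `rm -f "${OUTPUT?}"` at the end and a comment saying the pattern is not for real bootstraps. The database connection uses a static `username="openbao"` / `password="openbao"` over `sslmode=disable`; the fixture could at least call `bao write -f database/rotate-root/postgresql` after the config write so the seed password stops working once the engine owns the credential.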

View file

@ -63,8 +63,8 @@ metadata:
app: postgres
data:
setup.sql: |
CREATE ROLE openbao;
ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao';
CREATE ROLE vault;
ALTER ROLE vault WITH SUPERUSER LOGIN PASSWORD 'vault';
\c mydb
CREATE SCHEMA app;
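Review bot: `ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao';` makes the role the database secrets engine connects as a full superuser; the creation statement in bootstrap.sh only needs to `CREATE ROLE` and `GRANT CONNECT ON DATABASE mydb`, so `CREATEROLE` plus grant rights on that database is sufficient. Test fixtures get copied into real deployments, so model least privilege here instead of SUPERUSER.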

View file

@ -9,15 +9,15 @@ load _helpers
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml
kubectl create -f ./test/acceptance/injector-test/pg-deployment.yaml
sleep 5
wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}")
kubectl create secret generic test \
--from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \
--from-file ../../test/acceptance/injector-test/bootstrap.sh
--from-file ./test/acceptance/injector-test/pgdump-policy.hcl \
--from-file ./test/acceptance/injector-test/bootstrap.sh
kubectl label secret test app=openbao-agent-demo
kubectl label secret test app=vault-agent-demo
helm install "$(name_prefix)" \
--set="server.extraVolumes[0].type=secret" \
@ -26,20 +26,20 @@ load _helpers
wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")
kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /vault/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
sleep 5
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl create -f ../../test/acceptance/injector-test/job.yaml
kubectl create -f ./test/acceptance/injector-test/job.yaml
wait_for_complete_job "pgdump"
}
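Review bot: the comment `# Sealed, not initialized` contradicts the assertions that follow it, `[ "${sealed_status}" == "false" ]` and `[ "${init_status}" == "true" ]`; after bootstrap.sh has run the server is unsealed and initialized, so the comment should say `# Unsealed, initialized`. Also, `kubectl exec -ti` allocates a TTY in a non-interactive bats run, which prints a warning on each call; `-i` alone is enough for the bootstrap exec.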
@ -48,7 +48,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete openbao
helm delete vault
kubectl delete --all pvc
kubectl delete secret test
kubectl delete job pgdump
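Review bot: setup installs the release with `helm install "$(name_prefix)"` but teardown runs `helm delete openbao` / `helm delete vault` with the literal name; use `helm delete "$(name_prefix)"` so a prefix change does not leave releases behind, which with `CLEANUP` defaulting to true would make the next test's `helm install` collide on the existing release.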

View file

@ -8,7 +8,7 @@ load _helpers
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
helm install "$(name_prefix)" -f ../../test/acceptance/server-test/annotations-overrides.yaml .
helm install "$(name_prefix)" -f ./test/acceptance/server-test/annotations-overrides.yaml .
wait_for_running $(name_prefix)-0
# service annotations

View file

@ -43,11 +43,11 @@ load _helpers
[ "${ports}" == "8201" ]
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
}
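Review bot: same contradiction as in the injector test: `# Sealed, not initialized` sits above assertions that `.sealed` is `false` and `.initialized` is `true`. Update the comment to `# Unsealed, initialized`, the wording the new enterprise tests in this diff already use.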
@ -57,7 +57,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete openbao
helm delete vault
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi

View file

@ -0,0 +1,166 @@
#!/usr/bin/env bats
load _helpers
@test "server/ha-enterprise-raft: testing DR deployment" {
cd `chart_dir`
helm install "$(name_prefix)-east" \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
--set='injector.enabled=false' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-east-0"
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
vault operator init -format=json -n 1 -t 1)
local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${primary_token}" != "" ]
local primary_root=$(echo ${init} | jq -r '.root_token')
[ "${primary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
wait_for_ready "$(name_prefix)-east-0"
sleep 10
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-east-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root}
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json)
[ "${secondary}" != "" ]
local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
[ "${secondary_replica_token}" != "" ]
# Install vault-west
helm install "$(name_prefix)-west" \
--set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-west-0"
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
vault operator init -format=json -n 1 -t 1)
local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${secondary_token}" != "" ]
local secondary_root=$(echo ${init} | jq -r '.root_token')
[ "${secondary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
wait_for_ready "$(name_prefix)-west-0"
sleep 10
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root}
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token}
sleep 10
local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl delete pod "${pod?}"
wait_for_running "${pod?}"
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
}
setup() {
kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI
}
#cleanup
teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
helm delete vault-east
helm delete vault-west
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi
}
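Review bot: the east join loop selects pods with `--selector='app.kubernetes.io/name=vault'`, which matches every release in the namespace, while the west loop correctly narrows to `app.kubernetes.io/instance=vault-west`; use `instance=vault-east` (or `$(name_prefix)-east`) for symmetry so the loop cannot pick up west pods if install order ever changes. The final loop unseals the recreated west pods with `${primary_token}`, which is correct once DR replication has replaced the secondary's storage with the primary's, but it reads like the wrong key at first glance and deserves a comment. teardown hard-codes `helm delete vault-east` / `helm delete vault-west` instead of `$(name_prefix)-east`, and `--from-literal license=$VAULT_LICENSE_CI` should be quoted.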

View file

@ -0,0 +1,164 @@
#!/usr/bin/env bats
load _helpers
@test "server/ha-enterprise-raft: testing performance replica deployment" {
cd `chart_dir`
helm install "$(name_prefix)-east" \
--set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-east-0"
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
vault operator init -format=json -n 1 -t 1)
local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${primary_token}" != "" ]
local primary_root=$(echo ${init} | jq -r '.root_token')
[ "${primary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
wait_for_ready "$(name_prefix)-east-0"
sleep 30
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-east-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root}
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json)
[ "${secondary}" != "" ]
local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
[ "${secondary_replica_token}" != "" ]
# Install vault-west
helm install "$(name_prefix)-west" \
--set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-west-0"
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
vault operator init -format=json -n 1 -t 1)
local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${secondary_token}" != "" ]
local secondary_root=$(echo ${init} | jq -r '.root_token')
[ "${secondary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
wait_for_ready "$(name_prefix)-west-0"
sleep 30
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root}
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token}
sleep 30
local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
}
setup() {
kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI
}
#cleanup
teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
helm delete vault-east
helm delete vault-west
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi
}
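Review bot: the license secret in `setup()` is created from an unquoted, unchecked variable: `kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI`. If `VAULT_LICENSE_CI` is unset the secret is created with an empty value and the failure only surfaces later as a pod that never becomes ready; fail fast with `: "${VAULT_LICENSE_CI:?missing}"` and quote the expansion. Passing the license as a command-line argument also exposes it in the process list of the CI runner; feeding it through `--from-file=license=/dev/stdin` avoids that. Smaller points in the same function: `local pods=(...)` is declared twice, every `kubectl exec -ti ${pod}` leaves the pod name unquoted, and the two fixed `sleep 30` waits could poll `vault status` the way `wait_for_ready` already does.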

View file

@ -13,7 +13,7 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
@ -57,9 +57,9 @@ load _helpers
jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ]
# OpenBao Init
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-0" -- \
bao operator init -format=json -n 1 -t 1)
vault operator init -format=json -n 1 -t 1)
local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
@ -67,35 +67,35 @@ load _helpers
local root=$(echo ${init} | jq -r '.root_token')
[ "${root}" != "" ]
kubectl exec -ti openbao-0 -- bao operator unseal ${token}
kubectl exec -ti vault-0 -- vault operator unseal ${token}
wait_for_ready "$(name_prefix)-0"
sleep 5
# OpenBao Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-0" ]]
then
kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
kubectl exec -ti ${pod} -- bao operator unseal ${token}
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${token}
wait_for_ready "${pod}"
fi
done
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-0" -- bao login ${root}
kubectl exec "$(name_prefix)-0" -- vault login ${root}
local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json |
local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
}
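Review bot: the first unseal, `kubectl exec -ti openbao-0 -- bao operator unseal ${token}` (and its `vault-0` counterpart), hardcodes the pod name while every other line in this function derives it from `$(name_prefix)-0`, so the test breaks as soon as the release name changes; use `"$(name_prefix)-0"` here as well. The comment `# Sealed, not initialized` above the final assertions is also inverted: they expect `sealed == false` and `initialized == true`, so it should read `# Unsealed, initialized` as in the other server tests.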
@ -112,9 +112,9 @@ teardown() {
then
# If the test failed, print some debug output
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
kubectl logs -l app.kubernetes.io/name=openbao
kubectl logs -l app.kubernetes.io/name=vault
fi
helm delete openbao
helm delete vault
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi

View file

@ -0,0 +1,121 @@
#!/usr/bin/env bats
load _helpers
@test "server/ha: testing deployment" {
cd `chart_dir`
helm install "$(name_prefix)" \
--set='server.ha.enabled=true' .
wait_for_running $(name_prefix)-0
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Replicas
local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.replicas')
[ "${replicas}" == "3" ]
# Volume Mounts
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts | length')
[ "${volumeCount}" == "2" ]
# Volumes
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.volumes | length')
[ "${volumeCount}" == "2" ]
local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.volumes[0].configMap.name')
[ "${volume}" == "$(name_prefix)-config" ]
# Service
local service=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.clusterIP')
[ "${service}" != "None" ]
local service=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.type')
[ "${service}" == "ClusterIP" ]
local ports=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.ports | length')
[ "${ports}" == "2" ]
local ports=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.ports[0].port')
[ "${ports}" == "8200" ]
local ports=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ]
# Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- vault operator unseal ${token}
done
wait_for_ready "$(name_prefix)-0"
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
}
# setup a consul env
setup() {
kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
CONSUL_HELM_VERSION=v0.48.0
K8S_MAJOR=$(kubectl version --output=json | jq -r .serverVersion.major)
K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor)
if [ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]; then
CONSUL_HELM_VERSION=v0.32.1
fi
helm install consul hashicorp/consul \
--version $CONSUL_HELM_VERSION \
--set 'ui.enabled=false'
wait_for_running_consul
}
#cleanup
teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
# If the test failed, print some debug output
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
kubectl logs -l app=consul
kubectl logs -l app.kubernetes.io/name=vault
fi
helm delete vault
helm delete consul
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi
}
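Review bot: the Consul chart version check `if [ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]` aborts with an integer-expression error on managed clusters whose `kubectl version` reports a minor such as `28+`; strip the suffix first (`K8S_MINOR=${K8S_MINOR%%[!0-9]*}`) and prefer `[[ ... && ... ]]` over the obsolescent `-a` / `\(` form. Also, the comment `# Sealed, not initialized` above the last two assertions contradicts them, since they expect the node to be unsealed and initialized.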

View file

@ -19,7 +19,7 @@ load _helpers
helm install \
--wait \
--values ../../test/acceptance/server-test/telemetry.yaml \
--values ./test/acceptance/server-test/telemetry.yaml \
"$(name_prefix)" .
wait_for_running $(name_prefix)-0
@ -27,31 +27,31 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
# OpenBao Init
# Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
bao operator init -format=json -n 1 -t 1 | \
vault operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
# OpenBao Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- bao operator unseal ${token}
kubectl exec -ti ${pod} -- vault operator unseal ${token}
done
wait_for_ready "$(name_prefix)-0"
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
# unfortunately it can take up to 2 minutes for the openbao prometheus job to appear
# unfortunately it can take up to 2 minutes for the vault prometheus job to appear
# TODO: investigate how reduce this.
local job_labels
local tries=0
@ -62,7 +62,7 @@ load _helpers
-- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr )
# Ensure the expected job label was picked up by Prometheus
[ "$(echo "${job_labels}" | jq 'any(.data[]; . == "openbao-internal")')" = "true" ] && break
[ "$(echo "${job_labels}" | jq 'any(.data[]; . == "vault-internal")')" = "true" ] && break
((++tries))
sleep .5
@ -72,7 +72,7 @@ load _helpers
# Ensure the expected job is "up"
local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \
-c prometheus \
-- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="openbao-internal"}' ) | \
-- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="vault-internal"}' ) | \
tee /dev/stderr )
[ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ]
}

View file

@ -17,7 +17,7 @@ server:
}
storage "file" {
path = "/openbao/data"
path = "/vault/data"
}
telemetry {

View file

@ -15,7 +15,7 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
@ -40,7 +40,7 @@ load _helpers
local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath')
[ "${mountPath}" == "/openbao/data" ]
[ "${mountPath}" == "/vault/data" ]
# Volumes
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
@ -72,27 +72,27 @@ load _helpers
jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ]
# OpenBao Init
# Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
bao operator init -format=json -n 1 -t 1 | \
vault operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
# OpenBao Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- bao operator unseal ${token}
kubectl exec -ti ${pod} -- vault operator unseal ${token}
done
wait_for_ready "$(name_prefix)-0"
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
}
@ -102,7 +102,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete openbao
helm delete vault
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi

View file

@ -3,7 +3,7 @@
# chart_dir returns the directory for the chart
chart_dir() {
echo ${BATS_TEST_DIRNAME}/../../charts/openbao
echo ${BATS_TEST_DIRNAME}/../..
}
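Review bot: `chart_dir` echoes an unquoted `${BATS_TEST_DIRNAME}` and callers use it as `cd \`chart_dir\``, so a checkout path containing whitespace splits into several words and the `cd` fails; quote the expansion and call it as `cd "$(chart_dir)"`. The same `chart_dir` function appears again later in this diff with the identical `charts/openbao` change, so both copies need to move together.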
# check_result checks if the specified test passed

View file

@ -5,8 +5,8 @@ load _helpers
setup_file() {
cd `chart_dir`
export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json"
export CHART_VOLUME=openbao-helm-chart-src
local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7"
export CHART_VOLUME=vault-helm-chart-src
local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1"
# chart-verifier requires an openshift version if a cluster isn't available
local OPENSHIFT_VERSION="4.12"
local DISABLED_TESTS="chart-testing"
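Review bot: the verifier image is pinned by a mutable tag only (`quay.io/redhat-certification/chart-verifier:1.13.7`); a tag can be re-pushed, so for a tool whose output gates certification pin it by digest (`@sha256:...`) and keep the version in a comment. Also, `export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json"` has a stray leading slash before `$BATS_RUN_TMPDIR`; it only produces a `//tmp/...` path today, but it reads like a typo and should be `"$BATS_RUN_TMPDIR/verify.json"`.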

View file

@ -19,7 +19,7 @@ data "google_service_account" "gcpapi" {
}
resource "google_container_cluster" "cluster" {
name = "openbao-helm-dev-${random_id.suffix.dec}"
name = "vault-helm-dev-${random_id.suffix.dec}"
project = "${var.project}"
enable_legacy_abac = true
initial_node_count = 3
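Review bot: the unchanged `enable_legacy_abac = true` on the `google_container_cluster` resource turns on legacy attribute-based authorization alongside RBAC, which lets an RBAC denial be overridden by an ABAC policy and is deprecated on GKE; unless something in the test setup depends on it, set it to `false` (the provider default) in the same change that renames the cluster to `openbao-helm-dev-${random_id.suffix.dec}`.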

View file

@ -2,7 +2,7 @@
# SPDX-License-Identifier: MPL-2.0
variable "project" {
default = "openbao-helm-dev-246514"
default = "vault-helm-dev-246514"
description = <<EOF
Google Cloud Project to launch resources in. This project must have GKE

View file

@ -3,5 +3,5 @@
# chart_dir returns the directory for the chart
chart_dir() {
echo ${BATS_TEST_DIRNAME}/../../charts/openbao
echo ${BATS_TEST_DIRNAME}/../..
}

View file

@ -18,7 +18,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-openbao-csi-provider-agent-config" ]
[ "${actual}" = "release-name-vault-csi-provider-agent-config" ]
}
@test "csi/Agent-ConfigMap: namespace" {
@ -40,25 +40,25 @@ load _helpers
[ "${actual}" = "bar" ]
}
@test "csi/Agent-ConfigMap: OpenBao addr not affected by injector setting" {
@test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-agent-configmap.yaml \
--set "csi.enabled=true" \
--release-name not-external-test \
--set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. | tee /dev/stderr |
yq -r '.data["config.hcl"]' | tee /dev/stderr)
echo "${actual}" | grep "http://not-external-test-openbao.default.svc:8200"
echo "${actual}" | grep "http://not-external-test-vault.default.svc:8200"
}
@test "csi/Agent-ConfigMap: OpenBao addr correctly set for externalVaultAddr" {
@test "csi/Agent-ConfigMap: Vault addr correctly set for externalVaultAddr" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-agent-configmap.yaml \
--set "csi.enabled=true" \
--set 'global.externalVaultAddr=http://openbao-outside' \
--set 'global.externalVaultAddr=http://vault-outside' \
. | tee /dev/stderr |
yq -r '.data["config.hcl"]' | tee /dev/stderr)
echo "${actual}" | grep "http://openbao-outside"
echo "${actual}" | grep "http://vault-outside"
}

View file

@ -29,5 +29,5 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ]
[ "${actual}" = "release-name-vault-csi-provider-clusterrole" ]
}

View file

@ -29,7 +29,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.roleRef.name' | tee /dev/stderr)
[ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ]
[ "${actual}" = "release-name-vault-csi-provider-clusterrole" ]
}
# ClusterRoleBinding service account name
@ -40,7 +40,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.subjects[0].name' | tee /dev/stderr)
[ "${actual}" = "release-name-openbao-csi-provider" ]
[ "${actual}" = "release-name-vault-csi-provider" ]
}
# ClusterRoleBinding service account namespace

View file

@ -81,7 +81,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
[ "${actual}" = "release-name-openbao-csi-provider" ]
[ "${actual}" = "release-name-vault-csi-provider" ]
}
# Image
@ -101,13 +101,13 @@ load _helpers
local actual=$(echo $object |
yq -r '.[0].image' | tee /dev/stderr)
[ "${actual}" = "docker.io/Image1:0.0.1" ]
[ "${actual}" = "Image1:0.0.1" ]
local actual=$(echo $object |
yq -r '.[0].imagePullPolicy' | tee /dev/stderr)
[ "${actual}" = "PullPolicy1" ]
local actual=$(echo $object |
yq -r '.[1].image' | tee /dev/stderr)
[ "${actual}" = "quay.io/Image2:0.0.2" ]
[ "${actual}" = "Image2:0.0.2" ]
local actual=$(echo $object |
yq -r '.[1].imagePullPolicy' | tee /dev/stderr)
[ "${actual}" = "PullPolicy2" ]
@ -196,7 +196,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr)
[ "${actual}" = "--hmac-secret-name=openbao-csi-provider-hmac-key" ]
[ "${actual}" = "--hmac-secret-name=vault-csi-provider-hmac-key" ]
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
@ -666,7 +666,7 @@ load _helpers
local object=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'global.externalVaultAddr=http://openbao-outside' \
--set 'global.externalVaultAddr=http://vault-outside' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
@ -682,13 +682,13 @@ load _helpers
--set 'csi.enabled=true' \
--set 'csi.agent.enabled=false' \
--release-name not-external-test \
--set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://not-external-test-openbao.default.svc:8200" ]
[ "${value}" = "http://not-external-test-vault.default.svc:8200" ]
}
@test "csi/daemonset: with global.externalVaultAddr" {
@ -697,13 +697,13 @@ load _helpers
--show-only templates/csi-daemonset.yaml \
--set 'csi.enabled=true' \
--set 'csi.agent.enabled=false' \
--set 'global.externalVaultAddr=http://openbao-outside' \
--set 'global.externalVaultAddr=http://vault-outside' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://openbao-outside" ]
[ "${value}" = "http://vault-outside" ]
}
#--------------------------------------------------------------------
@ -796,7 +796,7 @@ load _helpers
yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "error" ]
}
@ -810,7 +810,7 @@ load _helpers
yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "json" ]
}

View file

@ -18,13 +18,13 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-openbao-csi-provider-role" ]
[ "${actual}" = "release-name-vault-csi-provider-role" ]
local actual=$(helm template \
--show-only templates/csi-role.yaml \
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr)
[ "${actual}" = "openbao-csi-provider-hmac-key" ]
[ "${actual}" = "vault-csi-provider-hmac-key" ]
}
@test "csi/Role: namespace" {

View file

@ -18,7 +18,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-openbao-csi-provider-rolebinding" ]
[ "${actual}" = "release-name-vault-csi-provider-rolebinding" ]
}
@test "csi/RoleBinding: namespace" {

View file

@ -29,7 +29,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-openbao-csi-provider" ]
[ "${actual}" = "release-name-vault-csi-provider" ]
}
# serviceAccountNamespace namespace

View file

@ -69,7 +69,7 @@ load _helpers
--set 'injector.image.tag=1.2.3' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "docker.io/foo:1.2.3" ]
[ "${actual}" = "foo:1.2.3" ]
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
@ -77,7 +77,7 @@ load _helpers
--set 'injector.image.tag=1.2.3' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "docker.io/foo:1.2.3" ]
[ "${actual}" = "foo:1.2.3" ]
}
@test "injector/deployment: default imagePullPolicy" {
@ -186,7 +186,7 @@ load _helpers
local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "release-name-openbao-agent-injector-cfg" ]
[ "${value}" = "release-name-vault-agent-injector-cfg" ]
# helm template does uses current context namespace and ignores namespace flags, so
# discover the targeted namespace so we can check the rendered value correctly.
@ -194,7 +194,7 @@ load _helpers
local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "release-name-openbao-agent-injector-svc,release-name-openbao-agent-injector-svc.${namespace:-default},release-name-openbao-agent-injector-svc.${namespace:-default}.svc" ]
[ "${value}" = "release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.${namespace:-default},release-name-vault-agent-injector-svc.${namespace:-default}.svc" ]
}
@test "injector/deployment: manual TLS adds volume mount" {
@ -202,7 +202,7 @@ load _helpers
local object=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--set 'injector.certs.secretName=openbao-tls' \
--set 'injector.certs.secretName=vault-tls' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "webhook-certs")' | tee /dev/stderr)
@ -219,40 +219,40 @@ load _helpers
cd `chart_dir`
local object=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://openbao-outside" ]
[ "${value}" = "http://vault-outside" ]
}
@test "injector/deployment: with global.externalVaultAddr" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'global.externalVaultAddr=http://openbao-outside' \
--set 'global.externalVaultAddr=http://vault-outside' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://openbao-outside" ]
[ "${value}" = "http://vault-outside" ]
}
@test "injector/deployment: global.externalVaultAddr takes precendence over injector.externalVaultAddr" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'global.externalVaultAddr=http://global-openbao-outside' \
--set 'injector.externalVaultAddr=http://injector-openbao-outside' \
--set 'global.externalVaultAddr=http://global-vault-outside' \
--set 'injector.externalVaultAddr=http://injector-vault-outside' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://global-openbao-outside" ]
[ "${value}" = "http://global-vault-outside" ]
}
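Review bot: the test title `@test "injector/deployment: global.externalVaultAddr takes precendence over injector.externalVaultAddr"` misspells "precedence"; since that string is what identifies the case in BATS output, fix it alongside the `openbao` / `vault` renames of the URLs below it.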
@test "injector/deployment: without externalVaultAddr" {
@ -266,7 +266,7 @@ load _helpers
local value=$(echo $object |
yq -r 'map(select(.name=="AGENT_INJECT_VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://not-external-test-openbao.default.svc:8200" ]
[ "${value}" = "http://not-external-test-vault.default.svc:8200" ]
}
@test "injector/deployment: default authPath" {

View file

@ -55,7 +55,7 @@ load _helpers
local actual=$(helm template \
--show-only templates/injector-disruptionbudget.yaml \
--set 'injector.podDisruptionBudget.minAvailable=2' \
--kube-version 1.27.5 \
--kube-version 1.22.5 \
. | tee /dev/stderr |
yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
[ "${actual}" = "true" ]

View file

@ -51,9 +51,9 @@ load _helpers
--show-only templates/injector-psp.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.psp.annotations=openbao-is: amazing' \
--set 'global.psp.annotations=vault-is: amazing' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr)
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ]
}
@ -63,8 +63,8 @@ load _helpers
--show-only templates/injector-psp.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.psp.annotations.openbao-is=amazing' \
--set 'global.psp.annotations.vault-is=amazing' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr)
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ]
}

View file

@ -76,8 +76,8 @@ load _helpers
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-service.yaml \
--set 'injector.service.annotations=openBaoIsAwesome: true' \
--set 'injector.service.annotations=vaultIsAwesome: true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

View file

@ -42,8 +42,8 @@ load _helpers
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-serviceaccount.yaml \
--set 'injector.serviceAccount.annotations=openBaoIsAwesome: true' \
--set 'injector.serviceAccount.annotations=vaultIsAwesome: true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

View file

@ -32,7 +32,7 @@ load _helpers
[ "$(echo "$output" | yq -r '.spec.groups | length')" = "1" ]
[ "$(echo "$output" | yq -r '.spec.groups[0] | length')" = "2" ]
[ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-openbao" ]
[ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-vault" ]
[ "$(echo "$output" | yq -r '.spec.groups[0].rules | length')" = "2" ]
[ "$(echo "$output" | yq -r '.spec.groups[0].rules[0].foo')" = "bar" ]
[ "$(echo "$output" | yq -r '.spec.groups[0].rules[1].baz')" = "qux" ]

View file

@ -66,7 +66,7 @@ load _helpers
local actual=$( (helm template \
--show-only templates/server-clusterrolebinding.yaml \
--set 'server.enabled=false' \
--set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]

View file

@ -134,7 +134,7 @@ load _helpers
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-config-configmap.yaml \
--set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]

View file

@ -27,7 +27,7 @@ load _helpers
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-statefulset.yaml \
--set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'injector.externalVaultAddr=http://vault-outside' \
--set 'server.dev.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
@ -43,7 +43,7 @@ load _helpers
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "quay.io/foo:1.2.3" ]
[ "${actual}" = "foo:1.2.3" ]
}
@test "server/ha-StatefulSet: image tag defaults to latest" {
@ -56,7 +56,7 @@ load _helpers
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "quay.io/foo:latest" ]
[ "${actual}" = "foo:latest" ]
}
#--------------------------------------------------------------------
@ -184,7 +184,7 @@ load _helpers
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/openbao/userconfig/foo" ]
[ "${actual}" = "/vault/userconfig/foo" ]
}
@test "server/dev-StatefulSet: adds extra secret volume" {
@ -222,7 +222,7 @@ load _helpers
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/openbao/userconfig/foo" ]
[ "${actual}" = "/vault/userconfig/foo" ]
}
@test "server/dev-StatefulSet: no storageClass on claim by default" {

View file

@ -7,9 +7,9 @@ load _helpers
local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \
--set 'server.ha.enabled=true' \
--set 'server.service.annotations=openBaoIsAwesome: true' \
--set 'server.service.annotations=vaultIsAwesome: true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@ -18,9 +18,9 @@ load _helpers
local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \
--set 'server.ha.enabled=true' \
--set 'server.service.active.annotations=openBaoIsAwesome: true' \
--set 'server.service.active.annotations=vaultIsAwesome: true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ha-active-Service: with both annotations set" {
@ -28,14 +28,14 @@ load _helpers
local object=$(helm template \
--show-only templates/server-ha-active-service.yaml \
--set 'server.ha.enabled=true' \
--set 'server.service.active.annotations=openBaoIsAwesome: true' \
--set 'server.service.annotations=openbaoIsNotAwesome: false' \
--set 'server.service.active.annotations=vaultIsAwesome: true' \
--set 'server.service.annotations=vaultIsNotAwesome: false' \
. | tee /dev/stderr |
yq -r '.metadata' | tee /dev/stderr)
local actual=$(echo "$object" | yq '.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
actual=$(echo "$object" | yq '.annotations["openbaoIsNotAwesome"]' | tee /dev/stderr)
actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
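Review bot: the "with both annotations set" case mixes casings in its sample keys, `openBaoIsAwesome` next to `openbaoIsNotAwesome`, while the single-annotation tests above use `openBaoIsAwesome` throughout; the assertion passes only because the `--set` value and the `yq` lookup use the same string, so pick one spelling for the sample keys to avoid a future copy-paste silently checking a key that was never set.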
@test "server/ha-active-Service: disable with ha.enabled false" {
@ -192,7 +192,7 @@ load _helpers
[ "${actual}" = "null" ]
}
@test "server/ha-active-Service: openbao port name is http, when tlsDisable is true" {
@test "server/ha-active-Service: vault port name is http, when tlsDisable is true" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \
@ -203,7 +203,7 @@ load _helpers
[ "${actual}" = "http" ]
}
@test "server/ha-active-Service: openbao port name is https, when tlsDisable is false" {
@test "server/ha-active-Service: vault port name is https, when tlsDisable is false" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \

View file

@ -47,7 +47,7 @@ load _helpers
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-disruptionbudget.yaml \
--set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
@ -123,7 +123,7 @@ load _helpers
--show-only templates/server-disruptionbudget.yaml \
--set 'server.ha.enabled=true' \
--set 'server.ha.replicas=1' \
--kube-version 1.27.5 \
--kube-version 1.22.5 \
. | tee /dev/stderr |
yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
[ "${actual}" = "true" ]

View file

@ -7,9 +7,9 @@ load _helpers
local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \
--set 'server.service.annotations=openBaoIsAwesome: true' \
--set 'server.service.annotations=vaultIsAwesome: true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@ -18,9 +18,9 @@ load _helpers
local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \
--set 'server.service.annotations.openBaoIsAwesome=true' \
--set 'server.service.annotations.vaultIsAwesome=true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@ -29,9 +29,9 @@ load _helpers
local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \
--set 'server.service.standby.annotations=openBaoIsAwesome: true' \
--set 'server.service.standby.annotations=vaultIsAwesome: true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@ -40,9 +40,9 @@ load _helpers
local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \
--set 'server.service.standby.annotations.openBaoIsAwesome=true' \
--set 'server.service.standby.annotations.vaultIsAwesome=true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ha-standby-Service: with both annotations set" {
@ -50,14 +50,14 @@ load _helpers
local object=$(helm template \
--show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \
--set 'server.service.standby.annotations=openBaoIsAwesome: true' \
--set 'server.service.annotations=openbaoIsNotAwesome: false' \
--set 'server.service.standby.annotations=vaultIsAwesome: true' \
--set 'server.service.annotations=vaultIsNotAwesome: false' \
. | tee /dev/stderr |
yq -r '.metadata' | tee /dev/stderr)
local actual=$(echo "$object" | yq '.annotations["openBaoIsAwesome"]' | tee /dev/stderr)
local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
actual=$(echo "$object" | yq '.annotations["openbaoIsNotAwesome"]' | tee /dev/stderr)
actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ha-standby-Service: disable with ha.enabled false" {
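Review bot: In `local actual=$(echo "$object" | yq '.annotations["..."]' ...)` the `-r` flag is dropped, while the `.metadata` extraction just above uses `yq -r`; the comparison only succeeds because the fixture values are YAML booleans, and a string-valued annotation would come back wrapped in JSON quotes and fail the `[ "${actual}" = ... ]` check. Use `yq -r` consistently. Separately, the fixture keys mix casing (`openBaoIsAwesome` versus `openbaoIsNotAwesome`), which is harmless but worth aligning so the pair is greppable.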
@ -214,7 +214,7 @@ load _helpers
[ "${actual}" = "null" ]
}
@test "server/ha-standby-Service: openbao port name is http, when tlsDisable is true" {
@test "server/ha-standby-Service: vault port name is http, when tlsDisable is true" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \
@ -225,7 +225,7 @@ load _helpers
[ "${actual}" = "http" ]
}
@test "server/ha-standby-Service: openbao port name is https, when tlsDisable is false" {
@test "server/ha-standby-Service: vault port name is https, when tlsDisable is false" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \

View file

@ -27,7 +27,7 @@ load _helpers
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-statefulset.yaml \
--set 'injector.externalVaultAddr=http://openbao-outside' \
--set 'injector.externalVaultAddr=http://vault-outside' \
--set 'server.ha.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
@ -43,7 +43,7 @@ load _helpers
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "quay.io/foo:1.2.3" ]
[ "${actual}" = "foo:1.2.3" ]
}
@test "server/ha-StatefulSet: image tag defaults to latest" {
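Review bot: The expected image differs only by the `quay.io/` registry prefix, but the `--set` lines that supply the image values sit above this hunk and are not shown, so it is not possible to confirm which values key produces the prefix; please include that context in the hunk. From a supply-chain standpoint the side that renders an explicit registry is preferable, because an unqualified `foo:1.2.3` is resolved through whatever default registry the node's container runtime is configured with.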
@ -56,7 +56,7 @@ load _helpers
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "quay.io/foo:latest" ]
[ "${actual}" = "foo:latest" ]
}
#--------------------------------------------------------------------
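Review bot: Asserting that the image tag defaults to `latest` (`foo:latest` / `quay.io/foo:latest`) locks a mutable tag in as chart behaviour; the test is fine as a regression check, but the chart default should be a pinned release tag (or a digest) so that a `helm upgrade` cannot silently pull a different image, and this test should then assert the pinned value.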
@ -71,7 +71,7 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_ADDR")) | .[] .value' | tee /dev/stderr)
yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "http://127.0.0.1:8200" ]
}
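Review bot: This hunk only swaps the asserted environment variable name (`BAO_ADDR` versus `VAULT_ADDR`); nothing here checks that the server binary reads the name the chart injects. If the binary honours both names, add a test that the legacy one is set (or deliberately absent) so the behaviour is explicit; if it honours only one, the rename breaks operators whose wrapper scripts read the other and should be called out in the changelog.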
@ -84,7 +84,7 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_ADDR")) | .[] .value' | tee /dev/stderr)
yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "https://127.0.0.1:8200" ]
}
@ -266,7 +266,7 @@ load _helpers
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/openbao/userconfig/foo" ]
[ "${actual}" = "/vault/userconfig/foo" ]
}
@test "server/ha-StatefulSet: adds extra volume custom mount path" {
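Review bot: The extra-volume mount path moves between `/openbao/userconfig/foo` and `/vault/userconfig/foo`; any TLS material or seal configuration that the server config references by absolute path under the old prefix stops resolving after this change, so it needs a changelog entry and a documented migration step (or a compatibility mount at the old path for one release).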
@ -347,7 +347,7 @@ load _helpers
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/openbao/userconfig/foo" ]
[ "${actual}" = "/vault/userconfig/foo" ]
}
#--------------------------------------------------------------------
@ -407,7 +407,7 @@ load _helpers
}
#--------------------------------------------------------------------
# BAO_API_ADDR renders
# VAULT_API_ADDR renders
@test "server/ha-StatefulSet: api addr renders to Pod IP by default" {
cd `chart_dir`
@ -418,7 +418,7 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_API_ADDR")) | .[] .value' | tee /dev/stderr)
yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'http://$(POD_IP):8200' ]
}
@ -432,12 +432,12 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_API_ADDR")) | .[] .value' | tee /dev/stderr)
yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = "https://example.com:8200" ]
}
#--------------------------------------------------------------------
# BAO_CLUSTER_ADDR renders
# VAULT_CLUSTER_ADDR renders
@test "server/ha-StatefulSet: clusterAddr not set" {
cd `chart_dir`
@ -449,8 +449,8 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ]
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ]
}
@test "server/ha-StatefulSet: clusterAddr set to null" {
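Review bot: The default cluster address embeds the internal headless service name (`release-name-openbao-internal` versus `release-name-vault-internal`), which is the address raft peers record for one another; upgrading an existing raft cluster across this rename leaves peers advertising a name that no longer resolves, so the rename needs a documented migration path (for example a temporary `server.ha.clusterAddr` override, which the next hunk shows the chart already supports).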
@ -464,8 +464,8 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ]
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ]
}
@test "server/ha-StatefulSet: clusterAddr set to custom url" {
@ -479,7 +479,7 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'https://test.example.com:8201' ]
}
@ -489,18 +489,18 @@ load _helpers
--show-only templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
--set 'server.ha.raft.enabled=true' \
--set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-openbao-internal:8201' \
--set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'http://$(HOSTNAME).release-name-openbao-internal:8201' ]
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
[ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ]
}
@test "server/ha-StatefulSet: clusterAddr gets quoted" {
cd `chart_dir`
local customUrl='http://$(HOSTNAME).release-name-openbao-internal:8201'
local customUrl='http://$(HOSTNAME).release-name-vault-internal:8201'
local rendered=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
@ -511,11 +511,11 @@ load _helpers
local value=$(echo $rendered |
yq -Y '.' | tee /dev/stderr)
[ "${value}" = 'value: "http://$(HOSTNAME).release-name-openbao-internal:8201"' ]
[ "${value}" = 'value: "http://$(HOSTNAME).release-name-vault-internal:8201"' ]
}
#--------------------------------------------------------------------
# BAO_RAFT_NODE_ID renders
# VAULT_RAFT_NODE_ID renders
@test "server/ha-StatefulSet: raft node ID renders" {
cd `chart_dir`
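Review bot: `local value=$(echo $rendered | yq -Y '.')` leaves `$rendered` unquoted, so the shell applies word splitting and glob expansion to the rendered YAML before `yq` sees it; the same pattern recurs with `echo $object` in the env-var tests in this file. Quote the expansion (`echo "$rendered"`), as the annotation tests already do with `"$object"`.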
@ -528,7 +528,7 @@ local value=$(echo $rendered |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local value=$(echo $object |
yq -r 'map(select(.name=="BAO_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr)
yq -r 'map(select(.name=="VAULT_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr)
[ "${value}" = "metadata.name" ]
}

View file

@ -74,3 +74,25 @@ load _helpers
yq '.spec.ipFamilies' -c | tee /dev/stderr)
[ "${actual}" = '["IPv4","IPv6"]' ]
}
@test "server/headless-Service: Assert ipFamilyPolicy is not set if version below 1.23" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-headless-service.yaml \
--kube-version 1.22.0 \
--set 'server.service.ipFamilyPolicy=PreferDualStack' \
. | tee /dev/stderr |
yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "server/headless-Service: Assert ipFamilies is not set if version below 1.23" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-headless-service.yaml \
--kube-version 1.22.0 \
--set 'server.service.ipFamilies={IPv4,IPv6}' \
. | tee /dev/stderr |
yq -r '.spec.ipFamilies' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
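Review bot: These two tests exist on only one side of the comparison (the hunk header shows 22 added lines), so the other side has no coverage that `ipFamilyPolicy` and `ipFamilies` are suppressed on clusters older than 1.23. If that side dropped the guard because it no longer supports Kubernetes below 1.23, state the minimum version and enforce it with `kubeVersion` in Chart.yaml; if the guard is still present, keep the tests. Either way, add a boundary case at `--kube-version 1.23.0` so an off-by-one in the version comparison is caught.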

Some files were not shown because too many files have changed in this diff.