Christopher Swenson
4c752a9f1d
Merge branch 'main' into topology 2022-04-28 10:26:20 -07:00
Eric Miller
fb3126b864 Allow topologySpreadConstraints to be a string 2021-11-30 15:49:12 -06:00
Eric Miller
b67a874090 Merge branch 'main' into topology 2021-11-22 15:29:50 -06:00
Eric Miller
102c29955b Implement injector HA statefulset topology UTs 2021-11-22 15:24:38 -06:00
Eric Miller
567a4386a5 Implement injector statefulset topology spread UTs 2021-11-22 15:21:15 -06:00
Eric Miller
f49ecb6802 Implement injector deployment topology spread UTs
* also remove string from the relevant schema types
2021-11-22 15:12:17 -06:00
Eric Miller
8840187301 Add topologySpreadConstraints to values schema 2021-11-22 14:36:11 -06:00
Ellis Tarn
87c3e62030
Update values.yaml
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2021-09-27 15:19:47 -07:00
Ellis Tarn
c77cb1f6a4
Update values.yaml
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2021-09-27 15:19:43 -07:00
Ellis Tarn
18f8db05d9 Implemented support for topology spread constraints 2021-09-17 16:30:49 -07:00
161 changed files with 2109 additions and 5910 deletions

97
.circleci/config.yml Normal file

@ -0,0 +1,97 @@
version: 2.1
orbs:
slack: circleci/slack@3.4.2
jobs:
bats-unit-test:
docker:
# This image is built from test/docker/Test.dockerfile
- image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
steps:
- checkout
- run: bats ./test/unit -t
chart-verifier:
docker:
- image: docker.mirror.hashicorp.services/cimg/go:1.16
environment:
BATS_VERSION: "1.3.0"
CHART_VERIFIER_VERSION: "1.2.1"
steps:
- checkout
- run:
name: install chart-verifier
command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
- run:
name: install bats
command: |
curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz
tar -zxf /tmp/bats.tgz -C /tmp
sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local
- run:
name: run chart-verifier tests
command: bats ./test/chart -t
acceptance:
docker:
# This image is build from test/docker/Test.dockerfile
- image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
steps:
- checkout
- run:
name: terraform init & apply
command: |
echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json
export GOOGLE_CREDENTIALS=vault-helm-test.json
make provision-cluster
- run:
name: Run acceptance tests
command: bats ./test/acceptance -t
- run:
name: terraform destroy
command: |
export GOOGLE_CREDENTIALS=vault-helm-test.json
make destroy-cluster
when: always
update-helm-charts-index:
docker:
- image: docker.mirror.hashicorp.services/circleci/golang:1.15.3
steps:
- checkout
- run:
name: verify Chart version matches tag version
command: |
GO111MODULE=on go get github.com/mikefarah/yq/v2
git_tag=$(echo "${CIRCLE_TAG#v}")
chart_tag=$(yq r Chart.yaml version)
if [ "${git_tag}" != "${chart_tag}" ]; then
echo "chart version (${chart_tag}) did not match git version (${git_tag})"
exit 1
fi
- run:
name: update helm-charts index
command: |
curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
-X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
"${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
- slack/status:
fail_only: true
failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}"
workflows:
version: 2
# Note: unit and acceptance tests are now being run in GitHub Actions
update-helm-charts-index:
jobs:
- update-helm-charts-index:
context: helm-charts-trigger-vault
filters:
tags:
only: /^v.*/
branches:
ignore: /.*/
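Review bot: The `install bats` step fetches the bats-core tarball with curl and then runs its `install.sh` under sudo without checking a checksum or signature, so the job trusts whatever the download endpoint serves at that moment; inserting `echo "<EXPECTED_SHA256>  /tmp/bats.tgz" | sha256sum -c -` (placeholder hash) between the curl and the tar pins it. The `update-helm-charts-index` job has the same gap with `GO111MODULE=on go get github.com/mikefarah/yq/v2`, which carries no version at all and uses `go get` for a binary install where the tests workflow on this page uses `go install ...@${VERSION}`. The `workflows:` block only wires up `update-helm-charts-index`, so `bats-unit-test`, `chart-verifier` and `acceptance` are dead job definitions (the comment above the workflow says they moved to GitHub Actions); either delete them or reference them. The `acceptance` job also decodes `GOOGLE_APP_CREDS` into `vault-helm-test.json` in the checkout directory, which matters for anything that later packages that workspace.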


@ -9,9 +9,9 @@ assignees: ''
<!-- Please reserve GitHub issues for bug reports and feature requests. <!-- Please reserve GitHub issues for bug reports and feature requests.
**Please note**: We take OpenBao's security and our users' trust very seriously. If For questions, the best place to get answers is on our [discussion forum](https://discuss.hashicorp.com/c/vault), as they will get more visibility from experienced users than the issue tracker.
you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_
by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org). Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault Helm, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
--> -->
@ -21,19 +21,19 @@ A clear and concise description of what the bug is.
**To Reproduce** **To Reproduce**
Steps to reproduce the behavior: Steps to reproduce the behavior:
1. Install chart 1. Install chart
2. Run bao command 2. Run vault command
3. See error (openbao logs, etc.) 3. See error (vault logs, etc.)
Other useful info to include: openbao pod logs, `kubectl describe statefulset openbao` and `kubectl get statefulset openbao -o yaml` output Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output
**Expected behavior** **Expected behavior**
A clear and concise description of what you expected to happen. A clear and concise description of what you expected to happen.
**Environment** **Environment**
* Kubernetes version: * Kubernetes version:
* Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): * Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.):
* Other configuration options or runtime services (istio, etc.): * Other configuration options or runtime services (istio, etc.):
* openbao-helm version: * vault-helm version:
Chart values: Chart values:


@ -1,6 +1,4 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
contact_links: contact_links:
- name: Ask a question - name: Ask a question
url: https://chat.lfx.linuxfoundation.org/#/room/#openbao-questions:chat.lfx.linuxfoundation.org url: https://discuss.hashicorp.com/c/vault
about: For increased visibility, please post questions on the discussion forum, and tag with `k8s`


@ -1,24 +0,0 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
name: Setup common testing tools
description: Install bats and python-yq
runs:
using: "composite"
steps:
- uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: '16'
- run: npm install -g bats@${BATS_VERSION}
shell: bash
env:
BATS_VERSION: '1.8.2'
- run: bats -v
shell: bash
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: '3.10'
- run: pip install yq
shell: bash
permissions:
contents: read


@ -1,7 +0,0 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"


@ -1,22 +1,34 @@
name: Acceptance Tests name: Acceptance Tests
on: [push, workflow_dispatch]
on:
push:
branches:
- main
workflow_dispatch: {}
jobs: jobs:
kind: kind:
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
kind-k8s-version: [1.27.11, 1.28.7, 1.29.2] kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/checkout@v2
- name: Setup test tools - name: Setup test tools
uses: ./.github/actions/setup-test-tools uses: ./.github/workflows/setup-test-tools
- name: Create K8s Kind Cluster - name: Create K8s Kind Cluster
uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0 uses: helm/kind-action@v1.2.0
with: with:
config: test/kind/config.yaml config: test/kind/config.yaml
node_image: kindest/node:v${{ matrix.kind-k8s-version }} node_image: kindest/node:v${{ matrix.kind-k8s-version }}
version: v0.22.0
- run: bats --tap --timing ./test/acceptance # Skip CSI tests if K8s version < 1.16.x
permissions: - run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV
contents: read - if: ${{ env.K8S_MINOR < 16 }}
run: echo "SKIP_CSI=true" >> $GITHUB_ENV
- run: bats ./test/acceptance -t
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
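Review bot: On the new side every third-party action is referenced by a mutable tag (`actions/checkout@v2`, `helm/kind-action@v1.2.0`) in a job that receives `secrets.VAULT_LICENSE_CI`, whereas the other column pins each action to a commit SHA with the tag in a trailing comment; pin to SHAs here, and likewise in jira.yaml, setup-test-tools and tests.yaml, which have the same pattern. The `if: ${{ env.K8S_MINOR < 16 }}` guard assumes `kubectl version -o json | jq -r .serverVersion.minor` yields a plain integer; some distributions report values such as `21+`, which the expression would most likely fail to coerce to a number, so the CSI skip would silently never apply — `jq -r '.serverVersion.minor | gsub("[^0-9]"; "")'` strips the suffix first. Which side the `on:` trigger lines belong to is not recoverable from the rendering, so I have not reviewed them.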

72
.github/workflows/jira.yaml vendored Normal file

@ -0,0 +1,72 @@
on:
issues:
types: [opened, closed, deleted, reopened]
pull_request_target:
types: [opened, closed, reopened]
issue_comment: # Also triggers when commenting on a PR from the conversation view
types: [created]
name: Jira Sync
jobs:
sync:
runs-on: ubuntu-latest
name: Jira sync
steps:
- name: Login
uses: atlassian/gajira-login@v2.0.0
env:
JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
- name: Preprocess
if: github.event.action == 'opened' || github.event.action == 'created'
id: preprocess
run: |
if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
echo "::set-output name=type::PR"
else
echo "::set-output name=type::ISS"
fi
- name: Create ticket
if: github.event.action == 'opened'
uses: tomhjp/gh-action-jira-create@v0.2.0
with:
project: VAULT
issuetype: "GH Issue"
summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}"
description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_"
# customfield_10089 is Issue Link custom field
# customfield_10091 is team custom field
extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "runtime"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}'
- name: Search
if: github.event.action != 'opened'
id: search
uses: tomhjp/gh-action-jira-search@v0.2.1
with:
# cf[10089] is Issue Link custom field
jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'
- name: Sync comment
if: github.event.action == 'created' && steps.search.outputs.issue
uses: tomhjp/gh-action-jira-comment@v0.2.0
with:
issue: ${{ steps.search.outputs.issue }}
comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}"
- name: Close ticket
if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue
uses: atlassian/gajira-transition@v2.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: Close
- name: Reopen ticket
if: github.event.action == 'reopened' && steps.search.outputs.issue
uses: atlassian/gajira-transition@v2.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: "Pending Triage"
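Review bot: The `Preprocess` step uses `::set-output name=type::PR`, the workflow-command form GitHub has deprecated; the lint workflow on this page already writes `echo "changed=true" >> "$GITHUB_OUTPUT"`, so `echo "type=PR" >> "$GITHUB_OUTPUT"` (and the ISS branch likewise) keeps the two consistent. The workflow has no `permissions:` block while it runs on `pull_request_target` and `issue_comment`, i.e. in the base repository's context with the default `GITHUB_TOKEN`; since every step only talks to Jira, `permissions: {}` at the top level (or the narrowest `issues`/`pull-requests` read scopes the actions need) limits what the token can do. Issue and comment bodies are handed to the actions through `with:` inputs rather than interpolated into a `run:` line, which is the right channel for untrusted text; a one-line comment on the `Create ticket` step saying so would keep a future edit from moving them into a shell command. The `atlassian/*` and `tomhjp/*` actions are referenced by mutable tag; see the acceptance.yaml note on pinning.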


@ -1,47 +0,0 @@
name: Lint and Test Chart
on:
pull_request:
paths:
- 'charts/**'
permissions:
contents: read
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: "0"
- name: Install Helm
uses: azure/setup-helm@v4
- name: Set up chart-testing
uses: helm/chart-testing-action@v2.6.1
- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
if [[ -n "$changed" ]]; then
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
- name: Run chart-testing (lint)
id: lint
if: steps.list-changed.outputs.changed == 'true'
run: ct lint --target-branch ${{ github.event.repository.default_branch }}
- name: Create kind cluster
uses: helm/kind-action@v1.10.0
if: steps.list-changed.outputs.changed == 'true'
- name: Run chart-testing (install)
id: install
if: steps.list-changed.outputs.changed == 'true'
run: ct install --target-branch ${{ github.event.repository.default_branch }}


@ -1,38 +0,0 @@
name: Release
on:
push:
branches:
- main
paths:
- 'charts/**'
jobs:
release:
environment: helm-release
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Install Helm
uses: azure/setup-helm@v3.5
id: helm-install
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run chart-releaser
id: helm-release
uses: helm/chart-releaser-action@v1.6.0
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_GENERATE_RELEASE_NOTES: true


@ -0,0 +1,18 @@
name: Setup common testing tools
description: Install bats and python-yq
runs:
using: "composite"
steps:
- uses: actions/setup-node@v2
with:
node-version: '14'
- run: npm install -g bats@${BATS_VERSION}
shell: bash
env:
BATS_VERSION: '1.5.0'
- run: bats -v
shell: bash
- uses: actions/setup-python@v2
- run: pip install yq
shell: bash
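Review bot: `actions/setup-python@v2` is used with no `python-version`, so `pip install yq` runs against whatever Python the runner image ships that day, while the `setup-node` step in the same action does pin `node-version: '14'`; adding `with:` / `python-version: '3.x'` (or the exact version the project tests with, quoted) makes the tool set reproducible. `pip install yq` is also unversioned, so the yq CLI the unit tests depend on can change underneath them; `pip install 'yq==<VERSION>'` with the tested version pins it, matching how `bats@${BATS_VERSION}` is already handled. Action references use mutable tags here too; see the acceptance.yaml note.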


@ -1,24 +1,25 @@
name: Tests name: Tests
on: [push, workflow_dispatch] on: [push, workflow_dispatch]
jobs: jobs:
bats-unit-tests: bats-unit-tests:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/checkout@v2
- uses: ./.github/actions/setup-test-tools - uses: ./.github/workflows/setup-test-tools
- run: bats --tap --timing ./test/unit - run: bats ./test/unit -t
chart-verifier: chart-verifier:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: env:
CHART_VERIFIER_VERSION: "1.13.7" CHART_VERIFIER_VERSION: '1.2.1'
steps: steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/checkout@v2
- name: Setup test tools - name: Setup test tools
uses: ./.github/actions/setup-test-tools uses: ./.github/workflows/setup-test-tools
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - uses: actions/setup-go@v2
with: with:
go-version: "1.22.5" go-version: '1.17.4'
- run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
- run: bats --tap --timing ./test/chart - run: bats ./test/chart -t
permissions:
contents: read
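Review bot: The trailing `permissions:` / `contents: read` pair appears in only one column, and the rendering does not settle which side it belongs to; if the new side lacks it, the `GITHUB_TOKEN` handed to the unpinned `actions/checkout@v2` and `actions/setup-go@v2` steps gets the repository's default scope, which is broader than these read-only test jobs need. Keep a top-level `permissions:` with `contents: read` regardless of which column it came from. The `go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}` argument is unquoted on the new side; harmless for the current value, but quoting it as the other column does avoids word-splitting if the variable is ever set to something containing spaces. Actions are referenced by mutable tag here too; see the acceptance.yaml note.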

1
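--- a/.gitignore
+++ b/.gitignore
@@ -11,4 +11,3 @@ vaul-helm-dev-creds.json
 ./test/acceptance/values.yaml
 ./test/acceptance/values.yml
 .idea
-scratch/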

4
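--- /dev/null
+++ b/.helmignore
@@ -0,0 +1,4 @@
+.git/
+.terraform/
+bin/
+test/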
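Review bot: The ignore list excludes `.git/`, `.terraform/`, `bin/` and `test/` but not the credential file this tree writes into the repository root: `.circleci/config.yml` on this page decodes `GOOGLE_APP_CREDS` into `vault-helm-test.json`, the Makefile defaults `GOOGLE_CREDENTIALS` to the same name, and the `.gitignore` hunk context already lists `vaul-helm-dev-creds.json`. A `helm package` run from such a workspace would bundle the service-account key into the chart archive. A blanket `*.json` would also drop the chart's `values.schema.json` (the Makefile has a `values-schema:` target), so list `vault-helm-test.json` and `vaul-helm-dev-creds.json` explicitly, and consider mirroring `.idea` from `.gitignore` as well.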


@ -1,168 +1,17 @@
## Unreleased ## Unreleased
Bugs:
* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005)
## 0.27.0 (November 16, 2023)
Changes:
* Default `vault` version updated to 1.15.2
Features:
* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965)
* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969)
* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877)
Improvements:
* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971)
## 0.26.1 (October 30, 2023)
Bugs:
* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=<some_number>`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961)
## 0.26.0 (October 27, 2023)
Changes:
* Default `vault` version updated to 1.15.1
* Default `vault-k8s` version updated to 1.3.1
* Default `vault-csi-provider` version updated to 1.4.1
* Tested with Kubernetes versions 1.24-1.28
* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966)
Features:
* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833)
* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955)
* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896)
* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923)
Bugs:
* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
Improvements:
* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912)
* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943)
## 0.25.0 (June 26, 2023)
Changes:
* Latest Kubernetes version tested is now 1.27
* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902)
* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
Improvements:
* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862)
* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798)
* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
Bugs:
* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886)
## 0.24.1 (April 17, 2023)
Bugs:
* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872)
## 0.24.0 (April 6, 2023)
Changes:
* Earliest Kubernetes version tested is now 1.22
* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863)
* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868)
* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
Features:
* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831)
* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852)
* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
## 0.23.0 (November 28th, 2022)
Changes:
* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
Features:
* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813)
Bugs:
* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810)
## 0.22.1 (October 26th, 2022)
Changes:
* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
## 0.22.0 (September 8th, 2022)
Features:
* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772)
Changes:
* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785)
## 0.21.0 (August 10th, 2022)
CHANGES:
* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
Features:
* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610)
* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753)
## 0.20.1 (May 25th, 2022)
CHANGES:
* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739)
Improvements:
* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
Bugs:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
## 0.20.0 (May 16th, 2022)
CHANGES: CHANGES:
* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) * `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) * Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Vault default image to 1.10.3 * Vault default image to 1.9.3
* CSI provider default image to 1.1.0 * CSI provider default image to 1.1.0
* Vault K8s default image to 0.16.0
* Earliest Kubernetes version tested is now 1.16 * Earliest Kubernetes version tested is now 1.16
* Helm 3.6+ now required
Features:
* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
Improvements: Improvements:
* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) * Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) * Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) * Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
## 0.19.0 (January 20th, 2022) ## 0.19.0 (January 20th, 2022)


@ -1,8 +1,8 @@
# Contributing to OpenBao Helm # Contributing to Vault Helm
**Please note:** We take OpenBao's security and our users' trust very seriously. **Please note:** We take Vault's security and our users' trust very seriously.
If you believe you have found a security issue in OpenBao, please responsibly If you believe you have found a security issue in Vault, please responsibly
disclose by contacting us at openbao-security@lists.lfedge.org. disclose by contacting us at security@hashicorp.com.
**First:** if you're unsure or afraid of _anything_, just ask or submit the **First:** if you're unsure or afraid of _anything_, just ask or submit the
issue or pull request anyways. You won't be yelled at for giving it your best issue or pull request anyways. You won't be yelled at for giving it your best
@ -12,15 +12,14 @@ rules to get in the way of that.
That said, if you want to ensure that a pull request is likely to be merged, That said, if you want to ensure that a pull request is likely to be merged,
talk to us! You can find out our thoughts and ensure that your contribution talk to us! You can find out our thoughts and ensure that your contribution
won't clash or be obviated by OpenBao's normal direction. A great way to do this won't clash or be obviated by Vault's normal direction. A great way to do this
is via the [Linux Foundation Element chat server][1], or [mailing list][2]. is via the [Vault Discussion Forum][1].
This document will cover what we're looking for in terms of reporting issues. This document will cover what we're looking for in terms of reporting issues.
By addressing all the points we're looking for, it raises the chances we can By addressing all the points we're looking for, it raises the chances we can
quickly merge or address your contributions. quickly merge or address your contributions.
[1]: https://chat.lfx.linuxfoundation.org [1]: https://discuss.hashicorp.com/c/vault
[2]: https://lists.lfedge.org/g/openbao
## Issues ## Issues
@ -34,14 +33,14 @@ quickly merge or address your contributions.
* Provide steps to reproduce the issue, and if possible include the expected * Provide steps to reproduce the issue, and if possible include the expected
results as well as the actual results. Please provide text, not screen shots! results as well as the actual results. Please provide text, not screen shots!
* Respond as promptly as possible to any questions made by the OpenBao * Respond as promptly as possible to any questions made by the Vault
team to your issue. Stale issues will be closed periodically. team to your issue. Stale issues will be closed periodically.
### Issue Lifecycle ### Issue Lifecycle
1. The issue is reported. 1. The issue is reported.
2. The issue is verified and categorized by a OpenBao Helm collaborator. 2. The issue is verified and categorized by a Vault Helm collaborator.
Categorization is done via tags. For example, bugs are marked as "bugs". Categorization is done via tags. For example, bugs are marked as "bugs".
3. Unless it is critical, the issue may be left for a period of time (sometimes 3. Unless it is critical, the issue may be left for a period of time (sometimes
@ -71,25 +70,25 @@ The following are the instructions for running bats tests using a Docker contain
#### Prerequisites #### Prerequisites
* Docker installed * Docker installed
* `openbao-helm` checked out locally * `vault-helm` checked out locally
#### Test #### Test
**Note:** the following commands should be run from the `openbao-helm` directory. **Note:** the following commands should be run from the `vault-helm` directory.
First, build the Docker image for running the tests: First, build the Docker image for running the tests:
```shell ```shell
docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t openbao-helm-test docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test
``` ```
Next, execute the tests with the following commands: Next, execute the tests with the following commands:
```shell ```shell
docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit
``` ```
It's possible to only run specific bats tests using regular expressions. It's possible to only run specific bats tests using regular expressions.
For example, the following will run only tests with "injector" in the name: For example, the following will run only tests with "injector" in the name:
```shell ```shell
docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector" docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector"
``` ```
### Test Manually ### Test Manually
@ -123,7 +122,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
start from a clean slate. start from a clean slate.
**Note:** There is a Terraform configuration in the **Note:** There is a Terraform configuration in the
[`test/terraform/`](https://github.com/openbao/openbao-helm/tree/main/test/terraform) directory [`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory
that can be used to quickly bring up a GKE cluster and configure that can be used to quickly bring up a GKE cluster and configure
`kubectl` and `helm` locally. This can be used to quickly spin up a test `kubectl` and `helm` locally. This can be used to quickly spin up a test
cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes

14
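--- /dev/null
+++ b/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: vault
+version: 0.19.0
+appVersion: 1.9.3
+kubeVersion: ">= 1.16.0-0"
+description: Official HashiCorp Vault Chart
+home: https://www.vaultproject.io
+icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
+keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
+sources:
+- https://github.com/hashicorp/vault
+- https://github.com/hashicorp/vault-helm
+- https://github.com/hashicorp/vault-k8s
+- https://github.com/hashicorp/vault-csi-provider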


@ -1,5 +1,3 @@
Copyright (c) 2018 HashiCorp, Inc.
Mozilla Public License, version 2.0 Mozilla Public License, version 2.0
1. Definitions 1. Definitions


@ -1,6 +1,6 @@
TEST_IMAGE?=openbao-helm-test TEST_IMAGE?=vault-helm-test
GOOGLE_CREDENTIALS?=openbao-helm-test.json GOOGLE_CREDENTIALS?=vault-helm-test.json
CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514 CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
ACCEPTANCE_TESTS?=acceptance ACCEPTANCE_TESTS?=acceptance
@ -11,10 +11,10 @@ UNIT_TESTS_FILTER?='.*'
LOCAL_ACCEPTANCE_TESTS?=false LOCAL_ACCEPTANCE_TESTS?=false
# kind cluster name # kind cluster name
KIND_CLUSTER_NAME?=openbao-helm KIND_CLUSTER_NAME?=vault-helm
# kind k8s version # kind k8s version
KIND_K8S_VERSION?=v1.29.2 KIND_K8S_VERSION?=v1.20.2
# Generate json schema for chart values. See test/README.md for more details. # Generate json schema for chart values. See test/README.md for more details.
values-schema: values-schema:
@ -40,6 +40,7 @@ else
-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
-e KUBECONFIG=/helm-test/.kube/config \ -e KUBECONFIG=/helm-test/.kube/config \
-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
-w /helm-test \ -w /helm-test \
$(TEST_IMAGE) \ $(TEST_IMAGE) \
make acceptance make acceptance
@ -70,7 +71,7 @@ acceptance:
ifneq ($(LOCAL_ACCEPTANCE_TESTS),true) ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
endif endif
bats --tap --timing test/${ACCEPTANCE_TESTS} bats test/${ACCEPTANCE_TESTS}
# this target is for provisioning the GKE cluster # this target is for provisioning the GKE cluster
# it is run in the docker container above when the test-provision target is invoked # it is run in the docker container above when the test-provision target is invoked
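Review bot: The new side of the `@ -40,6 +40,7 @@` hunk hands the enterprise license to the test container through its environment, `-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI}`, where it is readable by anyone who can run `docker inspect` on the host or read `/proc/*/environ` inside the container; a bind-mounted file with restrictive permissions would keep the secret out of the process environment, in the same way the GCP credentials are already consumed by path via `--key-file=${GOOGLE_CREDENTIALS}`. When `VAULT_LICENSE_CI` is unset on the host this line also exports an empty variable rather than failing early, so a guard such as `$(if $(VAULT_LICENSE_CI),,$(warning VAULT_LICENSE_CI is not set; enterprise acceptance tests will fail))` would make the misconfiguration visible before the cluster is provisioned. The `docker run` invocation this line belongs to begins before the hunk, so I cannot see whether the license is also written to a file elsewhere. Separately, the new side pins `KIND_K8S_VERSION?=v1.20.2`, which is well below the release line current at the time of this merge; acceptance runs on it would not exercise the API versions (PDB `policy/v1`, PSP removal) that the chart's consumers are moving to, so consider pinning to a supported kind node image.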


@ -1,12 +1,16 @@
# OpenBao Helm Chart # Vault Helm Chart
> :warning: **Please note**: We take OpenBao's security and our users' trust very seriously. If > :warning: **Please note**: We take Vault's security and our users' trust very seriously. If
you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_ you believe you have found a security issue in Vault Helm, _please responsibly disclose_
by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org). by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
This repository contains the OpenBao Helm chart for installing This repository contains the official HashiCorp Helm chart for installing
and configuring OpenBao on Kubernetes. This chart supports multiple use and configuring Vault on Kubernetes. This chart supports multiple use
cases of OpenBao on Kubernetes depending on the values provided. cases of Vault on Kubernetes depending on the values provided.
For full documentation on this Helm chart along with all the ways you can
use Vault with Kubernetes, please see the
[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/).
## Prerequisites ## Prerequisites
@ -16,19 +20,25 @@ this README. Please refer to the Kubernetes and Helm documentation.
The versions required are: The versions required are:
* **Helm 3.12+** - Earliest verison tested * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible
* **Kubernetes 1.28+** - This is the earliest version of Kubernetes tested. it works with earlier versions but this chart is untested for those versions.
* **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested.
It is possible that this chart works with earlier versions but it is It is possible that this chart works with earlier versions but it is
untested. untested.
## Usage ## Usage
To install the latest version of this chart, add the OpenBao helm repository and run `helm install`: To install the latest version of this chart, add the Hashicorp helm repository
and run `helm install`:
```console ```console
helm repo add openbao https://openbao.github.io/openbao-helm $ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
helm install openbao openbao/openbao $ helm install vault hashicorp/vault
``` ```
Please see the many options supported in the [`values.yaml`](./charts/openbao/values.yaml) file. These are also fully documented directly in the [openbao README](./charts/openbao/README.md) along with more detailed installation instructions. Please see the many options supported in the `values.yaml` file. These are also
fully documented directly on the [Vault
website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more
detailed installation instructions.


@ -1,28 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.terraform/
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# CI and test
.circleci/
.github/
.gitlab-ci.yml
test/


@ -1,31 +0,0 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
apiVersion: v2
name: openbao
version: 0.6.0
appVersion: v2.0.2
kubeVersion: ">= 1.27.0-0"
description: Official OpenBao Chart
home: https://github.com/openbao/openbao-helm
icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg
keywords:
[
"vault",
"openbao",
"security",
"encryption",
"secrets",
"management",
"automation",
"infrastructure",
]
sources:
- https://github.com/openbao/openbao-helm
annotations:
charts.openshift.io/name: Openbao
maintainers:
- name: OpenBao
email: openbao-security@lists.lfedge.org
url: https://openbao.org


@ -1,294 +0,0 @@
# openbao
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square)
Official OpenBao Chart
**Homepage:** <https://github.com/openbao/openbao-helm>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| OpenBao | <openbao-security@lists.lfedge.org> | <https://openbao.org> |
## Source Code
* <https://github.com/openbao/openbao-helm>
## Requirements
Kubernetes: `>= 1.27.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| csi.agent.enabled | bool | `true` | |
| csi.agent.extraArgs | list | `[]` | |
| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
| csi.agent.image.registry | string | `"quay.io"` | image registry to use for agent image |
| csi.agent.image.repository | string | `"openbao/openbao"` | image repo to use for agent image |
| csi.agent.image.tag | string | `"2.0.2"` | image tag to use for agent image |
| csi.agent.logFormat | string | `"standard"` | |
| csi.agent.logLevel | string | `"info"` | |
| csi.agent.resources | object | `{}` | |
| csi.daemonSet.annotations | object | `{}` | |
| csi.daemonSet.extraLabels | object | `{}` | |
| csi.daemonSet.kubeletRootDir | string | `"/var/lib/kubelet"` | |
| csi.daemonSet.providersDir | string | `"/etc/kubernetes/secrets-store-csi-providers"` | |
| csi.daemonSet.securityContext.container | object | `{}` | |
| csi.daemonSet.securityContext.pod | object | `{}` | |
| csi.daemonSet.updateStrategy.maxUnavailable | string | `""` | |
| csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` | |
| csi.debug | bool | `false` | |
| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount OpenBao secrets into volumes similar to the OpenBao Agent injector, and you can also sync those secrets into Kubernetes secrets. |
| csi.extraArgs | list | `[]` | |
| csi.hmacSecretName | string | `""` | |
| csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" |
| csi.image.registry | string | `"docker.io"` | image registry to use for csi image |
| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | image repo to use for csi image |
| csi.image.tag | string | `"1.4.0"` | image tag to use for csi image |
| csi.livenessProbe.failureThreshold | int | `2` | |
| csi.livenessProbe.initialDelaySeconds | int | `5` | |
| csi.livenessProbe.periodSeconds | int | `5` | |
| csi.livenessProbe.successThreshold | int | `1` | |
| csi.livenessProbe.timeoutSeconds | int | `3` | |
| csi.pod.affinity | object | `{}` | |
| csi.pod.annotations | object | `{}` | |
| csi.pod.extraLabels | object | `{}` | |
| csi.pod.nodeSelector | object | `{}` | |
| csi.pod.tolerations | list | `[]` | |
| csi.priorityClassName | string | `""` | |
| csi.readinessProbe.failureThreshold | int | `2` | |
| csi.readinessProbe.initialDelaySeconds | int | `5` | |
| csi.readinessProbe.periodSeconds | int | `5` | |
| csi.readinessProbe.successThreshold | int | `1` | |
| csi.readinessProbe.timeoutSeconds | int | `3` | |
| csi.resources | object | `{}` | |
| csi.serviceAccount.annotations | object | `{}` | |
| csi.serviceAccount.extraLabels | object | `{}` | |
| csi.volumeMounts | list | `[]` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
| csi.volumes | list | `[]` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
| global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. |
| global.externalVaultAddr | string | `""` | External openbao server address for the injector and CSI provider to use. Setting this will disable deployment of a openbao server. |
| global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. |
| global.namespace | string | `""` | The namespace to deploy to. Defaults to the `helm` installation namespace. |
| global.openshift | bool | `false` | If deploying to OpenShift |
| global.psp | object | `{"annotations":"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n","enable":false}` | Create PodSecurityPolicy for pods |
| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. |
| global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. |
| global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport |
| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | |
| injector.agentDefaults.cpuLimit | string | `"500m"` | |
| injector.agentDefaults.cpuRequest | string | `"250m"` | |
| injector.agentDefaults.memLimit | string | `"128Mi"` | |
| injector.agentDefaults.memRequest | string | `"64Mi"` | |
| injector.agentDefaults.template | string | `"map"` | |
| injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | |
| injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | |
| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.2"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. |
| injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
| injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image |
| injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image |
| injector.agentImage.tag | string | `"2.0.2"` | image tag to use for agent image |
| injector.annotations | object | `{}` | |
| injector.authPath | string | `"auth/kubernetes"` | |
| injector.certs.caBundle | string | `""` | |
| injector.certs.certName | string | `"tls.crt"` | |
| injector.certs.keyName | string | `"tls.key"` | |
| injector.certs.secretName | string | `nil` | |
| injector.enabled | string | `"-"` | True if you want to enable openbao agent injection. @default: global.enabled |
| injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. |
| injector.extraEnvironmentVars | object | `{}` | |
| injector.extraLabels | object | `{}` | |
| injector.failurePolicy | string | `"Ignore"` | |
| injector.hostNetwork | bool | `false` | |
| injector.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for k8s image. if tag is "latest", set to "Always" |
| injector.image.registry | string | `"docker.io"` | image registry to use for k8s image |
| injector.image.repository | string | `"hashicorp/vault-k8s"` | image repo to use for k8s image |
| injector.image.tag | string | `"1.4.2"` | image tag to use for k8s image |
| injector.leaderElector | object | `{"enabled":true}` | If multiple replicas are specified, by default a leader will be determined so that only one injector attempts to create TLS certificates. |
| injector.livenessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
| injector.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
| injector.livenessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe |
| injector.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
| injector.livenessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
| injector.logFormat | string | `"standard"` | Configures the log format of the injector. Supported log formats: "standard", "json". |
| injector.logLevel | string | `"info"` | Configures the log verbosity of the injector. Supported log levels include: trace, debug, info, warn, error |
| injector.metrics | object | `{"enabled":false}` | If true, will enable a node exporter metrics endpoint at /metrics. |
| injector.namespaceSelector | object | `{}` | |
| injector.nodeSelector | object | `{}` | |
| injector.objectSelector | object | `{}` | |
| injector.podDisruptionBudget | object | `{}` | |
| injector.port | int | `8080` | Configures the port the injector should listen on |
| injector.priorityClassName | string | `""` | |
| injector.readinessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
| injector.readinessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
| injector.readinessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe |
| injector.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
| injector.readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
| injector.replicas | int | `1` | |
| injector.resources | object | `{}` | |
| injector.revokeOnShutdown | bool | `false` | |
| injector.securityContext.container | object | `{}` | |
| injector.securityContext.pod | object | `{}` | |
| injector.service.annotations | object | `{}` | |
| injector.serviceAccount.annotations | object | `{}` | |
| injector.startupProbe.failureThreshold | int | `12` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
| injector.startupProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
| injector.startupProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
| injector.startupProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
| injector.startupProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
| injector.strategy | object | `{}` | |
| injector.tolerations | list | `[]` | |
| injector.topologySpreadConstraints | list | `[]` | |
| injector.webhook.annotations | object | `{}` | |
| injector.webhook.failurePolicy | string | `"Ignore"` | |
| injector.webhook.matchPolicy | string | `"Exact"` | |
| injector.webhook.namespaceSelector | object | `{}` | |
| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"openbao.name\" . }}-agent-injector\n"` | |
| injector.webhook.timeoutSeconds | int | `30` | |
| injector.webhookAnnotations | object | `{}` | |
| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | |
| server.annotations | object | `{}` | |
| server.auditStorage.accessMode | string | `"ReadWriteOnce"` | |
| server.auditStorage.annotations | object | `{}` | |
| server.auditStorage.enabled | bool | `false` | |
| server.auditStorage.labels | object | `{}` | |
| server.auditStorage.mountPath | string | `"/openbao/audit"` | |
| server.auditStorage.size | string | `"10Gi"` | |
| server.auditStorage.storageClass | string | `nil` | |
| server.authDelegator.enabled | bool | `true` | |
| server.configAnnotation | bool | `false` | |
| server.dataStorage.accessMode | string | `"ReadWriteOnce"` | |
| server.dataStorage.annotations | object | `{}` | |
| server.dataStorage.enabled | bool | `true` | |
| server.dataStorage.labels | object | `{}` | |
| server.dataStorage.mountPath | string | `"/openbao/data"` | |
| server.dataStorage.size | string | `"10Gi"` | |
| server.dataStorage.storageClass | string | `nil` | |
| server.dev.devRootToken | string | `"root"` | |
| server.dev.enabled | bool | `false` | |
| server.enabled | string | `"-"` | |
| server.extraArgs | string | `""` | extraArgs is a string containing additional OpenBao server arguments. |
| server.extraContainers | string | `nil` | |
| server.extraEnvironmentVars | object | `{}` | |
| server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. |
| server.extraLabels | object | `{}` | |
| server.extraPorts | list | `[]` | extraPorts is a list of extra ports. Specified as a YAML list. This is useful if you need to add additional ports to the statefulset in dynamic way. |
| server.extraSecretEnvironmentVars | list | `[]` | |
| server.extraVolumes | list | `[]` | |
| server.ha.apiAddr | string | `nil` | |
| server.ha.clusterAddr | string | `nil` | |
| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"openbao\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | |
| server.ha.disruptionBudget.enabled | bool | `true` | |
| server.ha.disruptionBudget.maxUnavailable | string | `nil` | |
| server.ha.enabled | bool | `false` | |
| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/openbao/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | |
| server.ha.raft.enabled | bool | `false` | |
| server.ha.raft.setNodeId | bool | `false` | |
| server.ha.replicas | int | `3` | |
| server.hostAliases | list | `[]` | |
| server.hostNetwork | bool | `false` | |
| server.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for server image. if tag is "latest", set to "Always" |
| server.image.registry | string | `"quay.io"` | image registry to use for server image |
| server.image.repository | string | `"openbao/openbao"` | image repo to use for server image |
| server.image.tag | string | `"2.0.2"` | image tag to use for server image |
| server.ingress.activeService | bool | `true` | |
| server.ingress.annotations | object | `{}` | |
| server.ingress.enabled | bool | `false` | |
| server.ingress.extraPaths | list | `[]` | |
| server.ingress.hosts[0].host | string | `"chart-example.local"` | |
| server.ingress.hosts[0].paths | list | `[]` | |
| server.ingress.ingressClassName | string | `""` | |
| server.ingress.labels | object | `{}` | |
| server.ingress.pathType | string | `"Prefix"` | |
| server.ingress.tls | list | `[]` | |
| server.livenessProbe.enabled | bool | `false` | |
| server.livenessProbe.execCommand | list | `[]` | |
| server.livenessProbe.failureThreshold | int | `2` | |
| server.livenessProbe.initialDelaySeconds | int | `60` | |
| server.livenessProbe.path | string | `"/v1/sys/health?standbyok=true"` | |
| server.livenessProbe.periodSeconds | int | `5` | |
| server.livenessProbe.port | int | `8200` | |
| server.livenessProbe.successThreshold | int | `1` | |
| server.livenessProbe.timeoutSeconds | int | `3` | |
| server.logFormat | string | `""` | |
| server.logLevel | string | `""` | |
| server.networkPolicy.egress | list | `[]` | |
| server.networkPolicy.enabled | bool | `false` | |
| server.networkPolicy.ingress[0].from[0].namespaceSelector | object | `{}` | |
| server.networkPolicy.ingress[0].ports[0].port | int | `8200` | |
| server.networkPolicy.ingress[0].ports[0].protocol | string | `"TCP"` | |
| server.networkPolicy.ingress[0].ports[1].port | int | `8201` | |
| server.networkPolicy.ingress[0].ports[1].protocol | string | `"TCP"` | |
| server.nodeSelector | object | `{}` | |
| server.persistentVolumeClaimRetentionPolicy | object | `{}` | |
| server.postStart | list | `[]` | |
| server.preStopSleepSeconds | int | `5` | |
| server.priorityClassName | string | `""` | |
| server.readinessProbe.enabled | bool | `true` | |
| server.readinessProbe.failureThreshold | int | `2` | |
| server.readinessProbe.initialDelaySeconds | int | `5` | |
| server.readinessProbe.periodSeconds | int | `5` | |
| server.readinessProbe.port | int | `8200` | |
| server.readinessProbe.successThreshold | int | `1` | |
| server.readinessProbe.timeoutSeconds | int | `3` | |
| server.resources | object | `{}` | |
| server.route.activeService | bool | `true` | |
| server.route.annotations | object | `{}` | |
| server.route.enabled | bool | `false` | |
| server.route.host | string | `"chart-example.local"` | |
| server.route.labels | object | `{}` | |
| server.route.tls.termination | string | `"passthrough"` | |
| server.service.active.annotations | object | `{}` | |
| server.service.active.enabled | bool | `true` | |
| server.service.annotations | object | `{}` | |
| server.service.enabled | bool | `true` | |
| server.service.externalTrafficPolicy | string | `"Cluster"` | |
| server.service.instanceSelector.enabled | bool | `true` | |
| server.service.ipFamilies | list | `[]` | |
| server.service.ipFamilyPolicy | string | `""` | |
| server.service.port | int | `8200` | |
| server.service.publishNotReadyAddresses | bool | `true` | |
| server.service.standby.annotations | object | `{}` | |
| server.service.standby.enabled | bool | `true` | |
| server.service.targetPort | int | `8200` | |
| server.serviceAccount.annotations | object | `{}` | |
| server.serviceAccount.create | bool | `true` | |
| server.serviceAccount.createSecret | bool | `false` | |
| server.serviceAccount.extraLabels | object | `{}` | |
| server.serviceAccount.name | string | `""` | |
| server.serviceAccount.serviceDiscovery.enabled | bool | `true` | |
| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation |
| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/openbao/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | |
| server.standalone.enabled | string | `"-"` | |
| server.statefulSet.annotations | object | `{}` | |
| server.statefulSet.securityContext.container | object | `{}` | |
| server.statefulSet.securityContext.pod | object | `{}` | |
| server.terminationGracePeriodSeconds | int | `10` | |
| server.tolerations | list | `[]` | |
| server.topologySpreadConstraints | list | `[]` | |
| server.updateStrategyType | string | `"OnDelete"` | |
| server.volumeMounts | string | `nil` | |
| server.volumes | string | `nil` | |
| serverTelemetry.prometheusRules.enabled | bool | `false` | |
| serverTelemetry.prometheusRules.rules | list | `[]` | |
| serverTelemetry.prometheusRules.selectors | object | `{}` | |
| serverTelemetry.serviceMonitor.enabled | bool | `false` | |
| serverTelemetry.serviceMonitor.interval | string | `"30s"` | |
| serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` | |
| serverTelemetry.serviceMonitor.selectors | object | `{}` | |
| ui.activeOpenbaoPodOnly | bool | `false` | |
| ui.annotations | object | `{}` | |
| ui.enabled | bool | `false` | |
| ui.externalPort | int | `8200` | |
| ui.externalTrafficPolicy | string | `"Cluster"` | |
| ui.publishNotReadyAddresses | bool | `true` | |
| ui.serviceIPFamilies | list | `[]` | |
| ui.serviceIPFamilyPolicy | string | `""` | |
| ui.serviceNodePort | string | `nil` | |
| ui.serviceType | string | `"ClusterIP"` | |
| ui.targetPort | int | `8200` | |


@ -1,14 +0,0 @@
Thank you for installing OpenBao!
Now that you have deployed OpenBao, you should look over the docs on using
OpenBao with Kubernetes available here:
https://openbao.org/docs/
Your release is named {{ .Release.Name }}. To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get manifest {{ .Release.Name }}


@ -1,34 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
config.hcl: |
vault {
{{- if .Values.global.externalVaultAddr }}
"address" = "{{ .Values.global.externalVaultAddr }}"
{{- else }}
"address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}"
{{- end }}
}
cache {}
listener "unix" {
address = "/var/run/vault/agent.sock"
tls_disable = true
}
{{- end }}


@ -1,24 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
{{- end }}


@ -1,157 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}}
{{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.daemonSet.annotations" . }}
spec:
updateStrategy:
type: {{ .Values.csi.daemonSet.updateStrategy.type }}
{{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
rollingUpdate:
maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "csi.pod.annotations" . }}
spec:
{{ template "csi.daemonSet.securityContext.pod" . }}
{{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }}
serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }}
{{- template "csi.pod.nodeselector" . }}
{{- template "csi.pod.affinity" . }}
containers:
- name: {{ include "openbao.name" . }}-csi-provider
{{ template "csi.resources" . }}
{{ template "csi.daemonSet.securityContext.container" . }}
image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
args:
- --endpoint=/provider/vault.sock
- --debug={{ .Values.csi.debug }}
{{- if .Values.csi.hmacSecretName }}
- --hmac-secret-name={{ .Values.csi.hmacSecretName }}
{{- else }}
- --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key
{{- end }}
{{- if .Values.csi.extraArgs }}
{{- toYaml .Values.csi.extraArgs | nindent 12 }}
{{- end }}
env:
- name: VAULT_ADDR
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
value: "unix:///var/run/vault/agent.sock"
{{- else if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else }}
value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
volumeMounts:
- name: providervol
mountPath: "/provider"
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-unix-socket
mountPath: /var/run/vault
{{- end }}
{{- if .Values.csi.volumeMounts }}
{{- toYaml .Values.csi.volumeMounts | nindent 12}}
{{- end }}
livenessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
readinessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: {{ include "openbao.name" . }}-agent
image: "{{ .Values.csi.agent.image.registry | default "docker.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
{{ template "csi.agent.resources" . }}
command:
- bao
args:
- agent
- -config=/etc/vault/config.hcl
{{- if .Values.csi.agent.extraArgs }}
{{- toYaml .Values.csi.agent.extraArgs | nindent 12 }}
{{- end }}
ports:
- containerPort: 8200
env:
- name: BAO_LOG_LEVEL
value: "{{ .Values.csi.agent.logLevel }}"
- name: BAO_LOG_FORMAT
value: "{{ .Values.csi.agent.logFormat }}"
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 100
runAsGroup: 1000
volumeMounts:
- name: agent-config
mountPath: /etc/vault/config.hcl
subPath: config.hcl
readOnly: true
- name: agent-unix-socket
mountPath: /var/run/vault
{{- if .Values.csi.volumeMounts }}
{{- toYaml .Values.csi.volumeMounts | nindent 12 }}
{{- end }}
{{- end }}
volumes:
- name: providervol
hostPath:
path: {{ .Values.csi.daemonSet.providersDir }}
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-config
configMap:
name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
- name: agent-unix-socket
emptyDir:
medium: Memory
{{- end }}
{{- if .Values.csi.volumes }}
{{- toYaml .Values.csi.volumes | nindent 8}}
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{- end }}


@ -1,32 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-role
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames:
{{- if .Values.csi.hmacSecretName }}
- {{ .Values.csi.hmacSecretName }}
{{- else }}
- {{ include "openbao.name" . }}-csi-provider-hmac-key
{{- end }}
# 'create' permissions cannot be restricted by resource name:
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
{{- end }}


@ -1,25 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "openbao.fullname" . }}-csi-provider-role
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
{{- end }}


@ -1,30 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs:
- "get"
- "list"
- "watch"
- "patch"
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- apiGroups: [""]
resources: ["nodes"]
verbs:
- "get"
{{ end }}
{{ end }}


@ -1,24 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-binding
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
{{ end }}


@ -1,26 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-psp
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "openbao.fullname" . }}-agent-injector-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-agent-injector
{{- end }}
{{- end }}


@ -1,27 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
{{- end }}
{{- end }}


@ -1,18 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.serviceAccount.annotations" . }}
{{ end }}


@ -1,31 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ if and (.Values.serverTelemetry.prometheusRules.rules)
(or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) )
}}
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "openbao.fullname" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
{{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }}
{{- if $selectors }}
{{- toYaml $selectors | nindent 4 }}
{{- else }}
release: prometheus
{{- end }}
spec:
groups:
- name: {{ include "openbao.fullname" . }}
rules:
{{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
{{- end }}


@ -1,49 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "openbao.fullname" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
{{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }}
{{- if $selectors }}
{{- toYaml $selectors | nindent 4 }}
{{- else }}
release: prometheus
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if eq .mode "ha" }}
openbao-active: "true"
{{- else }}
openbao-internal: "true"
{{- end }}
endpoints:
- port: {{ include "openbao.scheme" . }}
interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
scheme: {{ include "openbao.scheme" . | lower }}
path: /v1/sys/metrics
params:
format:
- prometheus
tlsConfig:
insecureSkipVerify: true
namespaceSelector:
matchNames:
- {{ include "openbao.namespace" . }}
{{ end }}


@ -1,31 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openbao.fullname" . }}-config
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.includeConfigAnnotation }}
annotations:
vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
{{- end }}
data:
extraconfig-from-values.hcl: |-
{{ template "openbao.config" . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -1,26 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ include "openbao.namespace" . }}
name: {{ template "openbao.fullname" . }}-discovery-role
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "update", "patch"]
{{ end }}
{{ end }}
{{ end }}


@ -1,34 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: RoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-discovery-rolebinding
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "openbao.fullname" . }}-discovery-role
subjects:
- kind: ServiceAccount
name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "openbao.namespace" . }}
{{ end }}
{{ end }}
{{ end }}


@ -1,64 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
# Service for active OpenBao pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "openbao.fullname" . }}-active
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
openbao-active: "true"
annotations:
{{- template "openbao.service.active.annotations" . }}
{{- template "openbao.service.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "openbao.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.activeNodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
openbao-active: "true"
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -1,63 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
# Service for standby OpenBao pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "openbao.fullname" . }}-standby
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{- template "openbao.service.standby.annotations" . }}
{{- template "openbao.service.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "openbao.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.standbyNodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
openbao-active: "false"
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -1,47 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for OpenBao cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "openbao.fullname" . }}-internal
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
openbao-internal: "true"
annotations:
{{ template "openbao.service.annotations" .}}
spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: "{{ include "openbao.scheme" . }}"
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end }}
{{- end }}


@ -1,21 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.serverServiceAccountSecretCreationEnabled" . }}
{{- if .serverServiceAccountSecretCreationEnabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "openbao.serviceAccount.name" . }}-token
namespace: {{ include "openbao.namespace" . }}
annotations:
kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
type: kubernetes.io/service-account-token
{{ end }}


@ -1,22 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.serverServiceAccountEnabled" . }}
{{- if .serverServiceAccountEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.serviceAccount.extraLabels -}}
{{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "openbao.serviceAccount.annotations" . }}
{{ end }}


@ -1,50 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- template "openbao.uiEnabled" . -}}
{{- if .uiEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "openbao.fullname" . }}-ui
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}-ui
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "openbao.ui.annotations" . }}
spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.ui.serviceIPFamilyPolicy }}
ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }}
{{- end }}
{{- if .Values.ui.serviceIPFamilies }}
ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }}
openbao-active: "true"
{{- end }}
publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
ports:
- name: {{ include "openbao.scheme" . }}
port: {{ .Values.ui.externalPort }}
targetPort: {{ .Values.ui.targetPort }}
{{- if .Values.ui.serviceNodePort }}
nodePort: {{ .Values.ui.serviceNodePort }}
{{- end }}
type: {{ .Values.ui.serviceType }}
{{- include "service.externalTrafficPolicy" .Values.ui }}
{{- include "service.loadBalancer" .Values.ui }}
{{- end -}}
{{- end }}


@ -1,26 +0,0 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# These overrides are appropriate defaults for deploying this chart on OpenShift
global:
openshift: true
injector:
image:
repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
tag: "1.3.1-ubi"
agentImage:
registry: "quay.io"
repository: "openbao/openbao"
tag: "v2.0.2-ubi"
server:
image:
registry: "quay.io"
repository: "openbao/openbao"
tag: "v2.0.2-ubi"
readinessProbe:
path: "/v1/sys/health?uninitcode=204"

14
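--- /dev/null
+++ b/templates/NOTES.txt
@@ -0,0 +1,14 @@
+Thank you for installing HashiCorp Vault!
+Now that you have deployed Vault, you should look over the docs on using
+Vault with Kubernetes available here:
+https://www.vaultproject.io/docs/
+Your release is named {{ .Release.Name }}. To learn more about the release, try:
+$ helm status {{ .Release.Name }}
+$ helm get manifest {{ .Release.Name }}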


@ -1,15 +1,10 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{/* {{/*
Create a default fully qualified app name. Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to We truncate at 63 chars because some Kubernetes name fields are limited to
this (by the DNS naming spec). If release name contains chart name it will this (by the DNS naming spec). If release name contains chart name it will
be used as a full name. be used as a full name.
*/}} */}}
{{- define "openbao.fullname" -}} {{- define "vault.fullname" -}}
{{- if .Values.fullnameOverride -}} {{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}} {{- else -}}
@ -25,28 +20,21 @@ be used as a full name.
{{/* {{/*
Create chart name and version as used by the chart label. Create chart name and version as used by the chart label.
*/}} */}}
{{- define "openbao.chart" -}} {{- define "vault.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/* {{/*
Expand the name of the chart. Expand the name of the chart.
*/}} */}}
{{- define "openbao.name" -}} {{- define "vault.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/*
Allow the release namespace to be overridden
*/}}
{{- define "openbao.namespace" -}}
{{- default .Release.Namespace .Values.global.namespace -}}
{{- end -}}
{{/* {{/*
Compute if the csi driver is enabled. Compute if the csi driver is enabled.
*/}} */}}
{{- define "openbao.csiEnabled" -}} {{- define "vault.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or {{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true") (eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -55,7 +43,7 @@ Compute if the csi driver is enabled.
{{/* {{/*
Compute if the injector is enabled. Compute if the injector is enabled.
*/}} */}}
{{- define "openbao.injectorEnabled" -}} {{- define "vault.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or {{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true") (eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -64,61 +52,24 @@ Compute if the injector is enabled.
{{/* {{/*
Compute if the server is enabled. Compute if the server is enabled.
*/}} */}}
{{- define "openbao.serverEnabled" -}} {{- define "vault.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or {{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true") (eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}} {{- end -}}
{{/*
Compute if the server serviceaccount is enabled.
*/}}
{{- define "openbao.serverServiceAccountEnabled" -}}
{{- $_ := set . "serverServiceAccountEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true" )
(or
(eq (.Values.server.enabled | toString) "true")
(eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server serviceaccount should have a token created and mounted to the serviceaccount.
*/}}
{{- define "openbao.serverServiceAccountSecretCreationEnabled" -}}
{{- $_ := set . "serverServiceAccountSecretCreationEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true")
(eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}}
{{- end -}}
{{/*
Compute if the server auth delegator serviceaccount is enabled.
*/}}
{{- define "openbao.serverAuthDelegator" -}}
{{- $_ := set . "serverAuthDelegator"
(and
(eq (.Values.server.authDelegator.enabled | toString) "true" )
(or (eq (.Values.server.serviceAccount.create | toString) "true")
(not (eq .Values.server.serviceAccount.name "")))
(or
(eq (.Values.server.enabled | toString) "true")
(eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/* {{/*
Compute if the server service is enabled. Compute if the server service is enabled.
*/}} */}}
{{- define "openbao.serverServiceEnabled" -}} {{- define "vault.serverServiceEnabled" -}}
{{- template "openbao.serverEnabled" . -}} {{- template "vault.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} {{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}} {{- end -}}
{{/* {{/*
Compute if the ui is enabled. Compute if the ui is enabled.
*/}} */}}
{{- define "openbao.uiEnabled" -}} {{- define "vault.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or {{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true") (eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -129,7 +80,7 @@ Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster. This defaults to (n/2)-1 where n is the number of members of the server cluster.
Add a special case for replicas=1, where it should default to 0 as well. Add a special case for replicas=1, where it should default to 0 as well.
*/}} */}}
{{- define "openbao.pdb.maxUnavailable" -}} {{- define "vault.pdb.maxUnavailable" -}}
{{- if eq (int .Values.server.ha.replicas) 1 -}} {{- if eq (int .Values.server.ha.replicas) 1 -}}
{{ 0 }} {{ 0 }}
{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}} {{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}}
@ -143,9 +94,9 @@ Add a special case for replicas=1, where it should default to 0 as well.
Set the variable 'mode' to the server mode requested by the user to simplify Set the variable 'mode' to the server mode requested by the user to simplify
template logic. template logic.
*/}} */}}
{{- define "openbao.mode" -}} {{- define "vault.mode" -}}
{{- template "openbao.serverEnabled" . -}} {{- template "vault.serverEnabled" . -}}
{{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} {{- if .Values.injector.externalVaultAddr -}}
{{- $_ := set . "mode" "external" -}} {{- $_ := set . "mode" "external" -}}
{{- else if not .serverEnabled -}} {{- else if not .serverEnabled -}}
{{- $_ := set . "mode" "external" -}} {{- $_ := set . "mode" "external" -}}
@ -163,15 +114,11 @@ template logic.
{{/* {{/*
Set's the replica count based on the different modes configured by user Set's the replica count based on the different modes configured by user
*/}} */}}
{{- define "openbao.replicas" -}} {{- define "vault.replicas" -}}
{{ if eq .mode "standalone" }} {{ if eq .mode "standalone" }}
{{- default 1 -}} {{- default 1 -}}
{{ else if eq .mode "ha" }} {{ else if eq .mode "ha" }}
{{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}} {{- .Values.server.ha.replicas | default 3 -}}
{{- .Values.server.ha.replicas -}}
{{ else }}
{{- 3 -}}
{{- end -}}
{{ else }} {{ else }}
{{- default 1 -}} {{- default 1 -}}
{{ end }} {{ end }}
@ -182,11 +129,11 @@ Set's up configmap mounts if this isn't a dev deployment and the user
defined a custom configuration. Additionally iterates over any defined a custom configuration. Additionally iterates over any
extra volumes the user may have specified (such as a secret with TLS). extra volumes the user may have specified (such as a secret with TLS).
*/}} */}}
{{- define "openbao.volumes" -}} {{- define "vault.volumes" -}}
{{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config - name: config
configMap: configMap:
name: {{ template "openbao.fullname" . }}-config name: {{ template "vault.fullname" . }}-config
{{ end }} {{ end }}
{{- range .Values.server.extraVolumes }} {{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }} - name: userconfig-{{ .name }}
@ -201,34 +148,40 @@ extra volumes the user may have specified (such as a secret with TLS).
{{- if .Values.server.volumes }} {{- if .Values.server.volumes }}
{{- toYaml .Values.server.volumes | nindent 8}} {{- toYaml .Values.server.volumes | nindent 8}}
{{- end }} {{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: vault-license
secret:
secretName: {{ .Values.server.enterpriseLicense.secretName }}
defaultMode: 0440
{{- end }}
{{- end -}} {{- end -}}
{{/* {{/*
Set's the args for custom command to render the OpenBao configuration Set's the args for custom command to render the Vault configuration
file with IP addresses to make the out of box experience easier file with IP addresses to make the out of box experience easier
for users looking to use this chart with Consul Helm. for users looking to use this chart with Consul Helm.
*/}} */}}
{{- define "openbao.args" -}} {{- define "vault.args" -}}
{{ if or (eq .mode "standalone") (eq .mode "ha") }} {{ if or (eq .mode "standalone") (eq .mode "ha") }}
- | - |
cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
[ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
[ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
/usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
{{ else if eq .mode "dev" }} {{ else if eq .mode "dev" }}
- | - |
/usr/local/bin/docker-entrypoint.sh bao server -dev {{ .Values.server.extraArgs }} /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }}
{{ end }} {{ end }}
{{- end -}} {{- end -}}
{{/* {{/*
Set's additional environment variables based on the mode. Set's additional environment variables based on the mode.
*/}} */}}
{{- define "openbao.envs" -}} {{- define "vault.envs" -}}
{{ if eq .mode "dev" }} {{ if eq .mode "dev" }}
- name: VAULT_DEV_ROOT_TOKEN_ID - name: VAULT_DEV_ROOT_TOKEN_ID
value: {{ .Values.server.dev.devRootToken }} value: {{ .Values.server.dev.devRootToken }}
@ -241,7 +194,7 @@ Set's additional environment variables based on the mode.
Set's which additional volumes should be mounted to the container Set's which additional volumes should be mounted to the container
based on the mode configured. based on the mode configured.
*/}} */}}
{{- define "openbao.mounts" -}} {{- define "vault.mounts" -}}
{{ if eq (.Values.server.auditStorage.enabled | toString) "true" }} {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- name: audit - name: audit
mountPath: {{ .Values.server.auditStorage.mountPath }} mountPath: {{ .Values.server.auditStorage.mountPath }}
@ -254,16 +207,21 @@ based on the mode configured.
{{ end }} {{ end }}
{{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} {{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config - name: config
mountPath: /openbao/config mountPath: /vault/config
{{ end }} {{ end }}
{{- range .Values.server.extraVolumes }} {{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }} - name: userconfig-{{ .name }}
readOnly: true readOnly: true
mountPath: {{ .path | default "/openbao/userconfig" }}/{{ .name }} mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
{{- end }} {{- end }}
{{- if .Values.server.volumeMounts }} {{- if .Values.server.volumeMounts }}
{{- toYaml .Values.server.volumeMounts | nindent 12}} {{- toYaml .Values.server.volumeMounts | nindent 12}}
{{- end }} {{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: vault-license
mountPath: /vault/license
readOnly: true
{{- end }}
{{- end -}} {{- end -}}
{{/* {{/*
@ -271,14 +229,13 @@ Set's up the volumeClaimTemplates when data or audit storage is required. HA
might not use data storage since Consul is likely it's backend, however, audit might not use data storage since Consul is likely it's backend, however, audit
storage might be desired by the user. storage might be desired by the user.
*/}} */}}
{{- define "openbao.volumeclaims" -}} {{- define "vault.volumeclaims" -}}
{{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
volumeClaimTemplates: volumeClaimTemplates:
{{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
- metadata: - metadata:
name: data name: data
{{- include "openbao.dataVolumeClaim.annotations" . | nindent 6 }} {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }}
{{- include "openbao.dataVolumeClaim.labels" . | nindent 6 }}
spec: spec:
accessModes: accessModes:
- {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
@ -292,8 +249,7 @@ storage might be desired by the user.
{{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- metadata: - metadata:
name: audit name: audit
{{- include "openbao.auditVolumeClaim.annotations" . | nindent 6 }} {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }}
{{- include "openbao.auditVolumeClaim.labels" . | nindent 6 }}
spec: spec:
accessModes: accessModes:
- {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
@ -310,7 +266,7 @@ storage might be desired by the user.
{{/* {{/*
Set's the affinity for pod placement when running in standalone and HA modes. Set's the affinity for pod placement when running in standalone and HA modes.
*/}} */}}
{{- define "openbao.affinity" -}} {{- define "vault.affinity" -}}
{{- if and (ne .mode "dev") .Values.server.affinity }} {{- if and (ne .mode "dev") .Values.server.affinity }}
affinity: affinity:
{{ $tp := typeOf .Values.server.affinity }} {{ $tp := typeOf .Values.server.affinity }}
@ -340,7 +296,7 @@ Sets the injector affinity for pod placement
{{/* {{/*
Sets the topologySpreadConstraints when running in standalone and HA modes. Sets the topologySpreadConstraints when running in standalone and HA modes.
*/}} */}}
{{- define "openbao.topologySpreadConstraints" -}} {{- define "vault.topologySpreadConstraints" -}}
{{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
topologySpreadConstraints: topologySpreadConstraints:
{{ $tp := typeOf .Values.server.topologySpreadConstraints }} {{ $tp := typeOf .Values.server.topologySpreadConstraints }}
@ -371,7 +327,7 @@ Sets the injector topologySpreadConstraints for pod placement
{{/* {{/*
Sets the toleration for pod placement when running in standalone and HA modes. Sets the toleration for pod placement when running in standalone and HA modes.
*/}} */}}
{{- define "openbao.tolerations" -}} {{- define "vault.tolerations" -}}
{{- if and (ne .mode "dev") .Values.server.tolerations }} {{- if and (ne .mode "dev") .Values.server.tolerations }}
tolerations: tolerations:
{{- $tp := typeOf .Values.server.tolerations }} {{- $tp := typeOf .Values.server.tolerations }}
@ -401,7 +357,7 @@ Sets the injector toleration for pod placement
{{/* {{/*
Set's the node selector for pod placement when running in standalone and HA modes. Set's the node selector for pod placement when running in standalone and HA modes.
*/}} */}}
{{- define "openbao.nodeselector" -}} {{- define "vault.nodeselector" -}}
{{- if and (ne .mode "dev") .Values.server.nodeSelector }} {{- if and (ne .mode "dev") .Values.server.nodeSelector }}
nodeSelector: nodeSelector:
{{- $tp := typeOf .Values.server.nodeSelector }} {{- $tp := typeOf .Values.server.nodeSelector }}
@ -446,12 +402,9 @@ Sets the injector deployment update strategy
{{/* {{/*
Sets extra pod annotations Sets extra pod annotations
*/}} */}}
{{- define "openbao.annotations" }} {{- define "vault.annotations" -}}
annotations:
{{- if .Values.server.includeConfigAnnotation }}
openbao.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
{{- end }}
{{- if .Values.server.annotations }} {{- if .Values.server.annotations }}
annotations:
{{- $tp := typeOf .Values.server.annotations }} {{- $tp := typeOf .Values.server.annotations }}
{{- if eq $tp "string" }} {{- if eq $tp "string" }}
{{- tpl .Values.server.annotations . | nindent 8 }} {{- tpl .Values.server.annotations . | nindent 8 }}
@ -491,103 +444,6 @@ Sets extra injector service annotations
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
securityContext for the injector pod level.
*/}}
{{- define "injector.securityContext.pod" -}}
{{- if .Values.injector.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.injector.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.injector.securityContext.pod | nindent 8 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }}
runAsUser: {{ .Values.injector.uid | default 100 }}
fsGroup: {{ .Values.injector.gid | default 1000 }}
{{- end }}
{{- end -}}
{{/*
securityContext for the injector container level.
*/}}
{{- define "injector.securityContext.container" -}}
{{- if .Values.injector.securityContext.container}}
securityContext:
{{- $tp := typeOf .Values.injector.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.injector.securityContext.container | nindent 12 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
{{- end }}
{{- end -}}
{{/*
securityContext for the statefulset pod template.
*/}}
{{- define "server.statefulSet.securityContext.pod" -}}
{{- if .Values.server.statefulSet.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.statefulSet.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }}
fsGroup: {{ .Values.server.gid | default 1000 }}
{{- end }}
{{- end -}}
{{/*
securityContext for the statefulset openbao container
*/}}
{{- define "server.statefulSet.securityContext.container" -}}
{{- if .Values.server.statefulSet.securityContext.container }}
securityContext:
{{- $tp := typeOf .Values.server.statefulSet.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
{{- end }}
{{- end -}}
{{/*
Sets extra injector service account annotations
*/}}
{{- define "injector.serviceAccount.annotations" -}}
{{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.injector.serviceAccount.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.serviceAccount.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/* {{/*
Sets extra injector webhook annotations Sets extra injector webhook annotations
*/}} */}}
@ -603,26 +459,10 @@ Sets extra injector webhook annotations
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
Set's the injector webhook objectSelector
*/}}
{{- define "injector.objectSelector" -}}
{{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}}
{{ if $v }}
objectSelector:
{{- $tp := typeOf $v -}}
{{ if eq $tp "string" }}
{{ tpl $v . | indent 6 | trim }}
{{ else }}
{{ toYaml $v | indent 6 | trim }}
{{ end }}
{{ end }}
{{ end }}
{{/* {{/*
Sets extra ui service annotations Sets extra ui service annotations
*/}} */}}
{{- define "openbao.ui.annotations" -}} {{- define "vault.ui.annotations" -}}
{{- if .Values.ui.annotations }} {{- if .Values.ui.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.ui.annotations }} {{- $tp := typeOf .Values.ui.annotations }}
@ -637,9 +477,9 @@ Sets extra ui service annotations
{{/* {{/*
Create the name of the service account to use Create the name of the service account to use
*/}} */}}
{{- define "openbao.serviceAccount.name" -}} {{- define "vault.serviceAccount.name" -}}
{{- if .Values.server.serviceAccount.create -}} {{- if .Values.server.serviceAccount.create -}}
{{ default (include "openbao.fullname" .) .Values.server.serviceAccount.name }} {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
{{- else -}} {{- else -}}
{{ default "default" .Values.server.serviceAccount.name }} {{ default "default" .Values.server.serviceAccount.name }}
{{- end -}} {{- end -}}
@ -648,7 +488,7 @@ Create the name of the service account to use
{{/* {{/*
Sets extra service account annotations Sets extra service account annotations
*/}} */}}
{{- define "openbao.serviceAccount.annotations" -}} {{- define "vault.serviceAccount.annotations" -}}
{{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.server.serviceAccount.annotations }} {{- $tp := typeOf .Values.server.serviceAccount.annotations }}
@ -663,7 +503,7 @@ Sets extra service account annotations
{{/* {{/*
Sets extra ingress annotations Sets extra ingress annotations
*/}} */}}
{{- define "openbao.ingress.annotations" -}} {{- define "vault.ingress.annotations" -}}
{{- if .Values.server.ingress.annotations }} {{- if .Values.server.ingress.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.server.ingress.annotations }} {{- $tp := typeOf .Values.server.ingress.annotations }}
@ -678,7 +518,7 @@ Sets extra ingress annotations
{{/* {{/*
Sets extra route annotations Sets extra route annotations
*/}} */}}
{{- define "openbao.route.annotations" -}} {{- define "vault.route.annotations" -}}
{{- if .Values.server.route.annotations }} {{- if .Values.server.route.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.server.route.annotations }} {{- $tp := typeOf .Values.server.route.annotations }}
@ -691,9 +531,9 @@ Sets extra route annotations
{{- end -}} {{- end -}}
{{/* {{/*
Sets extra openbao server Service annotations Sets extra vault server Service annotations
*/}} */}}
{{- define "openbao.service.annotations" -}} {{- define "vault.service.annotations" -}}
{{- if .Values.server.service.annotations }} {{- if .Values.server.service.annotations }}
{{- $tp := typeOf .Values.server.service.annotations }} {{- $tp := typeOf .Values.server.service.annotations }}
{{- if eq $tp "string" }} {{- if eq $tp "string" }}
@ -704,37 +544,10 @@ Sets extra openbao server Service annotations
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
Sets extra openbao server Service (active) annotations
*/}}
{{- define "openbao.service.active.annotations" -}}
{{- if .Values.server.service.active.annotations }}
{{- $tp := typeOf .Values.server.service.active.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.service.active.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.service.active.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra openbao server Service annotations
*/}}
{{- define "openbao.service.standby.annotations" -}}
{{- if .Values.server.service.standby.annotations }}
{{- $tp := typeOf .Values.server.service.standby.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.service.standby.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.service.standby.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/* {{/*
Sets PodSecurityPolicy annotations Sets PodSecurityPolicy annotations
*/}} */}}
{{- define "openbao.psp.annotations" -}} {{- define "vault.psp.annotations" -}}
{{- if .Values.global.psp.annotations }} {{- if .Values.global.psp.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.global.psp.annotations }} {{- $tp := typeOf .Values.global.psp.annotations }}
@ -749,7 +562,7 @@ Sets PodSecurityPolicy annotations
{{/* {{/*
Sets extra statefulset annotations Sets extra statefulset annotations
*/}} */}}
{{- define "openbao.statefulSet.annotations" -}} {{- define "vault.statefulSet.annotations" -}}
{{- if .Values.server.statefulSet.annotations }} {{- if .Values.server.statefulSet.annotations }}
annotations: annotations:
{{- $tp := typeOf .Values.server.statefulSet.annotations }} {{- $tp := typeOf .Values.server.statefulSet.annotations }}
@ -764,7 +577,7 @@ Sets extra statefulset annotations
{{/* {{/*
Sets VolumeClaim annotations for data volume Sets VolumeClaim annotations for data volume
*/}} */}}
{{- define "openbao.dataVolumeClaim.annotations" -}} {{- define "vault.dataVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }} {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }}
annotations: annotations:
{{- $tp := typeOf .Values.server.dataStorage.annotations }} {{- $tp := typeOf .Values.server.dataStorage.annotations }}
@ -776,25 +589,10 @@ Sets VolumeClaim annotations for data volume
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
Sets VolumeClaim labels for data volume
*/}}
{{- define "openbao.dataVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }}
labels:
{{- $tp := typeOf .Values.server.dataStorage.labels }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.dataStorage.labels . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.dataStorage.labels | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/* {{/*
Sets VolumeClaim annotations for audit volume Sets VolumeClaim annotations for audit volume
*/}} */}}
{{- define "openbao.auditVolumeClaim.annotations" -}} {{- define "vault.auditVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }} {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }}
annotations: annotations:
{{- $tp := typeOf .Values.server.auditStorage.annotations }} {{- $tp := typeOf .Values.server.auditStorage.annotations }}
@ -806,25 +604,10 @@ Sets VolumeClaim annotations for audit volume
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
Sets VolumeClaim labels for audit volume
*/}}
{{- define "openbao.auditVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }}
labels:
{{- $tp := typeOf .Values.server.auditStorage.labels }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.auditStorage.labels . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.auditStorage.labels | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/* {{/*
Set's the container resources if the user has set any. Set's the container resources if the user has set any.
*/}} */}}
{{- define "openbao.resources" -}} {{- define "vault.resources" -}}
{{- if .Values.server.resources -}} {{- if .Values.server.resources -}}
resources: resources:
{{ toYaml .Values.server.resources | indent 12}} {{ toYaml .Values.server.resources | indent 12}}
@ -851,16 +634,6 @@ Sets the container resources if the user has set any.
{{ end }} {{ end }}
{{- end -}} {{- end -}}
{{/*
Sets the container resources for CSI's Agent sidecar if the user has set any.
*/}}
{{- define "csi.agent.resources" -}}
{{- if .Values.csi.agent.resources -}}
resources:
{{ toYaml .Values.csi.agent.resources | indent 12}}
{{ end }}
{{- end -}}
{{/* {{/*
Sets extra CSI daemonset annotations Sets extra CSI daemonset annotations
*/}} */}}
@ -876,37 +649,6 @@ Sets extra CSI daemonset annotations
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
Sets CSI daemonset securityContext for pod template
*/}}
{{- define "csi.daemonSet.securityContext.pod" -}}
{{- if .Values.csi.daemonSet.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets CSI daemonset securityContext for container
*/}}
{{- define "csi.daemonSet.securityContext.container" -}}
{{- if .Values.csi.daemonSet.securityContext.container }}
securityContext:
{{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }}
{{- end }}
{{- end }}
{{- end -}}
{{/* {{/*
Sets the injector toleration for pod placement Sets the injector toleration for pod placement
*/}} */}}
@ -922,34 +664,6 @@ Sets the injector toleration for pod placement
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
Sets the CSI provider nodeSelector for pod placement
*/}}
{{- define "csi.pod.nodeselector" -}}
{{- if .Values.csi.pod.nodeSelector }}
nodeSelector:
{{- $tp := typeOf .Values.csi.pod.nodeSelector }}
{{- if eq $tp "string" }}
{{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the CSI provider affinity for pod placement.
*/}}
{{- define "csi.pod.affinity" -}}
{{- if .Values.csi.pod.affinity }}
affinity:
{{ $tp := typeOf .Values.csi.pod.affinity }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.csi.pod.affinity | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/* {{/*
Sets extra CSI provider pod annotations Sets extra CSI provider pod annotations
*/}} */}}
@ -983,7 +697,7 @@ Sets extra CSI service account annotations
{{/* {{/*
Inject extra environment vars in the format key:value, if populated Inject extra environment vars in the format key:value, if populated
*/}} */}}
{{- define "openbao.extraEnvironmentVars" -}} {{- define "vault.extraEnvironmentVars" -}}
{{- if .extraEnvironmentVars -}} {{- if .extraEnvironmentVars -}}
{{- range $key, $value := .extraEnvironmentVars }} {{- range $key, $value := .extraEnvironmentVars }}
- name: {{ printf "%s" $key | replace "." "_" | upper | quote }} - name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
@ -995,7 +709,7 @@ Inject extra environment vars in the format key:value, if populated
{{/* {{/*
Inject extra environment populated by secrets, if populated Inject extra environment populated by secrets, if populated
*/}} */}}
{{- define "openbao.extraSecretEnvironmentVars" -}} {{- define "vault.extraSecretEnvironmentVars" -}}
{{- if .extraSecretEnvironmentVars -}} {{- if .extraSecretEnvironmentVars -}}
{{- range .extraSecretEnvironmentVars }} {{- range .extraSecretEnvironmentVars }}
- name: {{ .envName }} - name: {{ .envName }}
@ -1008,7 +722,7 @@ Inject extra environment populated by secrets, if populated
{{- end -}} {{- end -}}
{{/* Scheme for health check and local endpoint */}} {{/* Scheme for health check and local endpoint */}}
{{- define "openbao.scheme" -}} {{- define "vault.scheme" -}}
{{- if .Values.global.tlsDisable -}} {{- if .Values.global.tlsDisable -}}
{{ "http" }} {{ "http" }}
{{- else -}} {{- else -}}
@ -1067,28 +781,3 @@ Supported inputs are Values.ui
{{- end -}} {{- end -}}
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
config file from values
*/}}
{{- define "openbao.config" -}}
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }}
disable_mlock = true
{{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
{{ tpl .Values.server.ha.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
{{ end }}
{{- else }}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
{{- else }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}


@ -1,16 +1,11 @@
{{/* {{- template "vault.csiEnabled" . -}}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}} {{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:


@ -0,0 +1,19 @@
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
{{- end }}
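Review bot: The binding is cluster-scoped, so every rule in the referenced `-csi-provider-clusterrole` (its `rules:` are outside this section) takes effect in all namespaces for the `-csi-provider` service account, and nothing in the template records why a namespaced Role/RoleBinding in `.Release.Namespace` would not suffice. A one-line template comment above `roleRef:` would help whoever later trims the role, e.g. `{{/* Cluster-scoped on purpose: these rules apply in every namespace for the CSI provider SA — keep the ClusterRole to the minimum the provider needs. */}}`. Presumably the provider must act on pods outside the release namespace, which is what justifies the ClusterRoleBinding; confirm that against the ClusterRole's actual rules. The subject's `namespace: {{ .Release.Namespace }}` correctly pins the grant to the chart's own service account rather than a same-named account elsewhere.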


@ -0,0 +1,91 @@
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}}
{{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.daemonSet.annotations" . }}
spec:
updateStrategy:
type: {{ .Values.csi.daemonSet.updateStrategy.type }}
{{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
rollingUpdate:
maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "csi.pod.annotations" . }}
spec:
{{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }}
serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }}
containers:
- name: {{ include "vault.name" . }}-csi-provider
{{ template "csi.resources" . }}
image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
args:
- --endpoint=/provider/vault.sock
- --debug={{ .Values.csi.debug }}
{{- if .Values.csi.extraArgs }}
{{- toYaml .Values.csi.extraArgs | nindent 12 }}
{{- end }}
volumeMounts:
- name: providervol
mountPath: "/provider"
- name: mountpoint-dir
mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
mountPropagation: HostToContainer
{{- if .Values.csi.volumeMounts }}
{{- toYaml .Values.csi.volumeMounts | nindent 12}}
{{- end }}
livenessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
readinessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
volumes:
- name: providervol
hostPath:
path: {{ .Values.csi.daemonSet.providersDir }}
- name: mountpoint-dir
hostPath:
path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
{{- if .Values.csi.volumes }}
{{- toYaml .Values.csi.volumes | nindent 8}}
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{- end }}
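Review bot: The csi-provider container has no `securityContext` at either pod or container level, yet it mounts `{{ .Values.csi.daemonSet.kubeletRootDir }}/pods` from the host with `mountPropagation: HostToContainer` and the host `providersDir`; a container with that much of the kubelet's filesystem in view should at least refuse privilege escalation and drop capabilities, or take a values-driven `securityContext` like the injector does. Whether `readOnlyRootFilesystem: true` is also viable depends on whether the provider writes anywhere outside `/provider`, which this hunk does not show. Separately, the liveness and readiness probes both poll `/health/ready` (the `httpGet` blocks under each probe); if that endpoint reports readiness rather than process health, a provider that is merely not yet ready will be restarted by the kubelet, so confirm the endpoint's semantics or point liveness at a liveness-style path.
```yaml
        - name: {{ include "vault.name" . }}-csi-provider
          # … unchanged: resources, image, imagePullPolicy …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: args, volumeMounts, probes …
```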


@ -1,17 +1,12 @@
{{/* {{- template "vault.csiEnabled" . -}}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}} {{- if .csiEnabled -}}
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ template "openbao.fullname" . }}-csi-provider name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.serviceAccount.extraLabels -}} {{- if .Values.csi.serviceAccount.extraLabels -}}


@ -1,19 +1,14 @@
{{/* {{- template "vault.injectorEnabled" . -}}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: openbao-injector-certs name: vault-injector-certs
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -0,0 +1,19 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs:
- "get"
- "list"
- "watch"
- "patch"
{{ end }}
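Review bot: The single rule grants `patch` on every MutatingWebhookConfiguration in the cluster, so the injector's service account can alter admission webhooks belonging to other components; the deployment's `AGENT_INJECT_TLS_AUTO` value suggests it only ever patches its own `{{ template "vault.fullname" . }}-agent-injector-cfg`, in which case `get`/`patch` can be scoped with `resourceNames` while `list`/`watch` stay in a separate unrestricted rule (they are not narrowed by `resourceNames` in the same way). Confirm against the injector's behaviour before tightening; the `{{ end }}` on the last line also lacks the `-` used elsewhere and will emit a trailing blank line.
```yaml
rules:
  # list/watch are not narrowed by resourceNames; keep them unrestricted
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["list", "watch"]
  # get/patch only on this release's own webhook configuration
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    resourceNames: ["{{ template "vault.fullname" . }}-agent-injector-cfg"]
    verbs: ["get", "patch"]
```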


@ -0,0 +1,19 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-binding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
{{ end }}


@ -1,18 +1,13 @@
{{/* {{- template "vault.injectorEnabled" . -}}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
# Deployment for the injector # Deployment for the injector
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ template "openbao.fullname" . }}-agent-injector name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook component: webhook
@ -20,14 +15,14 @@ spec:
replicas: {{ .Values.injector.replicas }} replicas: {{ .Values.injector.replicas }}
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
{{ template "injector.strategy" . }} {{ template "injector.strategy" . }}
template: template:
metadata: metadata:
labels: labels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
{{- if .Values.injector.extraLabels -}} {{- if .Values.injector.extraLabels -}}
@ -42,34 +37,38 @@ spec:
{{- if .Values.injector.priorityClassName }} {{- if .Values.injector.priorityClassName }}
priorityClassName: {{ .Values.injector.priorityClassName }} priorityClassName: {{ .Values.injector.priorityClassName }}
{{- end }} {{- end }}
serviceAccountName: "{{ template "openbao.fullname" . }}-agent-injector" serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
{{ template "injector.securityContext.pod" . -}}
{{- if not .Values.global.openshift }} {{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.injector.hostNetwork }} hostNetwork: {{ .Values.injector.hostNetwork }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }}
runAsUser: {{ .Values.injector.uid | default 100 }}
{{- end }} {{- end }}
containers: containers:
- name: sidecar-injector - name: sidecar-injector
{{ template "injector.resources" . }} {{ template "injector.resources" . }}
image: "{{ .Values.injector.image.registry | default "docker.io" }}/{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
{{- template "injector.securityContext.container" . }} {{- if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
{{- end }}
env: env:
- name: AGENT_INJECT_LISTEN - name: AGENT_INJECT_LISTEN
value: {{ printf ":%v" .Values.injector.port }} value: {{ printf ":%v" .Values.injector.port }}
- name: AGENT_INJECT_LOG_LEVEL - name: AGENT_INJECT_LOG_LEVEL
value: {{ .Values.injector.logLevel | default "info" }} value: {{ .Values.injector.logLevel | default "info" }}
- name: AGENT_INJECT_VAULT_ADDR - name: AGENT_INJECT_VAULT_ADDR
{{- if .Values.global.externalVaultAddr }} {{- if .Values.injector.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else if .Values.injector.externalVaultAddr }}
value: "{{ .Values.injector.externalVaultAddr }}" value: "{{ .Values.injector.externalVaultAddr }}"
{{- else }} {{- else }}
value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- end }} {{- end }}
- name: AGENT_INJECT_VAULT_AUTH_PATH - name: AGENT_INJECT_VAULT_AUTH_PATH
value: {{ .Values.injector.authPath }} value: {{ .Values.injector.authPath }}
- name: AGENT_INJECT_VAULT_IMAGE - name: AGENT_INJECT_VAULT_IMAGE
value: "{{ .Values.injector.image.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
{{- if .Values.injector.certs.secretName }} {{- if .Values.injector.certs.secretName }}
- name: AGENT_INJECT_TLS_CERT_FILE - name: AGENT_INJECT_TLS_CERT_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}" value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
@ -77,9 +76,9 @@ spec:
value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
{{- else }} {{- else }}
- name: AGENT_INJECT_TLS_AUTO - name: AGENT_INJECT_TLS_AUTO
value: {{ template "openbao.fullname" . }}-agent-injector-cfg value: {{ template "vault.fullname" . }}-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS - name: AGENT_INJECT_TLS_AUTO_HOSTS
value: {{ template "openbao.fullname" . }}-agent-injector-svc,{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }},{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }}.svc value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
{{- end }} {{- end }}
- name: AGENT_INJECT_LOG_FORMAT - name: AGENT_INJECT_LOG_FORMAT
value: {{ .Values.injector.logFormat | default "standard" }} value: {{ .Values.injector.logFormat | default "standard" }}
@ -109,14 +108,6 @@ spec:
value: "{{ .Values.injector.agentDefaults.memRequest }}" value: "{{ .Values.injector.agentDefaults.memRequest }}"
- name: AGENT_INJECT_MEM_LIMIT - name: AGENT_INJECT_MEM_LIMIT
value: "{{ .Values.injector.agentDefaults.memLimit }}" value: "{{ .Values.injector.agentDefaults.memLimit }}"
{{- if .Values.injector.agentDefaults.ephemeralRequest }}
- name: AGENT_INJECT_EPHEMERAL_REQUEST
value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}"
{{- end }}
{{- if .Values.injector.agentDefaults.ephemeralLimit }}
- name: AGENT_INJECT_EPHEMERAL_LIMIT
value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}"
{{- end }}
- name: AGENT_INJECT_DEFAULT_TEMPLATE - name: AGENT_INJECT_DEFAULT_TEMPLATE
value: "{{ .Values.injector.agentDefaults.template }}" value: "{{ .Values.injector.agentDefaults.template }}"
- name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
@ -125,7 +116,7 @@ spec:
- name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
{{- end }} {{- end }}
{{- include "openbao.extraEnvironmentVars" .Values.injector | nindent 12 }} {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
@ -138,31 +129,21 @@ spec:
path: /health/ready path: /health/ready
port: {{ .Values.injector.port }} port: {{ .Values.injector.port }}
scheme: HTTPS scheme: HTTPS
failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }} failureThreshold: 2
initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }} initialDelaySeconds: 5
periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }} periodSeconds: 2
successThreshold: {{ .Values.injector.livenessProbe.successThreshold }} successThreshold: 1
timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }} timeoutSeconds: 5
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /health/ready path: /health/ready
port: {{ .Values.injector.port }} port: {{ .Values.injector.port }}
scheme: HTTPS scheme: HTTPS
failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }} failureThreshold: 2
initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }} initialDelaySeconds: 5
periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }} periodSeconds: 2
successThreshold: {{ .Values.injector.readinessProbe.successThreshold }} successThreshold: 1
timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }} timeoutSeconds: 5
startupProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }}
successThreshold: {{ .Values.injector.startupProbe.successThreshold }}
timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }}
{{- if .Values.injector.certs.secretName }} {{- if .Values.injector.certs.secretName }}
volumeMounts: volumeMounts:
- name: webhook-certs - name: webhook-certs
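Review bot: The container `securityContext` (the `allowPrivilegeEscalation: false` block right after `imagePullPolicy`) is wrapped in `{{- if not .Values.global.openshift }}`, so on OpenShift the sidecar-injector container runs with no securityContext at all, and on every platform it never drops capabilities. Only the `runAsUser`/`runAsGroup` values conflict with OpenShift's SCC-assigned UID ranges; as far as I can tell `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` are accepted by the restricted SCC, so the container block can be emitted unconditionally and hardened, leaving only the pod-level `runAs*` settings behind the OpenShift guard. The Deployment's `spec` begins and ends outside this hunk.
```yaml
        - name: sidecar-injector
          # … unchanged: resources, image, imagePullPolicy …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
          # … unchanged: env, probes, volumeMounts …
```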


@ -1,24 +1,19 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if .Values.injector.podDisruptionBudget }} {{- if .Values.injector.podDisruptionBudget }}
apiVersion: policy/v1 apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: {{ template "openbao.fullname" . }}-agent-injector name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
helm.sh/chart: {{ include "openbao.chart" . }} helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook component: webhook
spec: spec:
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
{{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
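Review bot: `ge .Capabilities.KubeVersion.Minor "21"` on the `apiVersion` line compares two strings lexicographically, not numerically: a minor of `"9"` sorts after `"21"` and selects `policy/v1`, and a future `"100"` sorts before it and falls back to `policy/v1beta1`. The robust form is a semver check on the full version, `apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version) }}`. The server PodDisruptionBudget in this compare (its `apiVersion` line, also built from `KubeVersion.Minor`) has the same defect.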


@ -1,9 +1,4 @@
{{/* {{- template "vault.injectorEnabled" . -}}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1 apiVersion: admissionregistration.k8s.io/v1
@ -12,9 +7,9 @@ apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }} {{- end }}
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-cfg name: {{ template "vault.fullname" . }}-agent-injector-cfg
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "injector.webhookAnnotations" . }} {{- template "injector.webhookAnnotations" . }}
@ -27,8 +22,8 @@ webhooks:
admissionReviewVersions: ["v1", "v1beta1"] admissionReviewVersions: ["v1", "v1beta1"]
clientConfig: clientConfig:
service: service:
name: {{ template "openbao.fullname" . }}-agent-injector-svc name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
path: "/mutate" path: "/mutate"
caBundle: {{ .Values.injector.certs.caBundle | quote }} caBundle: {{ .Values.injector.certs.caBundle | quote }}
rules: rules:
@ -40,5 +35,8 @@ webhooks:
namespaceSelector: namespaceSelector:
{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}} {{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
{{ end }} {{ end }}
{{- template "injector.objectSelector" . -}} {{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }}
objectSelector:
{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}}
{{ end }}
{{ end }} {{ end }}


@ -1,22 +1,17 @@
{{/* {{- template "vault.injectorEnabled" . -}}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }} {{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:
name: {{ template "openbao.fullname" . }}-agent-injector name: {{ template "vault.fullname" . }}-agent-injector
labels: labels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
spec: spec:
podSelector: podSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
ingress: ingress:


@ -1,18 +1,13 @@
{{/* {{- template "vault.injectorEnabled" . -}}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }} {{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-psp name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:
@ -20,6 +15,6 @@ rules:
resources: ['podsecuritypolicies'] resources: ['podsecuritypolicies']
verbs: ['use'] verbs: ['use']
resourceNames: resourceNames:
- {{ template "openbao.fullname" . }}-agent-injector - {{ template "vault.fullname" . }}-agent-injector
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -0,0 +1,21 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}
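Review bot: The ServiceAccount subject at the end of this RoleBinding omits `namespace:`, while the leader-elector RoleBinding in the same compare writes `namespace: {{ .Release.Namespace }}` on its subject. The RBAC authorizer falls back to the binding's own namespace for a ServiceAccount subject without one, so this works, but the two bindings should use the same form; adding `namespace: {{ .Release.Namespace }}` under `name:` here keeps the intent explicit.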


@ -1,20 +1,15 @@
{{/* {{- template "vault.injectorEnabled" . -}}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }} {{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ template "openbao.fullname" . }}-agent-injector name: {{ template "vault.fullname" . }}-agent-injector
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "openbao.psp.annotations" . }} {{- template "vault.psp.annotations" . }}
spec: spec:
privileged: false privileged: false
# Required to prevent escalations to root. # Required to prevent escalations to root.


@ -1,18 +1,13 @@
{{/* {{- template "vault.injectorEnabled" . -}}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:


@ -0,0 +1,22 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}


@ -1,17 +1,12 @@
{{/* {{- template "vault.injectorEnabled" . -}}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}} {{- if .injectorEnabled -}}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "openbao.fullname" . }}-agent-injector-svc name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.service.annotations" . }} {{ template "injector.service.annotations" . }}
@ -21,7 +16,7 @@ spec:
port: 443 port: 443
targetPort: {{ .Values.injector.port }} targetPort: {{ .Values.injector.port }}
selector: selector:
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
{{- end }} {{- end }}


@ -0,0 +1,12 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ end }}


@ -1,10 +1,6 @@
{{/* {{ template "vault.mode" . }}
Copyright (c) HashiCorp, Inc. {{- if .serverEnabled -}}
SPDX-License-Identifier: MPL-2.0 {{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
*/}}
{{ template "openbao.serverAuthDelegator" . }}
{{- if .serverAuthDelegator -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
{{- else }} {{- else }}
@ -12,10 +8,10 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }} {{- end }}
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{ template "openbao.fullname" . }}-server-binding name: {{ template "vault.fullname" . }}-server-binding
labels: labels:
helm.sh/chart: {{ include "openbao.chart" . }} helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
@ -24,6 +20,7 @@ roleRef:
name: system:auth-delegator name: system:auth-delegator
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "openbao.serviceAccount.name" . }} name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }} {{ end }}


@ -0,0 +1,40 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-config
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
extraconfig-from-values.hcl: |-
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }}
disable_mlock = true
{{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
{{ tpl .Values.server.ha.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
{{ end }}
{{- else }}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
{{- else }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
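Review bot: `disable_mlock = true` is forced into the rendered config without any comment, and in the map branch `merge (dict "disable_mlock" true) ...` gives precedence to its first argument, so a user who sets `disable_mlock: false` in `server.ha.config` or `server.standalone.config` is silently overridden; in the string branch the forced line is emitted before the user's config, so a conflicting user value depends on how duplicate HCL attributes are resolved. Since this setting controls whether secret material may be paged to swap, the override deserves a comment above the `data:` block, for example `# disable_mlock is always forced on: mlock needs IPC_LOCK, which the server container is not granted; user config cannot override it`, with the capability rationale confirmed against the server StatefulSet. The `{{ end }}` after the raft branch is the only one in the file without `-` and will leave a blank line inside the HCL.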


@ -0,0 +1,21 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ .Release.Namespace }}
name: {{ template "vault.fullname" . }}-discovery-role
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "update", "patch"]
{{ end }}
{{ end }}
{{ end }}
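Review bot: The discovery Role grants `update` and `patch` on every pod in the release namespace, which lets the server's service account rewrite other workloads' pod metadata, not just its own; since pod names are dynamic this cannot be narrowed with `resourceNames`, so the reason for the write verbs should at least be documented. A comment above the rule such as `# update/patch: the server labels its own pod for Kubernetes service registration — verify this is the only writer` would make the grant reviewable; the purpose is inferred, as the server configuration is not in this hunk.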


@ -0,0 +1,29 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-discovery-rolebinding
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-discovery-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}
{{ end }}
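Review bot: The `apiVersion` here falls back to `rbac.authorization.k8s.io/v1beta1` when `v1` is absent, but the discovery Role this binding references hard-codes `rbac.authorization.k8s.io/v1`, so on any cluster where the fallback triggers the Role itself would already fail to apply; the conditional is dead code and the two files disagree. Hard-coding `apiVersion: rbac.authorization.k8s.io/v1` to match the Role is simpler (the v1beta1 RBAC API was removed in Kubernetes 1.22). The server auth-delegator ClusterRoleBinding in this compare uses the same `Capabilities.APIVersions.Has` fallback and can be simplified the same way.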


@ -1,29 +1,24 @@
{{/* {{ template "vault.mode" . }}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" -}} {{- if ne .mode "external" -}}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
# PodDisruptionBudget to prevent degrading the server cluster through # PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes. # voluntary cluster changes.
apiVersion: policy/v1 apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: {{ template "openbao.fullname" . }} name: {{ template "vault.fullname" . }}
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
helm.sh/chart: {{ include "openbao.chart" . }} helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
spec: spec:
maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }} maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: server component: server
{{- end -}} {{- end -}}


@ -0,0 +1,45 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
# Service for active Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-active
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "vault.service.annotations" .}}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.nodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
vault-active: "true"
{{- end }}
{{- end }}
{{- end }}
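Review bot: The active Service emits `nodePort: {{ .Values.server.service.nodePort }}` with the same value as the main Service (the section beginning `# Service for Vault cluster`) and the standby Service in the next section; node ports are allocated cluster-wide, so with `server.service.type: NodePort` and `server.service.nodePort` set in HA mode the second and third Services are rejected as already allocated. Either give the active and standby Services their own values (for example `server.service.activeNodePort` / `server.service.standbyNodePort`, names to be chosen) or omit the `nodePort` line from them and let the API server assign one. The same applies to the standby Service and the main Service sections, which are not repeated here.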


@ -0,0 +1,45 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
# Service for standby Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-standby
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "vault.service.annotations" .}}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.nodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
vault-active: "false"
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,33 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-internal
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "vault.service.annotations" .}}
spec:
clusterIP: None
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: "{{ include "vault.scheme" . }}"
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end }}
{{- end }}
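Review bot: The port name here is written `- name: "{{ include "vault.scheme" . }}"` while the active, standby and main Services write the same expression unquoted (`- name: {{ include "vault.scheme" . }}`); both render to the same scalar, but the mixed quoting reads as if the headless Service had a different contract. Pick one form for all four Service templates, quoted being the safer choice for a templated value.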


@ -1,15 +1,10 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if not .Values.global.openshift }} {{- if not .Values.global.openshift }}
{{ template "openbao.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if .Values.server.ingress.enabled -}} {{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "openbao.fullname" . -}} {{- $serviceName := include "vault.fullname" . -}}
{{- template "openbao.serverServiceEnabled" . -}} {{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}} {{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
@ -17,20 +12,26 @@ SPDX-License-Identifier: MPL-2.0
{{- $servicePort := .Values.server.service.port -}} {{- $servicePort := .Values.server.service.port -}}
{{- $pathType := .Values.server.ingress.pathType -}} {{- $pathType := .Values.server.ingress.pathType -}}
{{- $kubeVersion := .Capabilities.KubeVersion.Version }} {{- $kubeVersion := .Capabilities.KubeVersion.Version }}
{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
apiVersion: networking.k8s.io/v1beta1
{{ else }}
apiVersion: extensions/v1beta1
{{ end }}
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ template "openbao.fullname" . }} name: {{ template "vault.fullname" . }}
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
helm.sh/chart: {{ include "openbao.chart" . }} helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.ingress.labels }} {{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- template "openbao.ingress.annotations" . }} {{- template "vault.ingress.annotations" . }}
spec: spec:
{{- if .Values.server.ingress.tls }} {{- if .Values.server.ingress.tls }}
tls: tls:
@ -55,15 +56,22 @@ spec:
{{- end }} {{- end }}
{{- range (.paths | default (list "/")) }} {{- range (.paths | default (list "/")) }}
- path: {{ . }} - path: {{ . }}
{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
pathType: {{ $pathType }} pathType: {{ $pathType }}
{{ end }}
backend: backend:
{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
service: service:
name: {{ $serviceName }} name: {{ $serviceName }}
port: port:
number: {{ $servicePort }} number: {{ $servicePort }}
{{ else }}
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{ end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -1,22 +1,24 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }} {{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:
name: {{ template "openbao.fullname" . }} name: {{ template "vault.fullname" . }}
labels: labels:
app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
spec: spec:
podSelector: podSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }} ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8200
protocol: TCP
- port: 8201
protocol: TCP
{{- if .Values.server.networkPolicy.egress }} {{- if .Values.server.networkPolicy.egress }}
egress: egress:
{{- toYaml .Values.server.networkPolicy.egress | nindent 4 }} {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
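Review bot: The NetworkPolicy's `ingress` block is fixed to `- from: - namespaceSelector: {}` on ports 8200 and 8201, which admits every pod in every namespace of the cluster to both the API and the cluster port, while `egress` stays user-configurable; enabling `server.networkPolicy.enabled` therefore does not actually narrow who may reach Vault, only which protocols and ports. Making ingress a value rendered the same way as egress (`ingress:` followed by `{{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}`, with the current rule as the documented default) would let operators restrict it to the namespaces or pods that need access. If the value must stay fixed, a comment above `ingress:` saying it is intentionally open to all namespaces would at least make the posture visible.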


@ -1,18 +1,13 @@
{{/* {{ template "vault.mode" . }}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ template "openbao.fullname" . }}-psp name: {{ template "vault.fullname" . }}-psp
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:
@ -20,6 +15,6 @@ rules:
resources: ['podsecuritypolicies'] resources: ['podsecuritypolicies']
verbs: ['use'] verbs: ['use']
resourceNames: resourceNames:
- {{ template "openbao.fullname" . }} - {{ template "vault.fullname" . }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -1,26 +1,21 @@
{{/* {{ template "vault.mode" . }}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ template "openbao.fullname" . }}-psp name: {{ template "vault.fullname" . }}-psp
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
kind: Role kind: Role
name: {{ template "openbao.fullname" . }}-psp name: {{ template "vault.fullname" . }}-psp
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "openbao.fullname" . }} name: {{ template "vault.fullname" . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
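Review bot: The PSP RoleBinding's subject is `name: {{ template "vault.fullname" . }}`, whereas the discovery RoleBinding above binds `{{ template "vault.serviceAccount.name" . }}` and the ServiceAccount template creates its account under that same helper; if `vault.serviceAccount.name` can return a user-supplied name, the PSP grant lands on a ServiceAccount that does not exist and the server pods are denied the policy. Change the subject to `name: {{ template "vault.serviceAccount.name" . }}` (and consider adding `namespace: {{ .Release.Namespace }}` as the discovery binding does) so the two bindings agree.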


@ -1,20 +1,15 @@
{{/* {{ template "vault.mode" . }}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ template "openbao.fullname" . }} name: {{ template "vault.fullname" . }}
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "openbao.psp.annotations" . }} {{- template "vault.psp.annotations" . }}
spec: spec:
privileged: false privileged: false
# Required to prevent escalations to root. # Required to prevent escalations to root.


@ -1,29 +1,24 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if .Values.global.openshift }} {{- if .Values.global.openshift }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if .Values.server.route.enabled -}} {{- if .Values.server.route.enabled -}}
{{- $serviceName := include "openbao.fullname" . -}} {{- $serviceName := include "vault.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }} {{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }} {{- end }}
kind: Route kind: Route
apiVersion: route.openshift.io/v1 apiVersion: route.openshift.io/v1
metadata: metadata:
name: {{ template "openbao.fullname" . }} name: {{ template "vault.fullname" . }}
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
helm.sh/chart: {{ include "openbao.chart" . }} helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.route.labels }} {{- with .Values.server.route.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- template "openbao.route.annotations" . }} {{- template "vault.route.annotations" . }}
spec: spec:
host: {{ .Values.server.route.host }} host: {{ .Values.server.route.host }}
to: to:
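Review bot: The Route template tests `{{- if ne .mode "external" }}` without first calling `{{ template "vault.mode" . }}`, which every other template in this compare does before reading `.mode`; unless some other helper sets it, `.mode` is unset here, `ne` against an unset value is true, and the Route is rendered even for an external server. Add `{{ template "vault.mode" . }}` after the copyright/openshift guard, matching the Ingress template. The `if` blocks opened here close outside this hunk.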


@ -1,37 +1,24 @@
{{/* {{ template "vault.mode" . }}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- template "openbao.serverServiceEnabled" . -}} {{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}} {{- if .serverServiceEnabled -}}
# Service for OpenBao cluster # Service for Vault cluster
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "openbao.fullname" . }} name: {{ template "vault.fullname" . }}
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
helm.sh/chart: {{ include "openbao.chart" . }} helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations: annotations:
{{ template "openbao.service.annotations" .}} {{ template "vault.service.annotations" .}}
spec: spec:
{{- if .Values.server.service.type}} {{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }} type: {{ .Values.server.service.type }}
{{- end}} {{- end}}
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- if .Values.server.service.clusterIP }} {{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }} {{- end }}
@ -40,7 +27,7 @@ spec:
# since this DNS is also used for join operations. # since this DNS is also used for join operations.
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports: ports:
- name: {{ include "openbao.scheme" . }} - name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }} port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }} targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -50,10 +37,8 @@ spec:
port: 8201 port: 8201
targetPort: 8201 targetPort: 8201
selector: selector:
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server component: server
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -0,0 +1,16 @@
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "vault.serviceAccount.annotations" . }}
{{ end }}
{{ end }}


@ -1,87 +1,81 @@
{{/* {{ template "vault.mode" . }}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if ne .mode "" }} {{- if ne .mode "" }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
# StatefulSet to run the actual openbao server cluster. # StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: {{ template "openbao.fullname" . }} name: {{ template "vault.fullname" . }}
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "openbao.statefulSet.annotations" . }} {{- template "vault.statefulSet.annotations" . }}
spec: spec:
serviceName: {{ template "openbao.fullname" . }}-internal serviceName: {{ template "vault.fullname" . }}-internal
podManagementPolicy: Parallel podManagementPolicy: Parallel
replicas: {{ template "openbao.replicas" . }} replicas: {{ template "vault.replicas" . }}
updateStrategy: updateStrategy:
type: {{ .Values.server.updateStrategyType }} type: {{ .Values.server.updateStrategyType }}
{{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }}
{{- end }}
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: server component: server
template: template:
metadata: metadata:
labels: labels:
helm.sh/chart: {{ template "openbao.chart" . }} helm.sh/chart: {{ template "vault.chart" . }}
app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
component: server component: server
{{- if .Values.server.extraLabels -}} {{- if .Values.server.extraLabels -}}
{{- toYaml .Values.server.extraLabels | nindent 8 -}} {{- toYaml .Values.server.extraLabels | nindent 8 -}}
{{- end -}} {{- end -}}
{{ template "openbao.annotations" . }} {{ template "vault.annotations" . }}
spec: spec:
{{ template "openbao.affinity" . }} {{ template "vault.affinity" . }}
{{ template "openbao.topologySpreadConstraints" . }} {{ template "vault.topologySpreadConstraints" . }}
{{ template "openbao.tolerations" . }} {{ template "vault.tolerations" . }}
{{ template "openbao.nodeselector" . }} {{ template "vault.nodeselector" . }}
{{- if .Values.server.priorityClassName }} {{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName }} priorityClassName: {{ .Values.server.priorityClassName }}
{{- end }} {{- end }}
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
serviceAccountName: {{ template "openbao.serviceAccount.name" . }} serviceAccountName: {{ template "vault.serviceAccount.name" . }}
{{ if .Values.server.shareProcessNamespace }} {{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true shareProcessNamespace: true
{{ end }} {{ end }}
{{- template "server.statefulSet.securityContext.pod" . }}
{{- if not .Values.global.openshift }} {{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.server.hostNetwork }} securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }}
fsGroup: {{ .Values.server.gid | default 1000 }}
{{- end }} {{- end }}
volumes: volumes:
{{ template "openbao.volumes" . }} {{ template "vault.volumes" . }}
- name: home - name: home
emptyDir: {} emptyDir: {}
{{- if .Values.server.hostAliases }}
hostAliases:
{{ toYaml .Values.server.hostAliases | nindent 8}}
{{- end }}
{{- if .Values.server.extraInitContainers }} {{- if .Values.server.extraInitContainers }}
initContainers: initContainers:
{{ toYaml .Values.server.extraInitContainers | nindent 8}} {{ toYaml .Values.server.extraInitContainers | nindent 8}}
{{- end }} {{- end }}
containers: containers:
- name: openbao - name: vault
{{ template "openbao.resources" . }} {{ template "vault.resources" . }}
image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }} imagePullPolicy: {{ .Values.server.image.pullPolicy }}
command: command:
- "/bin/sh" - "/bin/sh"
- "-ec" - "-ec"
args: {{ template "openbao.args" . }} args: {{ template "vault.args" . }}
{{- template "server.statefulSet.securityContext.container" . }} {{- if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
{{- end }}
env: env:
- name: HOST_IP - name: HOST_IP
valueFrom: valueFrom:
@ -91,21 +85,21 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: status.podIP fieldPath: status.podIP
- name: BAO_K8S_POD_NAME - name: VAULT_K8S_POD_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
- name: BAO_K8S_NAMESPACE - name: VAULT_K8S_NAMESPACE
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
- name: BAO_ADDR - name: VAULT_ADDR
value: "{{ include "openbao.scheme" . }}://127.0.0.1:8200" value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
- name: BAO_API_ADDR - name: VAULT_API_ADDR
{{- if .Values.server.ha.apiAddr }} {{- if .Values.server.ha.apiAddr }}
value: {{ .Values.server.ha.apiAddr }} value: {{ .Values.server.ha.apiAddr }}
{{- else }} {{- else }}
value: "{{ include "openbao.scheme" . }}://$(POD_IP):8200" value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
{{- end }} {{- end }}
- name: SKIP_CHOWN - name: SKIP_CHOWN
value: "true" value: "true"
@ -115,60 +109,61 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
- name: BAO_CLUSTER_ADDR - name: VAULT_CLUSTER_ADDR
{{- if .Values.server.ha.clusterAddr }} {{- if .Values.server.ha.clusterAddr }}
value: {{ .Values.server.ha.clusterAddr | quote }} value: {{ .Values.server.ha.clusterAddr }}
{{- else }} {{- else }}
value: "https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201" value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
{{- end }} {{- end }}
{{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
- name: BAO_RAFT_NODE_ID - name: VAULT_RAFT_NODE_ID
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
{{- end }} {{- end }}
- name: HOME - name: HOME
value: "/home/openbao" value: "/home/vault"
{{- if .Values.server.logLevel }} {{- if .Values.server.logLevel }}
- name: BAO_LOG_LEVEL - name: VAULT_LOG_LEVEL
value: "{{ .Values.server.logLevel }}" value: "{{ .Values.server.logLevel }}"
{{- end }} {{- end }}
{{- if .Values.server.logFormat }} {{- if .Values.server.logFormat }}
- name: BAO_LOG_FORMAT - name: VAULT_LOG_FORMAT
value: "{{ .Values.server.logFormat }}" value: "{{ .Values.server.logFormat }}"
{{- end }} {{- end }}
{{ template "openbao.envs" . }} {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
{{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }} - name: VAULT_LICENSE_PATH
{{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }} value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }}
{{- end }}
{{ template "vault.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
volumeMounts: volumeMounts:
{{ template "openbao.mounts" . }} {{ template "vault.mounts" . }}
- name: home - name: home
mountPath: /home/openbao mountPath: /home/vault
ports: ports:
- containerPort: 8200 - containerPort: 8200
name: {{ include "openbao.scheme" . }} name: {{ include "vault.scheme" . }}
- containerPort: 8201 - containerPort: 8201
name: https-internal name: https-internal
- containerPort: 8202 - containerPort: 8202
name: {{ include "openbao.scheme" . }}-rep name: {{ include "vault.scheme" . }}-rep
{{- if .Values.server.extraPorts -}}
{{ toYaml .Values.server.extraPorts | nindent 12}}
{{- end }}
{{- if .Values.server.readinessProbe.enabled }} {{- if .Values.server.readinessProbe.enabled }}
readinessProbe: readinessProbe:
{{- if .Values.server.readinessProbe.path }} {{- if .Values.server.readinessProbe.path }}
httpGet: httpGet:
path: {{ .Values.server.readinessProbe.path | quote }} path: {{ .Values.server.readinessProbe.path | quote }}
port: {{ .Values.server.readinessProbe.port }} port: 8200
scheme: {{ include "openbao.scheme" . | upper }} scheme: {{ include "vault.scheme" . | upper }}
{{- else }} {{- else }}
# Check status; unsealed openbao servers return 0 # Check status; unsealed vault servers return 0
# The exit code reflects the seal status: # The exit code reflects the seal status:
# 0 - unsealed # 0 - unsealed
# 1 - error # 1 - error
# 2 - sealed # 2 - sealed
exec: exec:
command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"] command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
{{- end }} {{- end }}
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }} initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
@ -178,18 +173,10 @@ spec:
{{- end }} {{- end }}
{{- if .Values.server.livenessProbe.enabled }} {{- if .Values.server.livenessProbe.enabled }}
livenessProbe: livenessProbe:
{{- if .Values.server.livenessProbe.execCommand }}
exec:
command:
{{- range (.Values.server.livenessProbe.execCommand) }}
- {{ . | quote }}
{{- end }}
{{- else }}
httpGet: httpGet:
path: {{ .Values.server.livenessProbe.path | quote }} path: {{ .Values.server.livenessProbe.path | quote }}
port: {{ .Values.server.livenessProbe.port }} port: 8200
scheme: {{ include "openbao.scheme" . | upper }} scheme: {{ include "vault.scheme" . | upper }}
{{- end }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }} periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
@ -197,7 +184,7 @@ spec:
timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }} timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
{{- end }} {{- end }}
lifecycle: lifecycle:
# openbao container doesn't receive SIGTERM from Kubernetes # Vault container doesn't receive SIGTERM from Kubernetes
# and after the grace period ends, Kube sends SIGKILL. This # and after the grace period ends, Kube sends SIGKILL. This
# causes issues with graceful shutdowns such as deregistering itself # causes issues with graceful shutdowns such as deregistering itself
# from Consul (zombie services). # from Consul (zombie services).
@ -208,7 +195,7 @@ spec:
# Adding a sleep here to give the pod eviction a # Adding a sleep here to give the pod eviction a
# chance to propagate, so requests will not be made # chance to propagate, so requests will not be made
# to this pod while it's terminating # to this pod while it's terminating
"sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof bao)", "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
] ]
{{- if .Values.server.postStart }} {{- if .Values.server.postStart }}
postStart: postStart:
@ -222,7 +209,7 @@ spec:
{{ toYaml .Values.server.extraContainers | nindent 8}} {{ toYaml .Values.server.extraContainers | nindent 8}}
{{- end }} {{- end }}
{{- include "imagePullSecrets" . | nindent 6 }} {{- include "imagePullSecrets" . | nindent 6 }}
{{ template "openbao.volumeclaims" . }} {{ template "vault.volumeclaims" . }}
{{ end }} {{ end }}
{{ end }} {{ end }}
{{ end }} {{ end }}


@ -1,44 +1,39 @@
{{/* {{ template "vault.mode" . }}
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if .serverEnabled -}} {{- if .serverEnabled -}}
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: {{ template "openbao.fullname" . }}-server-test name: "{{ .Release.Name }}-server-test"
namespace: {{ include "openbao.namespace" . }} namespace: {{ .Release.Namespace }}
annotations: annotations:
"helm.sh/hook": test "helm.sh/hook": test
spec: spec:
{{- include "imagePullSecrets" . | nindent 2 }} {{- include "imagePullSecrets" . | nindent 2 }}
containers: containers:
- name: {{ .Release.Name }}-server-test - name: {{ .Release.Name }}-server-test
image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }} imagePullPolicy: {{ .Values.server.image.pullPolicy }}
env: env:
- name: VAULT_ADDR - name: VAULT_ADDR
value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
command: command:
- /bin/sh - /bin/sh
- -c - -c
- | - |
echo "Checking for sealed info in 'bao status' output" echo "Checking for sealed info in 'vault status' output"
ATTEMPTS=10 ATTEMPTS=10
n=0 n=0
until [ "$n" -ge $ATTEMPTS ] until [ "$n" -ge $ATTEMPTS ]
do do
echo "Attempt" $n... echo "Attempt" $n...
bao status -format yaml | grep -E '^sealed: (true|false)' && break vault status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1)) n=$((n+1))
sleep 5 sleep 5
done done
if [ $n -ge $ATTEMPTS ]; then if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'bao status' output" echo "timed out looking for sealed info in 'vault status' output"
exit 1 exit 1
fi fi
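Review bot: The retry loop on the `vault status -format yaml | grep -E '^sealed: (true|false)'` line accepts either value, so `helm test` passes against a sealed or freshly initialised server; the script proves only that the API answers, not that Vault is usable. If that is the intent, say so above the loop with `# Reachability check only: a sealed server still passes`, otherwise match `'^sealed: false'` instead. The container reaches `VAULT_ADDR` over `vault.scheme`, so with TLS enabled it presumably depends on `vault.extraEnvironmentVars` to inject `VAULT_CACERT` or `VAULT_SKIP_VERIFY` — worth a comment on the `env:` block so that dependency is explicit. The pod spec continues past the end of this hunk.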

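--- /dev/null
+++ b/templates/ui-service.yaml
@@ -0,0 +1,37 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "vault.uiEnabled" . -}}
+{{- if .uiEnabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ template "vault.fullname" . }}-ui
+namespace: {{ .Release.Namespace }}
+labels:
+helm.sh/chart: {{ include "vault.chart" . }}
+app.kubernetes.io/name: {{ include "vault.name" . }}-ui
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- template "vault.ui.annotations" . }}
+spec:
+selector:
+app.kubernetes.io/name: {{ include "vault.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+component: server
+{{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }}
+vault-active: "true"
+{{- end }}
+publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
+ports:
+- name: {{ include "vault.scheme" . }}
+port: {{ .Values.ui.externalPort }}
+targetPort: {{ .Values.ui.targetPort }}
+{{- if .Values.ui.serviceNodePort }}
+nodePort: {{ .Values.ui.serviceNodePort }}
+{{- end }}
+type: {{ .Values.ui.serviceType }}
+{{- include "service.externalTrafficPolicy" .Values.ui }}
+{{- include "service.loadBalancer" .Values.ui }}
+{{- end -}}
+{{- end }}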
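Review bot: The selector under `spec:` (`app.kubernetes.io/name`, `app.kubernetes.io/instance`, `component: server`) matches the Vault server pods themselves and `targetPort: {{ .Values.ui.targetPort }}` is forwarded straight to them, so this Service fronts whatever listener that port serves — presumably the full Vault API, not a UI-only endpoint. That means `ui.serviceType: LoadBalancer` or a configured `ui.serviceNodePort` publishes the API outside the cluster, which operators enabling "the UI" may not expect. A comment above `spec:` would make the exposure explicit: `# NOTE: routes to the server listener; LoadBalancer/NodePort here expose the whole Vault API, not just the UI`. `publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}` renders unquoted, which is fine for a real boolean but becomes `null` if the value is left empty — the values schema should constrain it to boolean (cannot confirm the schema from this hunk).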


@ -1,9 +1,11 @@
# OpenBao Helm Tests # Vault Helm Tests
## Running OpenBao Helm Acceptance tests ## Running Vault Helm Acceptance tests
The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster. The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster.
Note that for the Vault Enterprise tests to pass, a `VAULT_LICENSE_CI` environment variable needs to be set to the contents of a valid Vault Enterprise license.
### Running in a GKE cluster ### Running in a GKE cluster
* Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project. * Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project.
@ -47,7 +49,7 @@ editing will be required, since several properties accept multiple data types.
## Helm test ## Helm test
OpenBao Helm also contains a simple helm test under Vault Helm also contains a simple helm test under
[templates/tests/](../templates/tests/) that may be run against a helm release: [templates/tests/](../templates/tests/) that may be run against a helm release:
helm test <RELEASE_NAME> helm test <RELEASE_NAME>


@ -1,17 +1,14 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# name_prefix returns the prefix of the resources within Kubernetes. # name_prefix returns the prefix of the resources within Kubernetes.
name_prefix() { name_prefix() {
printf "openbao" printf "vault"
} }
# chart_dir returns the directory for the chart # chart_dir returns the directory for the chart
chart_dir() { chart_dir() {
echo ${BATS_TEST_DIRNAME}/../../charts/openbao echo ${BATS_TEST_DIRNAME}/../..
} }
# helm_install installs the openbao chart. This will source overridable # helm_install installs the vault chart. This will source overridable
# values from the "values.yaml" file in this directory. This can be set # values from the "values.yaml" file in this directory. This can be set
# by CI or other environments to do test-specific overrides. Note that its # by CI or other environments to do test-specific overrides. Note that its
# easily possible to break tests this way so be careful. # easily possible to break tests this way so be careful.
@ -22,11 +19,11 @@ helm_install() {
fi fi
helm install -f ${values} \ helm install -f ${values} \
--name openbao \ --name vault \
${BATS_TEST_DIRNAME}/../../charts/openbao ${BATS_TEST_DIRNAME}/../..
} }
# helm_install_ha installs the openbao chart using HA mode. This will source # helm_install_ha installs the vault chart using HA mode. This will source
# overridable values from the "values.yaml" file in this directory. This can be # overridable values from the "values.yaml" file in this directory. This can be
# set by CI or other environments to do test-specific overrides. Note that its # set by CI or other environments to do test-specific overrides. Note that its
# easily possible to break tests this way so be careful. # easily possible to break tests this way so be careful.
@ -37,10 +34,10 @@ helm_install_ha() {
fi fi
helm install -f ${values} \ helm install -f ${values} \
--name openbao \ --name vault \
--set 'server.enabled=false' \ --set 'server.enabled=false' \
--set 'serverHA.enabled=true' \ --set 'serverHA.enabled=true' \
${BATS_TEST_DIRNAME}/../../charts/openbao ${BATS_TEST_DIRNAME}/../..
} }
# wait for consul to be ready # wait for consul to be ready
@ -52,7 +49,7 @@ wait_for_sealed_vault() {
POD_NAME=$1 POD_NAME=$1
check() { check() {
sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed') sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed')
if [ "$sealed_status" == "true" ]; then if [ "$sealed_status" == "true" ]; then
return 0 return 0
fi fi
@ -61,15 +58,15 @@ wait_for_sealed_vault() {
for i in $(seq 60); do for i in $(seq 60); do
if check ${POD_NAME}; then if check ${POD_NAME}; then
echo "OpenBao on ${POD_NAME} is running." echo "Vault on ${POD_NAME} is running."
return return
fi fi
echo "Waiting for OpenBao on ${POD_NAME} to be running..." echo "Waiting for Vault on ${POD_NAME} to be running..."
sleep 2 sleep 2
done done
echo "OpenBao on ${POD_NAME} never became running." echo "Vault on ${POD_NAME} never became running."
return 1 return 1
} }
@ -144,7 +141,7 @@ wait_for_complete_job() {
# string length. # string length.
kubectl get job $1 -o json | \ kubectl get job $1 -o json | \
jq -r 'select( jq -r 'select(
.status.succeeded == 1 .status.succeeded == 1
) | .metadata.namespace + "/" + .metadata.name' ) | .metadata.namespace + "/" + .metadata.name'
} }
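Review bot: `helm_install` and `helm_install_ha` still use the Helm 2 form `helm install -f ${values} --name vault ${BATS_TEST_DIRNAME}/../..`, while the bats tests in this same diff install with the Helm 3 positional form (`helm install vault ...` in csi.bats, `helm install "$(name_prefix)" ...` in injector.bats), and Helm 3 rejects `--name` as an unknown flag; change both to `helm install vault -f "${values}" ${BATS_TEST_DIRNAME}/../..` (keeping the `--set` lines in the HA variant). Separately, `wait_for_sealed_vault` returns success when `.sealed` is `"true"` yet prints `"Vault on ${POD_NAME} is running."`, which reads as the opposite of what was checked; `echo "Vault on ${POD_NAME} is up and sealed."` would match the function name. Both install helpers begin in earlier hunks of this section, and `wait_for_complete_job` starts before the last hunk.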


@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount


@ -1,6 +0,0 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
path "secret/data/kv1" {
capabilities = ["read"]
}


@ -1,8 +1,5 @@
# Copyright (c) HashiCorp, Inc. # The "Hello World" Vault SecretProviderClass
# SPDX-License-Identifier: MPL-2.0 apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
# The "Hello World" OpenBao SecretProviderClass
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass kind: SecretProviderClass
metadata: metadata:
name: vault-kv name: vault-kv
@ -10,6 +7,7 @@ spec:
provider: vault provider: vault
parameters: parameters:
roleName: "kv-role" roleName: "kv-role"
vaultAddress: http://vault:8200
objects: | objects: |
- objectName: "bar" - objectName: "bar"
secretPath: "secret/data/kv1" secretPath: "secret/data/kv1"
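Review bot: `vaultAddress: http://vault:8200` makes the provider send the pod's service-account JWT (for the `kv-role` kubernetes-auth login) and receive the secret over plaintext HTTP; that is only defensible because csi.bats installs the server with `server.dev.enabled=true`, so say so in place: `# plaintext HTTP: acceptable only for this dev-mode acceptance test`. `apiVersion: secrets-store.csi.x-k8s.io/v1alpha1` is the alpha API; it lines up with the driver pinned at `CSI_DRIVER_VERSION=1.0.0` in csi.bats, but the other side of this diff uses `v1`, so bumping the driver will need this manifest updated as well — a comment tying the apiVersion to the pinned driver version would prevent the two drifting apart.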


@ -0,0 +1,3 @@
path "secret/data/kv1" {
capabilities = ["read"]
}


@ -2,80 +2,68 @@
load _helpers load _helpers
@test "csi: testing deployment" { check_skip_csi() {
cd `chart_dir` if [ ! -z ${SKIP_CSI} ]; then
skip "Skipping CSI tests"
fi
}
@test "csi: testing deployment" {
check_skip_csi
cd `chart_dir`
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance kubectl create namespace acceptance
# Install Secrets Store CSI driver # Install Secrets Store CSI driver
# Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly CSI_DRIVER_VERSION=1.0.0
# so we can see Agent's cache working. helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
CSI_DRIVER_VERSION=1.3.2
helm install secrets-store-csi-driver secrets-store-csi-driver \
--repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
--version=$CSI_DRIVER_VERSION \
--wait --timeout=5m \ --wait --timeout=5m \
--namespace=acceptance \ --namespace=acceptance \
--set linux.image.pullPolicy="IfNotPresent" \ --set linux.image.pullPolicy="IfNotPresent" \
--set tokenRequests[0].audience="openbao" \ --set syncSecret.enabled=true
--set enableSecretRotation=true \ # Install Vault and Vault provider
--set rotationPollInterval=5s helm install vault \
# Install OpenBao and OpenBao provider
helm install openbao \
--wait --timeout=5m \ --wait --timeout=5m \
--namespace=acceptance \ --namespace=acceptance \
--set="server.dev.enabled=true" \ --set="server.dev.enabled=true" \
--set="csi.enabled=true" \ --set="csi.enabled=true" \
--set="csi.debug=true" \ --set="injector.enabled=false" .
--set="csi.agent.logLevel=debug" \ kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
--set="injector.enabled=false" \ kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider
.
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
# Set up k8s auth and a kv secret. # Set up k8s auth and a kv secret.
cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy -
kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes
kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
disable_iss_validation=true'
kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
bound_service_account_names=nginx \ bound_service_account_names=nginx \
bound_service_account_namespaces=acceptance \ bound_service_account_namespaces=acceptance \
policies=kv-policy \ policies=kv-policy \
ttl=20m ttl=20m
kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
[[ "$result" == "hello1" ]] [[ "$result" == "hello1" ]]
for i in $(seq 10); do
sleep 2
if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
echo "Agent returned a cached login response"
return
fi
echo "Waiting to confirm the Agent is renewing CSI's auth token..."
done
# Print the logs and fail the test
echo "Failed to find a log for the Agent renewing CSI's auth token"
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
exit 1
} }
# Clean up # Clean up
teardown() { teardown() {
check_skip_csi
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm --namespace=acceptance delete openbao helm --namespace=acceptance delete vault
helm --namespace=acceptance delete secrets-store-csi-driver helm --namespace=acceptance delete secrets-store-csi-driver
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance kubectl delete namespace acceptance
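Review bot: In `teardown()` the `kubectl delete --all pvc` line carries no `--namespace=acceptance`, unlike the two `helm --namespace=acceptance delete` lines beside it, and unlike injector.bats this test never runs `kubectl config set-context --current --namespace=acceptance`, so it deletes every PVC in whatever namespace the developer's kubeconfig currently points at; make it `kubectl --namespace=acceptance delete --all pvc`. The `vault write auth/kubernetes/config` block also sets `disable_iss_validation=true` and hands the server pod's own service-account token in as `token_reviewer_jwt`; both are tolerable for a throwaway dev-mode cluster but deserve `# test-only: issuer validation off, reviewer JWT is the server pod's SA token` so the snippet is not copied into a real deployment. The driver chart is fetched from a raw URL with `?raw=true` and no checksum, which is fine for CI but worth noting as unpinned content. `teardown()` continues past the end of the hunk.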


@ -20,7 +20,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete openbao helm delete vault
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
fi fi


@ -13,9 +13,9 @@ load _helpers
--wait \ --wait \
--timeout=5m \ --timeout=5m \
--set="injector.replicas=3" . --set="injector.replicas=3" .
kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=openbao-agent-injector --timeout=5m kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m
pods=($(kubectl get pods -l app.kubernetes.io/name=openbao-agent-injector -o json | jq -r '.items[] | .metadata.name')) pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name'))
[ "${#pods[@]}" == 3 ] [ "${#pods[@]}" == 3 ]
leader='' leader=''
@ -45,8 +45,8 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete openbao helm delete vault
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance kubectl delete namespace acceptance
fi fi
} }


@ -1,44 +1,41 @@
#!/bin/sh #!/bin/sh
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
OUTPUT=/tmp/output.txt OUTPUT=/tmp/output.txt
bao operator init -n 1 -t 1 >> ${OUTPUT?} vault operator init -n 1 -t 1 >> ${OUTPUT?}
unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g") unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g")
root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g") root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g")
bao operator unseal ${unseal?} vault operator unseal ${unseal?}
bao login -no-print ${root?} vault login -no-print ${root?}
bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl vault policy write db-backup /vault/userconfig/test/pgdump-policy.hcl
bao auth enable kubernetes vault auth enable kubernetes
bao write auth/kubernetes/config \ vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \ kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bao write auth/kubernetes/role/db-backup \ vault write auth/kubernetes/role/db-backup \
bound_service_account_names=pgdump \ bound_service_account_names=pgdump \
bound_service_account_namespaces=acceptance \ bound_service_account_namespaces=acceptance \
policies=db-backup \ policies=db-backup \
ttl=1h ttl=1h
bao secrets enable database vault secrets enable database
bao write database/config/postgresql \ vault write database/config/postgresql \
plugin_name=postgresql-database-plugin \ plugin_name=postgresql-database-plugin \
allowed_roles="db-backup" \ allowed_roles="db-backup" \
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \ connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \
username="openbao" \ username="vault" \
password="openbao" password="vault"
bao write database/roles/db-backup \ vault write database/roles/db-backup \
db_name=postgresql \ db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \ GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \
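Review bot: `${unseal?}` and `${root?}` on the `vault operator unseal` and `vault login -no-print` lines abort only when the variable is unset; if `vault operator init` fails or its output format changes, the `grep | sed` pipelines produce empty strings and the script carries on with empty arguments. Use `${unseal:?}` and `${root:?}` so an empty value also stops it. The init output — the unseal key and initial root token — also stays in `/tmp/output.txt` inside the server pod for the pod's lifetime; add `rm -f "${OUTPUT}"` once both values are extracted, and mark the `sslmode=disable` URL and static `vault`/`vault` superuser credentials on the `database/config/postgresql` write with `# test-only: plaintext DB connection and static superuser password` so they read as deliberate. The script continues past the end of the hunk.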


@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@ -32,11 +29,11 @@ spec:
spec: spec:
serviceAccountName: pgdump serviceAccountName: pgdump
containers: containers:
- name: pgdump - name: pgdump
image: postgres:11.5 image: postgres:11.5
command: command:
- "/bin/sh" - "/bin/sh"
- "-ec" - "-ec"
args: args:
- "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout" - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
restartPolicy: Never restartPolicy: Never


@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -38,7 +35,7 @@ spec:
- containerPort: 5432 - containerPort: 5432
env: env:
- name: POSTGRES_DB - name: POSTGRES_DB
value: mydb value: mydb
- name: POSTGRES_USER - name: POSTGRES_USER
value: postgres value: postgres
- name: POSTGRES_PASSWORD - name: POSTGRES_PASSWORD
@ -52,7 +49,7 @@ spec:
- name: pgdata - name: pgdata
emptyDir: {} emptyDir: {}
- name: pgconf - name: pgconf
configMap: configMap:
name: "pg-init" name: "pg-init"
--- ---
apiVersion: v1 apiVersion: v1
@ -63,10 +60,10 @@ metadata:
app: postgres app: postgres
data: data:
setup.sql: | setup.sql: |
CREATE ROLE openbao; CREATE ROLE vault;
ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao'; ALTER ROLE vault WITH SUPERUSER LOGIN PASSWORD 'vault';
\c mydb \c mydb
CREATE SCHEMA app; CREATE SCHEMA app;
CREATE TABLE app.inventory(id int); CREATE TABLE app.inventory(id int);
INSERT INTO app.inventory(id) VALUES (0); INSERT INTO app.inventory(id) VALUES (0);


@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
path "database/creds/db-backup" { path "database/creds/db-backup" {
capabilities = ["read"] capabilities = ["read"]
} }


@ -4,20 +4,20 @@ load _helpers
@test "injector: testing deployment" { @test "injector: testing deployment" {
cd `chart_dir` cd `chart_dir`
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance kubectl config set-context --current --namespace=acceptance
kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml kubectl create -f ./test/acceptance/injector-test/pg-deployment.yaml
sleep 5 sleep 5
wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}") wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}")
kubectl create secret generic test \ kubectl create secret generic test \
--from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \ --from-file ./test/acceptance/injector-test/pgdump-policy.hcl \
--from-file ../../test/acceptance/injector-test/bootstrap.sh --from-file ./test/acceptance/injector-test/bootstrap.sh
kubectl label secret test app=openbao-agent-demo kubectl label secret test app=vault-agent-demo
helm install "$(name_prefix)" \ helm install "$(name_prefix)" \
--set="server.extraVolumes[0].type=secret" \ --set="server.extraVolumes[0].type=secret" \
@ -26,20 +26,20 @@ load _helpers
wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")
kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /vault/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
sleep 5 sleep 5
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
kubectl create -f ../../test/acceptance/injector-test/job.yaml kubectl create -f ./test/acceptance/injector-test/job.yaml
wait_for_complete_job "pgdump" wait_for_complete_job "pgdump"
} }
@ -48,9 +48,9 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete openbao helm delete vault
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete secret test kubectl delete secret test
kubectl delete job pgdump kubectl delete job pgdump
kubectl delete deployment postgres kubectl delete deployment postgres
kubectl delete namespace acceptance kubectl delete namespace acceptance


@ -8,7 +8,7 @@ load _helpers
kubectl create namespace acceptance kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance kubectl config set-context --current --namespace=acceptance
helm install "$(name_prefix)" -f ../../test/acceptance/server-test/annotations-overrides.yaml . helm install "$(name_prefix)" -f ./test/acceptance/server-test/annotations-overrides.yaml .
wait_for_running $(name_prefix)-0 wait_for_running $(name_prefix)-0
# service annotations # service annotations


@ -43,11 +43,11 @@ load _helpers
[ "${ports}" == "8201" ] [ "${ports}" == "8201" ]
# Sealed, not initialized # Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' ) jq -r '.sealed' )
[ "${sealed_status}" == "false" ] [ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized') jq -r '.initialized')
[ "${init_status}" == "true" ] [ "${init_status}" == "true" ]
} }
@ -57,7 +57,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]] if [[ ${CLEANUP:-true} == "true" ]]
then then
echo "helm/pvc teardown" echo "helm/pvc teardown"
helm delete openbao helm delete vault
kubectl delete --all pvc kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true kubectl delete namespace acceptance --ignore-not-found=true
fi fi
