Compare commits
20 commits
openbao-0.
...
main
Author | SHA1 | Date | |
---|---|---|---|
![]() |
6f5aa63325 | ||
![]() |
766a6a341f | ||
![]() |
72b4014e67 | ||
![]() |
5f31acad6b | ||
![]() |
7a7a5b3711 | ||
![]() |
2e7c23ce62 | ||
![]() |
4549ad2b10 | ||
![]() |
c5b02f372f | ||
![]() |
3dd2dec9e3 | ||
![]() |
a6d9d9f388 | ||
![]() |
f9daaad711 | ||
![]() |
100bfce452 | ||
![]() |
e0be4ae6de | ||
![]() |
4f63aa2373 | ||
![]() |
d6a660e868 | ||
![]() |
5fba05f8f8 | ||
![]() |
5d545983bf | ||
![]() |
540d8c5309 | ||
![]() |
a6f8ccdfed | ||
![]() |
ad8307d533 |
40 changed files with 156 additions and 362 deletions
6
.github/workflows/tests.yaml
vendored
6
.github/workflows/tests.yaml
vendored
|
@ -10,14 +10,14 @@ jobs:
|
|||
chart-verifier:
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
CHART_VERIFIER_VERSION: '1.13.0'
|
||||
CHART_VERIFIER_VERSION: "1.13.7"
|
||||
steps:
|
||||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Setup test tools
|
||||
uses: ./.github/actions/setup-test-tools
|
||||
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
|
||||
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
|
||||
with:
|
||||
go-version: '1.21.3'
|
||||
go-version: "1.22.5"
|
||||
- run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}"
|
||||
- run: bats --tap --timing ./test/chart
|
||||
permissions:
|
||||
|
|
|
@ -3,19 +3,29 @@
|
|||
|
||||
apiVersion: v2
|
||||
name: openbao
|
||||
version: 0.4.0
|
||||
appVersion: v2.0.0-alpha20240329
|
||||
version: 0.6.0
|
||||
appVersion: v2.0.2
|
||||
kubeVersion: ">= 1.27.0-0"
|
||||
description: Official OpenBao Chart
|
||||
home: https://github.com/openbao/openbao-helm
|
||||
icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg
|
||||
keywords: ["vault", "openbao", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
|
||||
keywords:
|
||||
[
|
||||
"vault",
|
||||
"openbao",
|
||||
"security",
|
||||
"encryption",
|
||||
"secrets",
|
||||
"management",
|
||||
"automation",
|
||||
"infrastructure",
|
||||
]
|
||||
sources:
|
||||
- https://github.com/openbao/openbao-helm
|
||||
annotations:
|
||||
charts.openshift.io/name: Openbao
|
||||
|
||||
maintainers:
|
||||
- name: OpenBao
|
||||
email: openbao-security@lists.lfedge.org
|
||||
url: https://openbao.org
|
||||
- name: OpenBao
|
||||
email: openbao-security@lists.lfedge.org
|
||||
url: https://openbao.org
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# openbao
|
||||
|
||||
 
|
||||
 
|
||||
|
||||
Official OpenBao Chart
|
||||
|
||||
|
@ -29,7 +29,7 @@ Kubernetes: `>= 1.27.0-0`
|
|||
| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
|
||||
| csi.agent.image.registry | string | `"quay.io"` | image registry to use for agent image |
|
||||
| csi.agent.image.repository | string | `"openbao/openbao"` | image repo to use for agent image |
|
||||
| csi.agent.image.tag | string | `"2.0.0-alpha20240329"` | image tag to use for agent image |
|
||||
| csi.agent.image.tag | string | `"2.0.2"` | image tag to use for agent image |
|
||||
| csi.agent.logFormat | string | `"standard"` | |
|
||||
| csi.agent.logLevel | string | `"info"` | |
|
||||
| csi.agent.resources | object | `{}` | |
|
||||
|
@ -48,7 +48,7 @@ Kubernetes: `>= 1.27.0-0`
|
|||
| csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" |
|
||||
| csi.image.registry | string | `"docker.io"` | image registry to use for csi image |
|
||||
| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | image repo to use for csi image |
|
||||
| csi.image.tag | string | `"1.4.1"` | image tag to use for csi image |
|
||||
| csi.image.tag | string | `"1.4.0"` | image tag to use for csi image |
|
||||
| csi.livenessProbe.failureThreshold | int | `2` | |
|
||||
| csi.livenessProbe.initialDelaySeconds | int | `5` | |
|
||||
| csi.livenessProbe.periodSeconds | int | `5` | |
|
||||
|
@ -87,11 +87,11 @@ Kubernetes: `>= 1.27.0-0`
|
|||
| injector.agentDefaults.template | string | `"map"` | |
|
||||
| injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | |
|
||||
| injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | |
|
||||
| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.0-alpha20240329"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. |
|
||||
| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.2"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. |
|
||||
| injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
|
||||
| injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image |
|
||||
| injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image |
|
||||
| injector.agentImage.tag | string | `"2.0.0-alpha20240329"` | image tag to use for agent image |
|
||||
| injector.agentImage.tag | string | `"2.0.2"` | image tag to use for agent image |
|
||||
| injector.annotations | object | `{}` | |
|
||||
| injector.authPath | string | `"auth/kubernetes"` | |
|
||||
| injector.certs.caBundle | string | `""` | |
|
||||
|
@ -107,7 +107,7 @@ Kubernetes: `>= 1.27.0-0`
|
|||
| injector.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for k8s image. if tag is "latest", set to "Always" |
|
||||
| injector.image.registry | string | `"docker.io"` | image registry to use for k8s image |
|
||||
| injector.image.repository | string | `"hashicorp/vault-k8s"` | image repo to use for k8s image |
|
||||
| injector.image.tag | string | `"1.3.1"` | image tag to use for k8s image |
|
||||
| injector.image.tag | string | `"1.4.2"` | image tag to use for k8s image |
|
||||
| injector.leaderElector | object | `{"enabled":true}` | If multiple replicas are specified, by default a leader will be determined so that only one injector attempts to create TLS certificates. |
|
||||
| injector.livenessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
|
||||
| injector.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
|
||||
|
@ -194,7 +194,7 @@ Kubernetes: `>= 1.27.0-0`
|
|||
| server.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for server image. if tag is "latest", set to "Always" |
|
||||
| server.image.registry | string | `"quay.io"` | image registry to use for server image |
|
||||
| server.image.repository | string | `"openbao/openbao"` | image repo to use for server image |
|
||||
| server.image.tag | string | `"2.0.0-alpha20240329"` | image tag to use for server image |
|
||||
| server.image.tag | string | `"2.0.2"` | image tag to use for server image |
|
||||
| server.ingress.activeService | bool | `true` | |
|
||||
| server.ingress.annotations | object | `{}` | |
|
||||
| server.ingress.enabled | bool | `false` | |
|
||||
|
@ -292,5 +292,3 @@ Kubernetes: `>= 1.27.0-0`
|
|||
| ui.serviceType | string | `"ClusterIP"` | |
|
||||
| ui.targetPort | int | `8200` | |
|
||||
|
||||
----------------------------------------------
|
||||
Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
|
||||
|
|
|
@ -103,7 +103,7 @@ spec:
|
|||
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
|
||||
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
|
||||
- name: {{ include "openbao.name" . }}-agent
|
||||
image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
|
||||
image: "{{ .Values.csi.agent.image.registry | default "docker.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
|
||||
{{ template "csi.agent.resources" . }}
|
||||
command:
|
||||
|
@ -117,9 +117,9 @@ spec:
|
|||
ports:
|
||||
- containerPort: 8200
|
||||
env:
|
||||
- name: VAULT_LOG_LEVEL
|
||||
- name: BAO_LOG_LEVEL
|
||||
value: "{{ .Values.csi.agent.logLevel }}"
|
||||
- name: VAULT_LOG_FORMAT
|
||||
- name: BAO_LOG_FORMAT
|
||||
value: "{{ .Values.csi.agent.logFormat }}"
|
||||
securityContext:
|
||||
runAsNonRoot: true
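Review bot: The fallback on the agent container's `image:` line is `default "docker.io"`, but the README table on this page documents `csi.agent.image.registry` as `"quay.io"` for the `openbao/openbao` repository. If the registry value is empty or null, the agent image would be pulled from a different registry than the one the chart documents. Assuming the registry-prefixed line is the new side, I would make the fallback match the values default: `image: "{{ .Values.csi.agent.image.registry | default "quay.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"`. A silent change of image source is a supply-chain risk, so a short comment naming the authoritative registry would also help. The container spec starts and ends outside both hunks.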
|
||||
|
|
|
@ -69,7 +69,7 @@ spec:
|
|||
- name: AGENT_INJECT_VAULT_AUTH_PATH
|
||||
value: {{ .Values.injector.authPath }}
|
||||
- name: AGENT_INJECT_VAULT_IMAGE
|
||||
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
|
||||
value: "{{ .Values.injector.image.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
|
||||
{{- if .Values.injector.certs.secretName }}
|
||||
- name: AGENT_INJECT_TLS_CERT_FILE
|
||||
value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
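Review bot: The `AGENT_INJECT_VAULT_IMAGE` value takes its registry from `.Values.injector.image.registry`, which belongs to the injector's own image, while the repository and tag come from `.Values.injector.agentImage` (assuming the registry-prefixed line is the new side). The README table on this page lists `injector.image.registry` as `"docker.io"` and `injector.agentImage.registry` as `"quay.io"`. With default values this would therefore render `docker.io/openbao/openbao:2.0.2`, and injected agent containers would be pulled from a registry other than the documented one. I would change the line to `value: "{{ .Values.injector.agentImage.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"` and add a unit test that sets the two registries to different values. The env list continues outside the hunk.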
|
||||
|
|
|
@ -14,13 +14,13 @@ injector:
|
|||
agentImage:
|
||||
registry: "quay.io"
|
||||
repository: "openbao/openbao"
|
||||
tag: "v2.0.0-alpha20240329-ubi"
|
||||
tag: "v2.0.2-ubi"
|
||||
|
||||
server:
|
||||
image:
|
||||
registry: "quay.io"
|
||||
repository: "openbao/openbao"
|
||||
tag: "v2.0.0-alpha20240329-ubi"
|
||||
tag: "v2.0.2-ubi"
|
||||
|
||||
readinessProbe:
|
||||
path: "/v1/sys/health?uninitcode=204"
|
||||
|
|
|
@ -71,7 +71,7 @@ injector:
|
|||
# -- image repo to use for k8s image
|
||||
repository: "hashicorp/vault-k8s"
|
||||
# -- image tag to use for k8s image
|
||||
tag: "1.3.1"
|
||||
tag: "1.4.2"
|
||||
# -- image pull policy to use for k8s image. if tag is "latest", set to "Always"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
|
@ -84,7 +84,7 @@ injector:
|
|||
# -- image repo to use for agent image
|
||||
repository: "openbao/openbao"
|
||||
# -- image tag to use for agent image
|
||||
tag: "2.0.0-alpha20240329"
|
||||
tag: "2.0.2"
|
||||
# -- image pull policy to use for agent image. if tag is "latest", set to "Always"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
|
@ -288,7 +288,8 @@ injector:
|
|||
|
||||
# extraEnvironmentVars is a list of extra environment variables to set in the
|
||||
# injector deployment.
|
||||
extraEnvironmentVars: {}
|
||||
extraEnvironmentVars:
|
||||
{}
|
||||
# KUBERNETES_SERVICE_HOST: kubernetes.default.svc
|
||||
|
||||
# Affinity Settings for injector pods
|
||||
|
@ -379,7 +380,7 @@ server:
|
|||
# -- image repo to use for server image
|
||||
repository: "openbao/openbao"
|
||||
# -- image tag to use for server image
|
||||
tag: "2.0.0-alpha20240329"
|
||||
tag: "2.0.2"
|
||||
# -- image pull policy to use for server image. if tag is "latest", set to "Always"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
|
@ -410,9 +411,11 @@ server:
|
|||
# In order to expose the service, use the route section below
|
||||
ingress:
|
||||
enabled: false
|
||||
labels: {}
|
||||
labels:
|
||||
{}
|
||||
# traffic: external
|
||||
annotations: {}
|
||||
annotations:
|
||||
{}
|
||||
# |
|
||||
# kubernetes.io/ingress.class: nginx
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
|
@ -473,14 +476,15 @@ server:
|
|||
|
||||
# authDelegator enables a cluster role binding to be attached to the service
|
||||
# account. This cluster role binding can be used to setup Kubernetes auth
|
||||
# method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
|
||||
# method. See https://openbao.org/docs/auth/kubernetes
|
||||
authDelegator:
|
||||
enabled: true
|
||||
|
||||
# -- extraInitContainers is a list of init containers. Specified as a YAML list.
|
||||
# This is useful if you need to run a script to provision TLS certificates or
|
||||
# write out configuration files in a dynamic way.
|
||||
extraInitContainers: []
|
||||
extraInitContainers:
|
||||
[]
|
||||
# # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
|
||||
# # which is defined in the volumes value.
|
||||
# - name: oauthapp
|
||||
|
@ -508,7 +512,8 @@ server:
|
|||
|
||||
# -- extraPorts is a list of extra ports. Specified as a YAML list.
|
||||
# This is useful if you need to add additional ports to the statefulset in dynamic way.
|
||||
extraPorts: []
|
||||
extraPorts:
|
||||
[]
|
||||
# - containerPort: 8300
|
||||
# name: http-monitoring
|
||||
|
||||
|
@ -570,14 +575,16 @@ server:
|
|||
|
||||
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
|
||||
# used to include variables required for auto-unseal.
|
||||
extraEnvironmentVars: {}
|
||||
extraEnvironmentVars:
|
||||
{}
|
||||
# GOOGLE_REGION: global
|
||||
# GOOGLE_PROJECT: myproject
|
||||
# GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json
|
||||
|
||||
# extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
|
||||
# These variables take value from existing Secret objects.
|
||||
extraSecretEnvironmentVars: []
|
||||
extraSecretEnvironmentVars:
|
||||
[]
|
||||
# - envName: AWS_SECRET_ACCESS_KEY
|
||||
# secretName: openbao
|
||||
# secretKey: AWS_SECRET_ACCESS_KEY
|
||||
|
@ -586,7 +593,8 @@ server:
|
|||
# extraVolumes is a list of extra volumes to mount. These will be exposed
|
||||
# to OpenBao in the path `/openbao/userconfig/<name>/`. The value below is
|
||||
# an array of objects, examples are shown below.
|
||||
extraVolumes: []
|
||||
extraVolumes:
|
||||
[]
|
||||
# - type: secret (or "configMap")
|
||||
# name: my-secret
|
||||
# path: null # default is `/openbao/userconfig`
|
||||
|
@ -651,12 +659,12 @@ server:
|
|||
# port: 443
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector: {}
|
||||
- namespaceSelector: {}
|
||||
ports:
|
||||
- port: 8200
|
||||
protocol: TCP
|
||||
- port: 8201
|
||||
protocol: TCP
|
||||
- port: 8200
|
||||
protocol: TCP
|
||||
- port: 8201
|
||||
protocol: TCP
|
||||
|
||||
# Priority class for server pods
|
||||
priorityClassName: ""
|
||||
|
@ -764,7 +772,7 @@ server:
|
|||
|
||||
# This configures the OpenBao Statefulset to create a PVC for data
|
||||
# storage when using the file or raft backend storage engines.
|
||||
# See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
|
||||
# See https://openbao.org/docs/configuration/storage to know more
|
||||
dataStorage:
|
||||
enabled: true
|
||||
# Size of the PVC created
|
||||
|
@ -793,7 +801,7 @@ server:
|
|||
# logs. Once OpenBao is deployed, initialized, and unsealed, OpenBao must
|
||||
# be configured to use this for audit logs. This will be mounted to
|
||||
# /openbao/audit
|
||||
# See https://developer.hashicorp.com/vault/docs/audit to know more
|
||||
# See https://openbao.org/docs/audit to know more
|
||||
auditStorage:
|
||||
enabled: false
|
||||
# Size of the PVC created
|
||||
|
@ -814,7 +822,7 @@ server:
|
|||
# and no initialization. This is useful for experimenting with OpenBao without
|
||||
# needing to unseal, store keys, et. al. All data is lost on restart - do not
|
||||
# use dev mode for anything other than experimenting.
|
||||
# See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
|
||||
# See https://openbao.org/docs/concepts/dev-server to know more
|
||||
dev:
|
||||
enabled: false
|
||||
|
||||
|
@ -836,7 +844,7 @@ server:
|
|||
# Note: Configuration files are stored in ConfigMaps so sensitive data
|
||||
# such as passwords should be either mounted through extraSecretEnvironmentVars
|
||||
# or through a Kube secret. For more information see:
|
||||
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
|
||||
# https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
|
||||
config: |
|
||||
ui = true
|
||||
|
||||
|
@ -879,12 +887,12 @@ server:
|
|||
replicas: 3
|
||||
|
||||
# Set the api_addr configuration for OpenBao HA
|
||||
# See https://developer.hashicorp.com/vault/docs/configuration#api_addr
|
||||
# See https://openbao.org/docs/configuration#api_addr
|
||||
# If set to null, this will be set to the Pod IP Address
|
||||
apiAddr: null
|
||||
|
||||
# Set the cluster_addr confuguration for OpenBao HA
|
||||
# See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
|
||||
# See https://openbao.org/docs/configuration#cluster_addr
|
||||
# If set to null, this will be set to https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201
|
||||
clusterAddr: null
|
||||
|
||||
|
@ -893,7 +901,6 @@ server:
|
|||
# persistent volumes for OpenBao to store data according to the configuration under server.dataStorage.
|
||||
# The OpenBao cluster will coordinate leader elections and failovers internally.
|
||||
raft:
|
||||
|
||||
# Enables Raft integrated storage
|
||||
enabled: false
|
||||
# Set the Node Raft ID to the name of the pod
|
||||
|
@ -902,7 +909,7 @@ server:
|
|||
# Note: Configuration files are stored in ConfigMaps so sensitive data
|
||||
# such as passwords should be either mounted through extraSecretEnvironmentVars
|
||||
# or through a Kube secret. For more information see:
|
||||
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
|
||||
# https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
|
||||
config: |
|
||||
ui = true
|
||||
|
||||
|
@ -929,7 +936,7 @@ server:
|
|||
# Note: Configuration files are stored in ConfigMaps so sensitive data
|
||||
# such as passwords should be either mounted through extraSecretEnvironmentVars
|
||||
# or through a Kube secret. For more information see:
|
||||
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
|
||||
# https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
|
||||
config: |
|
||||
ui = true
|
||||
|
||||
|
@ -968,8 +975,8 @@ server:
|
|||
disruptionBudget:
|
||||
enabled: true
|
||||
|
||||
# maxUnavailable will default to (n/2)-1 where n is the number of
|
||||
# replicas. If you'd like a custom value, you can specify an override here.
|
||||
# maxUnavailable will default to (n/2)-1 where n is the number of
|
||||
# replicas. If you'd like a custom value, you can specify an override here.
|
||||
maxUnavailable: null
|
||||
|
||||
# Definition of the serviceAccount used to run Vault.
|
||||
|
@ -996,7 +1003,7 @@ server:
|
|||
extraLabels: {}
|
||||
# Enable or disable a service account role binding with the permissions required for
|
||||
# OpenBao's Kubernetes service_registration config option.
|
||||
# See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
|
||||
# See https://openbao.org/docs/configuration/service-registration/kubernetes
|
||||
serviceDiscovery:
|
||||
enabled: true
|
||||
|
||||
|
@ -1093,7 +1100,7 @@ csi:
|
|||
# -- image repo to use for csi image
|
||||
repository: "hashicorp/vault-csi-provider"
|
||||
# -- image tag to use for csi image
|
||||
tag: "1.4.1"
|
||||
tag: "1.4.0"
|
||||
# -- image pull policy to use for csi image. if tag is "latest", set to "Always"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
|
@ -1183,7 +1190,7 @@ csi:
|
|||
# -- image repo to use for agent image
|
||||
repository: "openbao/openbao"
|
||||
# -- image tag to use for agent image
|
||||
tag: "2.0.0-alpha20240329"
|
||||
tag: "2.0.2"
|
||||
# -- image pull policy to use for agent image. if tag is "latest", set to "Always"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
|
@ -1241,7 +1248,7 @@ csi:
|
|||
debug: false
|
||||
|
||||
# Pass arbitrary additional arguments to vault-csi-provider.
|
||||
# See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments
|
||||
# See https://openbao.org/docs/platform/k8s/csi/configurations#command-line-arguments
|
||||
# for the available command line flags.
|
||||
extraArgs: []
|
||||
|
||||
|
@ -1250,8 +1257,8 @@ csi:
|
|||
# the OpenBao configuration. There are a few examples included in the `config` sections above.
|
||||
#
|
||||
# For more information see:
|
||||
# https://developer.hashicorp.com/vault/docs/configuration/telemetry
|
||||
# https://developer.hashicorp.com/vault/docs/internals/telemetry
|
||||
# https://openbao.org/docs/configuration/telemetry
|
||||
# https://openbao.org/docs/internals/telemetry
|
||||
serverTelemetry:
|
||||
# Enable support for the Prometheus Operator. Currently, this chart does not support
|
||||
# authenticating to OpenBao's metrics endpoint, so the following `telemetry{}` must be included
|
||||
|
@ -1321,8 +1328,8 @@ serverTelemetry:
|
|||
# severity: warning
|
||||
# - alert: vault-HighResponseTime
|
||||
# annotations:
|
||||
# message: The response time of OpenBao is over 1s on average over the last 5 minutes.
|
||||
# message: The response time of OpenBao is over 1s on average over the last 10 minutes.
|
||||
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
|
||||
# for: 5m
|
||||
# for: 10m
|
||||
# labels:
|
||||
# severity: critical
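Review bot: In the `@ -1093,7 +1100,7 @@ csi:` hunk the `hashicorp/vault-csi-provider` tag appears to move from `"1.4.1"` to `"1.4.0"`, a downgrade, while every other image tag in this file moves forward. This reads the pair as old then new, as the other tag pairs on this page suggest. If the downgrade is intentional, a comment above the tag should say why, for example `# held at 1.4.0: <reason placeholder>`, so that a later routine bump does not silently undo it. If it is not intentional, keep `tag: "1.4.1"`. The README hunk on this page carries the same pair and should stay in step with whichever value is chosen.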
|
||||
|
|
|
@ -23,7 +23,7 @@ helm_install() {
|
|||
|
||||
helm install -f ${values} \
|
||||
--name openbao \
|
||||
${BATS_TEST_DIRNAME}/../..
|
||||
${BATS_TEST_DIRNAME}/../../charts/openbao
|
||||
}
|
||||
|
||||
# helm_install_ha installs the openbao chart using HA mode. This will source
|
||||
|
@ -40,7 +40,7 @@ helm_install_ha() {
|
|||
--name openbao \
|
||||
--set 'server.enabled=false' \
|
||||
--set 'serverHA.enabled=true' \
|
||||
${BATS_TEST_DIRNAME}/../..
|
||||
${BATS_TEST_DIRNAME}/../../charts/openbao
|
||||
}
|
||||
|
||||
# wait for consul to be ready
|
||||
|
|
|
@ -5,9 +5,9 @@
|
|||
apiVersion: secrets-store.csi.x-k8s.io/v1
|
||||
kind: SecretProviderClass
|
||||
metadata:
|
||||
name: openbao-kv
|
||||
name: vault-kv
|
||||
spec:
|
||||
provider: openbao
|
||||
provider: vault
|
||||
parameters:
|
||||
roleName: "kv-role"
|
||||
objects: |
|
||||
|
|
|
@ -35,7 +35,7 @@ load _helpers
|
|||
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
|
||||
|
||||
# Set up k8s auth and a kv secret.
|
||||
cat ./test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy -
|
||||
cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
|
||||
kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
|
||||
kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
|
||||
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
|
||||
|
@ -46,8 +46,8 @@ load _helpers
|
|||
ttl=20m
|
||||
kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
|
||||
|
||||
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
|
||||
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
|
||||
kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
|
||||
kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
|
||||
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
|
||||
|
||||
result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
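Review bot: The fixture paths on the changed lines (`../../test/acceptance/csi-test/...`) are relative to whatever directory the test has changed into, so they break again the next time the chart directory moves. The same pattern recurs in the injector, server-annotations and server-telemetry test hunks further down this page. Bats exposes the test file's directory, so (assuming this file lives in `test/acceptance`) `kubectl --namespace=acceptance apply -f "${BATS_TEST_DIRNAME}/csi-test/nginx.yaml"` would not depend on the working directory. The policy line can also drop the extra `cat` by redirecting the file into `kubectl exec -i`. The test body starts and ends outside both hunks.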
|
||||
|
|
|
@ -13,9 +13,9 @@ load _helpers
|
|||
--wait \
|
||||
--timeout=5m \
|
||||
--set="injector.replicas=3" .
|
||||
kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m
|
||||
kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=openbao-agent-injector --timeout=5m
|
||||
|
||||
pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name'))
|
||||
pods=($(kubectl get pods -l app.kubernetes.io/name=openbao-agent-injector -o json | jq -r '.items[] | .metadata.name'))
|
||||
[ "${#pods[@]}" == 3 ]
|
||||
|
||||
leader=''
|
||||
|
@ -49,4 +49,4 @@ teardown() {
|
|||
kubectl delete --all pvc
|
||||
kubectl delete namespace acceptance
|
||||
fi
|
||||
}
|
||||
}
|
||||
|
|
|
@ -32,11 +32,11 @@ spec:
|
|||
spec:
|
||||
serviceAccountName: pgdump
|
||||
containers:
|
||||
- name: pgdump
|
||||
image: postgres:11.5
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- "-ec"
|
||||
args:
|
||||
- "/usr/bin/pg_dump $(cat /openbao/secrets/db-creds) --no-owner > /dev/stdout"
|
||||
- name: pgdump
|
||||
image: postgres:11.5
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- "-ec"
|
||||
args:
|
||||
- "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
|
||||
restartPolicy: Never
|
||||
|
|
|
@ -9,13 +9,13 @@ load _helpers
|
|||
kubectl create namespace acceptance
|
||||
kubectl config set-context --current --namespace=acceptance
|
||||
|
||||
kubectl create -f ./test/acceptance/injector-test/pg-deployment.yaml
|
||||
kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml
|
||||
sleep 5
|
||||
wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}")
|
||||
|
||||
kubectl create secret generic test \
|
||||
--from-file ./test/acceptance/injector-test/pgdump-policy.hcl \
|
||||
--from-file ./test/acceptance/injector-test/bootstrap.sh
|
||||
--from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \
|
||||
--from-file ../../test/acceptance/injector-test/bootstrap.sh
|
||||
|
||||
kubectl label secret test app=openbao-agent-demo
|
||||
|
||||
|
@ -39,7 +39,7 @@ load _helpers
|
|||
[ "${init_status}" == "true" ]
|
||||
|
||||
|
||||
kubectl create -f ./test/acceptance/injector-test/job.yaml
|
||||
kubectl create -f ../../test/acceptance/injector-test/job.yaml
|
||||
wait_for_complete_job "pgdump"
|
||||
}
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@ load _helpers
|
|||
kubectl create namespace acceptance
|
||||
kubectl config set-context --current --namespace=acceptance
|
||||
|
||||
helm install "$(name_prefix)" -f ./test/acceptance/server-test/annotations-overrides.yaml .
|
||||
helm install "$(name_prefix)" -f ../../test/acceptance/server-test/annotations-overrides.yaml .
|
||||
wait_for_running $(name_prefix)-0
|
||||
|
||||
# service annotations
|
||||
|
|
|
@ -1,121 +0,0 @@
|
|||
#!/usr/bin/env bats
|
||||
|
||||
load _helpers
|
||||
|
||||
@test "server/ha: testing deployment" {
|
||||
cd `chart_dir`
|
||||
|
||||
helm install "$(name_prefix)" \
|
||||
--set='server.ha.enabled=true' .
|
||||
wait_for_running $(name_prefix)-0
|
||||
|
||||
# Sealed, not initialized
|
||||
wait_for_sealed_vault $(name_prefix)-0
|
||||
|
||||
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
|
||||
jq -r '.initialized')
|
||||
[ "${init_status}" == "false" ]
|
||||
|
||||
# Replicas
|
||||
local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
|
||||
jq -r '.spec.replicas')
|
||||
[ "${replicas}" == "3" ]
|
||||
|
||||
# Volume Mounts
|
||||
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
|
||||
jq -r '.spec.template.spec.containers[0].volumeMounts | length')
|
||||
[ "${volumeCount}" == "2" ]
|
||||
|
||||
# Volumes
|
||||
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
|
||||
jq -r '.spec.template.spec.volumes | length')
|
||||
[ "${volumeCount}" == "2" ]
|
||||
|
||||
local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
|
||||
jq -r '.spec.template.spec.volumes[0].configMap.name')
|
||||
[ "${volume}" == "$(name_prefix)-config" ]
|
||||
|
||||
# Service
|
||||
local service=$(kubectl get service "$(name_prefix)" --output json |
|
||||
jq -r '.spec.clusterIP')
|
||||
[ "${service}" != "None" ]
|
||||
|
||||
local service=$(kubectl get service "$(name_prefix)" --output json |
|
||||
jq -r '.spec.type')
|
||||
[ "${service}" == "ClusterIP" ]
|
||||
|
||||
local ports=$(kubectl get service "$(name_prefix)" --output json |
|
||||
jq -r '.spec.ports | length')
|
||||
[ "${ports}" == "2" ]
|
||||
|
||||
local ports=$(kubectl get service "$(name_prefix)" --output json |
|
||||
jq -r '.spec.ports[0].port')
|
||||
[ "${ports}" == "8200" ]
|
||||
|
||||
local ports=$(kubectl get service "$(name_prefix)" --output json |
|
||||
jq -r '.spec.ports[1].port')
|
||||
[ "${ports}" == "8201" ]
|
||||
|
||||
# OpenBao Init
|
||||
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
|
||||
bao operator init -format=json -n 1 -t 1 | \
|
||||
jq -r '.unseal_keys_b64[0]')
|
||||
[ "${token}" != "" ]
|
||||
|
||||
# OpenBao Unseal
|
||||
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
|
||||
for pod in "${pods[@]}"
|
||||
do
|
||||
kubectl exec -ti ${pod} -- bao operator unseal ${token}
|
||||
done
|
||||
|
||||
wait_for_ready "$(name_prefix)-0"
|
||||
|
||||
# Sealed, not initialized
|
||||
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
|
||||
jq -r '.sealed' )
|
||||
[ "${sealed_status}" == "false" ]
|
||||
|
||||
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
|
||||
jq -r '.initialized')
|
||||
[ "${init_status}" == "true" ]
|
||||
}
|
||||
|
||||
# setup a consul env
|
||||
setup() {
|
||||
kubectl delete namespace acceptance --ignore-not-found=true
|
||||
kubectl create namespace acceptance
|
||||
kubectl config set-context --current --namespace=acceptance
|
||||
|
||||
helm repo add hashicorp https://helm.releases.hashicorp.com
|
||||
helm repo update
|
||||
|
||||
CONSUL_HELM_VERSION=v0.48.0
|
||||
|
||||
K8S_MAJOR=$(kubectl version --output=json | jq -r .serverVersion.major)
|
||||
K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor)
|
||||
if [ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]; then
|
||||
CONSUL_HELM_VERSION=v0.32.1
|
||||
fi
|
||||
helm install consul hashicorp/consul \
|
||||
--version $CONSUL_HELM_VERSION \
|
||||
--set 'ui.enabled=false'
|
||||
|
||||
wait_for_running_consul
|
||||
}
|
||||
|
||||
#cleanup
|
||||
teardown() {
|
||||
if [[ ${CLEANUP:-true} == "true" ]]
|
||||
then
|
||||
# If the test failed, print some debug output
|
||||
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
|
||||
kubectl logs -l app=consul
|
||||
kubectl logs -l app.kubernetes.io/name=openbao
|
||||
fi
|
||||
helm delete openbao
|
||||
helm delete consul
|
||||
kubectl delete --all pvc
|
||||
kubectl delete namespace acceptance --ignore-not-found=true
|
||||
fi
|
||||
}
|
|
@ -19,7 +19,7 @@ load _helpers
|
|||
|
||||
helm install \
|
||||
--wait \
|
||||
--values ./test/acceptance/server-test/telemetry.yaml \
|
||||
--values ../../test/acceptance/server-test/telemetry.yaml \
|
||||
"$(name_prefix)" .
|
||||
|
||||
wait_for_running $(name_prefix)-0
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
# chart_dir returns the directory for the chart
|
||||
chart_dir() {
|
||||
echo ${BATS_TEST_DIRNAME}/../..
|
||||
echo ${BATS_TEST_DIRNAME}/../../charts/openbao
|
||||
}
|
||||
|
||||
# check_result checks if the specified test passed
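Review bot: `chart_dir` echoes `${BATS_TEST_DIRNAME}/../../charts/openbao` unquoted, and the callers visible on this page pass its output to `cd` through an unquoted command substitution. A checkout path containing spaces or glob characters would therefore be word-split before `cd` sees it. I would write `echo "${BATS_TEST_DIRNAME}/../../charts/openbao"` here and `cd "$(chart_dir)"` at the call sites. The `helm_install` and `helm_install_ha` hunks earlier on this page pass the same unquoted path to `helm install` and would benefit from the same quoting.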
|
||||
|
|
|
@ -6,7 +6,7 @@ setup_file() {
|
|||
cd `chart_dir`
|
||||
export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json"
|
||||
export CHART_VOLUME=openbao-helm-chart-src
|
||||
local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1"
|
||||
local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7"
|
||||
# chart-verifier requires an openshift version if a cluster isn't available
|
||||
local OPENSHIFT_VERSION="4.12"
|
||||
local DISABLED_TESTS="chart-testing"
|
||||
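Review bot: The new `local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7"` pins the verifier image by tag only, and a tag can be re-pointed in the registry without any change to this repository. The neighbouring `CHART_VOLUME` variable suggests the image is run against the chart source, so an immutable reference is the safer default: `local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7@sha256:<digest of the 1.13.7 image>"`, with the placeholder replaced by the digest the maintainers have verified. A short comment above the line recording where the digest was taken from would make later bumps reviewable. The rest of `setup_file` lies outside this hunk.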
|
|
|
@ -30,4 +30,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.name' | tee /dev/stderr)
|
||||
[ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -61,4 +61,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.subjects[0].namespace' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -101,13 +101,13 @@ load _helpers
|
|||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "Image1:0.0.1" ]
|
||||
[ "${actual}" = "docker.io/Image1:0.0.1" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[0].imagePullPolicy' | tee /dev/stderr)
|
||||
[ "${actual}" = "PullPolicy1" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[1].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "Image2:0.0.2" ]
|
||||
[ "${actual}" = "quay.io/Image2:0.0.2" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[1].imagePullPolicy' | tee /dev/stderr)
|
||||
[ "${actual}" = "PullPolicy2" ]
|
||||
|
@ -796,7 +796,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = "error" ]
|
||||
}
|
||||
|
||||
|
@ -810,7 +810,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = "json" ]
|
||||
}
|
||||
|
||||
|
|
|
@ -38,4 +38,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.namespace' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -38,4 +38,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.subjects[0].namespace' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -69,7 +69,7 @@ load _helpers
|
|||
--set 'injector.image.tag=1.2.3' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:1.2.3" ]
|
||||
[ "${actual}" = "docker.io/foo:1.2.3" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/injector-deployment.yaml \
|
||||
|
@ -77,7 +77,7 @@ load _helpers
|
|||
--set 'injector.image.tag=1.2.3' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:1.2.3" ]
|
||||
[ "${actual}" = "docker.io/foo:1.2.3" ]
|
||||
}
|
||||
|
||||
@test "injector/deployment: default imagePullPolicy" {
|
||||
|
|
|
@ -331,4 +331,4 @@ load _helpers
|
|||
yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr)
|
||||
|
||||
[ "${actual}" = "true" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -53,4 +53,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.namespace' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -53,4 +53,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.namespace' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -87,4 +87,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.subjects[0].namespace' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -43,7 +43,7 @@ load _helpers
|
|||
--set 'server.dev.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:1.2.3" ]
|
||||
[ "${actual}" = "quay.io/foo:1.2.3" ]
|
||||
}
|
||||
|
||||
@test "server/ha-StatefulSet: image tag defaults to latest" {
|
||||
|
@ -56,7 +56,7 @@ load _helpers
|
|||
--set 'server.dev.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:latest" ]
|
||||
[ "${actual}" = "quay.io/foo:latest" ]
|
||||
}
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
|
|
|
@ -57,4 +57,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.namespace' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -57,4 +57,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.namespace' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -43,7 +43,7 @@ load _helpers
|
|||
--set 'server.ha.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:1.2.3" ]
|
||||
[ "${actual}" = "quay.io/foo:1.2.3" ]
|
||||
}
|
||||
|
||||
@test "server/ha-StatefulSet: image tag defaults to latest" {
|
||||
|
@ -56,7 +56,7 @@ load _helpers
|
|||
--set 'server.ha.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:latest" ]
|
||||
[ "${actual}" = "quay.io/foo:latest" ]
|
||||
}
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
|
@ -71,7 +71,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = "http://127.0.0.1:8200" ]
|
||||
}
|
||||
|
||||
|
@ -84,7 +84,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = "https://127.0.0.1:8200" ]
|
||||
}
|
||||
|
||||
|
@ -407,7 +407,7 @@ load _helpers
|
|||
}
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
# VAULT_API_ADDR renders
|
||||
# BAO_API_ADDR renders
|
||||
|
||||
@test "server/ha-StatefulSet: api addr renders to Pod IP by default" {
|
||||
cd `chart_dir`
|
||||
|
@ -418,7 +418,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_API_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = 'http://$(POD_IP):8200' ]
|
||||
}
|
||||
|
||||
|
@ -432,12 +432,12 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_API_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_API_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = "https://example.com:8200" ]
|
||||
}
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
# VAULT_CLUSTER_ADDR renders
|
||||
# BAO_CLUSTER_ADDR renders
|
||||
|
||||
@test "server/ha-StatefulSet: clusterAddr not set" {
|
||||
cd `chart_dir`
|
||||
|
@ -449,7 +449,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ]
|
||||
}
|
||||
|
||||
|
@ -464,7 +464,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ]
|
||||
}
|
||||
|
||||
|
@ -479,7 +479,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = 'https://test.example.com:8201' ]
|
||||
}
|
||||
|
||||
|
@ -494,7 +494,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = 'http://$(HOSTNAME).release-name-openbao-internal:8201' ]
|
||||
}
|
||||
|
||||
|
@ -515,7 +515,7 @@ local value=$(echo $rendered |
|
|||
}
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
# VAULT_RAFT_NODE_ID renders
|
||||
# BAO_RAFT_NODE_ID renders
|
||||
|
||||
@test "server/ha-StatefulSet: raft node ID renders" {
|
||||
cd `chart_dir`
|
||||
|
@ -528,7 +528,7 @@ local value=$(echo $rendered |
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $object |
|
||||
yq -r 'map(select(.name=="VAULT_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_RAFT_NODE_ID")) | .[] .valueFrom.fieldRef.fieldPath' | tee /dev/stderr)
|
||||
[ "${value}" = "metadata.name" ]
|
||||
}
|
||||
|
||||
|
|
|
@ -74,25 +74,3 @@ load _helpers
|
|||
yq '.spec.ipFamilies' -c | tee /dev/stderr)
|
||||
[ "${actual}" = '["IPv4","IPv6"]' ]
|
||||
}
|
||||
|
||||
@test "server/headless-Service: Assert ipFamilyPolicy is not set if version below 1.23" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/server-headless-service.yaml \
|
||||
--kube-version 1.27.0 \
|
||||
--set 'server.service.ipFamilyPolicy=PreferDualStack' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
@test "server/headless-Service: Assert ipFamilies is not set if version below 1.23" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/server-headless-service.yaml \
|
||||
--kube-version 1.27.0 \
|
||||
--set 'server.service.ipFamilies={IPv4,IPv6}' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.ipFamilies' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
|
@ -127,4 +127,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.namespace' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -127,4 +127,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.namespace' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -487,25 +487,3 @@ load _helpers
|
|||
yq '.spec.ipFamilies' -c | tee /dev/stderr)
|
||||
[ "${actual}" = '["IPv4","IPv6"]' ]
|
||||
}
|
||||
|
||||
@test "server/Service: Assert ipFamilyPolicy is not set if version below 1.23" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--kube-version 1.27.0 \
|
||||
--set 'server.service.ipFamilyPolicy=PreferDualStack' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
@test "server/Service: Assert ipFamilies is not set if version below 1.23" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/server-service.yaml \
|
||||
--kube-version 1.27.0 \
|
||||
--set 'server.service.ipFamilies={IPv4,IPv6}' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.ipFamilies' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
|
@ -145,4 +145,4 @@ load _helpers
|
|||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.labels.foo' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -105,7 +105,7 @@ load _helpers
|
|||
--set 'server.image.tag=1.2.3' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:1.2.3" ]
|
||||
[ "${actual}" = "quay.io/foo:1.2.3" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/server-statefulset.yaml \
|
||||
|
@ -114,7 +114,7 @@ load _helpers
|
|||
--set 'server.standalone.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:1.2.3" ]
|
||||
[ "${actual}" = "quay.io/foo:1.2.3" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: image tag defaults to latest" {
|
||||
|
@ -125,7 +125,7 @@ load _helpers
|
|||
--set 'server.image.tag=' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:latest" ]
|
||||
[ "${actual}" = "quay.io/foo:latest" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/server-statefulset.yaml \
|
||||
|
@ -134,7 +134,7 @@ load _helpers
|
|||
--set 'server.standalone.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:latest" ]
|
||||
[ "${actual}" = "quay.io/foo:latest" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: default imagePullPolicy" {
|
||||
|
@ -224,43 +224,11 @@ load _helpers
|
|||
#--------------------------------------------------------------------
|
||||
# persistentVolumeClaimRetentionPolicy
|
||||
|
||||
@test "server/standalone-StatefulSet: persistentVolumeClaimRetentionPolicy not set by default when kubernetes < 1.23" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-s templates/server-statefulset.yaml \
|
||||
--kube-version "1.27" \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.persistentVolumeClaimRetentionPolicy' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: unset persistentVolumeClaimRetentionPolicy.whenDeleted when kubernetes < 1.23" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-s templates/server-statefulset.yaml \
|
||||
--kube-version "1.27" \
|
||||
--set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenDeleted' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: unset persistentVolumeClaimRetentionPolicy.whenScaled when kubernetes < 1.23" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-s templates/server-statefulset.yaml \
|
||||
--kube-version "1.27" \
|
||||
--set 'server.persistentVolumeClaimRetentionPolicy.whenScaled=Delete' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenScaled' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: persistentVolumeClaimRetentionPolicy not set by default when kubernetes >= 1.23" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-s templates/server-statefulset.yaml \
|
||||
--kube-version "1.23" \
|
||||
--kube-version "1.27" \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.persistentVolumeClaimRetentionPolicy' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
|
@ -270,7 +238,7 @@ load _helpers
|
|||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-s templates/server-statefulset.yaml \
|
||||
--kube-version "1.23" \
|
||||
--kube-version "1.27" \
|
||||
--set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenDeleted' | tee /dev/stderr)
|
||||
|
@ -281,7 +249,7 @@ load _helpers
|
|||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-s templates/server-statefulset.yaml \
|
||||
--kube-version "1.23" \
|
||||
--kube-version "1.27" \
|
||||
--set 'server.persistentVolumeClaimRetentionPolicy.whenScaled=Delete' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenScaled' | tee /dev/stderr)
|
||||
|
@ -571,7 +539,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $objects |
|
||||
yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .name' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .name' | tee /dev/stderr)
|
||||
[ "${value}" = "" ]
|
||||
}
|
||||
|
||||
|
@ -584,7 +552,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $objects |
|
||||
yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = "debug" ]
|
||||
}
|
||||
|
||||
|
@ -599,7 +567,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $objects |
|
||||
yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .name' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .name' | tee /dev/stderr)
|
||||
[ "${value}" = "" ]
|
||||
}
|
||||
|
||||
|
@ -612,7 +580,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local value=$(echo $objects |
|
||||
yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
|
||||
yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
|
||||
[ "${value}" = "json" ]
|
||||
}
|
||||
|
||||
|
@ -800,7 +768,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "audit")' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr)
|
||||
[ "${actual}" = "/vault/audit" ]
|
||||
[ "${actual}" = "/openbao/audit" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: can configure audit storage mount path" {
|
||||
|
@ -825,7 +793,7 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "data")' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr)
|
||||
[ "${actual}" = "/vault/data" ]
|
||||
[ "${actual}" = "/openbao/data" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: can configure data storage mount path" {
|
||||
|
@ -1686,7 +1654,7 @@ load _helpers
|
|||
local actual=$(helm template \
|
||||
--show-only templates/server-statefulset.yaml \
|
||||
. | tee /dev/stderr |
|
||||
yq '.spec.template.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr)
|
||||
yq '.spec.template.metadata.annotations["openbao.hashicorp.com/config-checksum"] == null' | tee /dev/stderr)
|
||||
[ "${actual}" = "true" ]
|
||||
}
|
||||
|
||||
|
@ -1705,7 +1673,7 @@ load _helpers
|
|||
--show-only templates/server-statefulset.yaml \
|
||||
--set 'server.includeConfigAnnotation=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq '.spec.template.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr)
|
||||
yq '.spec.template.metadata.annotations["openbao.hashicorp.com/config-checksum"] == null' | tee /dev/stderr)
|
||||
[ "${actual}" = "false" ]
|
||||
}
|
||||
|
||||
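Review bot: The annotation key asserted in the last two hunks, `openbao.hashicorp.com/config-checksum`, looks like the result of a mechanical vault-to-openbao rename: it keeps the `hashicorp.com` domain, and the prefix of a Kubernetes annotation key is meant to name the owner of that key. A prefix under a domain the OpenBao project controls would avoid implying HashiCorp ownership, e.g. `yq '.spec.template.metadata.annotations["openbao.org/config-checksum"] == null'` if `openbao.org` is the intended domain. These tests only mirror what `templates/server-statefulset.yaml` emits, so the template (not shown here) would have to change together with them.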
|
|
|
@ -52,7 +52,7 @@ load _helpers
|
|||
--show-only templates/tests/server-test.yaml \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.name' | tee /dev/stderr)
|
||||
[ "${actual}" = "vault-server-test" ]
|
||||
[ "${actual}" = "openbao-server-test" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-server-test-Pod: release metadata.name foo" {
|
||||
|
@ -61,7 +61,7 @@ load _helpers
|
|||
--show-only templates/tests/server-test.yaml \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.metadata.name' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo-vault-server-test" ]
|
||||
[ "${actual}" = "foo-openbao-server-test" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-server-test-Pod: default server.standalone.enabled" {
|
||||
|
@ -134,7 +134,7 @@ load _helpers
|
|||
--set 'server.image.tag=1.2.3' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:1.2.3" ]
|
||||
[ "${actual}" = "quay.io/foo:1.2.3" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/tests/server-test.yaml \
|
||||
|
@ -143,7 +143,7 @@ load _helpers
|
|||
--set 'server.standalone.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:1.2.3" ]
|
||||
[ "${actual}" = "quay.io/foo:1.2.3" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-server-test-Pod: image tag defaults to latest" {
|
||||
|
@ -154,7 +154,7 @@ load _helpers
|
|||
--set 'server.image.tag=' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:latest" ]
|
||||
[ "${actual}" = "quay.io/foo:latest" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
--show-only templates/tests/server-test.yaml \
|
||||
|
@ -163,7 +163,7 @@ load _helpers
|
|||
--set 'server.standalone.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.containers[0].image' | tee /dev/stderr)
|
||||
[ "${actual}" = "foo:latest" ]
|
||||
[ "${actual}" = "quay.io/foo:latest" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-server-test-Pod: default imagePullPolicy" {
|
||||
|
|
|
@ -406,27 +406,3 @@ load _helpers
|
|||
yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr)
|
||||
[ "${actual}" = "PreferDualStack" ]
|
||||
}
|
||||
|
||||
@test "server/Service: Assert ipFamilyPolicy is not set if version below 1.23" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/ui-service.yaml \
|
||||
--kube-version 1.27.0 \
|
||||
--set 'ui.enabled=true' \
|
||||
--set 'ui.serviceIPFamilyPolicy=PreferDualStack' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
@test "server/Service: Assert ipFamilies is not set if version below 1.23" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
--show-only templates/ui-service.yaml \
|
||||
--kube-version 1.27.0 \
|
||||
--set 'ui.enabled=true' \
|
||||
--set 'ui.serviceIPFamilies={IPv4,IPv6}' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.ipFamilies' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|