Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: Michal.Wrobel:v0.27.0
Branches Tags
Michal.Wrobel:main
Michal.Wrobel:bao-2-0-2
Michal.Wrobel:gh-pages
Michal.Wrobel:bao-2-0-1
Michal.Wrobel:release/v0.26.1
Michal.Wrobel:values/default-cluster_name
Michal.Wrobel:generate-docs
Michal.Wrobel:correct-helm-version-check
Michal.Wrobel:helm_gha_migration_test
Michal.Wrobel:tomhjp-patch-1
Michal.Wrobel:topology
Michal.Wrobel:openbao-0.6.0
Michal.Wrobel:openbao-0.5.1
Michal.Wrobel:openbao-0.5.0
Michal.Wrobel:openbao-0.4.0
Michal.Wrobel:openbao-0.3.0
Michal.Wrobel:openbao-0.2.0
Michal.Wrobel:openbao-0.1.0
Michal.Wrobel:v0.27.0
Michal.Wrobel:v0.26.1
Michal.Wrobel:v0.26.0
Michal.Wrobel:v0.25.0
Michal.Wrobel:v0.24.1
Michal.Wrobel:v0.24.0
Michal.Wrobel:v0.23.0
Michal.Wrobel:v0.22.1
Michal.Wrobel:v0.22.0
Michal.Wrobel:v0.21.0
Michal.Wrobel:v0.20.1
Michal.Wrobel:v0.20.0
Michal.Wrobel:v0.19.0
Michal.Wrobel:v0.18.0
Michal.Wrobel:v0.17.1
Michal.Wrobel:v0.17.0
Michal.Wrobel:v0.16.1
Michal.Wrobel:v0.16.0
Michal.Wrobel:v0.15.0
Michal.Wrobel:v0.14.0
Michal.Wrobel:v0.13.0
Michal.Wrobel:v0.12.0
Michal.Wrobel:v0.11.0
Michal.Wrobel:v0.10.0
Michal.Wrobel:v0.9.1
Michal.Wrobel:v0.9.0
Michal.Wrobel:v0.8.0
Michal.Wrobel:v0.7.0
Michal.Wrobel:v0.6.0
Michal.Wrobel:v0.5.0
Michal.Wrobel:v0.4.0
Michal.Wrobel:v0.3.3
Michal.Wrobel:v0.3.2
Michal.Wrobel:v0.3.1
Michal.Wrobel:v0.3.0
Michal.Wrobel:v0.2.1
Michal.Wrobel:v0.2.0
Michal.Wrobel:v0.1.2
Michal.Wrobel:v0.1.1
Michal.Wrobel:v0.1.0
Michal.Wrobel:v0.0.1
...
compare: Michal.Wrobel:main
Branches Tags
Michal.Wrobel:main
Michal.Wrobel:bao-2-0-2
Michal.Wrobel:gh-pages
Michal.Wrobel:bao-2-0-1
Michal.Wrobel:release/v0.26.1
Michal.Wrobel:values/default-cluster_name
Michal.Wrobel:generate-docs
Michal.Wrobel:correct-helm-version-check
Michal.Wrobel:helm_gha_migration_test
Michal.Wrobel:tomhjp-patch-1
Michal.Wrobel:topology
Michal.Wrobel:openbao-0.6.0
Michal.Wrobel:openbao-0.5.1
Michal.Wrobel:openbao-0.5.0
Michal.Wrobel:openbao-0.4.0
Michal.Wrobel:openbao-0.3.0
Michal.Wrobel:openbao-0.2.0
Michal.Wrobel:openbao-0.1.0
Michal.Wrobel:v0.27.0
Michal.Wrobel:v0.26.1
Michal.Wrobel:v0.26.0
Michal.Wrobel:v0.25.0
Michal.Wrobel:v0.24.1
Michal.Wrobel:v0.24.0
Michal.Wrobel:v0.23.0
Michal.Wrobel:v0.22.1
Michal.Wrobel:v0.22.0
Michal.Wrobel:v0.21.0
Michal.Wrobel:v0.20.1
Michal.Wrobel:v0.20.0
Michal.Wrobel:v0.19.0
Michal.Wrobel:v0.18.0
Michal.Wrobel:v0.17.1
Michal.Wrobel:v0.17.0
Michal.Wrobel:v0.16.1
Michal.Wrobel:v0.16.0
Michal.Wrobel:v0.15.0
Michal.Wrobel:v0.14.0
Michal.Wrobel:v0.13.0
Michal.Wrobel:v0.12.0
Michal.Wrobel:v0.11.0
Michal.Wrobel:v0.10.0
Michal.Wrobel:v0.9.1
Michal.Wrobel:v0.9.0
Michal.Wrobel:v0.8.0
Michal.Wrobel:v0.7.0
Michal.Wrobel:v0.6.0
Michal.Wrobel:v0.5.0
Michal.Wrobel:v0.4.0
Michal.Wrobel:v0.3.3
Michal.Wrobel:v0.3.2
Michal.Wrobel:v0.3.1
Michal.Wrobel:v0.3.0
Michal.Wrobel:v0.2.1
Michal.Wrobel:v0.2.0
Michal.Wrobel:v0.1.2
Michal.Wrobel:v0.1.1
Michal.Wrobel:v0.1.0
Michal.Wrobel:v0.0.1

55 commits
v0.27.0 ... main

Author SHA1 Message Date
Jan Martens
6f5aa63325
Merge pull request #23 from ipsavitsky/fix-agent-uri 
Add the `.injector.agentImage.registry` to the image path
 2024-11-13 09:53:23 +01:00
Ilya Savitsky
766a6a341f
Add the .injector.agentImage.registry to the image path 
Signed-off-by: Ilya Savitsky <ilya.savitsky@codethink.co.uk>
 2024-10-23 10:41:11 +01:00
Jan Martens
72b4014e67
Merge pull request #20 from openbao/bao-2-0-2 
update chart README
 2024-10-07 13:51:17 +02:00
Jan Martens
5f31acad6b
update chart README 
To display the up to date values

Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-10-07 11:05:13 +02:00
Jan Martens
7a7a5b3711
Merge pull request #19 from openbao/bao-2-0-2 
Update OpenBao to v2.0.2
 2024-10-07 10:57:59 +02:00
Jan Martens
2e7c23ce62
update chart version 
Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-10-06 23:51:14 +02:00
Jan Martens
4549ad2b10
fix CSI driver integration 
Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-10-06 23:51:14 +02:00
Jan Martens
c5b02f372f
fix secret injector integration 
Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-10-06 23:04:13 +02:00
Jan Martens
3dd2dec9e3
update OpenBao to v2.0.2 
Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-10-06 23:04:13 +02:00
Finn
a6d9d9f388
Use the CSI agent image registry from configuration (#17) 
* Use the CSI agent image registry from configuration

Signed-off-by: Finn <finn@janky.solutions>

* csi-driver agent: Use BAO_LOG_LEVEL and BAO_LOG_FORMAT

Signed-off-by: Finn <finn@janky.solutions>

---------

Signed-off-by: Finn <finn@janky.solutions>
 2024-09-10 09:31:43 -04:00
Jan Martens
f9daaad711
Merge pull request #16 from openbao/bao-2-0-1 
update used OpenBao Version to 2.0.1
 2024-09-05 00:01:52 +02:00
Jan Martens
100bfce452
update chart README 
Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-09-04 23:54:05 +02:00
Jan Martens
e0be4ae6de
disable injector and CSI tests 
We do not provide our own images for those components yet which is
causing some incompabilites and test failures

Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-09-04 23:51:49 +02:00
Jan Martens
4f63aa2373
fix acceptance tests 
Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-09-04 23:51:49 +02:00
Jan Martens
d6a660e868
fix chart unit tests 
Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-09-04 23:51:48 +02:00
Jan Martens
5fba05f8f8
fix chart verifier tests 
Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-09-04 23:51:48 +02:00
Jan Martens
5d545983bf
update used OpenBao Version to 2.0.1 
Signed-off-by: Jan Martens <jan@martens.eu.org>
 2024-09-04 23:51:48 +02:00
Jan Martens
540d8c5309
Merge pull request #15 from jorge882/patch-1 
Corrected Helm values.yaml file - prometheusRules
 2024-09-03 23:11:35 +02:00
jorge882
a6f8ccdfed
Corrected Helm values.yaml file - prometheusRules 
Corrected the alert: valut-HighResponseTime alert rules (lines 1325-26), as well as the documentation (1324) to properly reflect a 10 minute threshold for the critical warning.

Signed-off-by: jorge882 <jorge882@gmail.com>
 2024-08-23 12:24:36 -05:00
Tijmen
ad8307d533
Remove hashicorp documentation links from values.yaml (#13) 
Signed-off-by: Tijmen <17317361+Btijmen@users.noreply.github.com>
 2024-08-08 21:13:31 +09:00
jessebot
d5dba29bf5 more updates of vault to openbao, and more updates of old k8s versions 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
547020f267 update all the tests to use kube-version 1.27.x instead of 1.22.x so we're supporting supported versions of kubernetes 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
8f700eb551 fix chart dir for unit tests 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
bfd5135800 clean up more references to vault and licensing 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
b473c07acc update more vault to openbao everywhere 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
f15d0f69f9 remove enterprise tests 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
4f8924d1d7 replace vault command with bao and helm install/delete vault with openbao - part 1 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
7b8c26e1ce update keywords for Chart.yaml to include openbao 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
18652008f4 fix openshift values to use openbao docker images 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
JesseBot
534811b617 Update charts/openbao/Chart.yaml - fix email to be valid email address 
Signed-off-by: JesseBot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
5278ab9ced update email for chart and regenerate docs 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
a139a100bf attempt to fix helm install in bats tests 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
d6a7dce06c we now use /openbao/config instead of /vault/config 
ref: 8283776683/Dockerfile (L45)

also change types from null to [] to be more explicit and regenerate docs

Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
754c4ee94d the command is bao not openbao 🤦 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
jessebot
2c9d040059 update the openbao helm chart test that runs after install to no longer use the vault command 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-29 10:43:12 -04:00
Nathan Phelps
b59b6e55bb Issue 6: Removed Enterprise reference from chart's server-statefulset template. 
Signed-off-by: Nathan Phelps <naphelps@us.ibm.com>
 2024-05-20 17:43:17 -04:00
Nathan Phelps
675c249026 Issue 6: Removing Enterprise references from chart template helper. 
Signed-off-by: Nathan Phelps <naphelps@us.ibm.com>
 2024-05-20 17:43:17 -04:00
Nathan Phelps
c4b831e734 Issue 6: Updated the chart version to 0.3.0. 
Signed-off-by: Nathan Phelps <naphelps@us.ibm.com>
 2024-05-20 17:43:17 -04:00
Nathan Phelps
e5973aeff3 Issue 6: Removed Enterprise licensing references out of the chart's value configuration. 
Signed-off-by: Nathan Phelps <naphelps@us.ibm.com>
 2024-05-20 17:43:17 -04:00
Nathan Phelps
be6fa5a195 Issue 6: Changed some of the Hashicorp Vault refences in the docs to OpenBao. 
Signed-off-by: Nathan Phelps <naphelps@us.ibm.com>
 2024-05-20 17:43:17 -04:00
jessebot
7ad371f159 fix missing space in comment 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-20 17:08:36 -04:00
jessebot
cb464ff650 fix linter issues with values.yaml to please chart tesitng linter 
ref: https://github.com/openbao/openbao-helm/actions/runs/9139677624/job/25132235295?pr=8
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-20 17:08:36 -04:00
jessebot
cbf6f461e2 actually template out the image.registry for each image map reference 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-20 17:08:36 -04:00
jessebot
915f7c845c update base vault images to point at quay.io/openbao/openbao; add more helm docs 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-20 17:08:36 -04:00
JesseBot
ed58ce3e78 Update charts/openbao/Chart.yaml - use default branding image 
Signed-off-by: JesseBot <jessebot@linux.com>
 2024-05-17 08:18:38 -04:00
JesseBot
c16fc99e7c Update charts/openbao/Chart.yaml - update the maintainer to be OpenBao 
Signed-off-by: JesseBot <jessebot@linux.com>
 2024-05-17 08:18:38 -04:00
JesseBot
302fdc8a22 Update charts/openbao/Chart.yaml - fix chart description OpenBao casing 
Signed-off-by: JesseBot <jessebot@linux.com>
 2024-05-17 08:18:38 -04:00
jessebot
00ed536f64 add official openbao security email 
Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-17 08:18:38 -04:00
jessebot
5544941fff begin changes to using openbao everywhere instead of vault 
also begin massive change over to using helm's official chart release and testing actions

Signed-off-by: jessebot <jessebot@linux.com>
 2024-05-17 08:18:38 -04:00
dependabot[bot]
c5f9247828
Bump helm/kind-action from 1.8.0 to 1.9.0 (#999) 
Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.8.0 to 1.9.0.
- [Release notes](https://github.com/helm/kind-action/releases)
- [Commits](dda0770415...99576bfa6d)

---
updated-dependencies:
- dependency-name: helm/kind-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-03-22 18:26:53 -07:00
Ben Ash
dbfb243d03
Update code owners (#1006) 
- ignore scratch dir
 2024-03-19 16:07:57 -04:00
Theron Voran
e439b28914
injector: add get for nodes in clusterrole (#1005) 
Required for operator-lib leader logic
 2024-03-18 21:55:51 -07:00
Christopher Swenson
d186b6ff29
Add annotation on config change (#1001) 
When updating the Vault config (and corresponding)
configmap, we now generate a checksum of the config
and set it as an annotation on both the configmap
and the Vault StatefulSet pod template.

This allows the deployer to know what pods need to
be restarted to pick up the a changed config.

We still recommend using the standard upgrade
[method for Vault on Kubernetes](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide#upgrading-vault-on-kubernetes),
i.e., using the `OnDelete` strategy
for the Vault StatefulSet, so updating the config
and doing a `helm upgrade` should not trigger the
pods to restart, and then deleting pods one
at a time, starting with the standby pods.

With `kubectl` and `jq`, you can check check which
pods need to be updated by first getting the value
of the current configmap checksum:

```shell
kubectl get pods -o json | jq -r ".items[] | select(.metadata.annotations.\"config/checksum\" != $(kubectl get configmap vault-config -o json | jq '.metadata.annotations."config/checksum"') ) | .metadata.name"
```

Fixes #748.

---------

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
 2024-03-18 11:03:56 -07:00
Ben Ash
6930c378d2
Test against k8s 1.29 (#1003) 
* Drop k8s 1.24
* Use latest kind version v0.22.0
 2024-03-11 15:23:14 -04:00
dependabot[bot]
7a127f878a
Bump actions/setup-go from 4.1.0 to 5.0.0 (#984) 
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](93397bea11...0c52d547c9)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-02-08 12:07:19 -08:00
136 changed files with 1625 additions and 1820 deletions
Show stats Expand all files Collapse all files

16
.github/ISSUE_TEMPLATE/bug_report.md vendored
View file

@ -9,9 +9,9 @@ assignees: ''
<!-- Please reserve GitHub issues for bug reports and feature requests.
For questions, the best place to get answers is on our [discussion forum](https://discuss.hashicorp.com/c/vault), as they will get more visibility from experienced users than the issue tracker.
Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault Helm, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
**Please note**: We take OpenBao's security and our users' trust very seriously. If
you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_
by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org).
-->
@ -21,19 +21,19 @@ A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Install chart
2. Run vault command
3. See error (vault logs, etc.)
2. Run bao command
3. See error (openbao logs, etc.)
Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output
Other useful info to include: openbao pod logs, `kubectl describe statefulset openbao` and `kubectl get statefulset openbao -o yaml` output
**Expected behavior**
A clear and concise description of what you expected to happen.
**Environment**
* Kubernetes version:
* Kubernetes version:
* Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.):
* Other configuration options or runtime services (istio, etc.):
* vault-helm version:
* openbao-helm version:
Chart values:

3
.github/ISSUE_TEMPLATE/config.yml vendored
View file

@ -3,5 +3,4 @@
contact_links:
- name: Ask a question
url: https://discuss.hashicorp.com/c/vault
about: For increased visibility, please post questions on the discussion forum, and tag with `k8s`
url: https://chat.lfx.linuxfoundation.org/#/room/#openbao-questions:chat.lfx.linuxfoundation.org

8
.github/workflows/acceptance.yaml vendored
View file

@ -5,20 +5,18 @@ jobs:
strategy:
fail-fast: false
matrix:
kind-k8s-version: [1.24.15, 1.25.11, 1.26.6, 1.27.3, 1.28.0]
kind-k8s-version: [1.27.11, 1.28.7, 1.29.2]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup test tools
uses: ./.github/actions/setup-test-tools
- name: Create K8s Kind Cluster
uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
with:
config: test/kind/config.yaml
node_image: kindest/node:v${{ matrix.kind-k8s-version }}
version: v0.20.0
version: v0.22.0
- run: bats --tap --timing ./test/acceptance
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
permissions:
contents: read

14
.github/workflows/actionlint.yml vendored
View file

@ -1,14 +0,0 @@
# If the repository is public, be sure to change to GitHub hosted runners
name: Lint GitHub Actions Workflows
on:
push:
paths:
- .github/workflows/**.yml
pull_request:
paths:
- .github/workflows/**.yml
permissions:
contents: read
jobs:
actionlint:
uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main

17
.github/workflows/jira.yaml vendored
View file

@ -1,17 +0,0 @@
name: Jira Sync
on:
issues:
types: [opened, closed, deleted, reopened]
pull_request_target:
types: [opened, closed, reopened]
issue_comment: # Also triggers when commenting on a PR from the conversation view
types: [created]
jobs:
sync:
uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main
secrets:
JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
with:
teams-array: '["ecosystem", "foundations-eco"]'

47
.github/workflows/lint-chart.yml vendored Normal file
View file

@ -0,0 +1,47 @@
name: Lint and Test Chart
on:
pull_request:
paths:
- 'charts/**'
permissions:
contents: read
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: "0"
- name: Install Helm
uses: azure/setup-helm@v4
- name: Set up chart-testing
uses: helm/chart-testing-action@v2.6.1
- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
if [[ -n "$changed" ]]; then
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
- name: Run chart-testing (lint)
id: lint
if: steps.list-changed.outputs.changed == 'true'
run: ct lint --target-branch ${{ github.event.repository.default_branch }}
- name: Create kind cluster
uses: helm/kind-action@v1.10.0
if: steps.list-changed.outputs.changed == 'true'
- name: Run chart-testing (install)
id: install
if: steps.list-changed.outputs.changed == 'true'
run: ct install --target-branch ${{ github.event.repository.default_branch }}

38
.github/workflows/release-chart.yml vendored Normal file
View file

@ -0,0 +1,38 @@
name: Release
on:
push:
branches:
- main
paths:
- 'charts/**'
jobs:
release:
environment: helm-release
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Install Helm
uses: azure/setup-helm@v3.5
id: helm-install
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run chart-releaser
id: helm-release
uses: helm/chart-releaser-action@v1.6.0
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_GENERATE_RELEASE_NOTES: true

6
.github/workflows/tests.yaml vendored
View file

@ -10,14 +10,14 @@ jobs:
chart-verifier:
runs-on: ubuntu-latest
env:
CHART_VERIFIER_VERSION: '1.13.0'
CHART_VERIFIER_VERSION: "1.13.7"
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup test tools
uses: ./.github/actions/setup-test-tools
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: '1.21.3'
go-version: "1.22.5"
- run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}"
- run: bats --tap --timing ./test/chart
permissions:

40
.github/workflows/update-helm-charts-index.yml vendored
View file

@ -1,40 +0,0 @@
name: update-helm-charts-index
on:
push:
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
permissions:
contents: read
jobs:
update-helm-charts-index:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: verify Chart version matches tag version
run: |-
export TAG=${{ github.ref_name }}
git_tag="${TAG#v}"
chart_tag=$(yq -r '.version' Chart.yaml)
if [ "${git_tag}" != "${chart_tag}" ]; then
echo "chart version (${chart_tag}) did not match git version (${git_tag})"
exit 1
fi
- name: update helm-charts index
id: update
env:
GH_TOKEN: ${{ secrets.HELM_CHARTS_GITHUB_TOKEN }}
run: |-
gh workflow run publish-charts.yml \
--repo hashicorp/helm-charts \
--ref main \
-f SOURCE_TAG="${{ github.ref_name }}" \
-f SOURCE_REPO="${{ github.repository }}"
- uses: hashicorp/actions-slack-status@v1
if: ${{always()}}
with:
success-message: "vault-helm charts index update triggered successfully. View the run <https://github.com/hashicorp/helm-charts/actions/workflows/publish-charts.yml|here>."
failure-message: "vault-helm charts index update trigger failed."
status: ${{job.status}}
slack-webhook-url: ${{secrets.SLACK_WEBHOOK_URL}}

1
.gitignore vendored
View file

@ -11,3 +11,4 @@ vaul-helm-dev-creds.json
./test/acceptance/values.yaml
./test/acceptance/values.yml
.idea
scratch/

3
CHANGELOG.md
View file

@ -1,5 +1,8 @@
## Unreleased
Bugs:
* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005)
## 0.27.0 (November 16, 2023)
Changes:

1
CODEOWNERS
View file

@ -1 +0,0 @@
* @hashicorp/vault-ecosystem-foundations

33
CONTRIBUTING.md
View file

@ -1,8 +1,8 @@
# Contributing to Vault Helm
# Contributing to OpenBao Helm
**Please note:** We take Vault's security and our users' trust very seriously.
If you believe you have found a security issue in Vault, please responsibly
disclose by contacting us at security@hashicorp.com.
**Please note:** We take OpenBao's security and our users' trust very seriously.
If you believe you have found a security issue in OpenBao, please responsibly
disclose by contacting us at openbao-security@lists.lfedge.org.
**First:** if you're unsure or afraid of _anything_, just ask or submit the
issue or pull request anyways. You won't be yelled at for giving it your best
@ -12,14 +12,15 @@ rules to get in the way of that.
That said, if you want to ensure that a pull request is likely to be merged,
talk to us! You can find out our thoughts and ensure that your contribution
won't clash or be obviated by Vault's normal direction. A great way to do this
is via the [Vault Discussion Forum][1].
won't clash or be obviated by OpenBao's normal direction. A great way to do this
is via the [Linux Foundation Element chat server][1], or [mailing list][2].
This document will cover what we're looking for in terms of reporting issues.
By addressing all the points we're looking for, it raises the chances we can
quickly merge or address your contributions.
[1]: https://discuss.hashicorp.com/c/vault
[1]: https://chat.lfx.linuxfoundation.org
[2]: https://lists.lfedge.org/g/openbao
## Issues
@ -33,14 +34,14 @@ quickly merge or address your contributions.
* Provide steps to reproduce the issue, and if possible include the expected
results as well as the actual results. Please provide text, not screen shots!
* Respond as promptly as possible to any questions made by the Vault
* Respond as promptly as possible to any questions made by the OpenBao
team to your issue. Stale issues will be closed periodically.
### Issue Lifecycle
1. The issue is reported.
2. The issue is verified and categorized by a Vault Helm collaborator.
2. The issue is verified and categorized by a OpenBao Helm collaborator.
Categorization is done via tags. For example, bugs are marked as "bugs".
3. Unless it is critical, the issue may be left for a period of time (sometimes
@ -70,25 +71,25 @@ The following are the instructions for running bats tests using a Docker contain
#### Prerequisites
* Docker installed
* `vault-helm` checked out locally
* `openbao-helm` checked out locally
#### Test
**Note:** the following commands should be run from the `vault-helm` directory.
**Note:** the following commands should be run from the `openbao-helm` directory.
First, build the Docker image for running the tests:
```shell
docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test
docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t openbao-helm-test
```
Next, execute the tests with the following commands:
```shell
docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit
docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit
```
It's possible to only run specific bats tests using regular expressions.
It's possible to only run specific bats tests using regular expressions.
For example, the following will run only tests with "injector" in the name:
```shell
docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector"
docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector"
```
### Test Manually
@ -122,7 +123,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
start from a clean slate.
**Note:** There is a Terraform configuration in the
[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory
[`test/terraform/`](https://github.com/openbao/openbao-helm/tree/main/test/terraform) directory
that can be used to quickly bring up a GKE cluster and configure
`kubectl` and `helm` locally. This can be used to quickly spin up a test
cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes

19
Chart.yaml
View file

@ -1,19 +0,0 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
apiVersion: v2
name: vault
version: 0.27.0
appVersion: 1.15.2
kubeVersion: ">= 1.20.0-0"
description: Official HashiCorp Vault Chart
home: https://www.vaultproject.io
icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
sources:
- https://github.com/hashicorp/vault
- https://github.com/hashicorp/vault-helm
- https://github.com/hashicorp/vault-k8s
- https://github.com/hashicorp/vault-csi-provider
annotations:
charts.openshift.io/name: HashiCorp Vault

11
Makefile
View file

@ -1,6 +1,6 @@
TEST_IMAGE?=vault-helm-test
GOOGLE_CREDENTIALS?=vault-helm-test.json
CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
TEST_IMAGE?=openbao-helm-test
GOOGLE_CREDENTIALS?=openbao-helm-test.json
CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514
# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
ACCEPTANCE_TESTS?=acceptance
@ -11,10 +11,10 @@ UNIT_TESTS_FILTER?='.*'
LOCAL_ACCEPTANCE_TESTS?=false
# kind cluster name
KIND_CLUSTER_NAME?=vault-helm
KIND_CLUSTER_NAME?=openbao-helm
# kind k8s version
KIND_K8S_VERSION?=v1.26.3
KIND_K8S_VERSION?=v1.29.2
# Generate json schema for chart values. See test/README.md for more details.
values-schema:
@ -40,7 +40,6 @@ else
-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
-e KUBECONFIG=/helm-test/.kube/config \
-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
-w /helm-test \
$(TEST_IMAGE) \
make acceptance

35
README.md
View file

@ -1,16 +1,12 @@
# Vault Helm Chart
# OpenBao Helm Chart
> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If
you believe you have found a security issue in Vault Helm, _please responsibly disclose_
by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
> :warning: **Please note**: We take OpenBao's security and our users' trust very seriously. If
you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_
by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org).
This repository contains the official HashiCorp Helm chart for installing
and configuring Vault on Kubernetes. This chart supports multiple use
cases of Vault on Kubernetes depending on the values provided.
For full documentation on this Helm chart along with all the ways you can
use Vault with Kubernetes, please see the
[Vault and Kubernetes documentation](https://developer.hashicorp.com/vault/docs/platform/k8s).
This repository contains the OpenBao Helm chart for installing
and configuring OpenBao on Kubernetes. This chart supports multiple use
cases of OpenBao on Kubernetes depending on the values provided.
## Prerequisites
@ -20,24 +16,19 @@ this README. Please refer to the Kubernetes and Helm documentation.
The versions required are:
* **Helm 3.6+**
* **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested.
* **Helm 3.12+** - Earliest verison tested
* **Kubernetes 1.28+** - This is the earliest version of Kubernetes tested.
It is possible that this chart works with earlier versions but it is
untested.
## Usage
To install the latest version of this chart, add the Hashicorp helm repository
and run `helm install`:
To install the latest version of this chart, add the OpenBao helm repository and run `helm install`:
```console
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
helm repo add openbao https://openbao.github.io/openbao-helm
$ helm install vault hashicorp/vault
helm install openbao openbao/openbao
```
Please see the many options supported in the `values.yaml` file. These are also
fully documented directly on the [Vault
website](https://developer.hashicorp.com/vault/docs/platform/k8s/helm) along with more
detailed installation instructions.
Please see the many options supported in the [`values.yaml`](./charts/openbao/values.yaml) file. These are also fully documented directly in the [openbao README](./charts/openbao/README.md) along with more detailed installation instructions.

0
.helmignore → charts/openbao/.helmignore
View file

31
charts/openbao/Chart.yaml Normal file
View file

@ -0,0 +1,31 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
apiVersion: v2
name: openbao
version: 0.6.0
appVersion: v2.0.2
kubeVersion: ">= 1.27.0-0"
description: Official OpenBao Chart
home: https://github.com/openbao/openbao-helm
icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg
keywords:
[
"vault",
"openbao",
"security",
"encryption",
"secrets",
"management",
"automation",
"infrastructure",
]
sources:
- https://github.com/openbao/openbao-helm
annotations:
charts.openshift.io/name: Openbao
maintainers:
- name: OpenBao
email: openbao-security@lists.lfedge.org
url: https://openbao.org

294
charts/openbao/README.md Normal file
View file

@ -0,0 +1,294 @@
# openbao
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square)
Official OpenBao Chart
**Homepage:** <https://github.com/openbao/openbao-helm>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| OpenBao | <openbao-security@lists.lfedge.org> | <https://openbao.org> |
## Source Code
* <https://github.com/openbao/openbao-helm>
## Requirements
Kubernetes: `>= 1.27.0-0`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| csi.agent.enabled | bool | `true` | |
| csi.agent.extraArgs | list | `[]` | |
| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
| csi.agent.image.registry | string | `"quay.io"` | image registry to use for agent image |
| csi.agent.image.repository | string | `"openbao/openbao"` | image repo to use for agent image |
| csi.agent.image.tag | string | `"2.0.2"` | image tag to use for agent image |
| csi.agent.logFormat | string | `"standard"` | |
| csi.agent.logLevel | string | `"info"` | |
| csi.agent.resources | object | `{}` | |
| csi.daemonSet.annotations | object | `{}` | |
| csi.daemonSet.extraLabels | object | `{}` | |
| csi.daemonSet.kubeletRootDir | string | `"/var/lib/kubelet"` | |
| csi.daemonSet.providersDir | string | `"/etc/kubernetes/secrets-store-csi-providers"` | |
| csi.daemonSet.securityContext.container | object | `{}` | |
| csi.daemonSet.securityContext.pod | object | `{}` | |
| csi.daemonSet.updateStrategy.maxUnavailable | string | `""` | |
| csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` | |
| csi.debug | bool | `false` | |
| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount OpenBao secrets into volumes similar to the OpenBao Agent injector, and you can also sync those secrets into Kubernetes secrets. |
| csi.extraArgs | list | `[]` | |
| csi.hmacSecretName | string | `""` | |
| csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" |
| csi.image.registry | string | `"docker.io"` | image registry to use for csi image |
| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | image repo to use for csi image |
| csi.image.tag | string | `"1.4.0"` | image tag to use for csi image |
| csi.livenessProbe.failureThreshold | int | `2` | |
| csi.livenessProbe.initialDelaySeconds | int | `5` | |
| csi.livenessProbe.periodSeconds | int | `5` | |
| csi.livenessProbe.successThreshold | int | `1` | |
| csi.livenessProbe.timeoutSeconds | int | `3` | |
| csi.pod.affinity | object | `{}` | |
| csi.pod.annotations | object | `{}` | |
| csi.pod.extraLabels | object | `{}` | |
| csi.pod.nodeSelector | object | `{}` | |
| csi.pod.tolerations | list | `[]` | |
| csi.priorityClassName | string | `""` | |
| csi.readinessProbe.failureThreshold | int | `2` | |
| csi.readinessProbe.initialDelaySeconds | int | `5` | |
| csi.readinessProbe.periodSeconds | int | `5` | |
| csi.readinessProbe.successThreshold | int | `1` | |
| csi.readinessProbe.timeoutSeconds | int | `3` | |
| csi.resources | object | `{}` | |
| csi.serviceAccount.annotations | object | `{}` | |
| csi.serviceAccount.extraLabels | object | `{}` | |
| csi.volumeMounts | list | `[]` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
| csi.volumes | list | `[]` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
| global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. |
| global.externalVaultAddr | string | `""` | External openbao server address for the injector and CSI provider to use. Setting this will disable deployment of a openbao server. |
| global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. |
| global.namespace | string | `""` | The namespace to deploy to. Defaults to the `helm` installation namespace. |
| global.openshift | bool | `false` | If deploying to OpenShift |
| global.psp | object | `{"annotations":"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n","enable":false}` | Create PodSecurityPolicy for pods |
| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. |
| global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. |
| global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport |
| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | |
| injector.agentDefaults.cpuLimit | string | `"500m"` | |
| injector.agentDefaults.cpuRequest | string | `"250m"` | |
| injector.agentDefaults.memLimit | string | `"128Mi"` | |
| injector.agentDefaults.memRequest | string | `"64Mi"` | |
| injector.agentDefaults.template | string | `"map"` | |
| injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | |
| injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | |
| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.2"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. |
| injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
| injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image |
| injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image |
| injector.agentImage.tag | string | `"2.0.2"` | image tag to use for agent image |
| injector.annotations | object | `{}` | |
| injector.authPath | string | `"auth/kubernetes"` | |
| injector.certs.caBundle | string | `""` | |
| injector.certs.certName | string | `"tls.crt"` | |
| injector.certs.keyName | string | `"tls.key"` | |
| injector.certs.secretName | string | `nil` | |
| injector.enabled | string | `"-"` | True if you want to enable openbao agent injection. @default: global.enabled |
| injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. |
| injector.extraEnvironmentVars | object | `{}` | |
| injector.extraLabels | object | `{}` | |
| injector.failurePolicy | string | `"Ignore"` | |
| injector.hostNetwork | bool | `false` | |
| injector.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for k8s image. if tag is "latest", set to "Always" |
| injector.image.registry | string | `"docker.io"` | image registry to use for k8s image |
| injector.image.repository | string | `"hashicorp/vault-k8s"` | image repo to use for k8s image |
| injector.image.tag | string | `"1.4.2"` | image tag to use for k8s image |
| injector.leaderElector | object | `{"enabled":true}` | If multiple replicas are specified, by default a leader will be determined so that only one injector attempts to create TLS certificates. |
| injector.livenessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
| injector.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
| injector.livenessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe |
| injector.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
| injector.livenessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
| injector.logFormat | string | `"standard"` | Configures the log format of the injector. Supported log formats: "standard", "json". |
| injector.logLevel | string | `"info"` | Configures the log verbosity of the injector. Supported log levels include: trace, debug, info, warn, error |
| injector.metrics | object | `{"enabled":false}` | If true, will enable a node exporter metrics endpoint at /metrics. |
| injector.namespaceSelector | object | `{}` | |
| injector.nodeSelector | object | `{}` | |
| injector.objectSelector | object | `{}` | |
| injector.podDisruptionBudget | object | `{}` | |
| injector.port | int | `8080` | Configures the port the injector should listen on |
| injector.priorityClassName | string | `""` | |
| injector.readinessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
| injector.readinessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
| injector.readinessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe |
| injector.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
| injector.readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
| injector.replicas | int | `1` | |
| injector.resources | object | `{}` | |
| injector.revokeOnShutdown | bool | `false` | |
| injector.securityContext.container | object | `{}` | |
| injector.securityContext.pod | object | `{}` | |
| injector.service.annotations | object | `{}` | |
| injector.serviceAccount.annotations | object | `{}` | |
| injector.startupProbe.failureThreshold | int | `12` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
| injector.startupProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
| injector.startupProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
| injector.startupProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
| injector.startupProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
| injector.strategy | object | `{}` | |
| injector.tolerations | list | `[]` | |
| injector.topologySpreadConstraints | list | `[]` | |
| injector.webhook.annotations | object | `{}` | |
| injector.webhook.failurePolicy | string | `"Ignore"` | |
| injector.webhook.matchPolicy | string | `"Exact"` | |
| injector.webhook.namespaceSelector | object | `{}` | |
| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"openbao.name\" . }}-agent-injector\n"` | |
| injector.webhook.timeoutSeconds | int | `30` | |
| injector.webhookAnnotations | object | `{}` | |
| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | |
| server.annotations | object | `{}` | |
| server.auditStorage.accessMode | string | `"ReadWriteOnce"` | |
| server.auditStorage.annotations | object | `{}` | |
| server.auditStorage.enabled | bool | `false` | |
| server.auditStorage.labels | object | `{}` | |
| server.auditStorage.mountPath | string | `"/openbao/audit"` | |
| server.auditStorage.size | string | `"10Gi"` | |
| server.auditStorage.storageClass | string | `nil` | |
| server.authDelegator.enabled | bool | `true` | |
| server.configAnnotation | bool | `false` | |
| server.dataStorage.accessMode | string | `"ReadWriteOnce"` | |
| server.dataStorage.annotations | object | `{}` | |
| server.dataStorage.enabled | bool | `true` | |
| server.dataStorage.labels | object | `{}` | |
| server.dataStorage.mountPath | string | `"/openbao/data"` | |
| server.dataStorage.size | string | `"10Gi"` | |
| server.dataStorage.storageClass | string | `nil` | |
| server.dev.devRootToken | string | `"root"` | |
| server.dev.enabled | bool | `false` | |
| server.enabled | string | `"-"` | |
| server.extraArgs | string | `""` | extraArgs is a string containing additional OpenBao server arguments. |
| server.extraContainers | string | `nil` | |
| server.extraEnvironmentVars | object | `{}` | |
| server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. |
| server.extraLabels | object | `{}` | |
| server.extraPorts | list | `[]` | extraPorts is a list of extra ports. Specified as a YAML list. This is useful if you need to add additional ports to the statefulset in dynamic way. |
| server.extraSecretEnvironmentVars | list | `[]` | |
| server.extraVolumes | list | `[]` | |
| server.ha.apiAddr | string | `nil` | |
| server.ha.clusterAddr | string | `nil` | |
| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"openbao\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | |
| server.ha.disruptionBudget.enabled | bool | `true` | |
| server.ha.disruptionBudget.maxUnavailable | string | `nil` | |
| server.ha.enabled | bool | `false` | |
| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/openbao/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | |
| server.ha.raft.enabled | bool | `false` | |
| server.ha.raft.setNodeId | bool | `false` | |
| server.ha.replicas | int | `3` | |
| server.hostAliases | list | `[]` | |
| server.hostNetwork | bool | `false` | |
| server.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for server image. if tag is "latest", set to "Always" |
| server.image.registry | string | `"quay.io"` | image registry to use for server image |
| server.image.repository | string | `"openbao/openbao"` | image repo to use for server image |
| server.image.tag | string | `"2.0.2"` | image tag to use for server image |
| server.ingress.activeService | bool | `true` | |
| server.ingress.annotations | object | `{}` | |
| server.ingress.enabled | bool | `false` | |
| server.ingress.extraPaths | list | `[]` | |
| server.ingress.hosts[0].host | string | `"chart-example.local"` | |
| server.ingress.hosts[0].paths | list | `[]` | |
| server.ingress.ingressClassName | string | `""` | |
| server.ingress.labels | object | `{}` | |
| server.ingress.pathType | string | `"Prefix"` | |
| server.ingress.tls | list | `[]` | |
| server.livenessProbe.enabled | bool | `false` | |
| server.livenessProbe.execCommand | list | `[]` | |
| server.livenessProbe.failureThreshold | int | `2` | |
| server.livenessProbe.initialDelaySeconds | int | `60` | |
| server.livenessProbe.path | string | `"/v1/sys/health?standbyok=true"` | |
| server.livenessProbe.periodSeconds | int | `5` | |
| server.livenessProbe.port | int | `8200` | |
| server.livenessProbe.successThreshold | int | `1` | |
| server.livenessProbe.timeoutSeconds | int | `3` | |
| server.logFormat | string | `""` | |
| server.logLevel | string | `""` | |
| server.networkPolicy.egress | list | `[]` | |
| server.networkPolicy.enabled | bool | `false` | |
| server.networkPolicy.ingress[0].from[0].namespaceSelector | object | `{}` | |
| server.networkPolicy.ingress[0].ports[0].port | int | `8200` | |
| server.networkPolicy.ingress[0].ports[0].protocol | string | `"TCP"` | |
| server.networkPolicy.ingress[0].ports[1].port | int | `8201` | |
| server.networkPolicy.ingress[0].ports[1].protocol | string | `"TCP"` | |
| server.nodeSelector | object | `{}` | |
| server.persistentVolumeClaimRetentionPolicy | object | `{}` | |
| server.postStart | list | `[]` | |
| server.preStopSleepSeconds | int | `5` | |
| server.priorityClassName | string | `""` | |
| server.readinessProbe.enabled | bool | `true` | |
| server.readinessProbe.failureThreshold | int | `2` | |
| server.readinessProbe.initialDelaySeconds | int | `5` | |
| server.readinessProbe.periodSeconds | int | `5` | |
| server.readinessProbe.port | int | `8200` | |
| server.readinessProbe.successThreshold | int | `1` | |
| server.readinessProbe.timeoutSeconds | int | `3` | |
| server.resources | object | `{}` | |
| server.route.activeService | bool | `true` | |
| server.route.annotations | object | `{}` | |
| server.route.enabled | bool | `false` | |
| server.route.host | string | `"chart-example.local"` | |
| server.route.labels | object | `{}` | |
| server.route.tls.termination | string | `"passthrough"` | |
| server.service.active.annotations | object | `{}` | |
| server.service.active.enabled | bool | `true` | |
| server.service.annotations | object | `{}` | |
| server.service.enabled | bool | `true` | |
| server.service.externalTrafficPolicy | string | `"Cluster"` | |
| server.service.instanceSelector.enabled | bool | `true` | |
| server.service.ipFamilies | list | `[]` | |
| server.service.ipFamilyPolicy | string | `""` | |
| server.service.port | int | `8200` | |
| server.service.publishNotReadyAddresses | bool | `true` | |
| server.service.standby.annotations | object | `{}` | |
| server.service.standby.enabled | bool | `true` | |
| server.service.targetPort | int | `8200` | |
| server.serviceAccount.annotations | object | `{}` | |
| server.serviceAccount.create | bool | `true` | |
| server.serviceAccount.createSecret | bool | `false` | |
| server.serviceAccount.extraLabels | object | `{}` | |
| server.serviceAccount.name | string | `""` | |
| server.serviceAccount.serviceDiscovery.enabled | bool | `true` | |
| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation |
| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/openbao/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | |
| server.standalone.enabled | string | `"-"` | |
| server.statefulSet.annotations | object | `{}` | |
| server.statefulSet.securityContext.container | object | `{}` | |
| server.statefulSet.securityContext.pod | object | `{}` | |
| server.terminationGracePeriodSeconds | int | `10` | |
| server.tolerations | list | `[]` | |
| server.topologySpreadConstraints | list | `[]` | |
| server.updateStrategyType | string | `"OnDelete"` | |
| server.volumeMounts | string | `nil` | |
| server.volumes | string | `nil` | |
| serverTelemetry.prometheusRules.enabled | bool | `false` | |
| serverTelemetry.prometheusRules.rules | list | `[]` | |
| serverTelemetry.prometheusRules.selectors | object | `{}` | |
| serverTelemetry.serviceMonitor.enabled | bool | `false` | |
| serverTelemetry.serviceMonitor.interval | string | `"30s"` | |
| serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` | |
| serverTelemetry.serviceMonitor.selectors | object | `{}` | |
| ui.activeOpenbaoPodOnly | bool | `false` | |
| ui.annotations | object | `{}` | |
| ui.enabled | bool | `false` | |
| ui.externalPort | int | `8200` | |
| ui.externalTrafficPolicy | string | `"Cluster"` | |
| ui.publishNotReadyAddresses | bool | `true` | |
| ui.serviceIPFamilies | list | `[]` | |
| ui.serviceIPFamilyPolicy | string | `""` | |
| ui.serviceNodePort | string | `nil` | |
| ui.serviceType | string | `"ClusterIP"` | |
| ui.targetPort | int | `8200` | |

14
charts/openbao/templates/NOTES.txt Normal file
View file

@ -0,0 +1,14 @@
Thank you for installing OpenBao!
Now that you have deployed OpenBao, you should look over the docs on using
OpenBao with Kubernetes available here:
https://openbao.org/docs/
Your release is named {{ .Release.Name }}. To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get manifest {{ .Release.Name }}

163
templates/_helpers.tpl → charts/openbao/templates/_helpers.tpl
View file

@ -9,7 +9,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to
this (by the DNS naming spec). If release name contains chart name it will
be used as a full name.
*/}}
{{- define "vault.fullname" -}}
{{- define "openbao.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
@ -25,28 +25,28 @@ be used as a full name.
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vault.chart" -}}
{{- define "openbao.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "vault.name" -}}
{{- define "openbao.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden
*/}}
{{- define "vault.namespace" -}}
{{- define "openbao.namespace" -}}
{{- default .Release.Namespace .Values.global.namespace -}}
{{- end -}}
{{/*
Compute if the csi driver is enabled.
*/}}
{{- define "vault.csiEnabled" -}}
{{- define "openbao.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -55,7 +55,7 @@ Compute if the csi driver is enabled.
{{/*
Compute if the injector is enabled.
*/}}
{{- define "vault.injectorEnabled" -}}
{{- define "openbao.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -64,7 +64,7 @@ Compute if the injector is enabled.
{{/*
Compute if the server is enabled.
*/}}
{{- define "vault.serverEnabled" -}}
{{- define "openbao.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -73,7 +73,7 @@ Compute if the server is enabled.
{{/*
Compute if the server serviceaccount is enabled.
*/}}
{{- define "vault.serverServiceAccountEnabled" -}}
{{- define "openbao.serverServiceAccountEnabled" -}}
{{- $_ := set . "serverServiceAccountEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true" )
@ -85,7 +85,7 @@ Compute if the server serviceaccount is enabled.
{{/*
Compute if the server serviceaccount should have a token created and mounted to the serviceaccount.
*/}}
{{- define "vault.serverServiceAccountSecretCreationEnabled" -}}
{{- define "openbao.serverServiceAccountSecretCreationEnabled" -}}
{{- $_ := set . "serverServiceAccountSecretCreationEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true")
@ -96,7 +96,7 @@ Compute if the server serviceaccount should have a token created and mounted to
{{/*
Compute if the server auth delegator serviceaccount is enabled.
*/}}
{{- define "vault.serverAuthDelegator" -}}
{{- define "openbao.serverAuthDelegator" -}}
{{- $_ := set . "serverAuthDelegator"
(and
(eq (.Values.server.authDelegator.enabled | toString) "true" )
@ -110,15 +110,15 @@ Compute if the server auth delegator serviceaccount is enabled.
{{/*
Compute if the server service is enabled.
*/}}
{{- define "vault.serverServiceEnabled" -}}
{{- template "vault.serverEnabled" . -}}
{{- define "openbao.serverServiceEnabled" -}}
{{- template "openbao.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}}
{{/*
Compute if the ui is enabled.
*/}}
{{- define "vault.uiEnabled" -}}
{{- define "openbao.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -129,7 +129,7 @@ Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster.
Add a special case for replicas=1, where it should default to 0 as well.
*/}}
{{- define "vault.pdb.maxUnavailable" -}}
{{- define "openbao.pdb.maxUnavailable" -}}
{{- if eq (int .Values.server.ha.replicas) 1 -}}
{{ 0 }}
{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}}
@ -143,8 +143,8 @@ Add a special case for replicas=1, where it should default to 0 as well.
Set the variable 'mode' to the server mode requested by the user to simplify
template logic.
*/}}
{{- define "vault.mode" -}}
{{- template "vault.serverEnabled" . -}}
{{- define "openbao.mode" -}}
{{- template "openbao.serverEnabled" . -}}
{{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}
{{- $_ := set . "mode" "external" -}}
{{- else if not .serverEnabled -}}
@ -163,7 +163,7 @@ template logic.
{{/*
Set's the replica count based on the different modes configured by user
*/}}
{{- define "vault.replicas" -}}
{{- define "openbao.replicas" -}}
{{ if eq .mode "standalone" }}
{{- default 1 -}}
{{ else if eq .mode "ha" }}
@ -182,11 +182,11 @@ Set's up configmap mounts if this isn't a dev deployment and the user
defined a custom configuration. Additionally iterates over any
extra volumes the user may have specified (such as a secret with TLS).
*/}}
{{- define "vault.volumes" -}}
{{- define "openbao.volumes" -}}
{{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config
configMap:
name: {{ template "vault.fullname" . }}-config
name: {{ template "openbao.fullname" . }}-config
{{ end }}
{{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }}
@ -201,40 +201,34 @@ extra volumes the user may have specified (such as a secret with TLS).
{{- if .Values.server.volumes }}
{{- toYaml .Values.server.volumes | nindent 8}}
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: vault-license
secret:
secretName: {{ .Values.server.enterpriseLicense.secretName }}
defaultMode: 0440
{{- end }}
{{- end -}}
{{/*
Set's the args for custom command to render the Vault configuration
Set's the args for custom command to render the OpenBao configuration
file with IP addresses to make the out of box experience easier
for users looking to use this chart with Consul Helm.
*/}}
{{- define "vault.args" -}}
{{- define "openbao.args" -}}
{{ if or (eq .mode "standalone") (eq .mode "ha") }}
- |
cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
[ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
[ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
/usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
{{ else if eq .mode "dev" }}
- |
/usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }}
/usr/local/bin/docker-entrypoint.sh bao server -dev {{ .Values.server.extraArgs }}
{{ end }}
{{- end -}}
{{/*
Set's additional environment variables based on the mode.
*/}}
{{- define "vault.envs" -}}
{{- define "openbao.envs" -}}
{{ if eq .mode "dev" }}
- name: VAULT_DEV_ROOT_TOKEN_ID
value: {{ .Values.server.dev.devRootToken }}
@ -247,7 +241,7 @@ Set's additional environment variables based on the mode.
Set's which additional volumes should be mounted to the container
based on the mode configured.
*/}}
{{- define "vault.mounts" -}}
{{- define "openbao.mounts" -}}
{{ if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- name: audit
mountPath: {{ .Values.server.auditStorage.mountPath }}
@ -260,21 +254,16 @@ based on the mode configured.
{{ end }}
{{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config
mountPath: /vault/config
mountPath: /openbao/config
{{ end }}
{{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }}
readOnly: true
mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
mountPath: {{ .path | default "/openbao/userconfig" }}/{{ .name }}
{{- end }}
{{- if .Values.server.volumeMounts }}
{{- toYaml .Values.server.volumeMounts | nindent 12}}
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: vault-license
mountPath: /vault/license
readOnly: true
{{- end }}
{{- end -}}
{{/*
@ -282,14 +271,14 @@ Set's up the volumeClaimTemplates when data or audit storage is required. HA
might not use data storage since Consul is likely it's backend, however, audit
storage might be desired by the user.
*/}}
{{- define "vault.volumeclaims" -}}
{{- define "openbao.volumeclaims" -}}
{{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
volumeClaimTemplates:
{{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
- metadata:
name: data
{{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }}
{{- include "vault.dataVolumeClaim.labels" . | nindent 6 }}
{{- include "openbao.dataVolumeClaim.annotations" . | nindent 6 }}
{{- include "openbao.dataVolumeClaim.labels" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
@ -303,8 +292,8 @@ storage might be desired by the user.
{{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- metadata:
name: audit
{{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }}
{{- include "vault.auditVolumeClaim.labels" . | nindent 6 }}
{{- include "openbao.auditVolumeClaim.annotations" . | nindent 6 }}
{{- include "openbao.auditVolumeClaim.labels" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
@ -321,7 +310,7 @@ storage might be desired by the user.
{{/*
Set's the affinity for pod placement when running in standalone and HA modes.
*/}}
{{- define "vault.affinity" -}}
{{- define "openbao.affinity" -}}
{{- if and (ne .mode "dev") .Values.server.affinity }}
affinity:
{{ $tp := typeOf .Values.server.affinity }}
@ -351,7 +340,7 @@ Sets the injector affinity for pod placement
{{/*
Sets the topologySpreadConstraints when running in standalone and HA modes.
*/}}
{{- define "vault.topologySpreadConstraints" -}}
{{- define "openbao.topologySpreadConstraints" -}}
{{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
topologySpreadConstraints:
{{ $tp := typeOf .Values.server.topologySpreadConstraints }}
@ -382,7 +371,7 @@ Sets the injector topologySpreadConstraints for pod placement
{{/*
Sets the toleration for pod placement when running in standalone and HA modes.
*/}}
{{- define "vault.tolerations" -}}
{{- define "openbao.tolerations" -}}
{{- if and (ne .mode "dev") .Values.server.tolerations }}
tolerations:
{{- $tp := typeOf .Values.server.tolerations }}
@ -412,7 +401,7 @@ Sets the injector toleration for pod placement
{{/*
Set's the node selector for pod placement when running in standalone and HA modes.
*/}}
{{- define "vault.nodeselector" -}}
{{- define "openbao.nodeselector" -}}
{{- if and (ne .mode "dev") .Values.server.nodeSelector }}
nodeSelector:
{{- $tp := typeOf .Values.server.nodeSelector }}
@ -457,9 +446,12 @@ Sets the injector deployment update strategy
{{/*
Sets extra pod annotations
*/}}
{{- define "vault.annotations" -}}
{{- if .Values.server.annotations }}
{{- define "openbao.annotations" }}
annotations:
{{- if .Values.server.includeConfigAnnotation }}
openbao.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
{{- end }}
{{- if .Values.server.annotations }}
{{- $tp := typeOf .Values.server.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.annotations . | nindent 8 }}
@ -563,7 +555,7 @@ securityContext for the statefulset pod template.
{{- end -}}
{{/*
securityContext for the statefulset vault container
securityContext for the statefulset openbao container
*/}}
{{- define "server.statefulSet.securityContext.container" -}}
{{- if .Values.server.statefulSet.securityContext.container }}
@ -630,7 +622,7 @@ Set's the injector webhook objectSelector
{{/*
Sets extra ui service annotations
*/}}
{{- define "vault.ui.annotations" -}}
{{- define "openbao.ui.annotations" -}}
{{- if .Values.ui.annotations }}
annotations:
{{- $tp := typeOf .Values.ui.annotations }}
@ -645,9 +637,9 @@ Sets extra ui service annotations
{{/*
Create the name of the service account to use
*/}}
{{- define "vault.serviceAccount.name" -}}
{{- define "openbao.serviceAccount.name" -}}
{{- if .Values.server.serviceAccount.create -}}
{{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
{{ default (include "openbao.fullname" .) .Values.server.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.server.serviceAccount.name }}
{{- end -}}
@ -656,7 +648,7 @@ Create the name of the service account to use
{{/*
Sets extra service account annotations
*/}}
{{- define "vault.serviceAccount.annotations" -}}
{{- define "openbao.serviceAccount.annotations" -}}
{{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.server.serviceAccount.annotations }}
@ -671,7 +663,7 @@ Sets extra service account annotations
{{/*
Sets extra ingress annotations
*/}}
{{- define "vault.ingress.annotations" -}}
{{- define "openbao.ingress.annotations" -}}
{{- if .Values.server.ingress.annotations }}
annotations:
{{- $tp := typeOf .Values.server.ingress.annotations }}
@ -686,7 +678,7 @@ Sets extra ingress annotations
{{/*
Sets extra route annotations
*/}}
{{- define "vault.route.annotations" -}}
{{- define "openbao.route.annotations" -}}
{{- if .Values.server.route.annotations }}
annotations:
{{- $tp := typeOf .Values.server.route.annotations }}
@ -699,9 +691,9 @@ Sets extra route annotations
{{- end -}}
{{/*
Sets extra vault server Service annotations
Sets extra openbao server Service annotations
*/}}
{{- define "vault.service.annotations" -}}
{{- define "openbao.service.annotations" -}}
{{- if .Values.server.service.annotations }}
{{- $tp := typeOf .Values.server.service.annotations }}
{{- if eq $tp "string" }}
@ -713,9 +705,9 @@ Sets extra vault server Service annotations
{{- end -}}
{{/*
Sets extra vault server Service (active) annotations
Sets extra openbao server Service (active) annotations
*/}}
{{- define "vault.service.active.annotations" -}}
{{- define "openbao.service.active.annotations" -}}
{{- if .Values.server.service.active.annotations }}
{{- $tp := typeOf .Values.server.service.active.annotations }}
{{- if eq $tp "string" }}
@ -726,9 +718,9 @@ Sets extra vault server Service (active) annotations
{{- end }}
{{- end -}}
{{/*
Sets extra vault server Service annotations
Sets extra openbao server Service annotations
*/}}
{{- define "vault.service.standby.annotations" -}}
{{- define "openbao.service.standby.annotations" -}}
{{- if .Values.server.service.standby.annotations }}
{{- $tp := typeOf .Values.server.service.standby.annotations }}
{{- if eq $tp "string" }}
@ -742,7 +734,7 @@ Sets extra vault server Service annotations
{{/*
Sets PodSecurityPolicy annotations
*/}}
{{- define "vault.psp.annotations" -}}
{{- define "openbao.psp.annotations" -}}
{{- if .Values.global.psp.annotations }}
annotations:
{{- $tp := typeOf .Values.global.psp.annotations }}
@ -757,7 +749,7 @@ Sets PodSecurityPolicy annotations
{{/*
Sets extra statefulset annotations
*/}}
{{- define "vault.statefulSet.annotations" -}}
{{- define "openbao.statefulSet.annotations" -}}
{{- if .Values.server.statefulSet.annotations }}
annotations:
{{- $tp := typeOf .Values.server.statefulSet.annotations }}
@ -772,7 +764,7 @@ Sets extra statefulset annotations
{{/*
Sets VolumeClaim annotations for data volume
*/}}
{{- define "vault.dataVolumeClaim.annotations" -}}
{{- define "openbao.dataVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }}
annotations:
{{- $tp := typeOf .Values.server.dataStorage.annotations }}
@ -787,7 +779,7 @@ Sets VolumeClaim annotations for data volume
{{/*
Sets VolumeClaim labels for data volume
*/}}
{{- define "vault.dataVolumeClaim.labels" -}}
{{- define "openbao.dataVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }}
labels:
{{- $tp := typeOf .Values.server.dataStorage.labels }}
@ -802,7 +794,7 @@ Sets VolumeClaim labels for data volume
{{/*
Sets VolumeClaim annotations for audit volume
*/}}
{{- define "vault.auditVolumeClaim.annotations" -}}
{{- define "openbao.auditVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }}
annotations:
{{- $tp := typeOf .Values.server.auditStorage.annotations }}
@ -817,7 +809,7 @@ Sets VolumeClaim annotations for audit volume
{{/*
Sets VolumeClaim labels for audit volume
*/}}
{{- define "vault.auditVolumeClaim.labels" -}}
{{- define "openbao.auditVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }}
labels:
{{- $tp := typeOf .Values.server.auditStorage.labels }}
@ -832,7 +824,7 @@ Sets VolumeClaim labels for audit volume
{{/*
Set's the container resources if the user has set any.
*/}}
{{- define "vault.resources" -}}
{{- define "openbao.resources" -}}
{{- if .Values.server.resources -}}
resources:
{{ toYaml .Values.server.resources | indent 12}}
@ -991,7 +983,7 @@ Sets extra CSI service account annotations
{{/*
Inject extra environment vars in the format key:value, if populated
*/}}
{{- define "vault.extraEnvironmentVars" -}}
{{- define "openbao.extraEnvironmentVars" -}}
{{- if .extraEnvironmentVars -}}
{{- range $key, $value := .extraEnvironmentVars }}
- name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
@ -1003,7 +995,7 @@ Inject extra environment vars in the format key:value, if populated
{{/*
Inject extra environment populated by secrets, if populated
*/}}
{{- define "vault.extraSecretEnvironmentVars" -}}
{{- define "openbao.extraSecretEnvironmentVars" -}}
{{- if .extraSecretEnvironmentVars -}}
{{- range .extraSecretEnvironmentVars }}
- name: {{ .envName }}
@ -1016,7 +1008,7 @@ Inject extra environment populated by secrets, if populated
{{- end -}}
{{/* Scheme for health check and local endpoint */}}
{{- define "vault.scheme" -}}
{{- define "openbao.scheme" -}}
{{- if .Values.global.tlsDisable -}}
{{ "http" }}
{{- else -}}
@ -1075,3 +1067,28 @@ Supported inputs are Values.ui
{{- end -}}
{{- end }}
{{- end -}}
{{/*
config file from values
*/}}
{{- define "openbao.config" -}}
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }}
disable_mlock = true
{{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
{{ tpl .Values.server.ha.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
{{ end }}
{{- else }}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
{{- else }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

12
templates/csi-agent-configmap.yaml → charts/openbao/templates/csi-agent-configmap.yaml
View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- template "openbao.csiEnabled" . -}}
{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
@ -21,7 +21,7 @@ data:
{{- if .Values.global.externalVaultAddr }}
"address" = "{{ .Values.global.externalVaultAddr }}"
{{- else }}
"address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}"
"address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}"
{{- end }}
}

6
templates/csi-clusterrole.yaml → charts/openbao/templates/csi-clusterrole.yaml
View file

@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:

12
templates/csi-clusterrolebinding.yaml → charts/openbao/templates/csi-clusterrolebinding.yaml
View file

@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
{{- end }}

34
templates/csi-daemonset.yaml → charts/openbao/templates/csi-daemonset.yaml
View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}}
@ -27,12 +27,12 @@ spec:
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
@ -43,15 +43,15 @@ spec:
{{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }}
serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }}
{{- template "csi.pod.nodeselector" . }}
{{- template "csi.pod.affinity" . }}
containers:
- name: {{ include "vault.name" . }}-csi-provider
- name: {{ include "openbao.name" . }}-csi-provider
{{ template "csi.resources" . }}
{{ template "csi.daemonSet.securityContext.container" . }}
image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
args:
- --endpoint=/provider/vault.sock
@ -59,7 +59,7 @@ spec:
{{- if .Values.csi.hmacSecretName }}
- --hmac-secret-name={{ .Values.csi.hmacSecretName }}
{{- else }}
- --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key
- --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key
{{- end }}
{{- if .Values.csi.extraArgs }}
{{- toYaml .Values.csi.extraArgs | nindent 12 }}
@ -71,7 +71,7 @@ spec:
{{- else if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
volumeMounts:
- name: providervol
@ -102,12 +102,12 @@ spec:
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: {{ include "vault.name" . }}-agent
image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
- name: {{ include "openbao.name" . }}-agent
image: "{{ .Values.csi.agent.image.registry | default "docker.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
{{ template "csi.agent.resources" . }}
command:
- vault
- bao
args:
- agent
- -config=/etc/vault/config.hcl
@ -117,9 +117,9 @@ spec:
ports:
- containerPort: 8200
env:
- name: VAULT_LOG_LEVEL
- name: BAO_LOG_LEVEL
value: "{{ .Values.csi.agent.logLevel }}"
- name: VAULT_LOG_FORMAT
- name: BAO_LOG_FORMAT
value: "{{ .Values.csi.agent.logFormat }}"
securityContext:
runAsNonRoot: true
@ -145,7 +145,7 @@ spec:
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-config
configMap:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
- name: agent-unix-socket
emptyDir:
medium: Memory

10
templates/csi-role.yaml → charts/openbao/templates/csi-role.yaml
View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-role
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-csi-provider-role
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
@ -22,7 +22,7 @@ rules:
{{- if .Values.csi.hmacSecretName }}
- {{ .Values.csi.hmacSecretName }}
{{- else }}
- {{ include "vault.name" . }}-csi-provider-hmac-key
- {{ include "openbao.name" . }}-csi-provider-hmac-key
{{- end }}
# 'create' permissions cannot be restricted by resource name:
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources

25
charts/openbao/templates/csi-rolebinding.yaml Normal file
View file

@ -0,0 +1,25 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "openbao.fullname" . }}-csi-provider-role
subjects:
- kind: ServiceAccount
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
{{- end }}

8
templates/csi-serviceaccount.yaml → charts/openbao/templates/csi-serviceaccount.yaml
View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- template "openbao.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-csi-provider
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.serviceAccount.extraLabels -}}

10
templates/injector-certs-secret.yaml → charts/openbao/templates/injector-certs-secret.yaml
View file

@ -3,17 +3,17 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1
kind: Secret
metadata:
name: vault-injector-certs
namespace: {{ include "vault.namespace" . }}
name: openbao-injector-certs
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}
{{- end }}

12
templates/injector-clusterrole.yaml → charts/openbao/templates/injector-clusterrole.yaml
View file

@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
@ -21,4 +21,10 @@ rules:
- "list"
- "watch"
- "patch"
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- apiGroups: [""]
resources: ["nodes"]
verbs:
- "get"
{{ end }}
{{ end }}

12
templates/injector-clusterrolebinding.yaml → charts/openbao/templates/injector-clusterrolebinding.yaml
View file

@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-binding
name: {{ template "openbao.fullname" . }}-agent-injector-binding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
{{ end }}

26
templates/injector-deployment.yaml → charts/openbao/templates/injector-deployment.yaml
View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
@ -20,14 +20,14 @@ spec:
replicas: {{ .Values.injector.replicas }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{ template "injector.strategy" . }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- if .Values.injector.extraLabels -}}
@ -42,7 +42,7 @@ spec:
{{- if .Values.injector.priorityClassName }}
priorityClassName: {{ .Values.injector.priorityClassName }}
{{- end }}
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
serviceAccountName: "{{ template "openbao.fullname" . }}-agent-injector"
{{ template "injector.securityContext.pod" . -}}
{{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.injector.hostNetwork }}
@ -50,7 +50,7 @@ spec:
containers:
- name: sidecar-injector
{{ template "injector.resources" . }}
image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
image: "{{ .Values.injector.image.registry | default "docker.io" }}/{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
{{- template "injector.securityContext.container" . }}
env:
@ -64,12 +64,12 @@ spec:
{{- else if .Values.injector.externalVaultAddr }}
value: "{{ .Values.injector.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
- name: AGENT_INJECT_VAULT_AUTH_PATH
value: {{ .Values.injector.authPath }}
- name: AGENT_INJECT_VAULT_IMAGE
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
value: "{{ .Values.injector.image.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
{{- if .Values.injector.certs.secretName }}
- name: AGENT_INJECT_TLS_CERT_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
@ -77,9 +77,9 @@ spec:
value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
{{- else }}
- name: AGENT_INJECT_TLS_AUTO
value: {{ template "vault.fullname" . }}-agent-injector-cfg
value: {{ template "openbao.fullname" . }}-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc
value: {{ template "openbao.fullname" . }}-agent-injector-svc,{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }},{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }}.svc
{{- end }}
- name: AGENT_INJECT_LOG_FORMAT
value: {{ .Values.injector.logFormat | default "standard" }}
@ -125,7 +125,7 @@ spec:
- name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
{{- end }}
{{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
{{- include "openbao.extraEnvironmentVars" .Values.injector | nindent 12 }}
- name: POD_NAME
valueFrom:
fieldRef:

10
templates/injector-disruptionbudget.yaml → charts/openbao/templates/injector-disruptionbudget.yaml
View file

@ -7,18 +7,18 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}

10
templates/injector-mutating-webhook.yaml → charts/openbao/templates/injector-mutating-webhook.yaml
View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
@ -12,9 +12,9 @@ apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-cfg
name: {{ template "openbao.fullname" . }}-agent-injector-cfg
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "injector.webhookAnnotations" . }}
@ -27,8 +27,8 @@ webhooks:
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector-svc
namespace: {{ include "openbao.namespace" . }}
path: "/mutate"
caBundle: {{ .Values.injector.certs.caBundle | quote }}
rules:

8
templates/injector-network-policy.yaml → charts/openbao/templates/injector-network-policy.yaml
View file

@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
name: {{ template "openbao.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
ingress:

10
templates/injector-psp-role.yaml → charts/openbao/templates/injector-psp-role.yaml
View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector-psp
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
@ -20,6 +20,6 @@ rules:
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "vault.fullname" . }}-agent-injector
- {{ template "openbao.fullname" . }}-agent-injector
{{- end }}
{{- end }}

12
templates/injector-psp-rolebinding.yaml → charts/openbao/templates/injector-psp-rolebinding.yaml
View file

@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector-psp
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-psp
name: {{ template "openbao.fullname" . }}-agent-injector-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
name: {{ template "openbao.fullname" . }}-agent-injector
{{- end }}
{{- end }}

8
templates/injector-psp.yaml → charts/openbao/templates/injector-psp.yaml
View file

@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
name: {{ template "openbao.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }}
{{- template "openbao.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.

8
templates/injector-role.yaml → charts/openbao/templates/injector-role.yaml
View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:

14
templates/injector-rolebinding.yaml → charts/openbao/templates/injector-rolebinding.yaml
View file

@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
{{- end }}
{{- end }}

10
templates/injector-service.yaml → charts/openbao/templates/injector-service.yaml
View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector-svc
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.service.annotations" . }}
@ -21,7 +21,7 @@ spec:
port: 443
targetPort: {{ .Values.injector.port }}
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- end }}

8
templates/injector-serviceaccount.yaml → charts/openbao/templates/injector-serviceaccount.yaml
View file

@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-agent-injector
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.serviceAccount.annotations" . }}

8
templates/prometheus-prometheusrules.yaml → charts/openbao/templates/prometheus-prometheusrules.yaml
View file

@ -10,10 +10,10 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "vault.fullname" . }}
name: {{ template "openbao.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
@ -25,7 +25,7 @@ metadata:
{{- end }}
spec:
groups:
- name: {{ include "vault.fullname" . }}
- name: {{ include "openbao.fullname" . }}
rules:
{{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
{{- end }}

20
templates/prometheus-servicemonitor.yaml → charts/openbao/templates/prometheus-servicemonitor.yaml
View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "vault.fullname" . }}
name: {{ template "openbao.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
@ -25,18 +25,18 @@ metadata:
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if eq .mode "ha" }}
vault-active: "true"
openbao-active: "true"
{{- else }}
vault-internal: "true"
openbao-internal: "true"
{{- end }}
endpoints:
- port: {{ include "vault.scheme" . }}
- port: {{ include "openbao.scheme" . }}
interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
scheme: {{ include "vault.scheme" . | lower }}
scheme: {{ include "openbao.scheme" . | lower }}
path: /v1/sys/metrics
params:
format:
@ -45,5 +45,5 @@ spec:
insecureSkipVerify: true
namespaceSelector:
matchNames:
- {{ include "vault.namespace" . }}
- {{ include "openbao.namespace" . }}
{{ end }}

14
templates/server-clusterrolebinding.yaml → charts/openbao/templates/server-clusterrolebinding.yaml
View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverAuthDelegator" . }}
{{ template "openbao.serverAuthDelegator" . }}
{{- if .serverAuthDelegator -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
@ -12,10 +12,10 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-server-binding
name: {{ template "openbao.fullname" . }}-server-binding
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
@ -24,6 +24,6 @@ roleRef:
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }}
{{ end }}
name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "openbao.namespace" . }}
{{ end }}

31
charts/openbao/templates/server-config-configmap.yaml Normal file
View file

@ -0,0 +1,31 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openbao.fullname" . }}-config
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.includeConfigAnnotation }}
annotations:
vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
{{- end }}
data:
extraconfig-from-values.hcl: |-
{{ template "openbao.config" . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

10
templates/server-discovery-role.yaml → charts/openbao/templates/server-discovery-role.yaml
View file

@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ include "vault.namespace" . }}
name: {{ template "vault.fullname" . }}-discovery-role
namespace: {{ include "openbao.namespace" . }}
name: {{ template "openbao.fullname" . }}-discovery-role
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:

16
templates/server-discovery-rolebinding.yaml → charts/openbao/templates/server-discovery-rolebinding.yaml
View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
@ -14,21 +14,21 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-discovery-rolebinding
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-discovery-rolebinding
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-discovery-role
name: {{ template "openbao.fullname" . }}-discovery-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "openbao.namespace" . }}
{{ end }}
{{ end }}
{{ end }}

14
templates/server-disruptionbudget.yaml → charts/openbao/templates/server-disruptionbudget.yaml
View file

@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" -}}
{{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
@ -12,18 +12,18 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end -}}

26
templates/server-ha-active-service.yaml → charts/openbao/templates/server-ha-active-service.yaml
View file

@ -3,27 +3,27 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
# Service for active Vault pod
# Service for active OpenBao pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-active
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-active
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-active: "true"
openbao-active: "true"
annotations:
{{- template "vault.service.active.annotations" . }}
{{- template "vault.service.annotations" . }}
{{- template "openbao.service.active.annotations" . }}
{{- template "openbao.service.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
@ -42,7 +42,7 @@ spec:
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
- name: {{ include "openbao.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -52,12 +52,12 @@ spec:
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
vault-active: "true"
openbao-active: "true"
{{- end }}
{{- end }}
{{- end }}

24
templates/server-ha-standby-service.yaml → charts/openbao/templates/server-ha-standby-service.yaml
View file

@ -3,26 +3,26 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
# Service for standby Vault pod
# Service for standby OpenBao pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-standby
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-standby
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{- template "vault.service.standby.annotations" . }}
{{- template "vault.service.annotations" . }}
{{- template "openbao.service.standby.annotations" . }}
{{- template "openbao.service.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
@ -41,7 +41,7 @@ spec:
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
- name: {{ include "openbao.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -51,12 +51,12 @@ spec:
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
vault-active: "false"
openbao-active: "false"
{{- end }}
{{- end }}
{{- end }}

22
templates/server-headless-service.yaml → charts/openbao/templates/server-headless-service.yaml
View file

@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
# Service for OpenBao cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-internal
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-internal
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-internal: "true"
openbao-internal: "true"
annotations:
{{ template "vault.service.annotations" .}}
{{ template "openbao.service.annotations" .}}
spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
@ -33,14 +33,14 @@ spec:
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: "{{ include "vault.scheme" . }}"
- name: "{{ include "openbao.scheme" . }}"
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end }}

16
templates/server-ingress.yaml → charts/openbao/templates/server-ingress.yaml
View file

@ -4,12 +4,12 @@ SPDX-License-Identifier: MPL-2.0
*/}}
{{- if not .Values.global.openshift }}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- template "vault.serverServiceEnabled" . -}}
{{- $serviceName := include "openbao.fullname" . -}}
{{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
@ -20,17 +20,17 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "vault.ingress.annotations" . }}
{{- template "openbao.ingress.annotations" . }}
spec:
{{- if .Values.server.ingress.tls }}
tls:

6
templates/server-network-policy.yaml → charts/openbao/templates/server-network-policy.yaml
View file

@ -7,14 +7,14 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "vault.fullname" . }}
name: {{ template "openbao.fullname" . }}
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
{{- if .Values.server.networkPolicy.egress }}

10
templates/server-psp-role.yaml → charts/openbao/templates/server-psp-role.yaml
View file

@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-psp
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
@ -20,6 +20,6 @@ rules:
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "vault.fullname" . }}
- {{ template "openbao.fullname" . }}
{{- end }}
{{- end }}

12
templates/server-psp-rolebinding.yaml → charts/openbao/templates/server-psp-rolebinding.yaml
View file

@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-psp
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-psp
name: {{ template "openbao.fullname" . }}-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}
name: {{ template "openbao.fullname" . }}
{{- end }}
{{- end }}

8
templates/server-psp.yaml → charts/openbao/templates/server-psp.yaml
View file

@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}
name: {{ template "openbao.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }}
{{- template "openbao.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.

12
templates/server-route.yaml → charts/openbao/templates/server-route.yaml
View file

@ -6,24 +6,24 @@ SPDX-License-Identifier: MPL-2.0
{{- if .Values.global.openshift }}
{{- if ne .mode "external" }}
{{- if .Values.server.route.enabled -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- $serviceName := include "openbao.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.route.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "vault.route.annotations" . }}
{{- template "openbao.route.annotations" . }}
spec:
host: {{ .Values.server.route.host }}
to:

20
templates/server-service.yaml → charts/openbao/templates/server-service.yaml
View file

@ -3,23 +3,23 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- template "openbao.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
# Service for OpenBao cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "vault.service.annotations" .}}
{{ template "openbao.service.annotations" .}}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
@ -40,7 +40,7 @@ spec:
# since this DNS is also used for join operations.
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
- name: {{ include "openbao.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -50,7 +50,7 @@ spec:
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

21
charts/openbao/templates/server-serviceaccount-secret.yaml Normal file
View file

@ -0,0 +1,21 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "openbao.serverServiceAccountSecretCreationEnabled" . }}
{{- if .serverServiceAccountSecretCreationEnabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "openbao.serviceAccount.name" . }}-token
namespace: {{ include "openbao.namespace" . }}
annotations:
kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }}
labels:
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
type: kubernetes.io/service-account-token
{{ end }}

12
templates/server-serviceaccount.yaml → charts/openbao/templates/server-serviceaccount.yaml
View file

@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverServiceAccountEnabled" . }}
{{ template "openbao.serverServiceAccountEnabled" . }}
{{- if .serverServiceAccountEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.serviceAccount.name" . }}
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.serviceAccount.extraLabels -}}
{{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "vault.serviceAccount.annotations" . }}
{{ template "openbao.serviceAccount.annotations" . }}
{{ end }}

100
templates/server-statefulset.yaml → charts/openbao/templates/server-statefulset.yaml
View file

@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- if ne .mode "" }}
{{- if .serverEnabled -}}
# StatefulSet to run the actual vault server cluster.
# StatefulSet to run the actual openbao server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}
namespace: {{ include "openbao.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.statefulSet.annotations" . }}
{{- template "openbao.statefulSet.annotations" . }}
spec:
serviceName: {{ template "vault.fullname" . }}-internal
serviceName: {{ template "openbao.fullname" . }}-internal
podManagementPolicy: Parallel
replicas: {{ template "vault.replicas" . }}
replicas: {{ template "openbao.replicas" . }}
updateStrategy:
type: {{ .Values.server.updateStrategyType }}
{{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
@ -29,30 +29,30 @@ spec:
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
template:
metadata:
labels:
helm.sh/chart: {{ template "vault.chart" . }}
app.kubernetes.io/name: {{ template "vault.name" . }}
helm.sh/chart: {{ template "openbao.chart" . }}
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if .Values.server.extraLabels -}}
{{- toYaml .Values.server.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "vault.annotations" . }}
{{ template "openbao.annotations" . }}
spec:
{{ template "vault.affinity" . }}
{{ template "vault.topologySpreadConstraints" . }}
{{ template "vault.tolerations" . }}
{{ template "vault.nodeselector" . }}
{{ template "openbao.affinity" . }}
{{ template "openbao.topologySpreadConstraints" . }}
{{ template "openbao.tolerations" . }}
{{ template "openbao.nodeselector" . }}
{{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
serviceAccountName: {{ template "vault.serviceAccount.name" . }}
serviceAccountName: {{ template "openbao.serviceAccount.name" . }}
{{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true
{{ end }}
@ -61,7 +61,7 @@ spec:
hostNetwork: {{ .Values.server.hostNetwork }}
{{- end }}
volumes:
{{ template "vault.volumes" . }}
{{ template "openbao.volumes" . }}
- name: home
emptyDir: {}
{{- if .Values.server.hostAliases }}
@ -73,14 +73,14 @@ spec:
{{ toYaml .Values.server.extraInitContainers | nindent 8}}
{{- end }}
containers:
- name: vault
{{ template "vault.resources" . }}
image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
- name: openbao
{{ template "openbao.resources" . }}
image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
command:
- "/bin/sh"
- "-ec"
args: {{ template "vault.args" . }}
args: {{ template "openbao.args" . }}
{{- template "server.statefulSet.securityContext.container" . }}
env:
- name: HOST_IP
@ -91,21 +91,21 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: VAULT_K8S_POD_NAME
- name: BAO_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_K8S_NAMESPACE
- name: BAO_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: VAULT_ADDR
value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
- name: VAULT_API_ADDR
- name: BAO_ADDR
value: "{{ include "openbao.scheme" . }}://127.0.0.1:8200"
- name: BAO_API_ADDR
{{- if .Values.server.ha.apiAddr }}
value: {{ .Values.server.ha.apiAddr }}
{{- else }}
value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
value: "{{ include "openbao.scheme" . }}://$(POD_IP):8200"
{{- end }}
- name: SKIP_CHOWN
value: "true"
@ -115,46 +115,42 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_CLUSTER_ADDR
- name: BAO_CLUSTER_ADDR
{{- if .Values.server.ha.clusterAddr }}
value: {{ .Values.server.ha.clusterAddr | quote }}
{{- else }}
value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
value: "https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201"
{{- end }}
{{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
- name: VAULT_RAFT_NODE_ID
- name: BAO_RAFT_NODE_ID
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- end }}
- name: HOME
value: "/home/vault"
value: "/home/openbao"
{{- if .Values.server.logLevel }}
- name: VAULT_LOG_LEVEL
- name: BAO_LOG_LEVEL
value: "{{ .Values.server.logLevel }}"
{{- end }}
{{- if .Values.server.logFormat }}
- name: VAULT_LOG_FORMAT
- name: BAO_LOG_FORMAT
value: "{{ .Values.server.logFormat }}"
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: VAULT_LICENSE_PATH
value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }}
{{- end }}
{{ template "vault.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
{{ template "openbao.envs" . }}
{{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
volumeMounts:
{{ template "vault.mounts" . }}
{{ template "openbao.mounts" . }}
- name: home
mountPath: /home/vault
mountPath: /home/openbao
ports:
- containerPort: 8200
name: {{ include "vault.scheme" . }}
name: {{ include "openbao.scheme" . }}
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: {{ include "vault.scheme" . }}-rep
name: {{ include "openbao.scheme" . }}-rep
{{- if .Values.server.extraPorts -}}
{{ toYaml .Values.server.extraPorts | nindent 12}}
{{- end }}
@ -164,15 +160,15 @@ spec:
httpGet:
path: {{ .Values.server.readinessProbe.path | quote }}
port: {{ .Values.server.readinessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }}
scheme: {{ include "openbao.scheme" . | upper }}
{{- else }}
# Check status; unsealed vault servers return 0
# Check status; unsealed openbao servers return 0
# The exit code reflects the seal status:
# 0 - unsealed
# 1 - error
# 2 - sealed
exec:
command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
{{- end }}
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
@ -192,7 +188,7 @@ spec:
httpGet:
path: {{ .Values.server.livenessProbe.path | quote }}
port: {{ .Values.server.livenessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }}
scheme: {{ include "openbao.scheme" . | upper }}
{{- end }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
@ -201,7 +197,7 @@ spec:
timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
{{- end }}
lifecycle:
# Vault container doesn't receive SIGTERM from Kubernetes
# openbao container doesn't receive SIGTERM from Kubernetes
# and after the grace period ends, Kube sends SIGKILL. This
# causes issues with graceful shutdowns such as deregistering itself
# from Consul (zombie services).
@ -212,7 +208,7 @@ spec:
# Adding a sleep here to give the pod eviction a
# chance to propagate, so requests will not be made
# to this pod while it's terminating
"sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
"sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof bao)",
]
{{- if .Values.server.postStart }}
postStart:
@ -226,7 +222,7 @@ spec:
{{ toYaml .Values.server.extraContainers | nindent 8}}
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{ template "vault.volumeclaims" . }}
{{ template "openbao.volumeclaims" . }}
{{ end }}
{{ end }}
{{ end }}

18
templates/tests/server-test.yaml → charts/openbao/templates/tests/server-test.yaml
View file

@ -3,42 +3,42 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "vault.fullname" . }}-server-test
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-server-test
namespace: {{ include "openbao.namespace" . }}
annotations:
"helm.sh/hook": test
spec:
{{- include "imagePullSecrets" . | nindent 2 }}
containers:
- name: {{ .Release.Name }}-server-test
image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
env:
- name: VAULT_ADDR
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }}
command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'vault status' output"
echo "Checking for sealed info in 'bao status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
vault status -format yaml | grep -E '^sealed: (true|false)' && break
bao status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'vault status' output"
echo "timed out looking for sealed info in 'bao status' output"
exit 1
fi

22
templates/ui-service.yaml → charts/openbao/templates/ui-service.yaml
View file

@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ template "openbao.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.uiEnabled" . -}}
{{- template "openbao.uiEnabled" . -}}
{{- if .uiEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-ui
namespace: {{ include "vault.namespace" . }}
name: {{ template "openbao.fullname" . }}-ui
namespace: {{ include "openbao.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-ui
helm.sh/chart: {{ include "openbao.chart" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}-ui
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.ui.annotations" . }}
{{- template "openbao.ui.annotations" . }}
spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.ui.serviceIPFamilyPolicy }}
@ -29,15 +29,15 @@ spec:
{{- end }}
{{- end }}
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/name: {{ include "openbao.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }}
vault-active: "true"
{{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }}
openbao-active: "true"
{{- end }}
publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
- name: {{ include "openbao.scheme" . }}
port: {{ .Values.ui.externalPort }}
targetPort: {{ .Values.ui.targetPort }}
{{- if .Values.ui.serviceNodePort }}

10
values.openshift.yaml → charts/openbao/values.openshift.yaml
View file

@ -12,13 +12,15 @@ injector:
tag: "1.3.1-ubi"
agentImage:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.15.2-ubi"
registry: "quay.io"
repository: "openbao/openbao"
tag: "v2.0.2-ubi"
server:
image:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.15.2-ubi"
registry: "quay.io"
repository: "openbao/openbao"
tag: "v2.0.2-ubi"
readinessProbe:
path: "/v1/sys/health?uninitcode=204"

15
values.schema.json → charts/openbao/values.schema.json
View file

@ -230,7 +230,7 @@
},
"namespace": {
"type": "string"
},
},
"externalVaultAddr": {
"type": "string"
},
@ -659,17 +659,6 @@
"string"
]
},
"enterpriseLicense": {
"type": "object",
"properties": {
"secretKey": {
"type": "string"
},
"secretName": {
"type": "string"
}
}
},
"extraArgs": {
"type": "string"
},
@ -1163,7 +1152,7 @@
"ui": {
"type": "object",
"properties": {
"activeVaultPodOnly": {
"activeOpenbaoPodOnly": {
"type": "boolean"
},
"annotations": {

432
values.yaml → charts/openbao/values.yaml
View file

@ -1,36 +1,36 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# Available parameters and their default values for the Vault chart.
# Available parameters and their default values for the OpenBao chart.
global:
# enabled is the master enabled switch. Setting this to true or false
# -- enabled is the master enabled switch. Setting this to true or false
# will enable or disable all the components within this chart by default.
enabled: true
# The namespace to deploy to. Defaults to the `helm` installation namespace.
# -- The namespace to deploy to. Defaults to the `helm` installation namespace.
namespace: ""
# Image pull secret to use for registry authentication.
# -- Image pull secret to use for registry authentication.
# Alternatively, the value may be specified as an array of strings.
imagePullSecrets: []
# imagePullSecrets:
# - name: image-pull-secret
# TLS for end-to-end encrypted transport
# -- TLS for end-to-end encrypted transport
tlsDisable: true
# External vault server address for the injector and CSI provider to use.
# Setting this will disable deployment of a vault server.
# -- External openbao server address for the injector and CSI provider to use.
# Setting this will disable deployment of a openbao server.
externalVaultAddr: ""
# If deploying to OpenShift
# -- If deploying to OpenShift
openshift: false
# Create PodSecurityPolicy for pods
# -- Create PodSecurityPolicy for pods
psp:
enable: false
# Annotation for PodSecurityPolicy.
# -- Annotation for PodSecurityPolicy.
# This is a multi-line templated string map, and can also be set as YAML.
annotations: |
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
@ -39,46 +39,56 @@ global:
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
serverTelemetry:
# Enable integration with the Prometheus Operator
# -- Enable integration with the Prometheus Operator
# See the top level serverTelemetry section below before enabling this feature.
prometheusOperator: false
injector:
# True if you want to enable vault agent injection.
# @default: global.enabled
# -- True if you want to enable openbao agent injection. @default: global.enabled
enabled: "-"
replicas: 1
# Configures the port the injector should listen on
# -- Configures the port the injector should listen on
port: 8080
# If multiple replicas are specified, by default a leader will be determined
# -- If multiple replicas are specified, by default a leader will be determined
# so that only one injector attempts to create TLS certificates.
leaderElector:
enabled: true
# If true, will enable a node exporter metrics endpoint at /metrics.
# -- If true, will enable a node exporter metrics endpoint at /metrics.
metrics:
enabled: false
# Deprecated: Please use global.externalVaultAddr instead.
# -- Deprecated: Please use global.externalVaultAddr instead.
externalVaultAddr: ""
# image sets the repo and tag of the vault-k8s image to use for the injector.
image:
# -- image registry to use for k8s image
registry: "docker.io"
# -- image repo to use for k8s image
repository: "hashicorp/vault-k8s"
tag: "1.3.1"
# -- image tag to use for k8s image
tag: "1.4.2"
# -- image pull policy to use for k8s image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
# agentImage sets the repo and tag of the Vault image to use for the Vault Agent
# containers. This should be set to the official Vault image. Vault 1.3.1+ is
# -- agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent
# containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is
# required.
agentImage:
repository: "hashicorp/vault"
tag: "1.15.2"
# -- image registry to use for agent image
registry: "quay.io"
# -- image repo to use for agent image
repository: "openbao/openbao"
# -- image tag to use for agent image
tag: "2.0.2"
# -- image pull policy to use for agent image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
# The default values for the injected Vault Agent containers.
# The default values for the injected OpenBao Agent containers.
agentDefaults:
# For more information on configuring resources, see the K8s documentation:
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
@ -100,52 +110,52 @@ injector:
# Used to define custom livenessProbe settings
livenessProbe:
# When a probe fails, Kubernetes will try failureThreshold times before giving up
# -- When a probe fails, Kubernetes will try failureThreshold times before giving up
failureThreshold: 2
# Number of seconds after the container has started before probe initiates
# -- Number of seconds after the container has started before probe initiates
initialDelaySeconds: 5
# How often (in seconds) to perform the probe
# -- How often (in seconds) to perform the probe
periodSeconds: 2
# Minimum consecutive successes for the probe to be considered successful after having failed
# -- Minimum consecutive successes for the probe to be considered successful after having failed
successThreshold: 1
# Number of seconds after which the probe times out.
# -- Number of seconds after which the probe times out.
timeoutSeconds: 5
# Used to define custom readinessProbe settings
readinessProbe:
# When a probe fails, Kubernetes will try failureThreshold times before giving up
# -- When a probe fails, Kubernetes will try failureThreshold times before giving up
failureThreshold: 2
# Number of seconds after the container has started before probe initiates
# -- Number of seconds after the container has started before probe initiates
initialDelaySeconds: 5
# How often (in seconds) to perform the probe
# -- How often (in seconds) to perform the probe
periodSeconds: 2
# Minimum consecutive successes for the probe to be considered successful after having failed
# -- Minimum consecutive successes for the probe to be considered successful after having failed
successThreshold: 1
# Number of seconds after which the probe times out.
# -- Number of seconds after which the probe times out.
timeoutSeconds: 5
# Used to define custom startupProbe settings
startupProbe:
# When a probe fails, Kubernetes will try failureThreshold times before giving up
# -- When a probe fails, Kubernetes will try failureThreshold times before giving up
failureThreshold: 12
# Number of seconds after the container has started before probe initiates
# -- Number of seconds after the container has started before probe initiates
initialDelaySeconds: 5
# How often (in seconds) to perform the probe
# -- How often (in seconds) to perform the probe
periodSeconds: 5
# Minimum consecutive successes for the probe to be considered successful after having failed
# -- Minimum consecutive successes for the probe to be considered successful after having failed
successThreshold: 1
# Number of seconds after which the probe times out.
# -- Number of seconds after which the probe times out.
timeoutSeconds: 5
# Mount Path of the Vault Kubernetes Auth Method.
# Mount Path of the OpenBao Kubernetes Auth Method.
authPath: "auth/kubernetes"
# Configures the log verbosity of the injector.
# -- Configures the log verbosity of the injector.
# Supported log levels include: trace, debug, info, warn, error
logLevel: "info"
# Configures the log format of the injector. Supported log formats: "standard", "json".
# -- Configures the log format of the injector. Supported log formats: "standard", "json".
logFormat: "standard"
# Configures all Vault Agent sidecars to revoke their token when shutting down
# Configures all OpenBao Agent sidecars to revoke their token when shutting down
revokeOnShutdown: false
webhook:
@ -194,7 +204,7 @@ injector:
- key: app.kubernetes.io/name
operator: NotIn
values:
- {{ template "vault.name" . }}-agent-injector
- {{ template "openbao.name" . }}-agent-injector
# Extra annotations to attach to the webhook
annotations: {}
@ -278,7 +288,8 @@ injector:
# extraEnvironmentVars is a list of extra environment variables to set in the
# injector deployment.
extraEnvironmentVars: {}
extraEnvironmentVars:
{}
# KUBERNETES_SERVICE_HOST: kubernetes.default.svc
# Affinity Settings for injector pods
@ -290,7 +301,7 @@ injector:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
app.kubernetes.io/instance: "{{ .Release.Name }}"
component: webhook
topologyKey: kubernetes.io/hostname
@ -355,41 +366,33 @@ injector:
# type: RollingUpdate
server:
# If true, or "-" with global.enabled true, Vault server will be installed.
# See vault.mode in _helpers.tpl for implementation details.
# If true, or "-" with global.enabled true, OpenBao server will be installed.
# See openbao.mode in _helpers.tpl for implementation details.
enabled: "-"
# [Enterprise Only] This value refers to a Kubernetes secret that you have
# created that contains your enterprise license. If you are not using an
# enterprise image or if you plan to introduce the license key via another
# route, then leave secretName blank ("") or set it to null.
# Requires Vault Enterprise 1.8 or later.
enterpriseLicense:
# The name of the Kubernetes secret that holds the enterprise license. The
# secret must be in the same namespace that Vault is installed into.
secretName: ""
# The key within the Kubernetes secret that holds the enterprise license.
secretKey: "license"
# Resource requests, limits, etc. for the server cluster placement. This
# should map directly to the value of the resources field for a PodSpec.
# By default no direct resource request is made.
image:
repository: "hashicorp/vault"
tag: "1.15.2"
# Overrides the default Image Pull Policy
# -- image registry to use for server image
registry: "quay.io"
# -- image repo to use for server image
repository: "openbao/openbao"
# -- image tag to use for server image
tag: "2.0.2"
# -- image pull policy to use for server image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
# Configure the Update Strategy Type for the StatefulSet
# See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
updateStrategyType: "OnDelete"
# Configure the logging verbosity for the Vault server.
# Configure the logging verbosity for the OpenBao server.
# Supported log levels include: trace, debug, info, warn, error
logLevel: ""
# Configure the logging format for the Vault server.
# Configure the logging format for the OpenBao server.
# Supported log formats include: standard, json
logFormat: ""
@ -403,14 +406,16 @@ server:
# cpu: 250m
# Ingress allows ingress services to be created to allow external access
# from Kubernetes to access Vault pods.
# from Kubernetes to access OpenBao pods.
# If deployment is on OpenShift, the following block is ignored.
# In order to expose the service, use the route section below
ingress:
enabled: false
labels: {}
labels:
{}
# traffic: external
annotations: {}
annotations:
{}
# |
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
@ -427,7 +432,7 @@ server:
pathType: Prefix
# When HA mode is enabled and K8s service registration is being used,
# configure the ingress to point to the Vault active service.
# configure the ingress to point to the OpenBao active service.
activeService: true
hosts:
- host: chart-example.local
@ -457,7 +462,7 @@ server:
enabled: false
# When HA mode is enabled and K8s service registration is being used,
# configure the route to point to the Vault active service.
# configure the route to point to the OpenBao active service.
activeService: true
labels: {}
@ -471,14 +476,15 @@ server:
# authDelegator enables a cluster role binding to be attached to the service
# account. This cluster role binding can be used to setup Kubernetes auth
# method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
# method. See https://openbao.org/docs/auth/kubernetes
authDelegator:
enabled: true
# extraInitContainers is a list of init containers. Specified as a YAML list.
# -- extraInitContainers is a list of init containers. Specified as a YAML list.
# This is useful if you need to run a script to provision TLS certificates or
# write out configuration files in a dynamic way.
extraInitContainers: null
extraInitContainers:
[]
# # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
# # which is defined in the volumes value.
# - name: oauthapp
@ -497,16 +503,17 @@ server:
# extraContainers is a list of sidecar containers. Specified as a YAML list.
extraContainers: null
# shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation
# -- shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers
# This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation
shareProcessNamespace: false
# extraArgs is a string containing additional Vault server arguments.
# -- extraArgs is a string containing additional OpenBao server arguments.
extraArgs: ""
# extraPorts is a list of extra ports. Specified as a YAML list.
# -- extraPorts is a list of extra ports. Specified as a YAML list.
# This is useful if you need to add additional ports to the statefulset in dynamic way.
extraPorts: null
extraPorts:
[]
# - containerPort: 8300
# name: http-monitoring
@ -535,7 +542,7 @@ server:
execCommand: []
# - /bin/sh
# - -c
# - /vault/userconfig/mylivenessscript/run.sh
# - /openbao/userconfig/mylivenessscript/run.sh
# Path for the livenessProbe to use httpGet as the livenessProbe handler
path: "/v1/sys/health?standbyok=true"
# Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
@ -564,30 +571,33 @@ server:
postStart: []
# - /bin/sh
# - -c
# - /vault/userconfig/myscript/run.sh
# - /openbao/userconfig/myscript/run.sh
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
# used to include variables required for auto-unseal.
extraEnvironmentVars: {}
extraEnvironmentVars:
{}
# GOOGLE_REGION: global
# GOOGLE_PROJECT: myproject
# GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
# GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json
# extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
# These variables take value from existing Secret objects.
extraSecretEnvironmentVars: []
extraSecretEnvironmentVars:
[]
# - envName: AWS_SECRET_ACCESS_KEY
# secretName: vault
# secretName: openbao
# secretKey: AWS_SECRET_ACCESS_KEY
# Deprecated: please use 'volumes' instead.
# extraVolumes is a list of extra volumes to mount. These will be exposed
# to Vault in the path `/vault/userconfig/<name>/`. The value below is
# to OpenBao in the path `/openbao/userconfig/<name>/`. The value below is
# an array of objects, examples are shown below.
extraVolumes: []
extraVolumes:
[]
# - type: secret (or "configMap")
# name: my-secret
# path: null # default is `/vault/userconfig`
# path: null # default is `/openbao/userconfig`
# volumes is a list of volumes made available to all containers. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value.
@ -613,7 +623,7 @@ server:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/name: {{ template "openbao.name" . }}
app.kubernetes.io/instance: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
@ -649,12 +659,12 @@ server:
# port: 443
ingress:
- from:
- namespaceSelector: {}
- namespaceSelector: {}
ports:
- port: 8200
protocol: TCP
- port: 8201
protocol: TCP
- port: 8200
protocol: TCP
- port: 8201
protocol: TCP
# Priority class for server pods
priorityClassName: ""
@ -668,19 +678,26 @@ server:
# of the annotations to apply to the server pods
annotations: {}
# Enables a headless service to be used by the Vault Statefulset
# Add an annotation to the server configmap and the statefulset pods,
# vaultproject.io/config-checksum, that is a hash of the OpenBao configuration.
# This can be used together with an OnDelete deployment strategy to help
# identify which pods still need to be deleted during a deployment to pick up
# any configuration changes.
configAnnotation: false
# Enables a headless service to be used by the OpenBao Statefulset
service:
enabled: true
# Enable or disable the vault-active service, which selects Vault pods that
# have labeled themselves as the cluster leader with `vault-active: "true"`.
# Enable or disable the openbao-active service, which selects OpenBao pods that
# have labeled themselves as the cluster leader with `openbao-active: "true"`.
active:
enabled: true
# Extra annotations for the service definition. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply
# to the active service.
annotations: {}
# Enable or disable the vault-standby service, which selects Vault pods that
# have labeled themselves as a cluster follower with `vault-active: "false"`.
# Enable or disable the openbao-standby service, which selects OpenBao pods that
# have labeled themselves as a cluster follower with `openbao-active: "false"`.
standby:
enabled: true
# Extra annotations for the service definition. This can either be YAML or a
@ -688,21 +705,21 @@ server:
# to the standby service.
annotations: {}
# If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
# When disabled, services may select Vault pods not deployed from the chart.
# Does not affect the headless vault-internal service with `ClusterIP: None`
# When disabled, services may select OpenBao pods not deployed from the chart.
# Does not affect the headless openbao-internal service with `ClusterIP: None`
instanceSelector:
enabled: true
# clusterIP controls whether a Cluster IP address is attached to the
# Vault service within Kubernetes. By default, the Vault service will
# OpenBao service within Kubernetes. By default, the OpenBao service will
# be given a Cluster IP address, set to None to disable. When disabled
# Kubernetes will create a "headless" service. Headless services can be
# used to communicate with pods directly through DNS instead of a round-robin
# load balancer.
# clusterIP: None
# Configures the service type for the main Vault service. Can be ClusterIP
# Configures the service type for the main OpenBao service. Can be ClusterIP
# or NodePort.
#type: ClusterIP
# type: ClusterIP
# The IP family and IP families options are to set the behaviour in a dual-stack environment.
# Omitting these values will let the service fall back to whatever the CNI dictates the defaults
@ -714,7 +731,7 @@ server:
# PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
# RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
ipFamilyPolicy: ""
# Sets the families that should be supported and the order in which they should be applied to ClusterIP as well.
# Can be IPv4 and/or IPv6.
ipFamilies: []
@ -732,19 +749,19 @@ server:
# If type is set to "NodePort", a specific nodePort value can be configured,
# will be random if left blank.
#nodePort: 30000
# nodePort: 30000
# When HA mode is enabled
# If type is set to "NodePort", a specific nodePort value can be configured,
# will be random if left blank.
#activeNodePort: 30001
# activeNodePort: 30001
# When HA mode is enabled
# If type is set to "NodePort", a specific nodePort value can be configured,
# will be random if left blank.
#standbyNodePort: 30002
# standbyNodePort: 30002
# Port on which Vault server is listening
# Port on which OpenBao server is listening
port: 8200
# Target port to which the service should be mapped to
targetPort: 8200
@ -753,15 +770,15 @@ server:
# to the service.
annotations: {}
# This configures the Vault Statefulset to create a PVC for data
# This configures the OpenBao Statefulset to create a PVC for data
# storage when using the file or raft backend storage engines.
# See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
# See https://openbao.org/docs/configuration/storage to know more
dataStorage:
enabled: true
# Size of the PVC created
size: 10Gi
# Location where the PVC will be mounted.
mountPath: "/vault/data"
mountPath: "/openbao/data"
# Name of the storage class to use. If null it will use the
# configured default Storage Class.
storageClass: null
@ -780,17 +797,17 @@ server:
# whenScaled: Retain
persistentVolumeClaimRetentionPolicy: {}
# This configures the Vault Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized, and unsealed, Vault must
# This configures the OpenBao Statefulset to create a PVC for audit
# logs. Once OpenBao is deployed, initialized, and unsealed, OpenBao must
# be configured to use this for audit logs. This will be mounted to
# /vault/audit
# See https://developer.hashicorp.com/vault/docs/audit to know more
# /openbao/audit
# See https://openbao.org/docs/audit to know more
auditStorage:
enabled: false
# Size of the PVC created
size: 10Gi
# Location where the PVC will be mounted.
mountPath: "/vault/audit"
mountPath: "/openbao/audit"
# Name of the storage class to use. If null it will use the
# configured default Storage Class.
storageClass: null
@ -801,18 +818,18 @@ server:
# Labels to apply to the PVC
labels: {}
# Run Vault in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without
# Run OpenBao in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with OpenBao without
# needing to unseal, store keys, et. al. All data is lost on restart - do not
# use dev mode for anything other than experimenting.
# See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
# See https://openbao.org/docs/concepts/dev-server to know more
dev:
enabled: false
# Set VAULT_DEV_ROOT_TOKEN_ID value
devRootToken: "root"
# Run Vault in "standalone" mode. This is the default mode that will deploy if
# Run OpenBao in "standalone" mode. This is the default mode that will deploy if
# no arguments are given to helm. This requires a PVC for data storage to use
# the "file" backend. This mode is not highly available and should not be scaled
# past a single replica.
@ -820,14 +837,14 @@ server:
enabled: "-"
# config is a raw string of default configuration when using a Stateful
# deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
# deployment. Default is to use a PersistentVolumeClaim mounted at /openbao/data
# and store data there. This is only used when using a Replica count of 1, and
# using a stateful set. This should be HCL.
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
# https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
@ -841,17 +858,17 @@ server:
#}
}
storage "file" {
path = "/vault/data"
path = "/openbao/data"
}
# Example configuration for using auto-unseal, using Google Cloud KMS. The
# GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS.
#seal "gcpckms" {
# project = "vault-helm-dev"
# project = "openbao-helm-dev"
# region = "global"
# key_ring = "vault-helm-unseal-kr"
# crypto_key = "vault-helm-unseal-key"
# key_ring = "openbao-helm-unseal-kr"
# crypto_key = "openbao-helm-unseal-key"
#}
# Example configuration for enabling Prometheus metrics in your config.
@ -860,31 +877,30 @@ server:
# disable_hostname = true
#}
# Run Vault in "HA" mode. There are no storage requirements unless the audit log
# persistence is required. In HA mode Vault will configure itself to use Consul
# Run OpenBao in "HA" mode. There are no storage requirements unless the audit log
# persistence is required. In HA mode OpenBao will configure itself to use Consul
# for its storage backend. The default configuration provided will work the Consul
# Helm project by default. It is possible to manually configure Vault to use a
# Helm project by default. It is possible to manually configure OpenBao to use a
# different HA backend.
ha:
enabled: false
replicas: 3
# Set the api_addr configuration for Vault HA
# See https://developer.hashicorp.com/vault/docs/configuration#api_addr
# Set the api_addr configuration for OpenBao HA
# See https://openbao.org/docs/configuration#api_addr
# If set to null, this will be set to the Pod IP Address
apiAddr: null
# Set the cluster_addr confuguration for Vault HA
# See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
# If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
# Set the cluster_addr confuguration for OpenBao HA
# See https://openbao.org/docs/configuration#cluster_addr
# If set to null, this will be set to https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201
clusterAddr: null
# Enables Vault's integrated Raft storage. Unlike the typical HA modes where
# Vault's persistence is external (such as Consul), enabling Raft mode will create
# persistent volumes for Vault to store data according to the configuration under server.dataStorage.
# The Vault cluster will coordinate leader elections and failovers internally.
# Enables OpenBao's integrated Raft storage. Unlike the typical HA modes where
# OpenBao's persistence is external (such as Consul), enabling Raft mode will create
# persistent volumes for OpenBao to store data according to the configuration under server.dataStorage.
# The OpenBao cluster will coordinate leader elections and failovers internally.
raft:
# Enables Raft integrated storage
enabled: false
# Set the Node Raft ID to the name of the pod
@ -893,7 +909,7 @@ server:
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
# https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
@ -908,7 +924,7 @@ server:
}
storage "raft" {
path = "/vault/data"
path = "/openbao/data"
}
service_registration "kubernetes" {}
@ -920,7 +936,7 @@ server:
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
# https://openbao.org/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
@ -930,7 +946,7 @@ server:
cluster_address = "[::]:8201"
}
storage "consul" {
path = "vault"
path = "openbao"
address = "HOST_IP:8500"
}
@ -940,10 +956,10 @@ server:
# GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS.
#seal "gcpckms" {
# project = "vault-helm-dev-246514"
# project = "openbao-helm-dev-246514"
# region = "global"
# key_ring = "vault-helm-unseal-kr"
# crypto_key = "vault-helm-unseal-key"
# key_ring = "openbao-helm-unseal-kr"
# crypto_key = "openbao-helm-unseal-key"
#}
# Example configuration for enabling Prometheus metrics.
@ -959,12 +975,12 @@ server:
disruptionBudget:
enabled: true
# maxUnavailable will default to (n/2)-1 where n is the number of
# replicas. If you'd like a custom value, you can specify an override here.
# maxUnavailable will default to (n/2)-1 where n is the number of
# replicas. If you'd like a custom value, you can specify an override here.
maxUnavailable: null
# Definition of the serviceAccount used to run Vault.
# These options are also used when using an external Vault server to validate
# These options are also used when using an external OpenBao server to validate
# Kubernetes tokens.
serviceAccount:
# Specifies whether a service account should be created
@ -986,12 +1002,12 @@ server:
# This should be a YAML map of the labels to apply to the serviceAccount
extraLabels: {}
# Enable or disable a service account role binding with the permissions required for
# Vault's Kubernetes service_registration config option.
# See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
# OpenBao's Kubernetes service_registration config option.
# See https://openbao.org/docs/configuration/service-registration/kubernetes
serviceDiscovery:
enabled: true
# Settings for the statefulSet used to run Vault.
# Settings for the statefulSet used to run OpenBao.
statefulSet:
# Extra annotations for the statefulSet. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply
@ -1018,17 +1034,17 @@ server:
# Should the server pods run on the host network
hostNetwork: false
# Vault UI
# OpenBao UI
ui:
# True if you want to create a Service entry for the Vault UI.
# True if you want to create a Service entry for the OpenBao UI.
#
# serviceType can be used to control the type of service created. For
# example, setting this to "LoadBalancer" will create an external load
# balancer (for supported K8S installations) to access the UI.
enabled: false
publishNotReadyAddresses: true
# The service should only contain selectors for active Vault pod
activeVaultPodOnly: false
# The service should only contain selectors for active OpenBao pod
activeOpenbaoPodOnly: false
serviceType: "ClusterIP"
serviceNodePort: null
externalPort: 8200
@ -1055,7 +1071,7 @@ ui:
# ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
externalTrafficPolicy: Cluster
#loadBalancerSourceRanges:
# loadBalancerSourceRanges:
# - 10.0.0.0/16
# - 1.78.23.3/32
@ -1068,35 +1084,40 @@ ui:
# secrets-store-csi-driver-provider-vault
csi:
# True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
# -- True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
#
# Requires installing the secrets-store-csi-driver separately, see:
# https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
#
# With the driver and provider installed, you can mount Vault secrets into volumes
# similar to the Vault Agent injector, and you can also sync those secrets into
# With the driver and provider installed, you can mount OpenBao secrets into volumes
# similar to the OpenBao Agent injector, and you can also sync those secrets into
# Kubernetes secrets.
enabled: false
image:
# -- image registry to use for csi image
registry: "docker.io"
# -- image repo to use for csi image
repository: "hashicorp/vault-csi-provider"
tag: "1.4.1"
# -- image tag to use for csi image
tag: "1.4.0"
# -- image pull policy to use for csi image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
# volumes is a list of volumes made available to all containers. These are rendered
# -- volumes is a list of volumes made available to all containers. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value.
# The purpose is to make it easy to share volumes between containers.
volumes: null
volumes: []
# - name: tls
# secret:
# secretName: vault-tls
# secretName: openbao-tls
# volumeMounts is a list of volumeMounts for the main server container. These are rendered
# -- volumeMounts is a list of volumeMounts for the main server container. These are rendered
# via toYaml rather than pre-processed like the extraVolumes value.
# The purpose is to make it easy to share volumes between containers.
volumeMounts: null
volumeMounts: []
# - name: tls
# mountPath: "/vault/tls"
# mountPath: "/openbao/tls"
# readOnly: true
resources: {}
@ -1164,8 +1185,13 @@ csi:
extraArgs: []
image:
repository: "hashicorp/vault"
tag: "1.15.2"
# -- image registry to use for agent image
registry: "quay.io"
# -- image repo to use for agent image
repository: "openbao/openbao"
# -- image tag to use for agent image
tag: "2.0.2"
# -- image pull policy to use for agent image. if tag is "latest", set to "Always"
pullPolicy: IfNotPresent
logFormat: standard
@ -1222,20 +1248,20 @@ csi:
debug: false
# Pass arbitrary additional arguments to vault-csi-provider.
# See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments
# See https://openbao.org/docs/platform/k8s/csi/configurations#command-line-arguments
# for the available command line flags.
extraArgs: []
# Vault is able to collect and publish various runtime metrics.
# OpenBao is able to collect and publish various runtime metrics.
# Enabling this feature requires setting adding `telemetry{}` stanza to
# the Vault configuration. There are a few examples included in the `config` sections above.
# the OpenBao configuration. There are a few examples included in the `config` sections above.
#
# For more information see:
# https://developer.hashicorp.com/vault/docs/configuration/telemetry
# https://developer.hashicorp.com/vault/docs/internals/telemetry
# https://openbao.org/docs/configuration/telemetry
# https://openbao.org/docs/internals/telemetry
serverTelemetry:
# Enable support for the Prometheus Operator. Currently, this chart does not support
# authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included
# authenticating to OpenBao's metrics endpoint, so the following `telemetry{}` must be included
# in the `listener "tcp"{}` stanza
# telemetry {
# unauthenticated_metrics_access = "true"
@ -1243,7 +1269,7 @@ serverTelemetry:
#
# See the `standalone.config` for a more complete example of this.
#
# In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration:
# In addition, a top level `telemetry{}` stanza must also be included in the OpenBao configuration:
#
# example:
# telemetry {
@ -1251,7 +1277,7 @@ serverTelemetry:
# disable_hostname = true
# }
#
# Configuration for monitoring the Vault server.
# Configuration for monitoring the OpenBao server.
serviceMonitor:
# The Prometheus operator *must* be installed before enabling this feature,
# if not the chart will fail to install due to missing CustomResourceDefinitions
@ -1263,7 +1289,7 @@ serverTelemetry:
# https://github.com/prometheus-operator/prometheus-operator
# https://github.com/prometheus-operator/kube-prometheus
# Enable deployment of the Vault Server ServiceMonitor CustomResource.
# Enable deployment of the OpenBao Server ServiceMonitor CustomResource.
enabled: false
# Selector labels to add to the ServiceMonitor.
@ -1278,32 +1304,32 @@ serverTelemetry:
scrapeTimeout: 10s
prometheusRules:
# The Prometheus operator *must* be installed before enabling this feature,
# if not the chart will fail to install due to missing CustomResourceDefinitions
# provided by the operator.
# The Prometheus operator *must* be installed before enabling this feature,
# if not the chart will fail to install due to missing CustomResourceDefinitions
# provided by the operator.
# Deploy the PrometheusRule custom resource for AlertManager based alerts.
# Requires that AlertManager is properly deployed.
enabled: false
# Deploy the PrometheusRule custom resource for AlertManager based alerts.
# Requires that AlertManager is properly deployed.
enabled: false
# Selector labels to add to the PrometheusRules.
# When empty, defaults to:
# release: prometheus
selectors: {}
# Selector labels to add to the PrometheusRules.
# When empty, defaults to:
# release: prometheus
selectors: {}
# Some example rules.
rules: []
# - alert: vault-HighResponseTime
# annotations:
# message: The response time of Vault is over 500ms on average over the last 5 minutes.
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
# for: 5m
# labels:
# severity: warning
# - alert: vault-HighResponseTime
# annotations:
# message: The response time of Vault is over 1s on average over the last 5 minutes.
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
# for: 5m
# labels:
# severity: critical
# Some example rules.
rules: []
# - alert: vault-HighResponseTime
# annotations:
# message: The response time of OpenBao is over 500ms on average over the last 5 minutes.
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
# for: 5m
# labels:
# severity: warning
# - alert: vault-HighResponseTime
# annotations:
# message: The response time of OpenBao is over 1s on average over the last 10 minutes.
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
# for: 10m
# labels:
# severity: critical

14
templates/NOTES.txt
View file

@ -1,14 +0,0 @@
Thank you for installing HashiCorp Vault!
Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:
https://developer.hashicorp.com/vault/docs
Your release is named {{ .Release.Name }}. To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get manifest {{ .Release.Name }}

25
templates/csi-rolebinding.yaml
View file

@ -1,25 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-csi-provider-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
{{- end }}

45
templates/server-config-configmap.yaml
View file

@ -1,45 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-config
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
extraconfig-from-values.hcl: |-
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }}
disable_mlock = true
{{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
{{ tpl .Values.server.ha.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
{{ end }}
{{- else }}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
{{- else }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

21
templates/server-serviceaccount-secret.yaml
View file

@ -1,21 +0,0 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverServiceAccountSecretCreationEnabled" . }}
{{- if .serverServiceAccountSecretCreationEnabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "vault.serviceAccount.name" . }}-token
namespace: {{ include "vault.namespace" . }}
annotations:
kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
type: kubernetes.io/service-account-token
{{ end }}

8
test/README.md
View file

@ -1,11 +1,9 @@
# Vault Helm Tests
# OpenBao Helm Tests
## Running Vault Helm Acceptance tests
## Running OpenBao Helm Acceptance tests
The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster.
Note that for the Vault Enterprise tests to pass, a `VAULT_LICENSE_CI` environment variable needs to be set to the contents of a valid Vault Enterprise license.
### Running in a GKE cluster
* Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project.
@ -49,7 +47,7 @@ editing will be required, since several properties accept multiple data types.
## Helm test
Vault Helm also contains a simple helm test under
OpenBao Helm also contains a simple helm test under
[templates/tests/](../templates/tests/) that may be run against a helm release:
helm test <RELEASE_NAME>

26
test/acceptance/_helpers.bash
View file

@ -3,15 +3,15 @@
# name_prefix returns the prefix of the resources within Kubernetes.
name_prefix() {
printf "vault"
printf "openbao"
}
# chart_dir returns the directory for the chart
chart_dir() {
echo ${BATS_TEST_DIRNAME}/../..
echo ${BATS_TEST_DIRNAME}/../../charts/openbao
}
# helm_install installs the vault chart. This will source overridable
# helm_install installs the openbao chart. This will source overridable
# values from the "values.yaml" file in this directory. This can be set
# by CI or other environments to do test-specific overrides. Note that its
# easily possible to break tests this way so be careful.
@ -22,11 +22,11 @@ helm_install() {
fi
helm install -f ${values} \
--name vault \
${BATS_TEST_DIRNAME}/../..
--name openbao \
${BATS_TEST_DIRNAME}/../../charts/openbao
}
# helm_install_ha installs the vault chart using HA mode. This will source
# helm_install_ha installs the openbao chart using HA mode. This will source
# overridable values from the "values.yaml" file in this directory. This can be
# set by CI or other environments to do test-specific overrides. Note that its
# easily possible to break tests this way so be careful.
@ -37,10 +37,10 @@ helm_install_ha() {
fi
helm install -f ${values} \
--name vault \
--name openbao \
--set 'server.enabled=false' \
--set 'serverHA.enabled=true' \
${BATS_TEST_DIRNAME}/../..
${BATS_TEST_DIRNAME}/../../charts/openbao
}
# wait for consul to be ready
@ -52,7 +52,7 @@ wait_for_sealed_vault() {
POD_NAME=$1
check() {
sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed')
sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed')
if [ "$sealed_status" == "true" ]; then
return 0
fi
@ -61,15 +61,15 @@ wait_for_sealed_vault() {
for i in $(seq 60); do
if check ${POD_NAME}; then
echo "Vault on ${POD_NAME} is running."
echo "OpenBao on ${POD_NAME} is running."
return
fi
echo "Waiting for Vault on ${POD_NAME} to be running..."
echo "Waiting for OpenBao on ${POD_NAME} to be running..."
sleep 2
done
echo "Vault on ${POD_NAME} never became running."
echo "OpenBao on ${POD_NAME} never became running."
return 1
}
@ -144,7 +144,7 @@ wait_for_complete_job() {
# string length.
kubectl get job $1 -o json | \
jq -r 'select(
.status.succeeded == 1
.status.succeeded == 1
) | .metadata.namespace + "/" + .metadata.name'
}

2
test/acceptance/csi-test/vault-kv-secretproviderclass.yaml → test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
View file

@ -1,7 +1,7 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# The "Hello World" Vault SecretProviderClass
# The "Hello World" OpenBao SecretProviderClass
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:

0
test/acceptance/csi-test/vault-policy.hcl → test/acceptance/csi-test/openbao-policy.hcl
View file

32
test/acceptance/csi.bats
View file

@ -18,11 +18,11 @@ load _helpers
--wait --timeout=5m \
--namespace=acceptance \
--set linux.image.pullPolicy="IfNotPresent" \
--set tokenRequests[0].audience="vault" \
--set tokenRequests[0].audience="openbao" \
--set enableSecretRotation=true \
--set rotationPollInterval=5s
# Install Vault and Vault provider
helm install vault \
# Install OpenBao and OpenBao provider
helm install openbao \
--wait --timeout=5m \
--namespace=acceptance \
--set="server.dev.enabled=true" \
@ -31,23 +31,23 @@ load _helpers
--set="csi.agent.logLevel=debug" \
--set="injector.enabled=false" \
.
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
# Set up k8s auth and a kv secret.
cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy -
kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes
kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
bound_service_account_names=nginx \
bound_service_account_namespaces=acceptance \
policies=kv-policy \
ttl=20m
kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
@ -55,7 +55,7 @@ load _helpers
for i in $(seq 10); do
sleep 2
if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
echo "Agent returned a cached login response"
return
fi
@ -65,8 +65,8 @@ load _helpers
# Print the logs and fail the test
echo "Failed to find a log for the Agent renewing CSI's auth token"
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
exit 1
}
@ -75,7 +75,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm --namespace=acceptance delete vault
helm --namespace=acceptance delete openbao
helm --namespace=acceptance delete secrets-store-csi-driver
kubectl delete --all pvc
kubectl delete namespace acceptance

2
test/acceptance/helm-test.bats
View file

@ -20,7 +20,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi

8
test/acceptance/injector-leader-elector.bats
View file

@ -13,9 +13,9 @@ load _helpers
--wait \
--timeout=5m \
--set="injector.replicas=3" .
kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m
kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=openbao-agent-injector --timeout=5m
pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name'))
pods=($(kubectl get pods -l app.kubernetes.io/name=openbao-agent-injector -o json | jq -r '.items[] | .metadata.name'))
[ "${#pods[@]}" == 3 ]
leader=''
@ -45,8 +45,8 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete namespace acceptance
fi
}
}

24
test/acceptance/injector-test/bootstrap.sh
View file

@ -5,40 +5,40 @@
OUTPUT=/tmp/output.txt
vault operator init -n 1 -t 1 >> ${OUTPUT?}
bao operator init -n 1 -t 1 >> ${OUTPUT?}
unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g")
root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g")
vault operator unseal ${unseal?}
bao operator unseal ${unseal?}
vault login -no-print ${root?}
bao login -no-print ${root?}
vault policy write db-backup /vault/userconfig/test/pgdump-policy.hcl
bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl
vault auth enable kubernetes
bao auth enable kubernetes
vault write auth/kubernetes/config \
bao write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/db-backup \
bao write auth/kubernetes/role/db-backup \
bound_service_account_names=pgdump \
bound_service_account_namespaces=acceptance \
policies=db-backup \
ttl=1h
vault secrets enable database
bao secrets enable database
vault write database/config/postgresql \
bao write database/config/postgresql \
plugin_name=postgresql-database-plugin \
allowed_roles="db-backup" \
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \
username="vault" \
password="vault"
username="openbao" \
password="openbao"
vault write database/roles/db-backup \
bao write database/roles/db-backup \
db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \

14
test/acceptance/injector-test/job.yaml
View file

@ -32,11 +32,11 @@ spec:
spec:
serviceAccountName: pgdump
containers:
- name: pgdump
image: postgres:11.5
command:
- "/bin/sh"
- "-ec"
args:
- "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
- name: pgdump
image: postgres:11.5
command:
- "/bin/sh"
- "-ec"
args:
- "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
restartPolicy: Never

12
test/acceptance/injector-test/pg-deployment.yaml
View file

@ -38,7 +38,7 @@ spec:
- containerPort: 5432
env:
- name: POSTGRES_DB
value: mydb
value: mydb
- name: POSTGRES_USER
value: postgres
- name: POSTGRES_PASSWORD
@ -52,7 +52,7 @@ spec:
- name: pgdata
emptyDir: {}
- name: pgconf
configMap:
configMap:
name: "pg-init"
---
apiVersion: v1
@ -63,10 +63,10 @@ metadata:
app: postgres
data:
setup.sql: |
CREATE ROLE vault;
ALTER ROLE vault WITH SUPERUSER LOGIN PASSWORD 'vault';
\c mydb
CREATE ROLE openbao;
ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao';
\c mydb
CREATE SCHEMA app;
CREATE TABLE app.inventory(id int);
INSERT INTO app.inventory(id) VALUES (0);

24
test/acceptance/injector.bats
View file

@ -4,20 +4,20 @@ load _helpers
@test "injector: testing deployment" {
cd `chart_dir`
kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
kubectl create -f ./test/acceptance/injector-test/pg-deployment.yaml
kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml
sleep 5
wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}")
kubectl create secret generic test \
--from-file ./test/acceptance/injector-test/pgdump-policy.hcl \
--from-file ./test/acceptance/injector-test/bootstrap.sh
--from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \
--from-file ../../test/acceptance/injector-test/bootstrap.sh
kubectl label secret test app=vault-agent-demo
kubectl label secret test app=openbao-agent-demo
helm install "$(name_prefix)" \
--set="server.extraVolumes[0].type=secret" \
@ -26,20 +26,20 @@ load _helpers
wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")
kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /vault/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
sleep 5
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
[ "${init_status}" == "true" ]
kubectl create -f ./test/acceptance/injector-test/job.yaml
kubectl create -f ../../test/acceptance/injector-test/job.yaml
wait_for_complete_job "pgdump"
}
@ -48,9 +48,9 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete secret test
kubectl delete secret test
kubectl delete job pgdump
kubectl delete deployment postgres
kubectl delete namespace acceptance

2
test/acceptance/server-annotations.bats
View file

@ -8,7 +8,7 @@ load _helpers
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
helm install "$(name_prefix)" -f ./test/acceptance/server-test/annotations-overrides.yaml .
helm install "$(name_prefix)" -f ../../test/acceptance/server-test/annotations-overrides.yaml .
wait_for_running $(name_prefix)-0
# service annotations

6
test/acceptance/server-dev.bats
View file

@ -43,11 +43,11 @@ load _helpers
[ "${ports}" == "8201" ]
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
}
@ -57,7 +57,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi

166
test/acceptance/server-ha-enterprise-dr.bats
View file

@ -1,166 +0,0 @@
#!/usr/bin/env bats
load _helpers
@test "server/ha-enterprise-raft: testing DR deployment" {
cd `chart_dir`
helm install "$(name_prefix)-east" \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
--set='injector.enabled=false' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-east-0"
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
vault operator init -format=json -n 1 -t 1)
local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${primary_token}" != "" ]
local primary_root=$(echo ${init} | jq -r '.root_token')
[ "${primary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
wait_for_ready "$(name_prefix)-east-0"
sleep 10
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-east-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root}
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json)
[ "${secondary}" != "" ]
local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
[ "${secondary_replica_token}" != "" ]
# Install vault-west
helm install "$(name_prefix)-west" \
--set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-west-0"
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
vault operator init -format=json -n 1 -t 1)
local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${secondary_token}" != "" ]
local secondary_root=$(echo ${init} | jq -r '.root_token')
[ "${secondary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
wait_for_ready "$(name_prefix)-west-0"
sleep 10
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root}
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token}
sleep 10
local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl delete pod "${pod?}"
wait_for_running "${pod?}"
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
}
setup() {
kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI
}
#cleanup
teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
helm delete vault-east
helm delete vault-west
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi
}

164
test/acceptance/server-ha-enterprise-perf.bats
View file

@ -1,164 +0,0 @@
#!/usr/bin/env bats
load _helpers
@test "server/ha-enterprise-raft: testing performance replica deployment" {
cd `chart_dir`
helm install "$(name_prefix)-east" \
--set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-east-0"
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-east-0
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
vault operator init -format=json -n 1 -t 1)
local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${primary_token}" != "" ]
local primary_root=$(echo ${init} | jq -r '.root_token')
[ "${primary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
wait_for_ready "$(name_prefix)-east-0"
sleep 30
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-east-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root}
local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json)
[ "${secondary}" != "" ]
local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
[ "${secondary_replica_token}" != "" ]
# Install vault-west
helm install "$(name_prefix)-west" \
--set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' \
--set='server.enterpriseLicense.secretName=vault-license' .
wait_for_running "$(name_prefix)-west-0"
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-west-0
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Vault Init
local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
vault operator init -format=json -n 1 -t 1)
local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${secondary_token}" != "" ]
local secondary_root=$(echo ${init} | jq -r '.root_token')
[ "${secondary_root}" != "" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
wait_for_ready "$(name_prefix)-west-0"
sleep 30
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token}
wait_for_ready "${pod}"
fi
done
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root}
local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token}
sleep 30
local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-west-0" ]]
then
kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
wait_for_ready "${pod}"
fi
done
}
setup() {
kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI
}
#cleanup
teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
helm delete vault-east
helm delete vault-west
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi
}

30
test/acceptance/server-ha-raft.bats
View file

@ -13,7 +13,7 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
@ -57,45 +57,45 @@ load _helpers
jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ]
# Vault Init
# OpenBao Init
local init=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1)
bao operator init -format=json -n 1 -t 1)
local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
local root=$(echo ${init} | jq -r '.root_token')
[ "${root}" != "" ]
kubectl exec -ti vault-0 -- vault operator unseal ${token}
kubectl exec -ti openbao-0 -- bao operator unseal ${token}
wait_for_ready "$(name_prefix)-0"
sleep 5
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
# OpenBao Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
if [[ ${pod?} != "$(name_prefix)-0" ]]
then
kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
kubectl exec -ti ${pod} -- vault operator unseal ${token}
kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
kubectl exec -ti ${pod} -- bao operator unseal ${token}
wait_for_ready "${pod}"
fi
done
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
kubectl exec "$(name_prefix)-0" -- vault login ${root}
kubectl exec "$(name_prefix)-0" -- bao login ${root}
local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json |
local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json |
jq -r '.data.config.servers | length')
[ "${raft_status}" == "3" ]
}
@ -112,9 +112,9 @@ teardown() {
then
# If the test failed, print some debug output
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
kubectl logs -l app.kubernetes.io/name=vault
kubectl logs -l app.kubernetes.io/name=openbao
fi
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi

121
test/acceptance/server-ha.bats
View file

@ -1,121 +0,0 @@
#!/usr/bin/env bats
load _helpers
@test "server/ha: testing deployment" {
cd `chart_dir`
helm install "$(name_prefix)" \
--set='server.ha.enabled=true' .
wait_for_running $(name_prefix)-0
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
# Replicas
local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.replicas')
[ "${replicas}" == "3" ]
# Volume Mounts
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts | length')
[ "${volumeCount}" == "2" ]
# Volumes
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.volumes | length')
[ "${volumeCount}" == "2" ]
local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.volumes[0].configMap.name')
[ "${volume}" == "$(name_prefix)-config" ]
# Service
local service=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.clusterIP')
[ "${service}" != "None" ]
local service=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.type')
[ "${service}" == "ClusterIP" ]
local ports=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.ports | length')
[ "${ports}" == "2" ]
local ports=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.ports[0].port')
[ "${ports}" == "8200" ]
local ports=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ]
# Vault Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- vault operator unseal ${token}
done
wait_for_ready "$(name_prefix)-0"
# Sealed, not initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
}
# setup a consul env
setup() {
kubectl delete namespace acceptance --ignore-not-found=true
kubectl create namespace acceptance
kubectl config set-context --current --namespace=acceptance
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
CONSUL_HELM_VERSION=v0.48.0
K8S_MAJOR=$(kubectl version --output=json | jq -r .serverVersion.major)
K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor)
if [ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]; then
CONSUL_HELM_VERSION=v0.32.1
fi
helm install consul hashicorp/consul \
--version $CONSUL_HELM_VERSION \
--set 'ui.enabled=false'
wait_for_running_consul
}
#cleanup
teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
# If the test failed, print some debug output
if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
kubectl logs -l app=consul
kubectl logs -l app.kubernetes.io/name=vault
fi
helm delete vault
helm delete consul
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi
}

22
test/acceptance/server-telemetry.bats
View file

@ -19,7 +19,7 @@ load _helpers
helm install \
--wait \
--values ./test/acceptance/server-test/telemetry.yaml \
--values ../../test/acceptance/server-test/telemetry.yaml \
"$(name_prefix)" .
wait_for_running $(name_prefix)-0
@ -27,31 +27,31 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
# Vault Init
# OpenBao Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \
bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
# OpenBao Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- vault operator unseal ${token}
kubectl exec -ti ${pod} -- bao operator unseal ${token}
done
wait_for_ready "$(name_prefix)-0"
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
# unfortunately it can take up to 2 minutes for the vault prometheus job to appear
# unfortunately it can take up to 2 minutes for the openbao prometheus job to appear
# TODO: investigate how reduce this.
local job_labels
local tries=0
@ -62,7 +62,7 @@ load _helpers
-- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr )
# Ensure the expected job label was picked up by Prometheus
[ "$(echo "${job_labels}" | jq 'any(.data[]; . == "vault-internal")')" = "true" ] && break
[ "$(echo "${job_labels}" | jq 'any(.data[]; . == "openbao-internal")')" = "true" ] && break
((++tries))
sleep .5
@ -72,7 +72,7 @@ load _helpers
# Ensure the expected job is "up"
local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \
-c prometheus \
-- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="vault-internal"}' ) | \
-- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="openbao-internal"}' ) | \
tee /dev/stderr )
[ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ]
}

2
test/acceptance/server-test/telemetry.yaml
View file

@ -17,7 +17,7 @@ server:
}
storage "file" {
path = "/vault/data"
path = "/openbao/data"
}
telemetry {

20
test/acceptance/server.bats
View file

@ -15,7 +15,7 @@ load _helpers
# Sealed, not initialized
wait_for_sealed_vault $(name_prefix)-0
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "false" ]
@ -40,7 +40,7 @@ load _helpers
local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath')
[ "${mountPath}" == "/vault/data" ]
[ "${mountPath}" == "/openbao/data" ]
# Volumes
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
@ -72,27 +72,27 @@ load _helpers
jq -r '.spec.ports[1].port')
[ "${ports}" == "8201" ]
# Vault Init
# OpenBao Init
local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
vault operator init -format=json -n 1 -t 1 | \
bao operator init -format=json -n 1 -t 1 | \
jq -r '.unseal_keys_b64[0]')
[ "${token}" != "" ]
# Vault Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
# OpenBao Unseal
local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
for pod in "${pods[@]}"
do
kubectl exec -ti ${pod} -- vault operator unseal ${token}
kubectl exec -ti ${pod} -- bao operator unseal ${token}
done
wait_for_ready "$(name_prefix)-0"
# Unsealed, initialized
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.sealed' )
[ "${sealed_status}" == "false" ]
local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
jq -r '.initialized')
[ "${init_status}" == "true" ]
}
@ -102,7 +102,7 @@ teardown() {
if [[ ${CLEANUP:-true} == "true" ]]
then
echo "helm/pvc teardown"
helm delete vault
helm delete openbao
kubectl delete --all pvc
kubectl delete namespace acceptance --ignore-not-found=true
fi

2
test/chart/_helpers.bash
View file

@ -3,7 +3,7 @@
# chart_dir returns the directory for the chart
chart_dir() {
echo ${BATS_TEST_DIRNAME}/../..
echo ${BATS_TEST_DIRNAME}/../../charts/openbao
}
# check_result checks if the specified test passed

4
test/chart/verifier.bats
View file

@ -5,8 +5,8 @@ load _helpers
setup_file() {
cd `chart_dir`
export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json"
export CHART_VOLUME=vault-helm-chart-src
local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1"
export CHART_VOLUME=openbao-helm-chart-src
local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7"
# chart-verifier requires an openshift version if a cluster isn't available
local OPENSHIFT_VERSION="4.12"
local DISABLED_TESTS="chart-testing"

6
test/docker/Test.dockerfile
View file

@ -28,7 +28,11 @@ RUN apk update && apk add --no-cache --virtual .build-deps \
jq
# yq
RUN pip install yq
RUN python3 -m venv venv && \
. venv/bin/activate && \
pip install yq && \
ln -s $PWD/venv/bin/yq /usr/local/bin/yq && \
deactivate
# gcloud
RUN curl -OL https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash && \

2
test/terraform/main.tf
View file

@ -19,7 +19,7 @@ data "google_service_account" "gcpapi" {
}
resource "google_container_cluster" "cluster" {
name = "vault-helm-dev-${random_id.suffix.dec}"
name = "openbao-helm-dev-${random_id.suffix.dec}"
project = "${var.project}"
enable_legacy_abac = true
initial_node_count = 3

2
test/terraform/variables.tf
View file

@ -2,7 +2,7 @@
# SPDX-License-Identifier: MPL-2.0
variable "project" {
default = "vault-helm-dev-246514"
default = "openbao-helm-dev-246514"
description = <<EOF
Google Cloud Project to launch resources in. This project must have GKE

2
test/unit/_helpers.bash
View file

@ -3,5 +3,5 @@
# chart_dir returns the directory for the chart
chart_dir() {
echo ${BATS_TEST_DIRNAME}/../..
echo ${BATS_TEST_DIRNAME}/../../charts/openbao
}

16
test/unit/csi-agent-configmap.bats
View file

@ -18,7 +18,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-agent-config" ]
[ "${actual}" = "release-name-openbao-csi-provider-agent-config" ]
}
@test "csi/Agent-ConfigMap: namespace" {
@ -40,25 +40,25 @@ load _helpers
[ "${actual}" = "bar" ]
}
@test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" {
@test "csi/Agent-ConfigMap: OpenBao addr not affected by injector setting" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-agent-configmap.yaml \
--set "csi.enabled=true" \
--release-name not-external-test \
--set 'injector.externalVaultAddr=http://vault-outside' \
--set 'injector.externalVaultAddr=http://openbao-outside' \
. | tee /dev/stderr |
yq -r '.data["config.hcl"]' | tee /dev/stderr)
echo "${actual}" | grep "http://not-external-test-vault.default.svc:8200"
echo "${actual}" | grep "http://not-external-test-openbao.default.svc:8200"
}
@test "csi/Agent-ConfigMap: Vault addr correctly set for externalVaultAddr" {
@test "csi/Agent-ConfigMap: OpenBao addr correctly set for externalVaultAddr" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-agent-configmap.yaml \
--set "csi.enabled=true" \
--set 'global.externalVaultAddr=http://vault-outside' \
--set 'global.externalVaultAddr=http://openbao-outside' \
. | tee /dev/stderr |
yq -r '.data["config.hcl"]' | tee /dev/stderr)
echo "${actual}" | grep "http://vault-outside"
}
echo "${actual}" | grep "http://openbao-outside"
}

4
test/unit/csi-clusterrole.bats
View file

@ -29,5 +29,5 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-clusterrole" ]
}
[ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ]
}

6
test/unit/csi-clusterrolebinding.bats
View file

@ -29,7 +29,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.roleRef.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-clusterrole" ]
[ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ]
}
# ClusterRoleBinding service account name
@ -40,7 +40,7 @@ load _helpers
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.subjects[0].name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider" ]
[ "${actual}" = "release-name-openbao-csi-provider" ]
}
# ClusterRoleBinding service account namespace
@ -61,4 +61,4 @@ load _helpers
. | tee /dev/stderr |
yq -r '.subjects[0].namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
}

Some files were not shown because too many files have changed in this diff Show more