diff --git a/.github/actions/setup-test-tools/action.yaml b/.github/actions/setup-test-tools/action.yaml index 6da07b5b7..d2941065c 100644 --- a/.github/actions/setup-test-tools/action.yaml +++ b/.github/actions/setup-test-tools/action.yaml @@ -6,7 +6,7 @@ description: Install bats and python-yq runs: using: "composite" steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: '16' - run: npm install -g bats@${BATS_VERSION} @@ -15,7 +15,7 @@ runs: BATS_VERSION: '1.8.2' - run: bats -v shell: bash - - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.10' - run: pip install yq diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 4c8720d90..75de9c231 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -5,18 +5,18 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.22.17, 1.23.17, 1.24.13, 1.25.9, 1.26.4, 1.27.2] + kind-k8s-version: [1.24.15, 1.25.11, 1.26.6, 1.27.3, 1.28.0] runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup test tools uses: ./.github/actions/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0 + uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.19.0 + version: v0.20.0 - run: bats --tap --timing ./test/acceptance env: VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index ad6237c51..0f73ec380 100644 
--- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml @@ -14,4 +14,4 @@ jobs: JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} with: - teams-array: '["ecosystem", "foundations"]' + teams-array: '["ecosystem", "foundations-eco"]' diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index ea3e7b562..11c19de44 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -4,20 +4,20 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/setup-test-tools - run: bats --tap --timing ./test/unit chart-verifier: runs-on: ubuntu-latest env: - CHART_VERIFIER_VERSION: '1.10.1' + CHART_VERIFIER_VERSION: '1.13.0' steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup test tools uses: ./.github/actions/setup-test-tools - - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: '1.19.2' + go-version: '1.21.3' - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" - run: bats --tap --timing ./test/chart permissions: diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml index 55cebb53d..28016abc6 100644 --- a/.github/workflows/update-helm-charts-index.yml +++ b/.github/workflows/update-helm-charts-index.yml 
@@ -11,7 +11,7 @@ jobs: update-helm-charts-index: runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: verify Chart version matches tag version run: |- export TAG=${{ github.ref_name }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e59adea4..0e0cb0af8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,48 @@ ## Unreleased +## 0.27.0 (November 16, 2023) + +Changes: + +* Default `vault` version updated to 1.15.2 + +Features: + +* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965) +* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969) +* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877) + +Improvements: + +* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971) + +## 0.26.1 (October 30, 2023) + +Bugs: +* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961) + +## 0.26.0 (October 27, 2023) + +Changes: +* Default `vault` version updated to 1.15.1 +* Default `vault-k8s` version updated to 1.3.1 +* Default `vault-csi-provider` version updated to 1.4.1 +* Tested with Kubernetes versions 1.24-1.28 +* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966) + +Features: +* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) +* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955) +* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896) +* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923) + Bugs: * csi: Add namespace field to `csi-role` and `csi-rolebindings`. 
[GH-909](https://github.com/hashicorp/vault-helm/pull/909) Improvements: * global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) +* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912) +* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943) ## 0.25.0 (June 26, 2023) diff --git a/Chart.yaml b/Chart.yaml index 878f0b1eb..abc94daf0 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,8 +3,8 @@ apiVersion: v2 name: vault -version: 0.26.0 -appVersion: 1.14.0 +version: 0.28.0 +appVersion: 1.15.2 kubeVersion: ">= 1.20.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/README.md b/README.md index 6e7014360..256bd8b91 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ cases of Vault on Kubernetes depending on the values provided. For full documentation on this Helm chart along with all the ways you can use Vault with Kubernetes, please see the -[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/). +[Vault and Kubernetes documentation](https://developer.hashicorp.com/vault/docs/platform/k8s). ## Prerequisites @@ -39,5 +39,5 @@ $ helm install vault hashicorp/vault Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the [Vault -website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more +website](https://developer.hashicorp.com/vault/docs/platform/k8s/helm) along with more detailed installation instructions. diff --git a/templates/NOTES.txt b/templates/NOTES.txt index 8e267121c..60d99a4e5 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt 
@@ -4,7 +4,7 @@ Thank you for installing HashiCorp Vault! Now that you have deployed Vault, you should look over the docs on using Vault with Kubernetes available here: -https://www.vaultproject.io/docs/ +https://developer.hashicorp.com/vault/docs Your release is named {{ .Release.Name }}. To learn more about the release, try: diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index d796ab57d..8f77f9220 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -82,6 +82,17 @@ Compute if the server serviceaccount is enabled. (eq (.Values.global.enabled | toString) "true"))) -}} {{- end -}} +{{/* +Compute if the server serviceaccount should have a token created and mounted to the serviceaccount. +*/}} +{{- define "vault.serverServiceAccountSecretCreationEnabled" -}} +{{- $_ := set . "serverServiceAccountSecretCreationEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true") + (eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}} +{{- end -}} + + {{/* Compute if the server auth delegator serviceaccount is enabled. */}} @@ -156,7 +167,11 @@ Set's the replica count based on the different modes configured by user {{ if eq .mode "standalone" }} {{- default 1 -}} {{ else if eq .mode "ha" }} - {{- .Values.server.ha.replicas | default 3 -}} + {{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}} + {{- .Values.server.ha.replicas -}} + {{ else }} + {{- 3 -}} + {{- end -}} {{ else }} {{- default 1 -}} {{ end }} @@ -274,6 +289,7 @@ storage might be desired by the user. - metadata: name: data {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} + {{- include "vault.dataVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} 
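Review bot: The new `vault.serverServiceAccountSecretCreationEnabled` helper documents when the flag is on but not what it produces: a reader of `_helpers.tpl` cannot tell that `server.serviceAccount.createSecret` results in a `kubernetes.io/service-account-token` Secret, i.e. a long-lived token that, unlike the projected token the kubelet mounts by default, never expires or rotates. I would extend the header comment to `Compute if a long-lived kubernetes.io/service-account-token Secret is created for the server serviceaccount (server.serviceAccount.createSecret). The token never expires, so keep it disabled unless a consumer cannot use projected tokens.` The two bare `+` blank lines after `{{- end -}}` also leave a double blank line between defines, which the neighbouring helpers do not have; one is enough.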
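Review bot: The `kindIs` check in `vault.replicas` turns every non-numeric `server.ha.replicas` into 3 silently: a quoted `replicas: "2"` in an override file, or a value passed with `--set-string`, renders three replicas with no error, which is the same class of silent override that the 0.26.1 entry in CHANGELOG.md fixes for integers. Only nil (the `replicas=null` case the new test in server-ha-statefulset.bats covers) should fall back to the default; any other kind is a configuration error and should `fail` so that `helm template` and `helm install` stop. The enclosing define starts and ends outside this hunk.
```gotemplate
  {{ else if eq .mode "ha" }}
    {{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}}
      {{- .Values.server.ha.replicas -}}
    {{- else if kindIs "invalid" .Values.server.ha.replicas -}}
      {{- 3 -}}
    {{- else -}}
      {{- fail "server.ha.replicas must be an integer" -}}
    {{- end -}}
```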
@@ -288,6 +304,7 @@ storage might be desired by the user. - metadata: name: audit {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} + {{- include "vault.auditVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} @@ -695,6 +712,33 @@ Sets extra vault server Service annotations {{- end }} {{- end -}} +{{/* +Sets extra vault server Service (active) annotations +*/}} +{{- define "vault.service.active.annotations" -}} + {{- if .Values.server.service.active.annotations }} + {{- $tp := typeOf .Values.server.service.active.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.active.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.active.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets extra vault server Service annotations +*/}} +{{- define "vault.service.standby.annotations" -}} + {{- if .Values.server.service.standby.annotations }} + {{- $tp := typeOf .Values.server.service.standby.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.standby.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.standby.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets PodSecurityPolicy annotations */}} @@ -740,6 +784,21 @@ Sets VolumeClaim annotations for data volume {{- end }} {{- end -}} +{{/* +Sets VolumeClaim labels for data volume +*/}} +{{- define "vault.dataVolumeClaim.labels" -}} + {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }} + labels: + {{- $tp := typeOf .Values.server.dataStorage.labels }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.dataStorage.labels . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.dataStorage.labels | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets VolumeClaim annotations for audit volume */}} 
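Review bot: The header comment on `vault.service.standby.annotations` is a copy of the one on `vault.service.annotations` (`Sets extra vault server Service annotations`), so two helpers with different inputs now carry identical descriptions; the active variant directly above says `(active)`, and this one should read `Sets extra vault server Service (standby) annotations`. The helper body itself mirrors the active variant correctly.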
@@ -755,6 +814,21 @@ Sets VolumeClaim annotations for audit volume {{- end }} {{- end -}} +{{/* +Sets VolumeClaim labels for audit volume +*/}} +{{- define "vault.auditVolumeClaim.labels" -}} + {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }} + labels: + {{- $tp := typeOf .Values.server.auditStorage.labels }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.auditStorage.labels . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.auditStorage.labels | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Set's the container resources if the user has set any. */}} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 2a3375a63..9d2abfbb1 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -22,11 +22,20 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} vault-active: "true" annotations: -{{ template "vault.service.annotations" .}} +{{- template "vault.service.active.annotations" . }} +{{- template "vault.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 27fdfce8b..bae1e2834 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml 
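Review bot: Rendering `vault.service.active.annotations` immediately followed by `vault.service.annotations` under the one `annotations:` key means an annotation present in both `server.service.annotations` and `server.service.active.annotations` is emitted twice in the same mapping; duplicate keys are invalid YAML 1.2, most loaders keep the last occurrence silently, and strict server-side validation may warn on or reject the object, so the chart does not define which value wins. The standby Service in the next hunk (`server-ha-standby-service.yaml`) has the same shape. Because both helpers accept either a string or a map, merging in the template is awkward; at minimum document the intended precedence in values.yaml and add a case to the new `with both annotations set` bats tests that sets the same key in both values, e.g. `--set 'server.service.annotations=foo: common' --set 'server.service.active.annotations=foo: active'`, asserting the value you decide should win.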
@@ -21,11 +21,20 @@ metadata:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
-{{ template "vault.service.annotations" .}}
+{{- template "vault.service.standby.annotations" . }}
+{{- template "vault.service.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
+ {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+ {{- if .Values.server.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.server.service.ipFamilies }}
+ ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ {{- end }}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml
index 4df81e219..c0f4d3460 100644
--- a/templates/server-headless-service.yaml
+++ b/templates/server-headless-service.yaml
@@ -22,6 +22,14 @@ metadata:
annotations:
{{ template "vault.service.annotations" .}}
spec:
+ {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+ {{- if .Values.server.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.server.service.ipFamilies }}
+ ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ {{- end }}
clusterIP: None
publishNotReadyAddresses: true
ports:
diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml
index 62d4ae1ac..43dcdb16f 100644
--- a/templates/server-network-policy.yaml
+++ b/templates/server-network-policy.yaml
@@ -16,14 +16,7 @@ spec: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - ingress: - - from: - - namespaceSelector: {} - ports: - - port: 8200 - protocol: TCP - - port: 8201 - protocol: TCP + ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }} {{- if .Values.server.networkPolicy.egress }} egress: {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 444b15e60..c12e190cb 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -24,6 +24,14 @@ spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} diff --git a/templates/server-serviceaccount-secret.yaml b/templates/server-serviceaccount-secret.yaml new file mode 100644 index 000000000..74d70f900 --- /dev/null +++ b/templates/server-serviceaccount-secret.yaml 
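Review bot: `ingress:` is now rendered unconditionally from `server.networkPolicy.ingress`, while `egress:` two lines below stays behind an `if`; when the value is unset `toYaml` prints `null`, and a NetworkPolicy that selects the server pods with no ingress rules (and no explicit `policyTypes`) isolates them from all inbound traffic, including the 8201 port the replicas use between themselves. Failing closed is defensible, but it replaces a rule the template used to guarantee (8200/8201 from any namespace) with whatever values.yaml supplies, and values.yaml is not part of this diff, so I cannot confirm the default reproduces the old rule. I would add a regression test in test/unit/server-network-policy.bats asserting that the default rendering still lists ports 8200 and 8201, and mirror the egress guard so an empty value is visibly absent rather than `ingress: null`: `{{- if .Values.server.networkPolicy.ingress }}` / `ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}` / `{{- end }}`.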
@@ -0,0 +1,21 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverServiceAccountSecretCreationEnabled" . }} +{{- if .serverServiceAccountSecretCreationEnabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "vault.serviceAccount.name" . }}-token + namespace: {{ include "vault.namespace" . }} + annotations: + kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: kubernetes.io/service-account-token +{{ end }} \ No newline at end of file diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 519d421c3..0d8e604d0 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -24,6 +24,9 @@ spec: replicas: {{ template "vault.replicas" . }} updateStrategy: type: {{ .Values.server.updateStrategyType }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} selector: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }} @@ -61,6 +64,10 @@ spec: {{ template "vault.volumes" . }} - name: home emptyDir: {} + {{- if .Values.server.hostAliases }} + hostAliases: + {{ toYaml .Values.server.hostAliases | nindent 8}} + {{- end }} {{- if .Values.server.extraInitContainers }} initContainers: {{ toYaml .Values.server.extraInitContainers | nindent 8}} 
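Review bot: The new `server-serviceaccount-secret.yaml` creates a `kubernetes.io/service-account-token` Secret, which the control plane fills with a non-expiring token for the `vault.serviceAccount.name` account, but the file says nothing about that — its header is only the licence block. I would add, after the SPDX line, a comment such as `Opt-in via server.serviceAccount.createSecret: a long-lived service-account token Secret. Unlike the projected token mounted by default it never expires or rotates, so anyone able to read Secrets in this namespace holds a permanent credential for the server serviceaccount; enable it only for consumers that cannot use projected tokens.` Two smaller points on the same file: the `{{ template ... }}` call before the `if` is untrimmed, so the rendered document starts with a blank line (`{{- template ... -}}` matches the helper style), and the file has no trailing newline.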
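Review bot: The `semverCompare ">= 1.23-0"` guard on `persistentVolumeClaimRetentionPolicy` matches the release in which the field entered the StatefulSet API, but as far as I recall the field sat behind the `StatefulSetAutoDeletePVC` feature gate (alpha in 1.23, on by default from 1.27), so on a 1.23–1.26 cluster with the gate off the API server silently drops it and a `whenDeleted: Delete` policy is never applied — worth a comment, because operators will otherwise assume the rendered YAML is what the cluster enforces. For this chart the policy also governs Vault's data and audit PVCs, so `Delete` removes the storage backend together with the StatefulSet. I would put both above the new `if`: `{{/* Only honoured where the StatefulSetAutoDeletePVC gate is on (default from 1.27); Delete removes the data/audit PVCs with the StatefulSet. */}}`.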
@@ -175,10 +182,18 @@ spec:
{{- end }}
{{- if .Values.server.livenessProbe.enabled }}
livenessProbe:
+ {{- if .Values.server.livenessProbe.execCommand }}
+ exec:
+ command:
+ {{- range (.Values.server.livenessProbe.execCommand) }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- else }}
httpGet:
path: {{ .Values.server.livenessProbe.path | quote }}
port: {{ .Values.server.livenessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }}
+ {{- end }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml
index 2c577aa24..20e2e5a5a 100644
--- a/templates/tests/server-test.yaml
+++ b/templates/tests/server-test.yaml
@@ -9,7 +9,7 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: v1
kind: Pod
metadata:
- name: "{{ .Release.Name }}-server-test"
+ name: {{ template "vault.fullname" . }}-server-test
namespace: {{ include "vault.namespace" . }}
annotations:
"helm.sh/hook": test
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml
index 261732ba1..95370842e 100644
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@@ -20,6 +20,14 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.ui.annotations" . }}
spec:
+ {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+ {{- if .Values.ui.serviceIPFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.ui.serviceIPFamilies }}
+ ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ {{- end }}
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
index b7e2ec5f2..cf36430d4 100755
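Review bot: When `server.livenessProbe.execCommand` is set the `httpGet` branch is skipped entirely, so `livenessProbe.path`, `.port` and `.scheme` are silently ignored even though they remain in values; a one-line comment above the new `if` — `{{/* execCommand replaces the httpGet probe; path, port and scheme are ignored when it is set */}}` — and the same sentence in the values.yaml description would spare the next reader a trip through the template. The enclosing container spec continues outside the hunk.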
--- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats @@ -13,6 +13,31 @@ load _helpers [ "${actual}" = "true" ] } +@test "server/ha-active-Service: with active annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.active.annotations=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} +@test "server/ha-active-Service: with both annotations set" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.active.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=vaultIsNotAwesome: false' \ + . | tee /dev/stderr | + yq -r '.metadata' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] + actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr) + [ "${actual}" = "false" ] +} @test "server/ha-active-Service: disable with ha.enabled false" { cd `chart_dir` local actual=$( (helm template \ diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 5f2654e44..bd04853af 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats 
@@ -24,6 +24,42 @@ load _helpers [ "${actual}" = "true" ] } +@test "server/ha-standby-Service: with standby annotations string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.standby.annotations=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/ha-standby-Service: with standby annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.standby.annotations.vaultIsAwesome=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} +@test "server/ha-standby-Service: with both annotations set" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.standby.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=vaultIsNotAwesome: false' \ + . | tee /dev/stderr | + yq -r '.metadata' | tee /dev/stderr) + + local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] + actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr) + [ "${actual}" = "false" ] +} @test "server/ha-standby-Service: disable with ha.enabled false" { cd `chart_dir` local actual=$( (helm template \ diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 06a0ca0a0..9bb5118db 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -157,6 +157,28 @@ load _helpers [ "${actual}" = "10" ] } +@test "server/ha-StatefulSet: zero replicas" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=0' \ + . | tee /dev/stderr | + yq -r '.spec.replicas' | tee /dev/stderr) + [ "${actual}" = "0" ] +} + +@test "server/ha-StatefulSet: invalid value for replicas" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=null' \ + . | tee /dev/stderr | + yq -r '.spec.replicas' | tee /dev/stderr) + [ "${actual}" = "3" ] +} + #-------------------------------------------------------------------- # resources diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 8a1f52fe8..df649bebc 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats 
@@ -53,4 +53,46 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "bar" ] +} + +@test "server/headless-Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] +} + +@test "server/headless-Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} + +@test "server/headless-Service: Assert ipFamilyPolicy is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/headless-Service: Assert ipFamilies is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilies' | tee /dev/stderr) + [ "${actual}" = "null" ] } \ No newline at end of file diff --git a/test/unit/server-network-policy.bats b/test/unit/server-network-policy.bats index 1364321d1..179268577 100755 --- a/test/unit/server-network-policy.bats +++ b/test/unit/server-network-policy.bats 
@@ -21,6 +21,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "server/network-policy: ingress changed by server.networkPolicy.ingress" { + cd `chart_dir` + local actual=$(helm template \ + --set 'server.networkPolicy.enabled=true' \ + --set 'server.networkPolicy.ingress[0].from[0].podSelector.matchLabels.foo=bar' \ + --show-only templates/server-network-policy.yaml \ + . | tee /dev/stderr | + yq -r '.spec.ingress[0].from[0].podSelector.matchLabels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/network-policy: egress enabled by server.networkPolicy.egress" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index b84e5b1d0..040e9fadf 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -467,3 +467,45 @@ load _helpers yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) [ "${actual}" = "null" ] } + +@test "server/Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] +} + +@test "server/Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} + +@test "server/Service: Assert ipFamilyPolicy is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/Service: Assert ipFamilies is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilies' | tee /dev/stderr) + [ "${actual}" = "null" ] +} \ No newline at end of file diff --git a/test/unit/server-serviceaccount-secret.bats b/test/unit/server-serviceaccount-secret.bats new file mode 100644 index 000000000..2cfe33395 --- /dev/null +++ b/test/unit/server-serviceaccount-secret.bats 
@@ -0,0 +1,77 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/ServiceAccountSecret: verify service account name match" { + cd `chart_dir` + + local actual=$( (helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.create=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.name=user-defined-ksa' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "user-defined-ksa-token" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-token" ] + +} + +@test "server/ServiceAccountSecret: annotation mapping to service account" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.name=user-defined-ksa' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) + [ "${actual}" = "user-defined-ksa" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.createSecret=true' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) + [ "${actual}" = "release-name-vault" ] + +} + +@test "server/ServiceAccountSecret: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'server.serviceAccount.createSecret=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'server.serviceAccount.createSecret=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 7dc01f584..8acd9ee91 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
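Review bot: In `server/ServiceAccountSecret: verify service account name match` and the two tests after it, `local actual=` is declared repeatedly inside one function (three times in the first test); bash accepts the re-declaration, but shellcheck flags it and it reads as though each were a fresh variable. Declare once and reassign afterwards (`actual=$(helm template ...)`), as the second assignment in `server-ha-active-service.bats` in this same diff already does. The `|| echo "---"` fallback in the first test is needed because `--show-only` errors on an empty render, but it also turns a genuine template error into a pass of the `length > 0` check; asserting the expected error text, or checking the exit status separately, would make that case tighter.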
@@ -221,6 +221,73 @@ load _helpers [ "${actual}" = "OnDelete" ] } +#-------------------------------------------------------------------- +# persistentVolumeClaimRetentionPolicy + +@test "server/standalone-StatefulSet: persistentVolumeClaimRetentionPolicy not set by default when kubernetes < 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.22" \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: unset persistentVolumeClaimRetentionPolicy.whenDeleted when kubernetes < 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.22" \ + --set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete' \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenDeleted' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: unset persistentVolumeClaimRetentionPolicy.whenScaled when kubernetes < 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.22" \ + --set 'server.persistentVolumeClaimRetentionPolicy.whenScaled=Delete' \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenScaled' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: persistentVolumeClaimRetentionPolicy not set by default when kubernetes >= 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.23" \ + . 
| tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: can set persistentVolumeClaimRetentionPolicy.whenDeleted when kubernetes >= 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.23" \ + --set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Delete' \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenDeleted' | tee /dev/stderr) + [ "${actual}" = "Delete" ] +} + +@test "server/standalone-StatefulSet: can set persistentVolumeClaimRetentionPolicy.whenScaled when kubernetes >= 1.23" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --kube-version "1.23" \ + --set 'server.persistentVolumeClaimRetentionPolicy.whenScaled=Delete' \ + . | tee /dev/stderr | + yq -r '.spec.persistentVolumeClaimRetentionPolicy.whenScaled' | tee /dev/stderr) + [ "${actual}" = "Delete" ] +} + #-------------------------------------------------------------------- # replicas 
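Review bot: The six new tests only exercise `Delete` on Kubernetes >= 1.23, so a template that emitted `Delete` unconditionally would pass; `Retain`, the value the values.yaml example in this same change recommends, is never asserted to pass through. One additional case with `--set 'server.persistentVolumeClaimRetentionPolicy.whenDeleted=Retain'` and `[ "${actual}" = "Retain" ]` would close that gap. Style: these tests use `-s templates/server-statefulset.yaml` while the other new tests in this file use `--show-only`; picking one form keeps the file greppable.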
@@ -1415,6 +1482,41 @@ load _helpers [ "${actual}" = "100" ] } +@test "server/standalone-StatefulSet: liveness exec disabled by default" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.livenessProbe.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.exec' | tee /dev/stderr) + [ "${actual}" = "null" ] + + local actual=$(echo $object | + yq -r '.httpGet' | tee /dev/stderr) + [ ! "${actual}" = "null" ] +} + +@test "server/standalone-StatefulSet: liveness exec can be set" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.livenessProbe.enabled=true' \ + --set='server.livenessProbe.execCommand={/bin/sh,-c,sleep}' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.exec.command[0]' | tee /dev/stderr) + [ "${actual}" = "/bin/sh" ] + + local actual=$(echo $object | + yq -r '.httpGet' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + #-------------------------------------------------------------------- # args @test "server/standalone-StatefulSet: add extraArgs" { 
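Review bot: The "liveness exec can be set" test asserts only `command[0]`, so a template that dropped or reordered `-c` and `sleep` would still pass; asserting the whole array, as the ui-service tests in this change already do with `yq -c`, is stronger. The unquoted `echo $object` is also subject to word splitting and pathname expansion, so any future command element containing `*` or `?` would be rewritten by the shell before yq sees it. Suggested lines: `local actual=$(echo "$object" |` / `yq -c '.exec.command' | tee /dev/stderr)` / `[ "${actual}" = '["/bin/sh","-c","sleep"]' ]`. Minor: `--set='server.livenessProbe.execCommand=...'` uses the `--set=` form while every other flag in the file uses `--set '...'`.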
@@ -1826,6 +1928,28 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# hostAliases + +@test "server/StatefulSet: server.hostAliases not set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostAliases' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/StatefulSet: server.hostAliases is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.hostAliases[0]=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostAliases[]' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} + #-------------------------------------------------------------------- # extraPorts 
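Review bot: `--set 'server.hostAliases[0]=foo'` places a bare string in a list whose entries are objects with `ip` and `hostnames` (the values.yaml example in this same change shows the shape), so the "is set" test renders a document the apiserver would reject and never exercises the nested fields that a real `/etc/hosts` override carries. Setting a structured entry pins the pass-through of both fields: `--set 'server.hostAliases[0].ip=127.0.0.1'` and `--set 'server.hostAliases[0].hostnames[0]=foo'`, then `yq -r '.spec.template.spec.hostAliases[0].hostnames[0]'` compared with `"foo"`.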
@@ -1876,3 +2000,49 @@ load _helpers yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.port' | tee /dev/stderr) [ "${actual}" = "8200" ] } + +#-------------------------------------------------------------------- +# labels +@test "server/standalone-StatefulSet: auditStorage volumeClaim labels string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.auditStorage.enabled=true' \ + --set 'server.auditStorage.labels=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[1].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: dataStorage volumeClaim labels string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.dataStorage.enabled=true' \ + --set 'server.dataStorage.labels=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: auditStorage volumeClaim labels yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.auditStorage.enabled=true' \ + --set 'server.auditStorage.labels.vaultIsAwesome=true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[1].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: dataStorage volumeClaim labels yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.dataStorage.enabled=true' \ + --set 'server.dataStorage.labels.vaultIsAwesome=true' \ + . | tee /dev/stderr | + yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} 
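Review bot: With `--set 'server.dataStorage.labels.vaultIsAwesome=true'` Helm coerces the value to a boolean, and `yq -r` prints `true` for both a boolean and the string `"true"`, so the two "labels yaml" tests cannot tell whether the template emits a string label; if the map is rendered with `toYaml` without quoting, the result is a boolean label value that the apiserver rejects (label values must be strings). Asserting the type as well would catch that: `yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"] | type' | tee /dev/stderr)` with `[ "${actual}" = "string" ]`. Note also that the auditStorage tests index `volumeClaimTemplates[1]`, which holds only while `dataStorage.enabled` stays `true` by default; a comment saying so would keep the index from silently going stale.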
diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index de82f84c3..314703a5d 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats @@ -37,6 +37,33 @@ load _helpers #-------------------------------------------------------------------- +@test "server/standalone-server-test-Pod: default metadata.name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-server-test" ] +} + +@test "server/standalone-server-test-Pod: release metadata.name vault" { + cd `chart_dir` + local actual=$(helm template vault \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "vault-server-test" ] +} + +@test "server/standalone-server-test-Pod: release metadata.name foo" { + cd `chart_dir` + local actual=$(helm template foo \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "foo-vault-server-test" ] +} + @test "server/standalone-server-test-Pod: default server.standalone.enabled" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 384098f89..dce0e5e7c 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats 
@@ -383,5 +383,50 @@ load _helpers . | tee /dev/stderr | yq '.spec.externalTrafficPolicy' | tee /dev/stderr) [ "${actual}" = "null" ] +} + +@test "ui/Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} + +@test "ui/Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] +} +@test "server/Service: Assert ipFamilyPolicy is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --kube-version 1.22.0 \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] } + +@test "server/Service: Assert ipFamilies is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --kube-version 1.22.0 \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilies' | tee /dev/stderr) + [ "${actual}" = "null" ] +} \ No newline at end of file diff --git a/values.openshift.yaml b/values.openshift.yaml index 6e575e4d4..bafc5e699 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml 
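Review bot: The last two tests are named `server/Service: ...` although they render `templates/ui-service.yaml` and set `ui.*` values, while the two above them use the `ui/Service:` prefix; the name is what bats reports on failure, so the mismatch sends a reader to the wrong template. Renaming them `ui/Service: Assert ipFamilyPolicy is not set if version below 1.23` and `ui/Service: Assert ipFamilies is not set if version below 1.23` fixes it. Style: the third test starts directly after the closing `}` of the second with no blank line, unlike every other test in the file, and the file now ends with `\ No newline at end of file`.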
@@ -9,13 +9,16 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.2.1-ubi" + tag: "1.3.1-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.14.0-ubi" + tag: "1.15.2-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.14.0-ubi" + tag: "1.15.2-ubi" + + readinessProbe: + path: "/v1/sys/health?uninitcode=204" diff --git a/values.schema.json b/values.schema.json index 2aefb06d0..976065733 100644 --- a/values.schema.json +++ b/values.schema.json @@ -559,6 +559,12 @@ "string" ] }, + "labels": { + "type": [ + "object", + "string" + ] + }, "enabled": { "type": [ "boolean", @@ -599,6 +605,12 @@ "string" ] }, + "labels": { + "type": [ + "object", + "string" + ] + }, "enabled": { "type": [ "boolean", @@ -619,6 +631,17 @@ } } }, + "persistentVolumeClaimRetentionPolicy": { + "type": "object", + "properties": { + "whenDeleted": { + "type": "string" + }, + "whenScaled": { + "type": "string" + } + } + }, "dev": { "type": "object", "properties": { @@ -740,6 +763,9 @@ } } }, + "hostAliases": { + "type": "array" + }, "image": { "type": "object", "properties": { @@ -815,6 +841,12 @@ "path": { "type": "string" }, + "port": { + "type": "integer" + }, + "execCommand": { + "type": "array" + }, "periodSeconds": { "type": "integer" }, @@ -840,6 +872,9 @@ }, "enabled": { "type": "boolean" + }, + "ingress": { + "type": "array" } } }, @@ -919,6 +954,12 @@ "properties": { "enabled": { "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] } } }, @@ -953,6 +994,12 @@ "properties": { "enabled": { "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] } } }, @@ -967,6 +1014,14 @@ }, "standbyNodePort": { "type": "integer" + }, + "ipFamilyPolicy": { + "type": "string" + }, + "ipFamilies": { + "type": [ + "array" + ] } } }, 
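Review bot: The new `readinessProbe.path` carries no comment, and `uninitcode=204` changes the readiness contract in a way a reader cannot infer from the value: an uninitialized Vault is reported ready and therefore receives Service traffic. Presumably this is so the pod is reachable through the OpenShift Route before `vault operator init` has run, which is worth stating next to the setting, e.g. `# uninitcode=204 reports an uninitialized Vault as ready so the pod is reachable through the Route/Service for initialization.` The base values.yaml on this page does not carry the same override, so the comment should also say the OpenShift values intentionally differ.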
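Review bot: The `ipFamilies` entry declares `"type": ["array"]` (a one-element list) while `hostAliases`, `execCommand` and `ingress` in the same file use the plain `"type": "array"` form; the ui `serviceIPFamilies`/`serviceIPFamilyPolicy` entries repeat the list form, so the schema now mixes both styles for no reason. None of the new array entries declares `items`, so a scalar element — the very thing the hostAliases unit test sets — passes `helm lint` and is only rejected by the apiserver. At minimum `"hostAliases": { "type": "array", "items": { "type": "object" } }` and `"ipFamilies": { "type": "array", "items": { "type": "string" } }` would make the schema reflect the expected shapes.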
@@ -985,6 +1040,9 @@ "extraLabels": { "type": "object" }, + "createSecret": { + "type": "boolean" + }, "name": { "type": "string" }, @@ -1140,6 +1198,16 @@ }, "targetPort": { "type": "integer" + }, + "serviceIPFamilyPolicy": { + "type": [ + "string" + ] + }, + "serviceIPFamilies": { + "type": [ + "array" + ] } } } diff --git a/values.yaml b/values.yaml index 347dfe605..1a0bbfa22 100644 --- a/values.yaml +++ b/values.yaml @@ -68,7 +68,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.2.1" + tag: "1.3.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -76,7 +76,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.14.0" + tag: "1.15.2" # The default values for the injected Vault Agent containers. agentDefaults: @@ -377,7 +377,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.14.0" + tag: "1.15.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -445,6 +445,12 @@ server: # hosts: # - chart-example.local + # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list. + hostAliases: [] + # - ip: 127.0.0.1 + # hostnames: + # - chart-example.local + # OpenShift only - create a route to expose the service # By default the created route will be of type passthrough route: @@ -465,7 +471,7 @@ server: # authDelegator enables a cluster role binding to be attached to the service # account. This cluster role binding can be used to setup Kubernetes auth - # method. https://www.vaultproject.io/docs/auth/kubernetes.html + # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes authDelegator: enabled: true 
@@ -525,8 +531,14 @@ server: # Used to enable a livenessProbe for the pods livenessProbe: enabled: false + # Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler. + execCommand: [] + # - /bin/sh + # - -c + # - /vault/userconfig/mylivenessscript/run.sh + # Path for the livenessProbe to use httpGet as the livenessProbe handler path: "/v1/sys/health?standbyok=true" - # Port number on which livenessProbe will be checked. + # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 @@ -635,6 +647,14 @@ server: # ports: # - protocol: TCP # port: 443 + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP # Priority class for server pods priorityClassName: "" 
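Review bot: The new `ingress` default in the second hunk uses `namespaceSelector: {}`, which matches every namespace in the cluster, so enabling the policy still admits all in-cluster traffic to ports 8200 and 8201 — a reader scanning the file would not expect an enabled network policy to be that permissive, and the value carries no comment. The enclosing block appears to be `networkPolicy` (its start is outside the hunk), so this should be stated where the value is set, e.g. `# Default allows ingress to the API (8200) and cluster (8201) ports from every namespace; narrow the selector to the namespaces that need Vault.` The `execCommand` comment in the first hunk reads well; only its closing sentence would benefit from naming that `path` and `port` are ignored when `execCommand` is non-empty, if that is what the template does.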
@@ -652,13 +672,21 @@ server: service: enabled: true # Enable or disable the vault-active service, which selects Vault pods that - # have labelled themselves as the cluster leader with `vault-active: "true"` + # have labeled themselves as the cluster leader with `vault-active: "true"`. active: enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the active service. + annotations: {} # Enable or disable the vault-standby service, which selects Vault pods that - # have labelled themselves as a cluster follower with `vault-active: "false"` + # have labeled themselves as a cluster follower with `vault-active: "false"`. standby: enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the standby service. + annotations: {} # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` # When disabled, services may select Vault pods not deployed from the chart. # Does not affect the headless vault-internal service with `ClusterIP: None` 
@@ -676,6 +704,21 @@ server: # or NodePort. #type: ClusterIP + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family policy, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + ipFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. + # Can be IPv4 and/or IPv6. + ipFamilies: [] + # Do not wait for pods to be ready before including them in the services' # targets. Does not apply to the headless service, which is used for # cluster-internal communication. @@ -712,7 +755,7 @@ server: # This configures the Vault Statefulset to create a PVC for data # storage when using the file or raft backend storage engines. - # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more + # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more dataStorage: enabled: true # Size of the PVC created 
@@ -726,12 +769,22 @@ server: accessMode: ReadWriteOnce # Annotations to apply to the PVC annotations: {} + # Labels to apply to the PVC + labels: {} + + # Persistent Volume Claim (PVC) retention policy + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + # Example: + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + persistentVolumeClaimRetentionPolicy: {} # This configures the Vault Statefulset to create a PVC for audit # logs. Once Vault is deployed, initialized, and unsealed, Vault must # be configured to use this for audit logs. This will be mounted to # /vault/audit - # See https://www.vaultproject.io/docs/audit/index.html to know more + # See https://developer.hashicorp.com/vault/docs/audit to know more auditStorage: enabled: false # Size of the PVC created @@ -745,12 +798,14 @@ server: accessMode: ReadWriteOnce # Annotations to apply to the PVC annotations: {} + # Labels to apply to the PVC + labels: {} # Run Vault in "dev" mode. This requires no further setup, no state management, # and no initialization. This is useful for experimenting with Vault without # needing to unseal, store keys, et. al. All data is lost on restart - do not # use dev mode for anything other than experimenting. - # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more + # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more dev: enabled: false @@ -772,7 +827,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true 
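Review bot: The `persistentVolumeClaimRetentionPolicy` comment shows `Retain` in its example but says nothing about the other accepted value, and `whenDeleted: Delete` removes the Vault data PVCs (raft or file storage) together with the StatefulSet, which is the one setting here that can destroy the stored secrets engine data. A sentence stating that next to the example would save an operator from learning it from the apiserver: `# whenDeleted: Delete removes the data and audit PVCs when the StatefulSet is deleted; keep Retain unless the data is backed up elsewhere.` The comment could also note, as the unit tests in this change do, that the block is dropped on Kubernetes < 1.23 even when set.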
@@ -815,12 +870,12 @@ server: replicas: 3 # Set the api_addr configuration for Vault HA - # See https://www.vaultproject.io/docs/configuration#api_addr + # See https://developer.hashicorp.com/vault/docs/configuration#api_addr # If set to null, this will be set to the Pod IP Address apiAddr: null # Set the cluster_addr confuguration for Vault HA - # See https://www.vaultproject.io/docs/configuration#cluster_addr + # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 clusterAddr: null @@ -838,7 +893,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true @@ -865,7 +920,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true 
@@ -917,6 +972,12 @@ server: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" + # Create a Secret API object to store a non-expiring token for the service account. + # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default. + # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible. + # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets + # serviceAccount.create must be equal to 'true' in order to use this feature. + createSecret: false # Extra annotations for the serviceAccount definition. This can either be # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. @@ -973,6 +1034,21 @@ ui: externalPort: 8200 targetPort: 8200 + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + serviceIPFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well + # Can be IPv4 and/or IPv6. + serviceIPFamilies: [] + # The externalTrafficPolicy can be set to either Cluster or Local # and is only valid for LoadBalancer and NodePort service types. # The default value is Cluster. 
@@ -1004,7 +1080,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.4.0" + tag: "1.4.1" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered @@ -1089,7 +1165,7 @@ csi: image: repository: "hashicorp/vault" - tag: "1.14.0" + tag: "1.15.2" pullPolicy: IfNotPresent logFormat: standard @@ -1146,7 +1222,7 @@ csi: debug: false # Pass arbitrary additional arguments to vault-csi-provider. - # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments + # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments # for the available command line flags. extraArgs: [] @@ -1155,8 +1231,8 @@ csi: # the Vault configuration. There are a few examples included in the `config` sections above. # # For more information see: -# https://www.vaultproject.io/docs/configuration/telemetry -# https://www.vaultproject.io/docs/internals/telemetry +# https://developer.hashicorp.com/vault/docs/configuration/telemetry +# https://developer.hashicorp.com/vault/docs/internals/telemetry serverTelemetry: # Enable support for the Prometheus Operator. Currently, this chart does not support # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included