Add OpenShift beta support (#319)

* Initial commit * Added openshift flag * added self signed certificate for service annotation * added OpenShift flag * Added OpenShift flag * cleanup * Cleanup * Further cleanup * Further cleanup * reverted security context on injector * Extra corrections * cleanup * Removed Raft config for OpenShift, removed generated certs for ha and standby services * Add openshift flag to global block, route disabled by default, condition for injector in network policy * Added Unit tests for OpenShift * Fixed unit test for HA statefulset for OpenShift * Removed debug log level from stateful set * Added port 8201 to networkpolicy * Updated injector image * Add openshift beta support * Add openshift beta support * Remove comments from configs * Remove vault-k8s note from values * Change route to use active service when HA Co-authored-by: Radu Domnu <[email protected]> Co-authored-by: Radu Domnu <[email protected]>
hashicorp · Jun 3, 2020 · 853cb06 · 853cb06
1 parent 7f7fb7b
commit 853cb06
Show file tree

Hide file tree

Showing 23 changed files with 382 additions and 49 deletions.
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -318,6 +318,21 @@ Sets extra ingress annotations
   {{- end }}
 {{- end -}}
 
+{{/*
+Sets extra route annotations
+*/}}
+{{- define "vault.route.annotations" -}}
+  {{- if .Values.server.route.annotations }}
+  annotations:
+    {{- $tp := typeOf .Values.server.route.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.server.route.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.server.route.annotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Sets extra vault server Service annotations
 */}}

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
@@ -31,10 +31,12 @@ spec:
       priorityClassName: {{ .Values.injector.priorityClassName }}
       {{- end }}
       serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
+      {{- if not .Values.global.openshift }}
       securityContext:
         runAsNonRoot: true
         runAsGroup: {{ .Values.injector.gid | default 1000 }}
         runAsUser: {{ .Values.injector.uid | default 100 }}
+      {{- end }}
       containers:
         - name: sidecar-injector
           {{ template "injector.resources" . }}
@@ -70,6 +72,10 @@ spec:
               value: {{ .Values.injector.logFormat | default "standard" }}
             - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
               value: "{{ .Values.injector.revokeOnShutdown | default false }}"
+            {{- if .Values.global.openshift }}
+            - name: AGENT_INJECT_SET_SECURITY_CONTEXT
+              value: "false"
+            {{- end }}
             {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
           args:
             - agent-inject

diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.global.openshift }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector
+  labels:
+    app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: webhook
+  ingress:
+    - from:
+        - namespaceSelector: {}
+      ports:
+      - port: 8080
+        protocol: TCP
+{{ end }}
diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.global.openshift }}
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if .Values.server.ingress.enabled -}}
@@ -49,3 +50,4 @@ spec:
   {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.global.openshift }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "vault.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "vault.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  ingress:
+    - from:
+        - namespaceSelector: {}
+      ports:
+      - port: 8200
+        protocol: TCP
+      - port: 8201
+        protocol: TCP
+{{ end }}
diff --git a/templates/server-route.yaml b/templates/server-route.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.global.openshift }}
+{{- if ne .mode "external" }}
+{{- if .Values.server.route.enabled -}}
+{{- $serviceName := include "vault.fullname" . -}}
+{{- if eq .mode "ha" }}
+{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
+{{- end }}
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+  name: {{ template "vault.fullname" . }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- with .Values.server.route.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- template "vault.route.annotations" . }}
+spec:
+  host: {{ .Values.server.route.host }}
+  to:
+    kind: Service
+    name: {{ $serviceName }}
+    weight: 100
+  port:
+    targetPort: 8200
+  tls:
+    termination: passthrough
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
@@ -45,13 +45,17 @@ spec:
       {{ if  .Values.server.shareProcessNamespace }}
       shareProcessNamespace: true
       {{ end }}
+      {{- if not .Values.global.openshift }}
       securityContext:
         runAsNonRoot: true
         runAsGroup: {{ .Values.server.gid | default 1000 }}
         runAsUser: {{ .Values.server.uid | default 100 }}
         fsGroup: {{ .Values.server.gid | default 1000 }}
+      {{- end }}
       volumes:
         {{ template "vault.volumes" . }}
+        - name: home
+          emptyDir: {}
       {{- if .Values.server.extraInitContainers }}
       initContainers:
         {{ toYaml .Values.server.extraInitContainers | nindent 8}}
@@ -100,11 +104,15 @@ spec:
                 fieldRef:
                   fieldPath: metadata.name
             {{- end }}
+            - name: HOME
+              value: "/home/vault"
             {{ template "vault.envs" . }}
             {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
             {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
           volumeMounts:
           {{ template "vault.mounts" . }}
+            - name: home
+              mountPath: /home/vault
           ports:
             - containerPort: 8200
               name: {{ include "vault.scheme" . }}

diff --git a/test/acceptance/injector-test/pg-deployment.yaml b/test/acceptance/injector-test/pg-deployment.yaml
@@ -41,7 +41,7 @@ spec:
             - name: POSTGRES_PASSWORD
               value: password
           volumeMounts:
-            - mountPath: "/var/lib/postgresql/data"
+            - mountPath: "/var/lib/postgresql"
               name: "pgdata"
             - mountPath: "/docker-entrypoint-initdb.d"
               name: "pgconf"

diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats
@@ -19,7 +19,7 @@ load _helpers
   # Volume Mounts
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.containers[0].volumeMounts | length')
-  [ "${volumeCount}" == "0" ]
+  [ "${volumeCount}" == "1" ]
 
   # Service
   local service=$(kubectl get service "$(name_prefix)" --output json |

diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats
@@ -7,7 +7,7 @@ load _helpers
 
   helm install "$(name_prefix)-east" \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.4.0_ent' \
+    --set='server.image.tag=1.4.2_ent' \
     --set='injector.enabled=false' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' .
@@ -76,7 +76,7 @@ load _helpers
   helm install "$(name_prefix)-west" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.4.0_ent' \
+    --set='server.image.tag=1.4.2_ent' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' .
   wait_for_running "$(name_prefix)-west-0"

diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats
@@ -8,7 +8,7 @@ load _helpers
   helm install "$(name_prefix)-east" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.4.0_ent' \
+    --set='server.image.tag=1.4.2_ent' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' .
   wait_for_running "$(name_prefix)-east-0"
@@ -76,7 +76,7 @@ load _helpers
   helm install "$(name_prefix)-west" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.4.0_ent' \
+    --set='server.image.tag=1.4.2_ent' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' .
   wait_for_running "$(name_prefix)-west-0"

diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats
@@ -27,12 +27,12 @@ load _helpers
   # Volume Mounts
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.containers[0].volumeMounts | length')
-  [ "${volumeCount}" == "2" ]
+  [ "${volumeCount}" == "3" ]
 
   # Volumes
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes | length')
-  [ "${volumeCount}" == "1" ]
+  [ "${volumeCount}" == "2" ]
 
   local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes[0].configMap.name')

diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats
@@ -26,12 +26,12 @@ load _helpers
   # Volume Mounts
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.containers[0].volumeMounts | length')
-  [ "${volumeCount}" == "1" ]
+  [ "${volumeCount}" == "2" ]
 
   # Volumes
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes | length')
-  [ "${volumeCount}" == "1" ]
+  [ "${volumeCount}" == "2" ]
 
   local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes[0].configMap.name')

diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats
@@ -34,7 +34,7 @@ load _helpers
   # Volume Mounts
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.containers[0].volumeMounts | length')
-  [ "${volumeCount}" == "2" ]
+  [ "${volumeCount}" == "3" ]
 
   local mountName=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.containers[0].volumeMounts[0].name')
@@ -47,17 +47,12 @@ load _helpers
   # Volumes
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes | length')
-  [ "${volumeCount}" == "1" ]
+  [ "${volumeCount}" == "2" ]
 
   local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes[0].configMap.name')
   [ "${volume}" == "$(name_prefix)-config" ]
 
-  # Security Context
-  local fsGroup=$(kubectl get statefulset "$(name_prefix)" --output json |
-    jq -r '.spec.template.spec.securityContext.fsGroup')
-  [ "${fsGroup}" == "1000" ]
-
   # Service
   local service=$(kubectl get service "$(name_prefix)" --output json |
     jq -r '.spec.clusterIP')

diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
@@ -322,6 +322,19 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
+@test "injector/deployment: disable security context when openshift enabled" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'global.openshift=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+    yq -r '.[9].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_SET_SECURITY_CONTEXT" ]
+}
+
 #--------------------------------------------------------------------
 # extraEnvironmentVars
 
@@ -447,3 +460,25 @@ load _helpers
       yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+#--------------------------------------------------------------------
+# OpenShift
+
+@test "injector/deployment: OpenShift - runAsUser disabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'global.openshift=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/deployment: OpenShift - runAsGroup disabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'global.openshift=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats
@@ -249,19 +249,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[11].name' | tee /dev/stderr)
+    yq -r '.[12].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].value' | tee /dev/stderr)
+      yq -r '.[12].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[12].name' | tee /dev/stderr)
+      yq -r '.[13].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[12].value' | tee /dev/stderr)
+      yq -r '.[13].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 }
 
@@ -282,23 +282,25 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-      yq -r '.[10].name' | tee /dev/stderr)
+      yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_0" ]
   local actual=$(echo $object |
-      yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_0" ]
   local actual=$(echo $object |
-      yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_0" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].name' | tee /dev/stderr)
+      yq -r '.[12].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_1" ]
+
   local actual=$(echo $object |
-      yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_1" ]
+
   local actual=$(echo $object |
-      yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_1" ]
 }
 

diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats