From 853cb06842b015859cd82d50e96fd61c77247d56 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 2 Jun 2020 22:10:41 -0400 Subject: [PATCH] Add OpenShift beta support (#319) * Initial commit * Added openshift flag * added self signed certificate for service annotation * added OpenShift flag * Added OpenShift flag * cleanup * Cleanup * Further cleanup * Further cleanup * reverted security context on injector * Extra corrections * cleanup * Removed Raft config for OpenShift, removed generated certs for ha and standby services * Add openshift flag to global block, route disabled by default, condition for injector in network policy * Added Unit tests for OpenShift * Fixed unit test for HA statefulset for OpenShift * Removed debug log level from stateful set * Added port 8201 to networkpolicy * Updated injector image * Add openshift beta support * Add openshift beta support * Remove comments from configs * Remove vault-k8s note from values * Change route to use active service when HA Co-authored-by: Radu Domnu Co-authored-by: Radu Domnu --- templates/_helpers.tpl | 15 +++ templates/injector-deployment.yaml | 6 + templates/injector-network-policy.yaml | 21 ++++ templates/server-ingress.yaml | 2 + templates/server-network-policy.yaml | 22 ++++ templates/server-route.yaml | 33 +++++ templates/server-statefulset.yaml | 8 ++ .../injector-test/pg-deployment.yaml | 2 +- test/acceptance/server-dev.bats | 2 +- test/acceptance/server-ha-enterprise-dr.bats | 4 +- .../acceptance/server-ha-enterprise-perf.bats | 4 +- test/acceptance/server-ha-raft.bats | 4 +- test/acceptance/server-ha.bats | 4 +- test/acceptance/server.bats | 9 +- test/unit/injector-deployment.bats | 35 ++++++ test/unit/server-dev-statefulset.bats | 22 ++-- test/unit/server-ha-active-service.bats | 0 test/unit/server-ha-standby-service.bats | 0 test/unit/server-ha-statefulset.bats | 43 +++++-- test/unit/server-network-policy.bats | 22 ++++ test/unit/server-route.bats | 116 ++++++++++++++++++ test/unit/server-statefulset.bats | 40 
++++-- values.yaml | 17 ++- 23 files changed, 382 insertions(+), 49 deletions(-) create mode 100644 templates/injector-network-policy.yaml create mode 100644 templates/server-network-policy.yaml create mode 100644 templates/server-route.yaml mode change 100644 => 100755 test/unit/server-ha-active-service.bats mode change 100644 => 100755 test/unit/server-ha-standby-service.bats create mode 100755 test/unit/server-network-policy.bats create mode 100755 test/unit/server-route.bats diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index bab233b91..5c88b18b0 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -318,6 +318,21 @@ Sets extra ingress annotations {{- end }} {{- end -}} +{{/* +Sets extra route annotations +*/}} +{{- define "vault.route.annotations" -}} + {{- if .Values.server.route.annotations }} + annotations: + {{- $tp := typeOf .Values.server.route.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.route.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.route.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets extra vault server Service annotations */}} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 9ab89f1cf..8768f7d5b 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -31,10 +31,12 @@ spec: priorityClassName: {{ .Values.injector.priorityClassName }} {{- end }} serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + {{- if not .Values.global.openshift }} securityContext: runAsNonRoot: true runAsGroup: {{ .Values.injector.gid | default 1000 }} runAsUser: {{ .Values.injector.uid | default 100 }} + {{- end }} containers: - name: sidecar-injector {{ template "injector.resources" . }} 
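Review bot: Wrapping the whole pod `securityContext` in `{{- if not .Values.global.openshift }}` also removes `runAsNonRoot: true`, which is the one setting that does not conflict with OpenShift assigning a UID from the project range; only `runAsUser` and `runAsGroup` need to be omitted. Keeping `securityContext:` and `runAsNonRoot: true` unconditional and moving the `{{- if not .Values.global.openshift }}` line to just above `runAsGroup:` preserves the kubelet-enforced non-root guarantee on any cluster where the flag is set but no SCC mutation applies, and should remain compatible with the restricted SCC's range-assigned UID. The injector pod spec continues outside this hunk.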
@@ -70,6 +72,10 @@ spec:
 value: {{ .Values.injector.logFormat | default "standard" }}
 - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
 value: "{{ .Values.injector.revokeOnShutdown | default false }}"
+ {{- if .Values.global.openshift }}
+ - name: AGENT_INJECT_SET_SECURITY_CONTEXT
+ value: "false"
+ {{- end }}
 {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
 args:
 - agent-inject
diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml
new file mode 100644
index 000000000..b72766987
--- /dev/null
+++ b/templates/injector-network-policy.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.global.openshift }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "vault.fullname" . }}-agent-injector
+ labels:
+ app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+ app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ component: webhook
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ ports:
+ - port: 8080
+ protocol: TCP
+{{ end }}
diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml
index 9b3d112d0..7c19f5fea 100644
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.global.openshift }}
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if .Values.server.ingress.enabled -}}
@@ -49,3 +50,4 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml
new file mode 100644
index 000000000..0879d5b9a
--- /dev/null
+++ b/templates/server-network-policy.yaml
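Review bot: `AGENT_INJECT_SET_SECURITY_CONTEXT` is hard-wired to `"false"` whenever `global.openshift` is true, with no value to keep it on, so an OpenShift cluster that runs workloads under a custom SCC permitting explicit UIDs loses the injected sidecar's securityContext with no opt-out. Sourcing it from a value, e.g. `value: "{{ .Values.injector.setSecurityContext | default false }}"` inside the openshift branch, and noting in values.yaml that the OpenShift flag disables the agent sidecar's securityContext, would make the trade-off visible and reversible. What the injector does with the variable is the vault-k8s image's behaviour and is not visible in this patch.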
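Review bot: The single ingress rule `- namespaceSelector: {}` admits every pod in every namespace to the injector's port 8080, while the only legitimate caller of a mutating webhook is the API server; if the purpose is to punch through a project-level default-deny, a comment such as `# allow the API server to reach the webhook; {} is the broadest selector that covers it` would stop the rule from being tightened by mistake, and whether host-network API-server traffic is matched by a namespaceSelector at all is CNI-specific and worth verifying on OpenShift SDN and OVN. `policyTypes` is omitted, so this is an Ingress-only policy and egress stays unrestricted; writing `policyTypes: [Ingress]` explicitly makes that intent visible to a reader. The closing `{{ end }}` (no `-`) also leaves a stray blank line in the render, unlike the `{{- end }}` used by the other templates.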
@@ -0,0 +1,22 @@
+{{- if .Values.global.openshift }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "vault.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ template "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ ports:
+ - port: 8200
+ protocol: TCP
+ - port: 8201
+ protocol: TCP
+{{ end }}
diff --git a/templates/server-route.yaml b/templates/server-route.yaml
new file mode 100644
index 000000000..2fccf0263
--- /dev/null
+++ b/templates/server-route.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.global.openshift }}
+{{- if ne .mode "external" }}
+{{- if .Values.server.route.enabled -}}
+{{- $serviceName := include "vault.fullname" . -}}
+{{- if eq .mode "ha" }}
+{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
+{{- end }}
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+ name: {{ template "vault.fullname" . }}
+ labels:
+ helm.sh/chart: {{ include "vault.chart" . }}
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- with .Values.server.route.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- template "vault.route.annotations" . }}
+spec:
+ host: {{ .Values.server.route.host }}
+ to:
+ kind: Service
+ name: {{ $serviceName }}
+ weight: 100
+ port:
+ targetPort: 8200
+ tls:
+ termination: passthrough
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 69a925f2f..f8a0eb1e5 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
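Review bot: The single ingress rule opens both 8200 and 8201 to every pod in every namespace, but 8201 is Vault's cluster port (request forwarding and replication between servers), which only peer Vault pods need; exposing it cluster-wide widens the attack surface of the server-to-server listener for no client benefit. Splitting the rule so 8200 keeps `namespaceSelector: {}` while 8201 is restricted to pods carrying the server's own labels keeps API access unchanged and confines the cluster port to the StatefulSet's peers, as sketched below. If the Enterprise DR/perf acceptance tests in this patch replicate between two releases across namespaces, that path would need its own `from` entry, which I cannot determine from the hunk.
```yaml
# … unchanged: apiVersion, kind, metadata, podSelector …
  ingress:
    # Vault API: reachable from workloads in any namespace
    - from:
        - namespaceSelector: {}
      ports:
        - port: 8200
          protocol: TCP
    # Cluster port: only other Vault servers of this release need it
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}
              app.kubernetes.io/instance: {{ .Release.Name }}
      ports:
        - port: 8201
          protocol: TCP
```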
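Review bot: `termination: passthrough` hands the TLS handshake to the Vault listener itself, but the chart's default is `global.tlsDisable: true` (visible in the values.yaml hunk of this patch), so with defaults the route forwards TLS ClientHellos to a plaintext port 8200 and nothing rejects the combination at install time. A render-time guard inside the enabled branch, e.g. `{{- if .Values.global.tlsDisable }}{{ fail "server.route requires TLS on the Vault listener (set global.tlsDisable=false)" }}{{- end }}`, or at least a values.yaml comment, would catch the misconfiguration before any traffic flows. Separately, this template tests `.mode` twice but, unlike server-ingress.yaml in the same patch, never calls `{{ template "vault.mode" . }}` to set it, so the external-mode and HA-service branches presumably do not evaluate as intended; the matching unit test can pass on a render error because of its `|| echo "---"` fallback.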
@@ -45,13 +45,17 @@ spec: {{ if .Values.server.shareProcessNamespace }} shareProcessNamespace: true {{ end }} + {{- if not .Values.global.openshift }} securityContext: runAsNonRoot: true runAsGroup: {{ .Values.server.gid | default 1000 }} runAsUser: {{ .Values.server.uid | default 100 }} fsGroup: {{ .Values.server.gid | default 1000 }} + {{- end }} volumes: {{ template "vault.volumes" . }} + - name: home + emptyDir: {} {{- if .Values.server.extraInitContainers }} initContainers: {{ toYaml .Values.server.extraInitContainers | nindent 8}} @@ -100,11 +104,15 @@ spec: fieldRef: fieldPath: metadata.name {{- end }} + - name: HOME + value: "/home/vault" {{ template "vault.envs" . }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} volumeMounts: {{ template "vault.mounts" . }} + - name: home + mountPath: /home/vault ports: - containerPort: 8200 name: {{ include "vault.scheme" . }} diff --git a/test/acceptance/injector-test/pg-deployment.yaml b/test/acceptance/injector-test/pg-deployment.yaml index 13389ffd6..caf8605d2 100644 --- a/test/acceptance/injector-test/pg-deployment.yaml +++ b/test/acceptance/injector-test/pg-deployment.yaml @@ -41,7 +41,7 @@ spec: - name: POSTGRES_PASSWORD value: password volumeMounts: - - mountPath: "/var/lib/postgresql/data" + - mountPath: "/var/lib/postgresql" name: "pgdata" - mountPath: "/docker-entrypoint-initdb.d" name: "pgconf" diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats index ffda94640..0619c289f 100644 --- a/test/acceptance/server-dev.bats +++ b/test/acceptance/server-dev.bats @@ -19,7 +19,7 @@ load _helpers # Volume Mounts local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts | length') - [ "${volumeCount}" == "0" ] + [ "${volumeCount}" == "1" ] # Service local service=$(kubectl get service "$(name_prefix)" --output json | 
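Review bot: Dropping the entire `securityContext` on OpenShift discards `runAsNonRoot: true` along with the UID/GID settings, yet only `runAsUser`, `runAsGroup` and `fsGroup` conflict with the restricted SCC's range assignment. Keeping `securityContext:` and `runAsNonRoot: true` outside the `{{- if not .Values.global.openshift }}` guard and gating only the three numeric fields keeps the non-root requirement enforced by the kubelet even on a cluster where the flag is set but no SCC admission runs. The StatefulSet pod spec continues outside this hunk.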
diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 35348e3c5..ea8a8dbc6 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.4.0_ent' \ + --set='server.image.tag=1.4.2_ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . @@ -76,7 +76,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.4.0_ent' \ + --set='server.image.tag=1.4.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-west-0" diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 48f9887f3..0d4c77936 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.4.0_ent' \ + --set='server.image.tag=1.4.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-east-0" @@ -76,7 +76,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.4.0_ent' \ + --set='server.image.tag=1.4.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' . wait_for_running "$(name_prefix)-west-0" diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index b6f1f2556..9f9f3decd 100644 
--- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -27,12 +27,12 @@ load _helpers # Volume Mounts local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts | length') - [ "${volumeCount}" == "2" ] + [ "${volumeCount}" == "3" ] # Volumes local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes | length') - [ "${volumeCount}" == "1" ] + [ "${volumeCount}" == "2" ] local volume=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes[0].configMap.name') diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 4cb4a754a..0945f122e 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats @@ -26,12 +26,12 @@ load _helpers # Volume Mounts local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts | length') - [ "${volumeCount}" == "1" ] + [ "${volumeCount}" == "2" ] # Volumes local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes | length') - [ "${volumeCount}" == "1" ] + [ "${volumeCount}" == "2" ] local volume=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes[0].configMap.name') diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index ce7843fb0..84a4e7d99 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats @@ -34,7 +34,7 @@ load _helpers # Volume Mounts local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts | length') - [ "${volumeCount}" == "2" ] + [ "${volumeCount}" == "3" ] local mountName=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.containers[0].volumeMounts[0].name') 
@@ -47,17 +47,12 @@ load _helpers # Volumes local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes | length') - [ "${volumeCount}" == "1" ] + [ "${volumeCount}" == "2" ] local volume=$(kubectl get statefulset "$(name_prefix)" --output json | jq -r '.spec.template.spec.volumes[0].configMap.name') [ "${volume}" == "$(name_prefix)-config" ] - # Security Context - local fsGroup=$(kubectl get statefulset "$(name_prefix)" --output json | - jq -r '.spec.template.spec.securityContext.fsGroup') - [ "${fsGroup}" == "1000" ] - # Service local service=$(kubectl get service "$(name_prefix)" --output json | jq -r '.spec.clusterIP') diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index bd3f63a0b..9e09e428d 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -322,6 +322,19 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/deployment: disable security context when openshift enabled" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[9].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_SET_SECURITY_CONTEXT" ] +} + #-------------------------------------------------------------------- # extraEnvironmentVars 
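Review bot: The `fsGroup == 1000` acceptance assertion is deleted outright rather than made conditional, so the default (non-OpenShift) deployment loses its only end-to-end check that the pod securityContext reaches a live cluster; a unit test for `fsGroup` remains, but it only inspects rendered YAML. Keeping the block and skipping it when the suite runs with `global.openshift=true` (behind an environment variable, if the helpers expose one) would retain the coverage. The enclosing test function starts before this hunk.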
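Review bot: The new test finds the variable by position (`yq -r '.[9].name'`) and checks only its name, so it breaks whenever an env entry is added above it and never verifies the value that matters; the many `.[10]` to `.[11]` bumps elsewhere in this patch show how brittle positional lookups are. Selecting by name checks both at once: `yq -r '.[] | select(.name == "AGENT_INJECT_SET_SECURITY_CONTEXT") | .value'` followed by `[ "${actual}" = "false" ]`.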
@@ -447,3 +460,25 @@ load _helpers yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# OpenShift + +@test "injector/deployment: OpenShift - runAsUser disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/deployment: OpenShift - runAsGroup disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 3b38eab41..a44e24379 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats @@ -249,19 +249,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) + yq -r '.[12].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[12].name' | tee /dev/stderr) + yq -r '.[13].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[12].value' | tee /dev/stderr) + yq -r '.[13].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } 
@@ -282,23 +282,25 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_0" ] local actual=$(echo $object | - yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_0" ] local actual=$(echo $object | - yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_0" ] local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_1" ] + local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_1" ] + local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_1" ] } diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats old mode 100644 new mode 100755 diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats old mode 100644 new mode 100755 diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index e6d0d5888..ff5c5716d 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -349,19 +349,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[10].value' | tee /dev/stderr) + yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) + yq -r '.[12].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } @@ -383,23 +383,23 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_0" ] local actual=$(echo $object | - yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_0" ] local actual=$(echo $object | - yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_0" ] local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "ENV_FOO_1" ] local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) + yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr) [ "${actual}" = "secret_name_1" ] local actual=$(echo $object | - yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) + yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr) [ "${actual}" = "secret_key_1" ] } 
@@ -643,3 +643,26 @@ load _helpers yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) [ "${actual}" = "2000" ] } + +#-------------------------------------------------------------------- +# OpenShift + +@test "server/ha-statefulset: OpenShift - runAsUser disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ha-statefulset: OpenShift - runAsGroup disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-network-policy.bats b/test/unit/server-network-policy.bats new file mode 100755 index 000000000..0df89fcb4 --- /dev/null +++ b/test/unit/server-network-policy.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/network-policy: OpenShift - disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-network-policy.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/network-policy: OpenShift - enabled if OpenShift" { + cd `chart_dir` + local actual=$( (helm template \ + --set 'global.openshift=true' \ + --show-only templates/server-network-policy.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats new file mode 100755 index 000000000..f5830e6dd --- /dev/null +++ b/test/unit/server-route.bats 
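Review bot: Both tests only assert that templates/server-network-policy.yaml renders a non-empty document, so the rule contents — the `namespaceSelector: {}` source and the 8200/8201 ports — are unchecked and could be widened or dropped without failing a test. One assertion on the rendered spec, e.g. `yq -r '.spec.ingress[0].ports | map(.port) | join(",")'` expected to equal `8200,8201`, and another on `.spec.ingress[0].from[0].namespaceSelector`, would pin the policy that is actually applied. The file also lacks a trailing newline.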
@@ -0,0 +1,116 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/route: OpenShift - disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --set 'global.openshift=true' \ + --show-only templates/server-route.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/route: OpenShift -disable by injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/route: OpenShift - checking host entry gets added and path is /" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.host=test.com' \ + . | tee /dev/stderr | + yq -r '.spec.host' | tee /dev/stderr) + [ "${actual}" = 'test.com' ] +} + +@test "server/route: OpenShift - vault backend should be added when I specify a path" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.host=test.com' \ + . | tee /dev/stderr | + yq -r '.spec.to.name | length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + +} + +@test "server/route: OpenShift - labels gets added to object" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.labels.traffic=external' \ + --set 'server.route.labels.team=dev' \ + . 
| tee /dev/stderr | + yq -r '.metadata.labels.traffic' | tee /dev/stderr) + [ "${actual}" = "external" ] +} + +@test "server/route: OpenShift - annotations added to object - string" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.annotations=kubernetes.io/route.class: haproxy' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/route.class"]' | tee /dev/stderr) + [ "${actual}" = "haproxy" ] +} + +@test "server/route: OpenShift - annotations added to object - yaml" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set server.route.annotations."kubernetes\.io/route\.class"=haproxy \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/route.class"]' | tee /dev/stderr) + [ "${actual}" = "haproxy" ] +} + +@test "server/route: OpenShift - route points to main service by default" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.to.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault" ] +} + +@test "server/route: OpenShift - route points to active service by when HA" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.to.name' | tee /dev/stderr) + [ "${actual}" = "RELEASE-NAME-vault-active" ] +} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 7e7678c44..65f4ce263 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
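Review bot: The `|| echo "---"` fallback in the `injector.externalVaultAddr` test makes a template error and an intentionally empty render indistinguishable, so the test passes even if the `ne .mode "external"` guard in templates/server-route.yaml never evaluates (that template reads `.mode` without first calling `vault.mode`, unlike server-ingress.yaml). Running the command once without the fallback, or asserting that helm's stderr contains only the expected missing-template message, would confirm the test passes for the right reason. The names `checking host entry gets added and path is /` and `vault backend should be added when I specify a path` were carried over from the ingress tests; a Route has no path here, so they describe checks the tests do not make.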
@@ -384,19 +384,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[10].value' | tee /dev/stderr) + yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) + yq -r '.[12].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] local object=$(helm template \ @@ -407,19 +407,19 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[10].name' | tee /dev/stderr) + yq -r '.[11].name' | tee /dev/stderr) [ "${actual}" = "FOO" ] local actual=$(echo $object | - yq -r '.[10].value' | tee /dev/stderr) + yq -r '.[11].value' | tee /dev/stderr) [ "${actual}" = "bar" ] local actual=$(echo $object | - yq -r '.[11].name' | tee /dev/stderr) + yq -r '.[12].name' | tee /dev/stderr) [ "${actual}" = "FOOBAR" ] local actual=$(echo $object | - yq -r '.[11].value' | tee /dev/stderr) + yq -r '.[12].value' | tee /dev/stderr) [ "${actual}" = "foobar" ] } @@ -1049,7 +1049,6 @@ load _helpers [ "${actual}" = "true" ] } -#-------------------------------------------------------------------- # postStart @test "server/standalone-StatefulSet: postStart disabled by default" { cd `chart_dir` 
@@ -1069,3 +1068,26 @@ load _helpers yq -r '.spec.template.spec.containers[0].lifecycle.postStart.exec.command[0]' | tee /dev/stderr) [ "${actual}" = "/bin/sh" ] } + +#-------------------------------------------------------------------- +# OpenShift + +@test "server/standalone-StatefulSet: OpenShift - runAsUser disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/standalone-StatefulSet: OpenShift - runAsGroup disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.openshift=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/values.yaml b/values.yaml index d1bbaf4b0..8c6e4a344 100644 --- a/values.yaml +++ b/values.yaml @@ -10,6 +10,8 @@ global: # - name: image-pull-secret # TLS for end-to-end encrypted transport tlsDisable: true + # Beta Feature: If deploying to OpenShift + openshift: false injector: # True if you want to enable vault agent injection. @@ -22,7 +24,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.3.0" + tag: "0.4.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -30,7 +32,7 @@ injector: # required. agentImage: repository: "vault" - tag: "1.4.0" + tag: "1.4.2" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" @@ -113,7 +115,7 @@ server: image: repository: "vault" - tag: "1.4.0" + tag: "1.4.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent 
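Review bot: The new `global.openshift` comment says only `Beta Feature: If deploying to OpenShift`, but elsewhere in this patch the flag removes the pod `securityContext` (runAsNonRoot, runAsUser, runAsGroup, fsGroup) from both the server and the injector, disables `server.ingress`, creates two NetworkPolicies that admit traffic from all namespaces, and sets `AGENT_INJECT_SET_SECURITY_CONTEXT=false` on the injector. Operators flipping the flag should see that trade-off where they set it; a comment such as `# Beta: when true the chart omits the pod securityContext (OpenShift SCCs assign UID/GID), disables server.ingress in favour of server.route, and creates NetworkPolicies for the server and injector` would cover it.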
@@ -132,6 +134,8 @@ server: # Ingress allows ingress services to be created to allow external access # from Kubernetes to access Vault pods. + # If deployment is on OpenShift, the following block is ignored. + # In order to expose the service, use the route section below ingress: enabled: false labels: {} @@ -152,6 +156,13 @@ server: # hosts: # - chart-example.local + # OpenShift only - create a route to expose the service + # The created route will be of type passthrough + route: + enabled: false + labels: {} + annotations: {} + host: chart-example.local # authDelegator enables a cluster role binding to be attached to the service # account. This cluster role binding can be used to setup Kubernetes auth