diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/actions/setup-test-tools/action.yaml similarity index 89% rename from .github/workflows/setup-test-tools/action.yaml rename to .github/actions/setup-test-tools/action.yaml index d666e235f..6da07b5b7 100644 --- a/.github/workflows/setup-test-tools/action.yaml +++ b/.github/actions/setup-test-tools/action.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + name: Setup common testing tools description: Install bats and python-yq runs: diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 597a64420..c9696daa1 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -5,18 +5,18 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.22.17, 1.23.17, 1.24.12, 1.25.8, 1.26.3] + kind-k8s-version: [1.22.17, 1.23.17, 1.24.13, 1.25.9, 1.26.4, 1.27.2] runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: Setup test tools - uses: ./.github/workflows/setup-test-tools + uses: ./.github/actions/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0 + uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.17.0 + version: v0.19.0 - run: bats --tap --timing ./test/acceptance env: VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index bdee70fc2..ec209f5dd 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml 
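Review bot: The `kind-k8s-version` matrix in the acceptance hunk starts at 1.22.17 while Chart.yaml in this same commit lowers `kubeVersion` to `>= 1.20.0-0`, so the oldest version the chart now admits is never exercised by the acceptance tests. The CHANGELOG records this as deliberate, but a reader of the workflow cannot see it; I'd put `# oldest version tested here; Chart.yaml admits >= 1.20 untested (see CHANGELOG)` above the matrix line. The node images are selected by tag (`kindest/node:v${{ matrix.kind-k8s-version }}`) rather than digest, so two runs of the same matrix entry can pull different images; if reproducibility of a failing run matters, pinning the image digest would make this consistent with the SHA-pinned actions in the same hunk.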
@@ -11,6 +11,4 @@ permissions: contents: read jobs: actionlint: - runs-on: ubuntu-latest - steps: - - uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main + uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 661307ad6..25f344db1 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -4,21 +4,21 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - uses: ./.github/workflows/setup-test-tools + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: ./.github/actions/setup-test-tools - run: bats --tap --timing ./test/unit chart-verifier: runs-on: ubuntu-latest env: CHART_VERIFIER_VERSION: '1.10.1' steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: Setup test tools - uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: ./.github/actions/setup-test-tools + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: '1.19.2' - - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} + - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" - run: bats --tap --timing ./test/chart permissions: contents: read diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml index 415434963..7d4cca79b 100644 --- a/.github/workflows/update-helm-charts-index.yml +++ b/.github/workflows/update-helm-charts-index.yml 
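Review bot: The new `uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main` line calls a reusable workflow by a mutable branch ref, whereas every action this commit touches elsewhere is pinned to a full commit SHA with a version comment. A reusable workflow runs in this repository's context with its `GITHUB_TOKEN` (here `contents: read`), so a push to `main` in the common repo changes what executes here with no review in this repository. Pinning as `uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@<commit-sha> # <version>` (placeholder to be filled from the common repo) would match the policy the other workflows follow. If tracking `main` for shared lint workflows is intentional, a comment on this line saying so would stop the next reviewer from raising it again.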
@@ -11,12 +11,12 @@ jobs: update-helm-charts-index: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: verify Chart version matches tag version run: |- export TAG=${{ github.ref_name }} - git_tag=$(echo "${TAG#v}") - chart_tag=$(yq r Chart.yaml version) + git_tag="${TAG#v}" + chart_tag=$(yq -r '.version' Chart.yaml) if [ "${git_tag}" != "${chart_tag}" ]; then echo "chart version (${chart_tag}) did not match git version (${git_tag})" exit 1 diff --git a/CHANGELOG.md b/CHANGELOG.md index ce70750ea..7c158f183 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
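Review bot: `export TAG=${{ github.ref_name }}` two lines above the changed `git_tag=` line still interpolates a workflow expression directly into the shell script, so the tag name is substituted before the shell parses the script and any shell metacharacters in a tag name are executed rather than compared. The new lines fix the quoting around `TAG` but leave this as it was; actionlint flags the pattern, which is worth noting given this commit also moves actionlint to a shared workflow. The usual fix is to pass the value through the environment on the step, `env:` / `  TAG: ${{ github.ref_name }}`, and drop the `export` line, keeping the new `git_tag="${TAG#v}"` unchanged. The `if` block continues past the end of the hunk.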
@@ -1,5 +1,29 @@ ## Unreleased +Features: +* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) +* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955) + +Bugs: +* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) + +Improvements: +* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) +* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912) + +## 0.25.0 (June 26, 2023) + +Changes: +* Latest Kubernetes version tested is now 1.27 +* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902) +* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) +* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Improvements: +* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862) +* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) +* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + Bugs: * server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) 
@@ -38,9 +62,6 @@ Features: Bugs: * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) -Improvements: -* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) - ## 0.22.1 (October 26th, 2022) Changes: diff --git a/Chart.yaml b/Chart.yaml index 1803a5272..104b05f3f 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,9 +3,9 @@ apiVersion: v2 name: vault -version: 0.24.1 -appVersion: 1.13.1 -kubeVersion: ">= 1.22.0-0" +version: 0.25.0 +appVersion: 1.14.0 +kubeVersion: ">= 1.20.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/README.md b/README.md index 6e7014360..256bd8b91 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ cases of Vault on Kubernetes depending on the values provided. For full documentation on this Helm chart along with all the ways you can use Vault with Kubernetes, please see the -[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/). +[Vault and Kubernetes documentation](https://developer.hashicorp.com/vault/docs/platform/k8s). ## Prerequisites @@ -39,5 +39,5 @@ $ helm install vault hashicorp/vault Please see the many options supported in the `values.yaml` file. These are also fully documented directly on the [Vault -website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more +website](https://developer.hashicorp.com/vault/docs/platform/k8s/helm) along with more detailed installation instructions. diff --git a/templates/NOTES.txt b/templates/NOTES.txt index 8e267121c..60d99a4e5 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt 
@@ -4,7 +4,7 @@ Thank you for installing HashiCorp Vault! Now that you have deployed Vault, you should look over the docs on using Vault with Kubernetes available here: -https://www.vaultproject.io/docs/ +https://developer.hashicorp.com/vault/docs Your release is named {{ .Release.Name }}. To learn more about the release, try: diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index ffeae3eb8..8d4599cae 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -36,6 +36,13 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Allow the release namespace to be overridden +*/}} +{{- define "vault.namespace" -}} +{{- default .Release.Namespace .Values.global.namespace -}} +{{- end -}} + {{/* Compute if the csi driver is enabled. */}} @@ -75,6 +82,17 @@ Compute if the server serviceaccount is enabled. (eq (.Values.global.enabled | toString) "true"))) -}} {{- end -}} +{{/* +Compute if the server serviceaccount should have a token created and mounted to the serviceaccount. +*/}} +{{- define "vault.serverServiceAccountSecretCreationEnabled" -}} +{{- $_ := set . "serverServiceAccountSecretCreationEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true") + (eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}} +{{- end -}} + + {{/* Compute if the server auth delegator serviceaccount is enabled. */}} @@ -149,7 +167,11 @@ Set's the replica count based on the different modes configured by user {{ if eq .mode "standalone" }} {{- default 1 -}} {{ else if eq .mode "ha" }} - {{- .Values.server.ha.replicas | default 3 -}} + {{- if kindIs "int64" .Values.server.ha.replicas -}} + {{- .Values.server.ha.replicas -}} + {{ else }} + {{- 3 -}} + {{- end -}} {{ else }} {{- default 1 -}} {{ end }} 
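Review bot: The new `vault.namespace` helper lets `global.namespace` redirect every namespaced resource to a namespace other than the one the release is recorded in, and the comment `Allow the release namespace to be overridden` does not say what that implies for an operator. Helm stores the release record in the namespace given on the command line and creates only that namespace with `--create-namespace`, so the override namespace must already exist and the installing identity needs RBAC there as well. I'd extend the comment to `Allow the release namespace to be overridden via global.namespace. The override namespace must already exist; the release record itself stays in .Release.Namespace.` Every `namespace:` hunk in the later template files routes through this helper, so this is the one place to document it.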
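Review bot: The `kindIs "int64"` branch on the `ha` path silently renders 3 replicas whenever `server.ha.replicas` is set but is not an int64, where the old `| default 3` passed any non-empty value through; a count supplied as a string (`replicas: "5"` in a values file) now quietly shrinks the cluster instead of being used or rejected. A silent fallback on a replica count surfaces only as a smaller-than-expected Vault cluster, which is hard to notice. I'd fail loudly instead: `{{ else if .Values.server.ha.replicas }}` / `{{- fail "server.ha.replicas must be an integer" -}}` ahead of the existing `{{ else }}`, keeping 3 for the unset case. Whether Helm hands values-file integers to the template as int64 is something the bats unit tests should cover with a values file rather than only `--set`; the enclosing define starts outside the hunk.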
@@ -876,6 +898,34 @@ Sets the injector toleration for pod placement {{- end }} {{- end -}} +{{/* +Sets the CSI provider nodeSelector for pod placement +*/}} +{{- define "csi.pod.nodeselector" -}} + {{- if .Values.csi.pod.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.csi.pod.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets the CSI provider affinity for pod placement. +*/}} +{{- define "csi.pod.affinity" -}} + {{- if .Values.csi.pod.affinity }} + affinity: + {{ $tp := typeOf .Values.csi.pod.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} {{/* Sets extra CSI provider pod annotations */}} diff --git a/templates/csi-agent-configmap.yaml b/templates/csi-agent-configmap.yaml index 7af08e8f9..18cdb04ac 100644 --- a/templates/csi-agent-configmap.yaml +++ b/templates/csi-agent-configmap.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "vault.fullname" . }}-csi-provider-agent-config - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider @@ -21,7 +21,7 @@ data: {{- if .Values.global.externalVaultAddr }} "address" = "{{ .Values.global.externalVaultAddr }}" {{- else }} - "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}" + "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}" {{- end }} } 
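Review bot: The two new defines use whitespace control inconsistently: `csi.pod.nodeselector` writes `{{- $tp := typeOf ... }}` and closes with `{{- end }}`, while `csi.pod.affinity` writes `{{ $tp := typeOf ... }}` and closes with `{{ end }}`, and the `tpl` line carries the left-trim dash in one define but not the other. The untrimmed actions emit whitespace-only lines into the rendered DaemonSet pod spec; the YAML parser does not mind, but they appear in every `helm template` diff. Making affinity match nodeselector, `{{- $tp := typeOf .Values.csi.pod.affinity }}` and `{{- end }}`, is enough, and a blank line between the two defines would match the spacing used elsewhere in `_helpers.tpl`. Both defines render a string-typed value through `tpl` with the full chart context; a one-line comment `{{/* string values are rendered with tpl and may reference .Values */}}` would make that visible to anyone supplying the value.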
diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml index d5a934688..506ec944a 100644 --- a/templates/csi-clusterrolebinding.yaml +++ b/templates/csi-clusterrolebinding.yaml @@ -20,5 +20,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{- end }} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index a32ef7c70..1436ff905 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -9,7 +9,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} @@ -45,6 +45,8 @@ spec: {{- end }} serviceAccountName: {{ template "vault.fullname" . }}-csi-provider {{- template "csi.pod.tolerations" . }} + {{- template "csi.pod.nodeselector" . }} + {{- template "csi.pod.affinity" . }} containers: - name: {{ include "vault.name" . }}-csi-provider {{ template "csi.resources" . }} @@ -69,7 +71,7 @@ spec: {{- else if .Values.global.externalVaultAddr }} value: "{{ .Values.global.externalVaultAddr }}" {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} {{- end }} volumeMounts: - name: providervol diff --git a/templates/csi-role.yaml b/templates/csi-role.yaml index dd23af655..17e1918b4 100644 --- a/templates/csi-role.yaml +++ b/templates/csi-role.yaml 
@@ -9,6 +9,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-csi-provider-role + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/csi-rolebinding.yaml b/templates/csi-rolebinding.yaml index e61f2dc2d..3d3b981b8 100644 --- a/templates/csi-rolebinding.yaml +++ b/templates/csi-rolebinding.yaml @@ -9,6 +9,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-csi-provider-rolebinding + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} @@ -20,5 +21,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{- end }} diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml index 25e123ee9..6327a7b2f 100644 --- a/templates/csi-serviceaccount.yaml +++ b/templates/csi-serviceaccount.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml index 3e5ddb7b9..f6995af10 100644 --- a/templates/injector-certs-secret.yaml +++ b/templates/injector-certs-secret.yaml 
@@ -10,7 +10,7 @@ apiVersion: v1 kind: Secret metadata: name: vault-injector-certs - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml index 9253e4f0a..82cbce0ce 100644 --- a/templates/injector-clusterrolebinding.yaml +++ b/templates/injector-clusterrolebinding.yaml @@ -20,5 +20,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{ end }} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index fbf32c093..822e8e41d 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -10,7 +10,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} @@ -64,7 +64,7 @@ spec: {{- else if .Values.injector.externalVaultAddr }} value: "{{ .Values.injector.externalVaultAddr }}" {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} {{- end }} - name: AGENT_INJECT_VAULT_AUTH_PATH value: {{ .Values.injector.authPath }} 
@@ -79,7 +79,7 @@ spec: - name: AGENT_INJECT_TLS_AUTO value: {{ template "vault.fullname" . }}-agent-injector-cfg - name: AGENT_INJECT_TLS_AUTO_HOSTS - value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc + value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc {{- end }} - name: AGENT_INJECT_LOG_FORMAT value: {{ .Values.injector.logFormat | default "standard" }} diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml index 6ae714bae..2b2a61c6f 100644 --- a/templates/injector-disruptionbudget.yaml +++ b/templates/injector-disruptionbudget.yaml @@ -8,7 +8,7 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index d03cd136d..b1de1ee3f 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -28,7 +28,7 @@ webhooks: clientConfig: service: name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} path: "/mutate" caBundle: {{ .Values.injector.certs.caBundle | quote }} rules: diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 65d8e9ba9..a07f8f6c0 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml 
@@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index 48a3a26a2..3c97e8dad 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index df7b0ed74..b2ad0c7b9 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index 0848e43d8..6ad25ca69 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml 
@@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} @@ -22,6 +22,6 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{- end }} {{- end }} \ No newline at end of file diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 5b2069286..1479cd1ab 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index 9b5c2f6ed..2f91c3d4a 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/prometheus-servicemonitor.yaml b/templates/prometheus-servicemonitor.yaml index 60f2729a0..25d30a468 100644 --- a/templates/prometheus-servicemonitor.yaml +++ b/templates/prometheus-servicemonitor.yaml 
@@ -45,5 +45,5 @@ spec: insecureSkipVerify: true namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "vault.namespace" . }} {{ end }} diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index b694129b5..14ec838a0 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -25,5 +25,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{ end }} \ No newline at end of file diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index 5d29e98d6..5c660579f 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -12,7 +12,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "vault.fullname" . }}-config - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index adae42a2b..0cbdefaff 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -10,7 +10,7 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} name: {{ template "vault.fullname" . }}-discovery-role labels: helm.sh/chart: {{ include "vault.chart" . }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 853ee870c..87b0f6170 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml 
@@ -15,7 +15,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-discovery-rolebinding - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} @@ -28,7 +28,7 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{ end }} {{ end }} {{ end }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 3ff11099b..bbe9eb299 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -13,7 +13,7 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index a939926bc..2a27349b7 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -14,7 +14,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-active - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} 
@@ -28,6 +28,14 @@ spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index c2a21fa18..c09618d0e 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -14,7 +14,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-standby - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} @@ -27,6 +27,14 @@ spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index c4eca7af7..c0f4d3460 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml 
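Review bot: The eight-line `semverCompare ">= 1.23-0"` / `ipFamilyPolicy` / `ipFamilies` block added under `spec:` here is repeated verbatim in the standby-service hunk on this same line, in `server-headless-service.yaml` and `server-service.yaml`, and with the `ui.*` keys in `ui-service.yaml`. Five copies of one version gate is how thresholds drift; a single `{{- define "vault.service.ipFamilies" -}}` helper in `_helpers.tpl` taking the policy and families values would keep the `1.23` check in one place. The `nindent 2` on `ipFamilies` also relies on `spec:` sitting at column 0 in each file, which the visible hunks satisfy but which a shared helper would make explicit. If a helper is out of scope for this release, a comment `{{/* dual-stack Service fields are GA from Kubernetes 1.23; keep in sync with the other Service templates */}}` on each copy would at least name the coupling.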
@@ -12,7 +12,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-internal - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} @@ -22,8 +22,16 @@ metadata: annotations: {{ template "vault.service.annotations" .}} spec: + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} clusterIP: None - publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + publishNotReadyAddresses: true ports: - name: "{{ include "vault.scheme" . }}" port: {{ .Values.server.service.port }} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 3aba66885..d796bae41 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -21,7 +21,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index 0c8c983ea..64cd6c507 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} 
diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index 9b975d556..342f55379 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/server-route.yaml b/templates/server-route.yaml index 3f35aefe2..4e955555a 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml @@ -14,7 +14,7 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 8e34c88c5..c12e190cb 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -12,7 +12,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} 
@@ -24,6 +24,14 @@ spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} diff --git a/templates/server-serviceaccount-secret.yaml b/templates/server-serviceaccount-secret.yaml new file mode 100644 index 000000000..74d70f900 --- /dev/null +++ b/templates/server-serviceaccount-secret.yaml @@ -0,0 +1,21 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverServiceAccountSecretCreationEnabled" . }} +{{- if .serverServiceAccountSecretCreationEnabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "vault.serviceAccount.name" . }}-token + namespace: {{ include "vault.namespace" . }} + annotations: + kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: kubernetes.io/service-account-token +{{ end }} \ No newline at end of file diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index e154f8dc2..216ea6178 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml 
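Review bot: The new `server-serviceaccount-secret.yaml` creates a `kubernetes.io/service-account-token` Secret, which the control plane fills with a long-lived, non-expiring bearer token for the server ServiceAccount, and neither the template nor the `vault.serverServiceAccountSecretCreationEnabled` helper says so; the header comment holds only the license. This is the token type Kubernetes stopped auto-generating in 1.24 in favour of short-lived projected tokens, so the knob should stay off unless an operator needs a static token, and the default of `server.serviceAccount.createSecret` (not visible in this diff) should be confirmed as false. I'd add under the license block: `{{/* Optional: a static, non-expiring token Secret for the server ServiceAccount. Only for environments where a projected token cannot be used; leave createSecret false otherwise. */}}`. The file also lacks a trailing newline, and the leading `{{ template ... }}` without trim dashes emits an empty first line in the rendered manifest, as the sibling `server-serviceaccount.yaml` presumably does too.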
@@ -9,7 +9,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "vault.serviceAccount.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
   labels:
     helm.sh/chart: {{ include "vault.chart" . }}
     app.kubernetes.io/name: {{ include "vault.name" . }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 7ab7de8e2..f330927d6 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -12,7 +12,7 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   name: {{ template "vault.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
   labels:
     app.kubernetes.io/name: {{ include "vault.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
@@ -61,6 +61,10 @@ spec:
         {{ template "vault.volumes" . }}
         - name: home
           emptyDir: {}
+      {{- if .Values.server.hostAliases }}
+      hostAliases:
+        {{ toYaml .Values.server.hostAliases | nindent 8}}
+      {{- end }}
       {{- if .Values.server.extraInitContainers }}
       initContainers:
         {{ toYaml .Values.server.extraInitContainers | nindent 8}}
diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml
index 59b150109..20e2e5a5a 100644
--- a/templates/tests/server-test.yaml
+++ b/templates/tests/server-test.yaml
@@ -9,8 +9,8 @@ SPDX-License-Identifier: MPL-2.0
 apiVersion: v1
 kind: Pod
 metadata:
-  name: "{{ .Release.Name }}-server-test"
-  namespace: {{ .Release.Namespace }}
+  name: {{ template "vault.fullname" . }}-server-test
+  namespace: {{ include "vault.namespace" . }}
   annotations:
     "helm.sh/hook": test
 spec:
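Review bot: `hostAliases` is rendered straight from `.Values.server.hostAliases` in the statefulset hunk with no comment on what it changes, whereas the neighbouring `extraInitContainers` block is at least self-describing; entries here become static /etc/hosts lines in every server pod and are normally consulted before cluster DNS for the listed hostnames, so a mistaken entry can silently redirect the Vault server's outbound connections. A comment such as `{{/* hostAliases: static /etc/hosts entries for the server pods; they take precedence over DNS for the listed hosts, so keep them in a reviewed values file */}}` above the `{{- if }}` would document that. The enclosing pod spec starts and ends outside the hunk.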
@@ -21,7 +21,7 @@ spec:
       imagePullPolicy: {{ .Values.server.image.pullPolicy }}
       env:
         - name: VAULT_ADDR
-          value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+          value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
       {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
       command:
         - /bin/sh
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml
index 4b2e8f7e4..95370842e 100644
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@@ -12,7 +12,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "vault.fullname" . }}-ui
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
   labels:
     helm.sh/chart: {{ include "vault.chart" . }}
     app.kubernetes.io/name: {{ include "vault.name" . }}-ui
@@ -20,6 +20,14 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
   {{- template "vault.ui.annotations" . }}
 spec:
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.ui.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ui.serviceIPFamilies }}
+  ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
   selector:
     app.kubernetes.io/name: {{ include "vault.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
index d45436419..aa6edc46c 100644
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@@ -55,16 +55,16 @@ load _helpers for i in $(seq 10); do sleep 2 - if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "returning cached response: path=/v1/auth/kubernetes/login")" ]; then + if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then echo "Agent returned a cached login response" return fi - echo "Waiting for a cached response from Agent..." + echo "Waiting to confirm the Agent is renewing CSI's auth token..." done # Print the logs and fail the test - echo "Failed to find a log for a cached Agent response" + echo "Failed to find a log for the Agent renewing CSI's auth token" kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider exit 1 diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 911cf8dfe..264be67f6 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
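Review bot: The success branch still prints `Agent returned a cached login response` although the grep on the line above now looks for `secret renewed: path=/v1/auth/kubernetes/login`; the waiting and failure messages were updated but this one was not, so a passing run logs a claim the test no longer checks. Change it to `echo "Agent renewed CSI's auth token"` so the three messages describe the same condition. The enclosing function starts outside the hunk.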
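Review bot: The image tag is now built with `$(yq -r '.server.image.tag' values.yaml)` inside the `--set=` argument, so if the key is missing yq prints `null` and the install proceeds with tag `null-ent` (or `-ent` if yq fails outright), and the test only dies later with an image pull error that hides the real cause. Reading the tag into a variable and checking it before `helm install`, in the file's own assertion style, keeps the failure at its source: `local tag="$(yq -r '.server.image.tag' values.yaml)"` followed by `[ -n "$tag" ] && [ "$tag" != "null" ]`, then `--set="server.image.tag=${tag}-ent"`. The same substitution appears in the `@@ -75` hunk of this file and in both hunks of test/acceptance/server-ha-enterprise-perf.bats. The enclosing @test starts outside the hunk.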
@@ -75,7 +75,7 @@ load _helpers
   helm install "$(name_prefix)-west" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.13.1-ent' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
     --set='server.enterpriseLicense.secretName=vault-license' .
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats
index c63f76368..15025c94e 100644
--- a/test/acceptance/server-ha-enterprise-perf.bats
+++ b/test/acceptance/server-ha-enterprise-perf.bats
@@ -8,7 +8,7 @@ load _helpers
   helm install "$(name_prefix)-east" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.13.1-ent' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
     --set='server.enterpriseLicense.secretName=vault-license' .
@@ -75,7 +75,7 @@ load _helpers
   helm install "$(name_prefix)-west" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.13.1-ent' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
     --set='server.enterpriseLicense.secretName=vault-license' .
diff --git a/test/unit/csi-agent-configmap.bats b/test/unit/csi-agent-configmap.bats
index 4ae4a30b8..515e4c84e 100644
--- a/test/unit/csi-agent-configmap.bats
+++ b/test/unit/csi-agent-configmap.bats
@@ -21,6 +21,25 @@ load _helpers [ "${actual}" = "release-name-vault-csi-provider-agent-config" ] } +@test "csi/Agent-ConfigMap: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index ccd98c55a..6490d2c0d 100644 --- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats @@ -41,4 +41,24 @@ load _helpers . | tee /dev/stderr | yq -r '.subjects[0].name' | tee /dev/stderr) [ "${actual}" = "release-name-vault-csi-provider" ] +} + +# ClusterRoleBinding service account namespace +@test "csi/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] } \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 3ad9675c4..d3d4221e5 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
@@ -30,6 +30,26 @@ load _helpers [ "${actual}" = "true" ] } +# namespace +@test "csi/daemonset: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + # priorityClassName @test "csi/daemonset: priorityClassName not set by default" { 
@@ -345,6 +365,74 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# nodeSelector +@test "csi/daemonset: nodeSelector not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .nodeSelector? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: nodeSelector can be set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.nodeSelector=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: nodeSelector can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set "csi.pod.nodeSelector.foo=bar,csi.pod.nodeSelector.baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector.foo == "bar" and .spec.template.spec.nodeSelector.baz == "qux"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# affinity +@test "csi/daemonset: affinity not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .affinity? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: affinity can be set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.affinity=foobar' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.affinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: affinity can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set "csi.pod.affinity.podAntiAffinity=foobar" \ + . | tee /dev/stderr | + yq '.spec.template.spec.affinity.podAntiAffinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # Extra Labels @@ -762,4 +850,4 @@ load _helpers local value=$(echo $object | yq -r '.limits.cpu' | tee /dev/stderr) [ "${value}" = "500m" ] -} \ No newline at end of file +} diff --git a/test/unit/csi-role.bats b/test/unit/csi-role.bats index e7eb7e62c..88f7d0590 100644 --- a/test/unit/csi-role.bats +++ b/test/unit/csi-role.bats @@ -27,6 +27,25 @@ load _helpers [ "${actual}" = "vault-csi-provider-hmac-key" ] } +@test "csi/Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "csi/Role: HMAC secret name configurable" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/csi-rolebinding.bats b/test/unit/csi-rolebinding.bats index caf368b74..dc4a1afdd 100644 --- a/test/unit/csi-rolebinding.bats +++ b/test/unit/csi-rolebinding.bats 
@@ -19,4 +19,23 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) [ "${actual}" = "release-name-vault-csi-provider-rolebinding" ] +} + +@test "csi/RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] } \ No newline at end of file diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 41c17349f..aa89749be 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats @@ -32,6 +32,26 @@ load _helpers [ "${actual}" = "release-name-vault-csi-provider" ] } +# serviceAccountNamespace namespace +@test "csi/daemonset: serviceAccountNamespace namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "csi/serviceAccount: specify annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-clusterrolebinding.bats b/test/unit/injector-clusterrolebinding.bats index 6e217878b..e997ebd6b 100755 --- a/test/unit/injector-clusterrolebinding.bats +++ b/test/unit/injector-clusterrolebinding.bats 
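Review bot: The new test in test/unit/csi-serviceaccount.bats is named `csi/daemonset: serviceAccountNamespace namespace` and headed by the comment `# serviceAccountNamespace namespace`, but it renders templates/csi-serviceaccount.yaml and checks `.metadata.namespace`, so the name points at the wrong template and will mislead anyone filtering bats output by prefix. Rename it to match its siblings in that file, `@test "csi/serviceAccount: namespace" {`, and drop or shorten the comment to `# namespace`. The rest of the file's tests visible here already use the `csi/serviceAccount:` prefix.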
@@ -20,3 +20,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "injector/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-clusterrolebinding.yaml \ + --set "injector.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-clusterrolebinding.yaml \ + --set "injector.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 7723a1565..7b2bb5ae9 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -42,6 +42,25 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/deployment: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/deployment: image defaults to injector.image" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index 72be93fcc..4ce55157f 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats 
@@ -11,6 +11,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/DisruptionBudget: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index bbd482985..e72354a9f 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats @@ -96,6 +96,14 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-certs-secret.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/role: created/skipped as appropriate" { 
@@ -147,6 +155,14 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-role.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/rolebinding: created/skipped as appropriate" { @@ -198,4 +214,12 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-rolebinding.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 0a8be0a3c..fcf4e7b4a 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats @@ -40,6 +40,14 @@ load _helpers . | tee /dev/stderr | yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/MutatingWebhookConfiguration: caBundle is empty string" { diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats index 8e7acd7d5..3dda504c2 100644 --- a/test/unit/injector-psp-role.bats +++ b/test/unit/injector-psp-role.bats 
@@ -33,3 +33,24 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/PodSecurityPolicy-Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp-role.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-psp-role.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats index 88bfe7900..62afe7b50 100644 --- a/test/unit/injector-psp-rolebinding.bats +++ b/test/unit/injector-psp-rolebinding.bats @@ -33,3 +33,24 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/PodSecurityPolicy-RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index 027eaa080..b5eea4960 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats 
@@ -18,6 +18,23 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/Service: service with default port" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-serviceaccount.bats b/test/unit/injector-serviceaccount.bats index bf178a3ac..f7ba319ba 100755 --- a/test/unit/injector-serviceaccount.bats +++ b/test/unit/injector-serviceaccount.bats @@ -21,6 +21,23 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/ServiceAccount: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-serviceaccount.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-serviceaccount.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/ServiceAccount: generic annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats index 9d05aeaf1..d80f05f3d 100755 --- a/test/unit/server-clusterrolebinding.bats +++ b/test/unit/server-clusterrolebinding.bats 
@@ -71,3 +71,20 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "server/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-clusterrolebinding.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-clusterrolebinding.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats index fe2ac1257..eea7e7008 100755 --- a/test/unit/server-configmap.bats +++ b/test/unit/server-configmap.bats @@ -75,6 +75,23 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ConfigMap: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-config-configmap.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-config-configmap.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ConfigMap: standalone extraConfig is set" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats index 11473a081..f17dcf44d 100755 --- a/test/unit/server-discovery-role.bats +++ b/test/unit/server-discovery-role.bats 
@@ -39,3 +39,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/DiscoveryRole: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats index 568c24072..83e8defd1 100755 --- a/test/unit/server-discovery-rolebinding.bats +++ b/test/unit/server-discovery-rolebinding.bats @@ -39,3 +39,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/DiscoveryRoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index aa972074e..8b6e95c85 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
@@ -58,6 +58,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-active-Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ha-active-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 4cb3ae63b..4daff30e6 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -53,6 +53,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/DisruptionBudget: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/DisruptionBudget: correct maxUnavailable with n=1" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index c9d3590c2..62d3259f2 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats 
@@ -80,6 +80,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-standby-Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ha-standby-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 06a0ca0a0..9bb5118db 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -157,6 +157,28 @@ load _helpers [ "${actual}" = "10" ] } +@test "server/ha-StatefulSet: zero replicas" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=0' \ + . | tee /dev/stderr | + yq -r '.spec.replicas' | tee /dev/stderr) + [ "${actual}" = "0" ] +} + +@test "server/ha-StatefulSet: invalid value for replicas" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=null' \ + . | tee /dev/stderr | + yq -r '.spec.replicas' | tee /dev/stderr) + [ "${actual}" = "3" ] +} + #-------------------------------------------------------------------- # resources diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 0794d0e49..df649bebc 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats 
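Review bot: The test named `server/ha-StatefulSet: invalid value for replicas` in test/unit/server-ha-statefulset.bats passes `--set 'server.ha.replicas=null'`, and in Helm 3 setting a value to `null` removes the key from the merged values, so what is exercised is the fallback when `replicas` is absent rather than the handling of an invalid value; the name will give a false sense that type errors are covered. Rename it to `@test "server/ha-StatefulSet: replicas unset falls back to default" {`, and if a genuinely invalid value is meant to be rejected, add a separate case with a non-numeric string and assert on the template error. The template logic that yields `3` lives outside this hunk, so whether it distinguishes "unset" from "invalid" cannot be confirmed here.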
@@ -2,7 +2,7 @@ load _helpers -@test "server/headless-Service: publishNotReadyAddresses can be changed" { +@test "server/headless-Service: publishNotReadyAddresses cannot be changed" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-headless-service.yaml \ @@ -15,7 +15,7 @@ load _helpers --set 'server.service.publishNotReadyAddresses=false' \ . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "server/headless-Service: instance selector cannot be disabled" { 
@@ -35,3 +35,64 @@ load _helpers yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) [ "${actual}" = "release-name" ] } + +@test "server/headless-Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "server/headless-Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] +} + +@test "server/headless-Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} + +@test "server/headless-Service: Assert ipFamilyPolicy is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . 
| tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/headless-Service: Assert ipFamilies is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilies' | tee /dev/stderr) + [ "${actual}" = "null" ] +} \ No newline at end of file diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 0cc5b266c..90ed0a26c 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -11,6 +11,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ingress: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ingress: disable by injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ diff --git a/test/unit/server-psp-role.bats b/test/unit/server-psp-role.bats index 1d3e62c4c..28239b05e 100644 --- a/test/unit/server-psp-role.bats +++ b/test/unit/server-psp-role.bats 
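Review bot: The 1.23 version gate is pinned from one side only: the two `version below 1.23` tests use `--kube-version 1.22.0`, while the positive `Assert ipFamilyPolicy set` / `Assert ipFamilies set` tests rely on helm's default Kubernetes version, so an off-by-one in the template's comparison (e.g. `>` where `>=` was intended) would pass unnoticed. Add `--kube-version 1.23.0` to the positive cases, or a dedicated test at exactly 1.23.0 asserting `PreferDualStack`. The file also ends without a trailing newline (`\ No newline at end of file`); add one so future appends diff cleanly.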
@@ -109,3 +109,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/PSP-Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-psp-rolebinding.bats b/test/unit/server-psp-rolebinding.bats index 4171219f6..4a4bae385 100644 --- a/test/unit/server-psp-rolebinding.bats +++ b/test/unit/server-psp-rolebinding.bats @@ -109,3 +109,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/PSP-RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index 51b1a3021..a1716fbed 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats 
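Review bot: The new `server/PSP-RoleBinding: namespace` test only checks `.metadata.namespace`, but a RoleBinding grants nothing unless `subjects[].namespace` names the namespace where the server ServiceAccount actually lives. If the template derives the subject namespace from the same `global.namespace` value (not visible in this hunk), assert it alongside, e.g. `yq -r '.subjects[0].namespace'` expecting `bar`; otherwise a `global.namespace` override could render a binding in `bar` whose subject still points elsewhere and silently grant no PSP access. Both this file and `server-psp-role.bats` also end without a trailing newline.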
@@ -24,6 +24,27 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/route: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/route: OpenShift - checking host entry gets added and path is /" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 70a544598..040e9fadf 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats @@ -113,6 +113,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/Service: disable with injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ 
@@ -448,3 +467,45 @@ load _helpers yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) [ "${actual}" = "null" ] } + +@test "server/Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] +} + +@test "server/Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} + +@test "server/Service: Assert ipFamilyPolicy is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/Service: Assert ipFamilies is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --kube-version 1.22.0 \ + --set 'server.service.ipFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilies' | tee /dev/stderr) + [ "${actual}" = "null" ] +} \ No newline at end of file diff --git a/test/unit/server-serviceaccount-secret.bats b/test/unit/server-serviceaccount-secret.bats new file mode 100644 index 000000000..2cfe33395 --- /dev/null +++ b/test/unit/server-serviceaccount-secret.bats 
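Review bot: As in the headless-service tests, the `below 1.23` cases here pin only `--kube-version 1.22.0` and the positive `ipFamilyPolicy set` / `ipFamilies set` cases run on helm's default version, so the exact 1.23.0 boundary of the template's gate is never exercised. Add `--kube-version 1.23.0` to the positive assertions so a `>` vs `>=` mistake in the template is caught. The file is also left without a trailing newline.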
@@ -0,0 +1,77 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/ServiceAccountSecret: verify service account name match" { + cd `chart_dir` + + local actual=$( (helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.create=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.name=user-defined-ksa' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "user-defined-ksa-token" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-token" ] + +} + +@test "server/ServiceAccountSecret: annotation mapping to service account" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.name=user-defined-ksa' \ + --set 'server.serviceAccount.createSecret=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) + [ "${actual}" = "user-defined-ksa" ] + + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.serviceAccount.createSecret=true' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) + [ "${actual}" = "release-name-vault" ] + +} + +@test "server/ServiceAccountSecret: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'server.serviceAccount.createSecret=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-serviceaccount-secret.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'server.serviceAccount.createSecret=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 2c826032e..9a688a9ea 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -30,6 +30,25 @@ load _helpers } +@test "server/ServiceAccount: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.create=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ServiceAccount: specify annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 67cde811b..de3ee2bdd 100755 --- a/test/unit/server-statefulset.bats 
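Review bot: None of the new tests asserts `.type`, yet the token controller only populates a Secret that carries `type: kubernetes.io/service-account-token`; the name and annotation checks would pass equally against a plain `Opaque` Secret that never receives a token. Add `yq -r '.type'` expecting `kubernetes.io/service-account-token` to `verify service account name match`. The values.yaml comment for `createSecret` says `serviceAccount.create` must be true, but the only negative case here sets `create=false` without `createSecret=true`; add `--set 'server.serviceAccount.create=false' --set 'server.serviceAccount.createSecret=true'` and assert nothing renders, so that guard is actually exercised rather than assumed.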
+++ b/test/unit/server-statefulset.bats @@ -78,6 +78,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/standalone-StatefulSet: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" { cd `chart_dir` local actual=$(helm template \ @@ -1807,6 +1826,28 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# hostAliases + +@test "server/StatefulSet: server.hostAliases not set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostAliases' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/StatefulSet: server.hostAliases is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.hostAliases[0]=foo' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostAliases[]' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} + #-------------------------------------------------------------------- # extraPorts diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index de82f84c3..314703a5d 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats 
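Review bot: `server/StatefulSet: server.hostAliases is set` passes a bare scalar (`--set 'server.hostAliases[0]=foo'`) and reads it back with `.spec.template.spec.hostAliases[]`, which proves only that the value is passed through, not that the documented `{ip, hostnames}` structure survives rendering and indentation. Use the shape a user would supply: `--set 'server.hostAliases[0].ip=127.0.0.1' --set 'server.hostAliases[0].hostnames[0]=chart-example.local'` and assert `yq -r '.spec.template.spec.hostAliases[0].hostnames[0]'` equals `chart-example.local`. The enclosing test file continues outside this hunk.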
@@ -37,6 +37,33 @@ load _helpers #-------------------------------------------------------------------- +@test "server/standalone-server-test-Pod: default metadata.name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-server-test" ] +} + +@test "server/standalone-server-test-Pod: release metadata.name vault" { + cd `chart_dir` + local actual=$(helm template vault \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "vault-server-test" ] +} + +@test "server/standalone-server-test-Pod: release metadata.name foo" { + cd `chart_dir` + local actual=$(helm template foo \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "foo-vault-server-test" ] +} + @test "server/standalone-server-test-Pod: default server.standalone.enabled" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 384098f89..dce0e5e7c 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats 
@@ -383,5 +383,50 @@ load _helpers . | tee /dev/stderr | yq '.spec.externalTrafficPolicy' | tee /dev/stderr) [ "${actual}" = "null" ] +} + +@test "ui/Service: Assert ipFamilies set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq '.spec.ipFamilies' -c | tee /dev/stderr) + [ "${actual}" = '["IPv4","IPv6"]' ] +} + +@test "ui/Service: Assert ipFamilyPolicy set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "PreferDualStack" ] +} +@test "server/Service: Assert ipFamilyPolicy is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --kube-version 1.22.0 \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilyPolicy=PreferDualStack' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) + [ "${actual}" = "null" ] } + +@test "server/Service: Assert ipFamilies is not set if version below 1.23" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --kube-version 1.22.0 \ + --set 'ui.enabled=true' \ + --set 'ui.serviceIPFamilies={IPv4,IPv6}' \ + . | tee /dev/stderr | + yq -r '.spec.ipFamilies' | tee /dev/stderr) + [ "${actual}" = "null" ] +} \ No newline at end of file diff --git a/values.openshift.yaml b/values.openshift.yaml index da71dcfb9..6e575e4d4 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -13,9 +13,9 @@ injector: agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.13.1-ubi" + tag: "1.14.0-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.13.1-ubi" + tag: "1.14.0-ubi" 
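Review bot: The two `below 1.23` tests appended to `ui-service.bats` are named `server/Service: …`, duplicating names used in `server-service.bats`, so a failure would point at the wrong service and the bats output would show two tests with identical titles. Rename them `ui/Service: Assert ipFamilyPolicy is not set if version below 1.23` and `ui/Service: Assert ipFamilies is not set if version below 1.23`. There is also no blank line between the closing `}` of `ui/Service: Assert ipFamilyPolicy set` and the next `@test`, and the file ends without a trailing newline.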
diff --git a/values.schema.json b/values.schema.json index 3e04b205c..6a8b350ce 100644 --- a/values.schema.json +++ b/values.schema.json @@ -136,6 +136,13 @@ "pod": { "type": "object", "properties": { + "affinity": { + "type": [ + "null", + "object", + "string" + ] + }, "annotations": { "type": [ "object", @@ -145,6 +152,13 @@ "extraLabels": { "type": "object" }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, "tolerations": { "type": [ "null", @@ -214,6 +228,9 @@ "enabled": { "type": "boolean" }, + "namespace": { + "type": "string" + }, "externalVaultAddr": { "type": "string" }, @@ -723,6 +740,9 @@ } } }, + "hostAliases": { + "type": "array" + }, "image": { "type": "object", "properties": { @@ -962,6 +982,14 @@ }, "standbyNodePort": { "type": "integer" + }, + "ipFamilyPolicy": { + "type": "string" + }, + "ipFamilies": { + "type": [ + "array" + ] } } }, @@ -980,6 +1008,9 @@ "extraLabels": { "type": "object" }, + "createSecret": { + "type": "boolean" + }, "name": { "type": "string" }, @@ -1135,6 +1166,16 @@ }, "targetPort": { "type": "integer" + }, + "serviceIPFamilyPolicy": { + "type": [ + "string" + ] + }, + "serviceIPFamilies": { + "type": [ + "array" + ] } } } diff --git a/values.yaml b/values.yaml index a89332586..9c0dcb31f 100644 --- a/values.yaml +++ b/values.yaml @@ -8,6 +8,9 @@ global: # will enable or disable all the components within this chart by default. enabled: true + # The namespace to deploy to. Defaults to the `helm` installation namespace. + namespace: "" + # Image pull secret to use for registry authentication. # Alternatively, the value may be specified as an array of strings. imagePullSecrets: [] @@ -73,7 +76,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.13.1" + tag: "1.14.0" # The default values for the injected Vault Agent containers. agentDefaults: 
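Review bot: In the `server.service` hunk, `ipFamilyPolicy` is typed as a bare `string` and `ipFamilies` as an untyped `array`, so the schema accepts values the values.yaml comment says are not valid (e.g. `PreferDualstack` with wrong case, or `ipv6`), and such typos only fail at the API server instead of at `helm install`. Tighten both: `"ipFamilyPolicy": {"type": "string", "enum": ["", "SingleStack", "PreferDualStack", "RequireDualStack"]}` and `"ipFamilies": {"type": "array", "items": {"type": "string", "enum": ["IPv4", "IPv6"]}}`. The same applies to `ui.serviceIPFamilyPolicy` and `ui.serviceIPFamilies` in the last hunk of this file.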
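Review bot: The comment on the new `global.namespace` key says only that it defaults to the installation namespace, but the unit tests in this change show it wins over `--namespace`, and Helm still keeps the release record in the `--namespace` namespace. That split matters operationally and for least privilege: the installing identity needs RBAC in both namespaces, and `helm uninstall` must be run against the release namespace, not the one the resources live in. Suggested comment: `# When set, chart resources are rendered into this namespace instead of the Helm release namespace; the installer needs permissions in both, and Helm release metadata stays in the release namespace.`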
@@ -374,7 +377,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.13.1" + tag: "1.14.0" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -442,6 +445,12 @@ server: # hosts: # - chart-example.local + # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list. + hostAliases: [] + # - ip: 127.0.0.1 + # hostnames: + # - chart-example.local + # OpenShift only - create a route to expose the service # By default the created route will be of type passthrough route: @@ -462,7 +471,7 @@ server: # authDelegator enables a cluster role binding to be attached to the service # account. This cluster role binding can be used to setup Kubernetes auth - # method. https://www.vaultproject.io/docs/auth/kubernetes.html + # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes authDelegator: enabled: true 
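Review bot: The `hostAliases` comment in the `@@ -442` hunk describes the shape but not the effect: entries are written to the Vault pods' `/etc/hosts` and take precedence over cluster DNS for the listed names, so an alias for a storage backend, auto-unseal endpoint or peer hostname redirects that traffic to the given IP. A one-line caveat would help reviewers of values files: `# Entries override DNS resolution for the listed hostnames inside the Vault pods; review them as you would a network policy.`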
@@ -683,7 +692,24 @@ server: # or NodePort. #type: ClusterIP - # Do not wait for pods to be ready + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family policy, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + ipFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. + # Can be IPv4 and/or IPv6. + ipFamilies: [] + + # Do not wait for pods to be ready before including them in the services' + # targets. Does not apply to the headless service, which is used for + # cluster-internal communication. publishNotReadyAddresses: true # The externalTrafficPolicy can be set to either Cluster or Local @@ -717,7 +743,7 @@ server: # This configures the Vault Statefulset to create a PVC for data # storage when using the file or raft backend storage engines. - # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more + # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more dataStorage: enabled: true # Size of the PVC created @@ -736,7 +762,7 @@ server: # logs. Once Vault is deployed, initialized, and unsealed, Vault must # be configured to use this for audit logs. This will be mounted to # /vault/audit - # See https://www.vaultproject.io/docs/audit/index.html to know more + # See https://developer.hashicorp.com/vault/docs/audit to know more auditStorage: enabled: false # Size of the PVC created 
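Review bot: In the new `ipFamilyPolicy` comment, `can be either:` introduces three options; write `can be one of:`. The comment also says the settings are `only supported for kubernetes versions >=1.23.0` without saying what the chart does otherwise — the unit tests in this change assert the fields are omitted below 1.23 — so state that explicitly: `# On clusters older than 1.23 the chart omits these fields and the CNI default applies.` The same wording fix applies to the `ui.serviceIPFamilyPolicy` comment later in this file.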
@@ -755,7 +781,7 @@ server: # and no initialization. This is useful for experimenting with Vault without # needing to unseal, store keys, et. al. All data is lost on restart - do not # use dev mode for anything other than experimenting. - # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more + # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more dev: enabled: false @@ -777,7 +803,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true @@ -820,12 +846,12 @@ server: replicas: 3 # Set the api_addr configuration for Vault HA - # See https://www.vaultproject.io/docs/configuration#api_addr + # See https://developer.hashicorp.com/vault/docs/configuration#api_addr # If set to null, this will be set to the Pod IP Address apiAddr: null # Set the cluster_addr confuguration for Vault HA - # See https://www.vaultproject.io/docs/configuration#cluster_addr + # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 clusterAddr: null @@ -843,7 +869,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true 
@@ -870,7 +896,7 @@ server: # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true @@ -922,6 +948,12 @@ server: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" + # Create a Secret API object to store a non-expiring token for the service account. + # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default. + # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible. + # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets + # serviceAccount.create must be equal to 'true' in order to use this feature. + createSecret: false # Extra annotations for the serviceAccount definition. This can either be # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. 
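Review bot: The `createSecret` comment in the `@@ -922` hunk should spell out the blast radius rather than only noting Kubernetes' preference for short-lived tokens: the Secret holds a non-expiring credential with every permission the server ServiceAccount has — which, with `authDelegator.enabled: true` (the default elsewhere in this file), includes whatever the auth-delegator cluster role binding grants — and anyone able to `get secrets` in the namespace obtains it. Rotation is not automatic; the Secret has to be deleted and recreated (e.g. via `helm upgrade`) for a new token to be issued. Suggested addition: `# The token never expires and carries the full permissions of the server ServiceAccount; restrict read access to Secrets in this namespace and rotate by recreating the Secret.`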
@@ -978,6 +1010,21 @@ ui: externalPort: 8200 targetPort: 8200 + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + serviceIPFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well + # Can be IPv4 and/or IPv6. + serviceIPFamilies: [] + # The externalTrafficPolicy can be set to either Cluster or Local # and is only valid for LoadBalancer and NodePort service types. # The default value is Cluster. @@ -1009,7 +1056,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.3.0" + tag: "1.4.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered @@ -1073,6 +1120,17 @@ csi: # in a PodSpec. tolerations: [] + # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Affinity Settings + # This should be either a multi-line string or YAML matching the PodSpec's affinity field. + affinity: {} + # Extra labels to attach to the vault-csi-provider pod # This should be a YAML map of the labels to apply to the csi provider pod extraLabels: {} 
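Review bot: The `csi.pod.nodeSelector` example in the `@@ -1073` hunk uses `beta.kubernetes.io/arch`, a label that has been deprecated in favor of the GA `kubernetes.io/arch` for several releases and may be absent on the newer kind versions this change adds to the matrix; copy-pasting the example would then schedule nothing. Change the example to `kubernetes.io/arch: amd64`.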
@@ -1083,7 +1141,7 @@ csi: image: repository: "hashicorp/vault" - tag: "1.13.1" + tag: "1.14.0" pullPolicy: IfNotPresent logFormat: standard @@ -1140,7 +1198,7 @@ csi: debug: false # Pass arbitrary additional arguments to vault-csi-provider. - # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments + # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments # for the available command line flags. extraArgs: [] @@ -1149,8 +1207,8 @@ csi: # the Vault configuration. There are a few examples included in the `config` sections above. # # For more information see: -# https://www.vaultproject.io/docs/configuration/telemetry -# https://www.vaultproject.io/docs/internals/telemetry +# https://developer.hashicorp.com/vault/docs/configuration/telemetry +# https://developer.hashicorp.com/vault/docs/internals/telemetry serverTelemetry: # Enable support for the Prometheus Operator. Currently, this chart does not support # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included