hashicorp · xiaocongji · Apr 2, 2020 · Apr 10, 2020 · May 19, 2021 · May 26, 2021
@@ -1,3 +1,8 @@
+# MaaS Vault
+
+This is a forked version of HashiCorp's Vault Helm Chart. It is forked for business continuity (should the original be deleted) and to adhere to the MPL-2.0 license of public disclosure of source changes.
+This repository is used as a submodule in other repositories that install and setup Vault.
+
 # Vault Helm Chart
 
 > :warning: **Please note**: We take Vault's security and our users' trust very seriously. If 
@@ -37,7 +42,17 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
 $ helm install vault hashicorp/vault
 ```
 
-Please see the many options supported in the `values.yaml` file. These are also
-fully documented directly on the [Vault
-website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more
-detailed installation instructions.
+Please see the many options supported in the `values.yaml`
+file. These are also fully documented directly on the
+[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html).
+
+
+## Customizations
+
+This Helm chart has been customized in the following ways:
+
+### Support LoadBalancerIP Field
+
+The Service spec in the **server-service.yaml** file now allows setting a
+specific IP address when the Service type is set to `LoadBalancer` and a
+**maas.lbAddress** value has been provided.
@@ -126,6 +126,8 @@ template logic.
     {{- $_ := set . "mode" "external" -}}
   {{- else if not .serverEnabled -}}
     {{- $_ := set . "mode" "external" -}}
+  {{- else if not .serverEnabled -}}
+    {{- $_ := set . "mode" "external" -}}
   {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
     {{- $_ := set . "mode" "dev" -}}
   {{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
@@ -161,6 +163,14 @@ extra volumes the user may have specified (such as a secret with TLS).
           configMap:
             name: {{ template "vault.fullname" . }}-config
   {{ end }}
+  {{- if .Values.server.logrotate.enabled }}
+        - name: {{ template "vault.fullname" . }}-logrotate-config
+          configMap:
+            name: {{ template "vault.fullname" . }}-logrotate-configmap
+        - name: {{ template "vault.fullname" . }}-datadog-config
+          configMap:
+            name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap
+  {{- end}}
   {{- range .Values.server.extraVolumes }}
         - name: userconfig-{{ .name }}
           {{ .type }}:

@@ -0,0 +1,10 @@
+{{- if .Values.server.logrotate.enabled}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "vault.fullname" . }}-datadog-sidecar-configmap
+  namespace: {{ .Release.Namespace }}
+data:
+  conf.yaml: |-
+{{ .Values.server.logrotate.datadogsidecar.config | indent 6 }}
+{{ end }}
@@ -140,17 +140,11 @@ spec:
             periodSeconds: 2
             successThreshold: 1
             timeoutSeconds: 5
-{{- if .Values.injector.certs.secretName }}
-          volumeMounts:
-            - name: webhook-certs
-              mountPath: /etc/webhook/certs
-              readOnly: true
-{{- end }}
 {{- if .Values.injector.certs.secretName }}
       volumes:
         - name: webhook-certs
           secret:
             secretName: "{{ .Values.injector.certs.secretName }}"
 {{- end }}
       {{- include "imagePullSecrets" . | nindent 6 }}
-{{ end }}
+{{ end }}
@@ -0,0 +1,10 @@
+{{- if .Values.server.logrotate.enabled}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "vault.fullname" . }}-logrotate-configmap
+  namespace: {{ .Release.Namespace }}
+data:
+  logrotate.conf: |-
+{{ .Values.server.logrotate.config.logRotateConf | indent 6 }}
+{{ end }}
@@ -21,4 +21,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "vault.serviceAccount.name" . }}
   namespace: {{ .Release.Namespace }}
-{{ end }}
+{{ end }}
@@ -23,6 +23,9 @@ spec:
   clusterIP: {{ .Values.server.service.clusterIP }}
   {{- end }}
   {{- include "service.externalTrafficPolicy" .Values.server.service }}
+  {{- if and (.Values.maas.lbAddress) (eq (.Values.server.service.type | toString) "LoadBalancer") }}
+  loadBalancerIP: {{ .Values.maas.lbAddress }}
+  {{- end }}
   # We want the servers to become available even if they're not ready
   # since this DNS is also used for join operations.
   publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}

@@ -2,15 +2,23 @@
 
 load _helpers
 
+check_skip_csi() {
+  if [ ! -z ${SKIP_CSI} ]; then
+    skip "Skipping CSI tests"
+  fi
+}
+
 @test "csi: testing deployment" {
-  cd `chart_dir`
+  check_skip_csi
 
+  cd `chart_dir`
   kubectl delete namespace acceptance --ignore-not-found=true
   kubectl create namespace acceptance
 
   # Install Secrets Store CSI driver
   CSI_DRIVER_VERSION=1.0.0
-  helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
+  helm install secrets-store-csi-driver secrets-store-csi-driver --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
+    --version="${CSI_DRIVER_VERSION}"
     --wait --timeout=5m \
     --namespace=acceptance \
     --set linux.image.pullPolicy="IfNotPresent" \
@@ -50,6 +58,8 @@ load _helpers
 
 # Clean up
 teardown() {
+  check_skip_csi
+
   if [[ ${CLEANUP:-true} == "true" ]]
   then
       echo "helm/pvc teardown"

@@ -53,6 +53,29 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
+# priorityClassName
+
+@test "csi/daemonset: priorityClassName not set by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/csi-daemonset.yaml  \
+      --set "csi.enabled=true" \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "csi/daemonset: priorityClassName can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/csi-daemonset.yaml  \
+      --set 'csi.priorityClassName=armaggeddon' \
+      --set "csi.enabled=true" \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
 # serviceAccountName reference name
 @test "csi/daemonset: serviceAccountName reference name" {
   cd `chart_dir`

@@ -913,7 +913,6 @@ EOF
       yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr)
   [ "${value}" = "false" ]
 }
-
 @test "injector/deployment: agent default template_config.static_secret_render_interval" {
   cd `chart_dir`
   local object=$(helm template \

@@ -51,4 +51,4 @@ load _helpers
       . | tee /dev/stderr |
       yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
   [ "${actual}" = "true" ]
-}
+}
@@ -120,4 +120,4 @@ load _helpers
       . | tee /dev/stderr |
       yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
   [ "${actual}" = "true" ]
-}
+}
@@ -179,3 +179,41 @@ load _helpers
       yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr)
   [ "${actual}" = "Redirect" ]
 }
+
+@test "server/route: OpenShift - route termination mode set to default passthrough" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.tls.termination' | tee /dev/stderr)
+  [ "${actual}" = "passthrough" ]
+}
+
+@test "server/route: OpenShift - route termination mode set to edge" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set 'server.route.tls.termination=edge' \
+      . | tee /dev/stderr |
+      yq -r '.spec.tls.termination' | tee /dev/stderr)
+  [ "${actual}" = "edge" ]
+}
+
+@test "server/route: OpenShift - route custom tls entry" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \
+      . | tee /dev/stderr |
+      yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr)
+  [ "${actual}" = "Redirect" ]
+}
@@ -1783,4 +1783,4 @@ load _helpers
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
-}
+}
@@ -53,6 +53,9 @@
                         }
                     }
                 },
+                "priorityClassName": {
+                    "type": "string"
+                },
                 "debug": {
                     "type": "boolean"
                 },
@@ -364,6 +367,9 @@
                 "podDisruptionBudget": {
                     "type": "object"
                 },
+                "podDisruptionBudget": {
+                    "type": "object"
+                },
                 "port": {
                     "type": "integer"
                 },
@@ -860,6 +866,9 @@
                         "enabled": {
                             "type": "boolean"
                         },
+                        "publishNotReadyAddresses": {
+                            "type": "boolean"
+                        },
                         "externalTrafficPolicy": {
                             "type": "string"
                         },

@@ -125,7 +125,6 @@ injector:
     # for more details.
     #
     timeoutSeconds: 30
-
     # namespaceSelector is the selector for restricting the webhook to only
     # specific namespaces.
     # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@@ -184,6 +183,17 @@ injector:
   #      vault-sidecar-injector: enabled
   objectSelector: {}
 
+  # Deprecated: please use 'webhook.objectSelector' instead
+  # objectSelector is the selector for restricting the webhook to only
+  # specific labels.
+  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
+  # for more details.
+  # Example:
+  # objectSelector:
+  #    matchLabels:
+  #      vault-sidecar-injector: enabled
+  objectSelector: {}
+
   # Deprecated: please use 'webhook.annotations' instead
   # Extra annotations to attach to the webhook
   webhookAnnotations: {}
@@ -356,7 +366,6 @@ server:
   #   limits:
   #     memory: 256Mi
   #     cpu: 250m
-
   # Ingress allows ingress services to be created to allow external access
   # from Kubernetes to access Vault pods.
   # If deployment is on OpenShift, the following block is ignored.
@@ -604,8 +613,8 @@ server:
     # load balancer.
     # clusterIP: None
 
-    # Configures the service type for the main Vault service.  Can be ClusterIP
-    # or NodePort.
+    # Configures the service type for the main Vault service.  Can be ClusterIP,
+    # NodePort, or LoadBalancer.
     #type: ClusterIP
 
     # Do not wait for pods to be ready
@@ -851,13 +860,17 @@ server:
     # YAML or a YAML-formatted multi-line templated string map of the
     # annotations to apply to the serviceAccount.
     annotations: {}
+  # A boolean flag to setup logrotate as a side car continer
+  logrotate: null
 
   # Settings for the statefulSet used to run Vault.
   statefulSet:
     # Extra annotations for the statefulSet. This can either be YAML or a
     # YAML-formatted multi-line templated string map of the annotations to apply
     # to the statefulSet.
     annotations: {}
+  # A boolean flag to setup logrotate as a side car continer
+  logrotate: null
 
     # Set the pod and container security contexts.
     # If not set, these will default to, and for *not* OpenShift:
@@ -989,7 +1002,6 @@ csi:
     extraLabels: {}
 
 
-
   # Priority class for csi pods
   priorityClassName: ""