From da146703f68166953212fa97edce25dd39142684 Mon Sep 17 00:00:00 2001
From: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com>
Date: Thu, 17 Aug 2023 15:28:39 -0400
Subject: [PATCH] DATAGO-59809: Upgrade vault to 1.12.1 (#20)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* add staticSecretRenderInterval to injector (#621)
* make staticSecretRenderInterval default to empty string
* update values schema to add staticSecretRenderInterval
* add test for default value
* adding changelog entry
Co-authored-by: Theron Voran
* Update jira action (#644)
* No longer check for Vault team membership
* Tweak jira states and search parameters
* remove support for the leader-elector container (#649)
* vault-helm 0.18.0 release (#650)
* Run CI tests in github workflows (#657)
Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch.
Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16.
Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21.
Updates the Secrets Store CSI driver to 1.0.0 in tests.
Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point).
Co-authored-by: Tom Proctor
* Configurable PodDisruptionBudget for Injector (#653)
* Fix spelling error in server disruptionbudget test (#654)
* Make terminationGracePeriodSeconds configurable (#659)
Make terminationGracePeriodSeconds configurable for server pod
* injector: ability to set deployment update strategy (continued) (#661)
Co-authored-by: Jason Hancock
* csi: ability to set priorityClassName for csi daemonset pods (#670)
* Fixed a small typo (#672)
* Disable unit and acceptance tests in CircleCI (#675)
* update CONTRIBUTING.md (#677)
Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA.
* add namespace support for openshift route (#679)
* Add volumes and env vars to helm hook test pod (#673)
* Fix test typo
* Add basic server-test Pod tests
- This covers all existing functionality that matches what's present in server-statefulset.bats
* Fix server-test helm hook Pod rendering
- Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves
* Add volumes and env vars to helm hook test pod
- Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook
- This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI
- Fixes GH-665
* allow injection of TLS config for OpenShift routes (#686)
* Add some tests on top of #396
* convert server-route.yaml to unix newlines
* changelog
Co-authored-by: André Becker
Co-authored-by: Theron Voran
* Release 0.19.0 (#687)
* Add extraLabels for CSI DaemonSet (#690)
* Updated hashicorp/vault-csi-provider image to v1.0.0 (#689)
* Fix unit test assertions (#693)
* vault: bump image to 1.9.3 (#695)
Signed-off-by: Lionel H
* changelog++ (#699)
* change helm trigger branch from master to main (#700)
* Add namespace to injector-leader-elector role, rolebinding and secret (#683)
* allow to configure publishNotReadyAddresses on server services (#694)
* Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692)
* Prepare default values for MutatingWebhookConfiguration #691
* Add values.yaml values to injector-mutating-webhook.yaml #691
* Duplicate and deprecate top-level webhook settings and put them in a webhook object
* Made the new values default with the fallback to the old values.yaml
* Fix _helpers.tpl to support both old and new webhook annotations
* Add new tests and deprecate old ones for injector webhook configuration
* Old tests now work with old values.yaml
* Add all new fields showing that they have priority over old ones
* Add deprecation note to injector.failurePolicy #691
* VAULT-571 Matching documented behavior and consul (#703)
VAULT-571 Matching documented behavior and consul
Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart:
> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.
(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)
We also simplified the chart logic using a few template helpers.
Co-authored-by: Theron Voran
* Update k8s versions (#706)
* tests: updating the four most recent k8s versions
* bump oldest version to 1.16
* docs, Chart.yaml, and changelog for 1.14 -> 1.16
* Fix values schema to support config in YAML (#684)
* Support policy/v1 disruptionbudget beyond kube 1.21 (#710)
Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21
* Remove unnecessary template calls (#712)
- As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode)
Various templates were updated accordingly, but those that were already calling vault.mode had an additional call to vault.serverEnabled made which was unnecessary
Remove those
* Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709)
* Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it
* Issue-#629 removing extra whitespace I added accidentally.
* Issue-#629 fixing extra whitespace added.
* Update values.yaml
Co-authored-by: Joaco Muleiro Beltran
* Issue #629 adding changelog
Co-authored-by: Joaco Muleiro Beltran
* VAULT-5838 Update CSI provider to 1.1.0 (#721)
* VAULT-5838 Update CSI provider to 1.1.0
* Update test/acceptance/csi.bats
Co-authored-by: Theron Voran
Co-authored-by: Theron Voran
* VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722)
1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade
* Implement support for Topology Spread Constraints (#652)
* Implemented support for topology spread constraints
* Update values.yaml
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* Update values.yaml
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* Add topologySpreadConstraints to values schema
* Implement injector deployment topology spread UTs
* also remove string from the relevant schema types
* Implement injector statefulset topology spread UTs
* Implement injector HA statefulset topology UTs
* Allow topologySpreadConstraints to be a string
Co-authored-by: Ellis Tarn
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Christopher Swenson
* Update the changelog with changes from 614 and 652 (#723)
* Update the changelog with changes from 614 and 652
* Update CHANGELOG.md
Co-authored-by: Theron Voran
Co-authored-by: Theron Voran
* Prepare v0.20.0 release (#727)
* Fix CSI acceptance tests (#728)
* Update minimum required helm version in readme (#730)
Co-authored-by: Tom Proctor
* Restore missing 'vault' service account (#737)
Our tutorials rely on this service account being present even if we are using an external Vault. The `values.yaml` also states that external Vaults are expected to use this service account.
For example, https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault
* Set default object selector for webhooks to exclude injector itself (#736)
Set default object selector for webhooks to exclude injector itself
If `injector.failurePolicy` is set to `Fail`, there is a race condition where if the mutating webhook config is set up before the injector, then the injector can fail to start because it tries to inject itself. We can work around this by ignoring the injector pod in the webhook by default.
Thanks to @joeyslalom for the object selector to exclude the pod.
Fixes https://github.com/hashicorp/vault-k8s/issues/258
* Prepare for release 0.20.1 (#739)
Prepare for release 0.20.1
Improvements:
* `vault-k8s` updated to 0.16.1
CHANGES:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
Co-authored-by: Theron Voran
* Mention minimum helm version in changelog (#742)
Also add a features section to 0.20.0
* Start testing against Kubernetes 1.24 (#744)
Start testing against Kubernetes 1.24
Update .github/workflows/acceptance.yaml
Remove skip csi
Co-authored-by: Theron Voran
* Update .helmignore (#732)
Review .helmignore file, ignore CI in chart
* Set VAULT_ADDR env var for CSI Provider pods (#745)
* Support to add annotations in injector serviceaccount (#753)
* changelog++ (#757)
* jira-sync: transition to "Closed" not "Close" (#758)
* Add support for nodePort for active and standby services (#610)
* Feat/adding pod and container security context (#750)
Allow the injector's pod- and container-level securityContext to be fully specified by the user, via new options `injector.securityContext.pod` and `injector.securityContext.container` with more complete defaults. Deprecates `injector.uid` and `injector.gid`. If `injector.uid` or `injector.gid` are set by the user, the old pod securityContext settings will be used. Otherwise the new defaults and settings are used.
Co-authored-by: Theron Voran
* Changelog and schema update for active/standby node port (#761)
* Changelog and schema update for active/standby node port
Follow-up to https://github.com/hashicorp/vault-helm/pull/610
* changelog++ and json schema update (#762)
Changelog updates for #750, and json schema update.
* Update jira sync (#768)
* csi/server.statefulset: custom security context (#767)
csi/server.statefulset: custom security context
This adds flexibility to have custom pod template and container `securityContext` and preserves current default values and behavior.
Fixes https://github.com/hashicorp/vault-helm/issues/663.
This also is a way to address https://github.com/hashicorp/vault-helm/pull/599 so that people can specify, for example, the CSI to run in a privileged container for OpenShift.
This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750 and builds on the same principles.
Side note: I am not able to run `helm schema-gen` since it is unmaintained and does not work with M1 Macs.
* Prepare for 0.21.0 release (#771)
Prepare for 0.21.0 release
CHANGES:
* `vault-k8s` updated to 0.17.0. (this)
* `vault-csi-provider` updated to 1.2.0 (this)
* `vault` updated to 1.11.2 (this)
* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
Features:
* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610)
* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753)
* DOC: Minor typos fixes (#669)
Co-authored-by: Tom Proctor
* update values comments for server.securityContext (#778)
Since container is empty for openshift.
* CI: run acceptance tests on push to any (#781)
* Add support for the Prometheus Operator (#772)
support collecting Vault server metrics by deploying PrometheusOperator CustomResources.
Co-authored-by: Sam Weston
Co-authored-by: Theron Voran
* Update vault-k8s to 1.0.0 (#784)
Update vault-k8s to 1.0.0
Also update Kubernetes versions tested against, including adding 1.25
Update consul in tests for Kubernetes 1.25 support
* Prepare for 0.22.0 release (#785)
Prepare for 0.21.1 release
* Update Vault to 1.11.3
* Add server.hostNetwork option (#775)
* [COMPLIANCE] Add MPL 2.0 LICENSE (#800)
Co-authored-by: hashicorp-copywrite[bot]
* Prepare to release to 0.22.1 (#803)
* Prepare to release to 0.22.1
* Revert chart verifier update for now
* Remove unused jobs from CircleCI config
* Fix CircleCI config (#804)
* Fix CircleCI config
* Add manual trigger option
* Add extraLabels for Vault server serviceAccount (#806)
* Quote `.server.ha.clusterAddr` value (#810)
* Support selectively disabling active/standby services and service discovery role (#811)
* server: Allow disabling the instance selector for services (#813)
* Prepare for 0.23.0 release (#814)
* Explain this fork in the README
* Adding support for LoadBalancerIP field in ServiceSpec
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datadog
* Fixing minor typos and removing extra lines
* Explain this fork in the README
* Adding support for LoadBalancerIP field in ServiceSpec
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datadog
* Fixing minor typos and removing extra lines
* feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)
* Add objectSelector to webhookconfiguration (#456)
* changelog++
* Add CSI secrets store provider (#461)
* updating acceptance tests to k8s 1.17 on gke (#473)
* changelog++
* Target vault-csi-provider release 0.1.0 (#475)
* Update to 0.10.0 (#477)
* Update to v0.10.0
* Fix typo
* Add csi link in changelog
* Add volumes and mounts support for CSI (#479)
* Remove extraVolumes from CSI, add volumes and mounts
* Add better example
* changelog++
* Remove extra word in readme (#482)
* fix csi helm deployment (#486)
* fix serviceaccount and clusterrole name reference (full name)
* add server.enabled option, align with documentation
* add unit tests
* update server.enabled behaviour to explicit true and update tests
* changelog++
* add hostNetwork value to injector deployment (#471)
* add hostNetwork value to injector deployment
* adding unit tests
* changelog++
* feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460)
Refs #361
* changelog++
* Add logLevel and logFormat values for Vault (#488)
* Add logLevel and logFormat values for Vault
* Add configurable tests
* Update order of log levels
* Update values.yaml
* Update per review
* Update test/unit/server-statefulset.bats
Co-authored-by: Tom Proctor
* Update test/unit/server-statefulset.bats
Co-authored-by: Tom Proctor
Co-authored-by: Tom Proctor
* changelog++
* Custom value of agent port (#489)
* configure the agent port
* add unit test
* remove default
* remove default
* Update values.yaml
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* changelog++
* Add injector agent default overrides (#493)
* Add injector agent default overrides
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran
Co-authored-by: Theron Voran
* changelog++
* [injector] Add port name in injector service (#495)
* [injector] Add port name in injector service
* [injector] Hardcode port to https
* changelog++
* Fix injector unit test failing (#496)
* Fix injector unit test failing
* Add null check
* Add default if unset for CI
* Remove redundant logic (#434)
* Update to v0.11.0 (#497)
* Add container based tests documentation (#492)
* update documentation with running unit tests using container
* promote bats version to 1.3.0
* Update CONTRIBUTING.md
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update CONTRIBUTING.md
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Set kubeVersion and added chart-verifier tests (#510)
Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped.
* changelog++
* match kubeVersion on semver pre-releases (#512)
Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700)
* Add ImagePullSecrets to CSI daemonset (#519)
* changelog++
* changelog++
* fix CONTRIBUTING.md (#501)
* updating to use new dedicated context and token (#515)
* added values json schema (#513)
Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test.
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* changelog++
* [Issue-520] tolerations for csi-daemonset (#521)
Co-authored-by: Theron Voran
* changelog++
* Add extraArgs value for CSI (#526)
* changelog++
* add schema unit tests (#530)
* Add UI targetPort option (#437)
Use custom `targetPort` for UI service. See the use case in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213
* changelog++
* Update to v0.12.0 (#532)
* Update to v0.12.0
* Update values.schema.json
* Fix schema types
* revert image repo
* Adding helm test for vault server (#531)
Also adds acceptance test for 'helm test' and updates the chart-verifier version.
* changelog++
* fix ui.serviceNodePort schema (#537)
UI service nodePort defaults to null, but is set as an integer
* changelog++
* change maxUnavailable to integer (#535)
change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable.
* Also allow null value
Co-authored-by: Theron Voran
* add test for server.ha.disruptionBudget.maxUnavailable
Co-authored-by: Theron Voran
* changelog++
* use vault-helm-test:0.2.0 (#543)
* Added webhook-certs volume mount to sidecar injector (#545)
* Removed webhook-certs volume mount from leader-elector container
* Added test: injector deployment manual TLS adds volume mount
* changelog++
* Adding server.enterpriseLicense (#547)
Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately.
* changelog++
* Add openshift overrides (#549)
Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests.
* changelog++
* Update to v0.13.0 (#554)
* Explain this fork in the README
* Adding support for LoadBalancerIP field in ServiceSpec
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datadog
* Fixing minor typos and removing extra lines
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datadog
* Fixing minor typos and removing extra lines
* feat(DATAGO-27002): Upgrade to 1.7.9
* chore(DATAGO-27002): Fix doc issue
Co-authored-by: guru1306
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Tom Proctor
Co-authored-by: Theron Voran
Co-authored-by: Paul
Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com>
Co-authored-by: Paul Witt
Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com>
Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com>
Co-authored-by: Javier Criado Marcos
Co-authored-by: mehmetsalgar
Co-authored-by: Sarah Thompson
Co-authored-by: Iñigo Horcajo
Co-authored-by: Rule88
Co-authored-by: Ricardo Gândara Pinto
Co-authored-by: Julian Setiawan
Co-authored-by: marcboudreau
Co-authored-by: Hadie Laham
* fix: deploy_local.sh error with file
* minor changes
* Explain this fork in the README
* Adding support for LoadBalancerIP field in ServiceSpec
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datadog
* Fixing minor typos and removing extra lines
* Explain this fork in the README
* Adding support for LoadBalancerIP field in ServiceSpec
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datadog
* Fixing minor typos and removing extra lines
* feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)
* Add objectSelector to webhookconfiguration (#456)
* changelog++
* Add CSI secrets store provider (#461)
* updating acceptance tests to k8s 1.17 on gke (#473)
* changelog++
* Target vault-csi-provider release 0.1.0 (#475)
* Update to 0.10.0 (#477)
* Update to v0.10.0
* Fix typo
* Add csi link in changelog
* Add volumes and mounts support for CSI (#479)
* Remove extraVolumes from CSI, add volumes and mounts
* Add better example
* changelog++
* Remove extra word in readme (#482)
* fix csi helm deployment (#486)
* fix serviceaccount and clusterrole name reference (full name)
* add server.enabled option, align with documentation
* add unit tests
* update server.enabled behaviour to explicit true and update tests
* changelog++
* add hostNetwork value to injector deployment (#471)
* add hostNetwork value to injector deployment
* adding unit tests
* changelog++
* feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460)
Refs #361
* changelog++
* Add logLevel and logFormat values for Vault (#488)
* Add logLevel and logFormat values for Vault
* Add configurable tests
* Update order of log levels
* Update values.yaml
* Update per review
* Update test/unit/server-statefulset.bats
Co-authored-by: Tom Proctor
* Update test/unit/server-statefulset.bats
Co-authored-by: Tom Proctor
Co-authored-by: Tom Proctor
* changelog++
* Custom value of agent port (#489)
* configure the agent port
* add unit test
* remove default
* remove default
* Update values.yaml
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* changelog++
* Add injector agent default overrides (#493)
* Add injector agent default overrides
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran
Co-authored-by: Theron Voran
* changelog++
* [injector] Add port name in injector service (#495)
* [injector] Add port name in injector service
* [injector] Hardcode port to https
* changelog++
* Fix injector unit test failing (#496)
* Fix injector unit test failing
* Add null check
* Add default if unset for CI
* Remove redundant logic (#434)
* Update to v0.11.0 (#497)
* Add container based tests documentation (#492)
* update documentation with running unit tests using container
* promote bats version to 1.3.0
* Update CONTRIBUTING.md
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update CONTRIBUTING.md
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Set kubeVersion and added chart-verifier tests (#510)
Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped.
* changelog++
* match kubeVersion on semver pre-releases (#512)
Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700)
* Add ImagePullSecrets to CSI daemonset (#519)
* changelog++
* changelog++
* fix CONTRIBUTING.md (#501)
* updating to use new dedicated context and token (#515)
* added values json schema (#513)
Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test.
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* changelog++
* [Issue-520] tolerations for csi-daemonset (#521)
Co-authored-by: Theron Voran
* changelog++
* Add extraArgs value for CSI (#526)
* changelog++
* add schema unit tests (#530)
* Add UI targetPort option (#437)
Use custom `targetPort` for UI service. See the use case in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213
* changelog++
* Update to v0.12.0 (#532)
* Update to v0.12.0
* Update values.schema.json
* Fix schema types
* revert image repo
* Adding helm test for vault server (#531)
Also adds acceptance test for 'helm test' and updates the chart-verifier version.
* changelog++
* fix ui.serviceNodePort schema (#537)
UI service nodePort defaults to null, but is set as an integer
* changelog++
* change maxUnavailable to integer (#535)
change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable.
* Also allow null value
Co-authored-by: Theron Voran
* add test for server.ha.disruptionBudget.maxUnavailable
Co-authored-by: Theron Voran
* changelog++
* use vault-helm-test:0.2.0 (#543)
* Added webhook-certs volume mount to sidecar injector (#545)
* Removed webhook-certs volume mount from leader-elector container
* Added test: injector deployment manual TLS adds volume mount
* changelog++
* Adding server.enterpriseLicense (#547)
Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately.
* changelog++
* Add openshift overrides (#549)
Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests.
* changelog++
* Update to v0.13.0 (#554)
* Explain this fork in the README
* Adding support for LoadBalancerIP field in ServiceSpec
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datadog
* Fixing minor typos and removing extra lines
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datadog
* Fixing minor typos and removing extra lines
* feat(DATAGO-27002): Upgrade to 1.7.9
* chore(DATAGO-27002): Fix doc issue
Co-authored-by: guru1306
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Tom Proctor
Co-authored-by: Theron Voran
Co-authored-by: Paul
Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com>
Co-authored-by: Paul Witt
Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com>
Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com>
Co-authored-by: Javier Criado Marcos
Co-authored-by: mehmetsalgar
Co-authored-by: Sarah Thompson
Co-authored-by: Iñigo Horcajo
Co-authored-by: Rule88
Co-authored-by: Ricardo Gândara Pinto
Co-authored-by: Julian Setiawan
Co-authored-by: marcboudreau
Co-authored-by: Hadie Laham
* Datago 30304/upgrading vault to 1.9.2 (#14)
* add staticSecretRenderInterval to injector (#621)
* make staticSecretRenderInterval default to empty string
* update values schema to add staticSecretRenderInterval
* add test for default value
* adding changelog entry
Co-authored-by: Theron Voran
* Update jira action (#644)
* No longer check for Vault team membership
* Tweak jira states and search parameters
* remove support for the leader-elector container (#649)
* vault-helm 0.18.0 release (#650)
* Run CI tests in github workflows (#657)
Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch.
Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16.
Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21.
Updates the Secrets Store CSI driver to 1.0.0 in tests.
Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point).
Co-authored-by: Tom Proctor
* Configurable PodDisruptionBudget for Injector (#653)
* Fix spelling error in server disruptionbudget test (#654)
* Make terminationGracePeriodSeconds configurable (#659)
Make terminationGracePeriodSeconds configurable for server pod
* injector: ability to set deployment update strategy (continued) (#661)
Co-authored-by: Jason Hancock
* csi: ability to set priorityClassName for csi daemonset pods (#670)
* Fixed a small typo (#672)
* Disable unit and acceptance tests in CircleCI (#675)
* update CONTRIBUTING.md (#677)
Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA.
* add namespace support for openshift route (#679)
* Add volumes and env vars to helm hook test pod (#673)
* Fix test typo
* Add basic server-test Pod tests
- This covers all existing functionality that matches what's present in server-statefulset.bats
* Fix server-test helm hook Pod rendering
- Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves
* Add volumes and env vars to helm hook test pod
- Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook
- This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI
- Fixes GH-665
* allow injection of TLS config for OpenShift routes (#686)
* Add some tests on top of #396
* convert server-route.yaml to unix newlines
* changelog
Co-authored-by: André Becker
Co-authored-by: Theron Voran
* Release 0.19.0 (#687)
* Explain this fork in the README
* Adding support for LoadBalancerIP field in ServiceSpec
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datadog
* Fixing minor typos and removing extra lines
* Update to 0.4.0
* Explain this fork in the README
* Adding support for LoadBalancerIP field in ServiceSpec
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datadog
* Fixing minor typos and removing extra lines
* feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)
* Add objectSelector to webhookconfiguration (#456)
* changelog++
* Add CSI secrets store provider (#461)
* updating acceptance tests to k8s 1.17 on gke (#473)
* changelog++
* Target vault-csi-provider release 0.1.0 (#475)
* Update to 0.10.0 (#477)
* Update to v0.10.0
* Fix typo
* Add csi link in changelog
* Add volumes and mounts support for CSI (#479)
* Remove extraVolumes from CSI, add volumes and mounts
* Add better example
* changelog++
* Remove extra word in readme (#482)
* fix csi helm deployment (#486)
* fix serviceaccount and clusterrole name reference (full name)
* add server.enabled option, align with documentation
* add unit tests
* update server.enabled behaviour to explicit true and update tests
* changelog++
* add hostNetwork value to injector deployment (#471)
* add hostNetwork value to injector deployment
* adding unit tests
* changelog++
* feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460)
Refs #361
* changelog++
* Add logLevel and logFormat values for Vault (#488)
* Add logLevel and logFormat values for Vault
* Add configurable tests
* Update order of log levels
* Update values.yaml
* Update per review
* Update test/unit/server-statefulset.bats
Co-authored-by: Tom Proctor
* Update test/unit/server-statefulset.bats
Co-authored-by: Tom Proctor
Co-authored-by: Tom Proctor
* changelog++
* Custom value of agent port (#489)
* configure the agent port
* add unit test
* remove default
* remove default
* Update values.yaml
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* changelog++
* Add injector agent default overrides (#493)
* Add injector agent default overrides
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran
Co-authored-by: Theron Voran
* changelog++
* [injector] Add port name in injector service (#495)
* [injector] Add port name in injector service
* [injector] Hardcode port to https
* changelog++
* Fix injector unit test failing (#496)
* Fix injector unit test failing
* Add null check
* Add default if unset for CI
* Remove redundant logic (#434)
* Update to v0.11.0 (#497)
* Add container based tests documentation (#492)
* update documentation with running unit tests using container
* promote bats version to 1.3.0
* Update CONTRIBUTING.md
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update CONTRIBUTING.md
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Set kubeVersion and added chart-verifier tests (#510)
Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped.
* changelog++
* match kubeVersion on semver pre-releases (#512)
Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700)
* Add ImagePullSecrets to CSI daemonset (#519)
* changelog++
* changelog++
* fix CONTRIBUTING.md (#501)
* updating to use new dedicated context and token (#515)
* added values json schema (#513)
Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test.
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* changelog++
* [Issue-520] tolerations for csi-daemonset (#521)
Co-authored-by: Theron Voran
* changelog++
* Add extraArgs value for CSI (#526)
* changelog++
* add schema unit tests (#530)
* Add UI targetPort option (#437)
Use custom `targetPort` for UI service. See the use case in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213
* changelog++
* Update to v0.12.0 (#532)
* Update to v0.12.0
* Update values.schema.json
* Fix schema types
* revert image repo
* Adding helm test for vault server (#531)
Also adds acceptance test for 'helm test' and updates the chart-verifier version.
* changelog++
* fix ui.serviceNodePort schema (#537)
  UI service nodePort defaults to null, but is set as an integer
* changelog++
* change maxUnavailable to integer (#535)
  change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable.
* Also allow null value
  Co-authored-by: Theron Voran
* add test for server.ha.disruptionBudget.maxUnavailable
  Co-authored-by: Theron Voran
* changelog++
* use vault-helm-test:0.2.0 (#543)
* Added webhook-certs volume mount to sidecar injector (#545)
* Removed webhook-certs volume mount from leader-elector container
* Added test: injector deployment manual TLS adds volume mount
* changelog++
* Adding server.enterpriseLicense (#547)
  Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately.
* changelog++
* Add openshift overrides (#549)
  Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests.
* changelog++
* Update to v0.13.0 (#554)
* Explain this fork in the README
* Adding support for LoadBalancerIP field in ServiceSpec
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datdog
* Fixing minor typos and removing extra lines
* DATAGO-13861: Adding support for logrotate
* DATAGO-13861: Adding audit log rotation and shipment to datdog
* Fixing minor typos and removing extra lines
* feat(DATAGO-27002): Upgrade to 1.7.9
* chore(DATAGO-27002): Fix doc issue
  Co-authored-by: guru1306
  Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
  Co-authored-by: Tom Proctor
  Co-authored-by: Theron Voran
  Co-authored-by: Paul
  Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com>
  Co-authored-by: Paul Witt
  Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com>
  Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com>
  Co-authored-by: Javier Criado Marcos
  Co-authored-by: mehmetsalgar
  Co-authored-by: Sarah Thompson
  Co-authored-by: Iñigo Horcajo
  Co-authored-by: Rule88
  Co-authored-by: Ricardo Gândara Pinto
  Co-authored-by: Julian Setiawan
  Co-authored-by: marcboudreau
  Co-authored-by: Hadie Laham
* fix: deploy_local.sh error with file
* minor changes
* changed value to use tag 1.9.6
  Co-authored-by: Kaito Ii
  Co-authored-by: Theron Voran
  Co-authored-by: Tom Proctor
  Co-authored-by: Eric Miller
  Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com>
  Co-authored-by: Jason Hancock
  Co-authored-by: Vadim Grek
  Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com>
  Co-authored-by: Jacob Mammoliti
  Co-authored-by: Ethan J. Brown
  Co-authored-by: Michele Baldessari
  Co-authored-by: André Becker
  Co-authored-by: Julian Setiawan
  Co-authored-by: marcboudreau
  Co-authored-by: Hadie Laham
  Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
  Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com>
  Co-authored-by: guru1306
  Co-authored-by: Paul
  Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com>
  Co-authored-by: Paul Witt
  Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com>
  Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com>
  Co-authored-by: Javier Criado Marcos
  Co-authored-by: mehmetsalgar
  Co-authored-by: Sarah Thompson
  Co-authored-by: Iñigo Horcajo
  Co-authored-by: Rule88
  Co-authored-by: Ricardo Gândara Pinto
  Co-authored-by: adhish2001
* feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16)
* add staticSecretRenderInterval to injector (#621)
* make staticSecretRenderInterval default to empty string
* update values schema to add staticSecretRenderInterval
* add test for default value
* adding changelog entry
  Co-authored-by: Theron Voran
* Update jira action (#644)
* No longer check for Vault team membership
* Tweak jira states and search parameters
* remove support for the leader-elector container (#649)
* vault-helm 0.18.0 release (#650)
* Run CI tests in github workflows (#657)
  Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point).
  Co-authored-by: Tom Proctor
* Configurable PodDisruptionBudget for Injector (#653)
* Fix spelling error in server disruptionbudget test (#654)
* Make terminationGracePeriodSeconds configurable (#659)
  Make terminationGracePeriodSeconds configurable for server pod
* injector: ability to set deployment update strategy (continued) (#661)
  Co-authored-by: Jason Hancock
* csi: ability to set priorityClassName for csi daemonset pods (#670)
* Fixed a small typo (#672)
* Disable unit and acceptance tests in CircleCI (#675)
* update CONTRIBUTING.md (#677)
  Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA.
* add namespace support for openshift route (#679)
* Add volumes and env vars to helm hook test pod (#673)
* Fix test typo
* Add basic server-test Pod tests
  - This covers all existing functionality that matches what's present in server-statefulset.bats
* Fix server-test helm hook Pod rendering
  - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves
* Add volumes and env vars to helm hook test pod
  - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook
  - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI
  - Fixes GH-665
* allow injection of TLS config for OpenShift routes (#686)
* Add some tests on top of #396
* convert server-route.yaml to unix newlines
* changelog
  Co-authored-by: André Becker
  Co-authored-by: Theron Voran
* Release 0.19.0 (#687)
* Add extraLabels for CSI DaemonSet (#690)
* Updated hashicorp/vault-csi-provider image to v1.0.0 (#689)
* Fix unit test assertions (#693)
* vault: bump image to 1.9.3 (#695)
Signed-off-by: Lionel H
* changelog++ (#699)
* change helm trigger branch from master to main (#700)
* Add namespace to injector-leader-elector role, rolebinding and secret (#683)
* allow to configure publishNotReadyAddresses on server services (#694)
* Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692)
* Prepare default values for MutatingWebhookConfiguration #691
* Add values.yaml values to injector-mutating-webhook.yaml #691
* Duplicate and deprecate top-level webhook settings and put them in a webhook object
* Made the new values default with the fallback to the old values.yaml
* Fix _helpers.tpl to support both old and new webhook annotations
* Add new tests and deprecate old ones for injector webhook configuration
* Old tests now work with old values.yaml
* Add all new fields showing that they have priority over old ones
* Add deprecation note to injector.failurePolicy #691
* VAULT-571 Matching documented behavior and consul (#703)
  VAULT-571 Matching documented behavior and consul
  Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart:
  > [global.enabled] The master enabled/disabled configuration. If this is
  > true, most components will be installed by default. If this is false,
  > no components will be installed by default and manually opting-in is
  > required, such as by setting server.enabled to true.
  (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)
  We also simplified the chart logic using a few template helpers.
  Co-authored-by: Theron Voran
* Update k8s versions (#706)
* tests: updating the four most recent k8s versions
* bump oldest version to 1.16
* docs, Chart.yaml, and changelog for 1.14 -> 1.16
* Fix values schema to support config in YAML (#684)
* Support policy/v1 disruptionbudget beyond kube 1.21 (#710)
  Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21
* Remove unncessary template calls (#712)
  - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode)
  Various templates were updated accordingly, but those that were already calling vault.mode had an additional call to vault.serverEnabled made which was unnecessary
  Remove those
* Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709)
* Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it
* Issue-#629 removing extra whitespace I added accidently.
* Issue-#629 fixing extra whitespace added.
* Update values.yaml
  Co-authored-by: Joaco Muleiro Beltran
* Issue #629 adding changelog
  Co-authored-by: Joaco Muleiro Beltran
* VAULT-5838 Update CSI provider to 1.1.0 (#721)
* VAULT-5838 Update CSI provider to 1.1.0
* Update test/acceptance/csi.bats
  Co-authored-by: Theron Voran
  Co-authored-by: Theron Voran
* VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722)
  1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade
* Implement support for Topology Spread Constraints (#652)
* Implemented support for topology spread constraints
* Update values.yaml
  Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* Update values.yaml
  Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* Add topologySpreadConstraints to values schema
* Implement injector deployment topology spread UTs
* also remove string from the relevant schema types
* Implement injector statefulset topology spread UTs
* Implement injector HA statefulset topology UTs
* Allow topologySpreadConstraints to be a string
  Co-authored-by: Ellis Tarn
  Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
  Co-authored-by: Christopher Swenson
* Update the changelog with changes from 614 and 652 (#723)
* Update the changelog with changes from 614 and 652
* Update CHANGELOG.md
  Co-authored-by: Theron Voran
  Co-authored-by: Theron Voran
* Prepare v0.20.0 release (#727)
---------
Signed-off-by: Lionel H
Co-authored-by: Kaito Ii
Co-authored-by: Theron Voran
Co-authored-by: Tom Proctor
Co-authored-by: Eric Miller
Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com>
Co-authored-by: Jason Hancock
Co-authored-by: Vadim Grek
Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com>
Co-authored-by: Jacob Mammoliti
Co-authored-by: Ethan J. Brown
Co-authored-by: Michele Baldessari
Co-authored-by: André Becker
Co-authored-by: Michael Schuett
Co-authored-by: Troy Fluegge
Co-authored-by: lion24
Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
Co-authored-by: Christian
Co-authored-by: Viacheslav Vasilyev
Co-authored-by: Remco Buddelmeijer
Co-authored-by: Christopher Swenson
Co-authored-by: gw0
Co-authored-by: Stephen Herd
Co-authored-by: Joaco Muleiro Beltran
Co-authored-by: Ellis Tarn
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* DATAGO-59401: Upgrading vault to 1.11.x (#18)
* Fix CSI acceptance tests (#728)
* Update minimum required helm version in readme (#730)
  Co-authored-by: Tom Proctor
* Restore missing 'vault' service account (#737)
  Our tutorials rely on this service account being present even if we are using an external Vault. The `values.yaml` also states that external Vaults are expected to use this service account.
  For example, https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault
* Set default object selector for webhooks to exclude injector itself (#736)
  Set default object selector for webhooks to exclude injector itself
  If `injector.failurePolicy` is set to `Fail`, there is a race condition where if the mutating webhook config is set up before the injector, then the injector can fail to start because it tries to inject itself. We can work around this by ignoring the injector pod in the webhook by default.
  Thanks to @joeyslalom for the object selector to exclude the pod.
  Fixes https://github.com/hashicorp/vault-k8s/issues/258
* Prepare for release 0.20.1 (#739)
  Prepare for release 0.20.1
  Improvements:
  * `vault-k8s` updated to 0.16.1
  CHANGES:
  * `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
  * Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
  Co-authored-by: Theron Voran
* Mention minimum helm version in changelog (#742)
  Also add a features section to 0.20.0
* Start testing against Kubernetes 1.24 (#744)
  Start testing against Kubernetes 1.24
  Update .github/workflows/acceptance.yaml
  Remove skip csi
  Co-authored-by: Theron Voran
* Update .helmignore (#732)
  Review .helmignore file, ignore CI in chart
* Set VAULT_ADDR env var for CSI Provider pods (#745)
* Support to add annotations in injector serviceaccount (#753)
* changelog++ (#757)
* jira-sync: transition to "Closed" not "Close" (#758)
* Add support for nodePort for active and standby services (#610)
* Feat/adding pod and container security context (#750)
  Allow the injector's pod- and container-level securityContext to be fully specified by the user, via new options `injector.securityContext.pod` and `injector.securityContext.container` with more complete defaults. Deprecates `injector.uid` and `injector.gid`. If `injector.uid` or `injector.gid` are set by the user, the old pod securityContext settings will be used. Otherwise the new defaults and settings are used.
  Co-authored-by: Theron Voran
* Changelog and schema update for active/standby node port (#761)
* Changelog and schema update for active/standby node port
  Follow-up to https://github.com/hashicorp/vault-helm/pull/610
* changelog++ and json schema update (#762)
  Changelog updates for #750, and json schema update.
* Update jira sync (#768)
* csi/server.statefulset: custom security context (#767)
  csi/server.statefulset: custom security context
  This adds flexibility to have custom pod template and container `securityContext` and preserves current default values and behavior.
  Fixes https://github.com/hashicorp/vault-helm/issues/663.
  This also is a way to address https://github.com/hashicorp/vault-helm/pull/599 so that people can specify, for example, the CSI to run in a privileged container for OpenShift.
  This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750 and builds on the same principles.
  Side note: I am not able to run `helm schema-gen` since it is unmaintained and does not work with M1 Macs.
* Prepare for 0.21.0 release (#771)
  Prepare for 0.21.0 release
  CHANGES:
  * `vault-k8s` updated to 0.17.0. (this)
  * `vault-csi-provider` updated to 1.2.0 (this)
  * `vault` updated to 1.11.2 (this)
  * Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
  * Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
  * CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
  Features:
  * server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
  * csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
  * injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
  * Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610)
  * Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753)
* DOC: Minor typos fixes (#669)
  Co-authored-by: Tom Proctor
* update values comments for server.securityContext (#778)
  Since container is empty for openshift.
* CI: run acceptance tests on push to any (#781)
* Add support for the Prometheus Operator (#772)
  support collecting Vault server metrics by deploying PrometheusOperator CustomResources.
Co-authored-by: Sam Weston Co-authored-by: Theron Voran * Update vault-k8s to 1.0.0 (#784) Update vault-k8s to 1.0.0 Also update Kubernetes versions tested against, including adding 1.25 Update consul in tests for Kubernetes 1.25 support * Prepare for 0.22.0 release (#785) Prepare for 0.21.1 release * Update Vault to 1.11.3 * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12) * Add objectSelector to webhookconfiguration (#456) * changelog++ * Add CSI secrets store provider (#461) * updating acceptance tests to k8s 1.17 on gke (#473) * changelog++ * Target vault-csi-provider release 0.1.0 (#475) * Update to 0.10.0 (#477) * Update to v0.10.0 * Fix typo * Add csi link in changelog * Add volumes and mounts support for CSI (#479) * Remove extraVolumes from CSI, add volumes and mounts * Add better example * changelog++ * Remove extra word in readme (#482) * fix csi helm deployment (#486) * fix serviceaccount and clusterrole name reference (full name) * add server.enabled option, align with documentation * add unit tests * update server.enabled behaviour to explicit true and update tests * changelog++ * add hostNetwork value to injector deployment (#471) * add hostNetwork value to injector deployment * adding unit tests * changelog++ * feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (#460) Refs #361 * changelog++ * Add logLevel and logFormat values for Vault (#488) * Add logLevel and logFormat values for Vault * Add configurable 
tests * Update order of log levels * Update values.yaml * Update per review * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor * Update test/unit/server-statefulset.bats Co-authored-by: Tom Proctor Co-authored-by: Tom Proctor * changelog++ * Custom value of agent port (#489) * configure the agent port * add unit test * remove default * remove default * Update values.yaml Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * Add injector agent default overrides (#493) * Add injector agent default overrides * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran * Update test/unit/injector-deployment.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * changelog++ * [injector] Add port name in injector service (#495) * [injector] Add port name in injector service * [injector] Hardcore port to https * changelog++ * Fix injector unit test failing (#496) * Fix injector unit test failing * Add null check * Add default if unset for CI * Remove redundant logic (#434) * Update to v0.11.0 (#497) * Add container based tests documentation (#492) * update documentation with running unit tests using container * promote bats version to 1.3.0 * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * Set kubeVersion and added chart-verifier tests (#510) Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats test, and configured to run it in CI. Some verification tests that haven't been addressed yet are skipped. 
* changelog++ * match kubeVersion on semver pre-releases (#512) Since clouds like GKE set their kubeVersion as a pre-release (e.g. v1.17.17-gke.6700) * Add ImagePullSecrets to CSI daemonset (#519) * changelog++ * changelog++ * fix CONTRIBUTING.md (#501) * updating to use new dedicated context and token (#515) * added values json schema (#513) Generated the schema using the helm schema-gen plugin, and added extra data types to fields that allow it, such as annotations, tolerations, enabled, etc. Enabled the "contains-value-schema" chart-verifier test. Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> * changelog++ * [Issue-520] tolerations for csi-daemonset (#521) Co-authored-by: Theron Voran * changelog++ * Add extraArgs value for CSI (#526) * changelog++ * add schema unit tests (#530) * Add UI targetPort option (#437) Use custom `targetPort` for UI service. See the usecase in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213 * changelog++ * Update to v0.12.0 (#532) * Update to v0.12.0 * Update values.schema.json * Fix schema types * revert image repo * Adding helm test for vault server (#531) Also adds acceptance test for 'helm test' and updates the chart-verifier version. * changelog++ * fix ui.serviceNodePort schema (#537) UI service nodePort defaults to null, but is set as an integer * changelog++ * change maxUnavailable to integer (#535) change maxUnavailable from `null` to `integer` to enable upgrade from 0.11.0 to 0.12.0 when using the specific variable. 
* Also allow null value Co-authored-by: Theron Voran * add test for server.ha.disruptionBudget.maxUnavailable Co-authored-by: Theron Voran * changelog++ * use vault-helm-test:0.2.0 (#543) * Added webhook-certs volume mount to sidecar injector (#545) * Removed webhook-certs volume mount from leader-elector container * Added test: injector deployment manual TLS adds volume mount * changelog++ * Adding server.enterpriseLicense (#547) Sets up a vault-enterprise license for autoloading on vault startup. Mounts an existing secret to /vault/license and sets VAULT_LICENSE_PATH appropriately. * changelog++ * Add openshift overrides (#549) Adds default overrides for OpenShift (values.openshift.yaml) and uses them in the chart-verifier tests. * changelog++ * Update to v0.13.0 (#554) * Explain this fork in the README * Adding support for LoadBalancerIP field in ServiceSpec * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * DATAGO-13861: Adding support for logrotate * DATAGO-13861: Adding audit log rotation and shipment to datdog * Fixing minor typos and removing extra lines * feat(DATAGO-27002): Upgrade to 1.7.9 * chore(DATAGO-27002): Fix doc issue Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Tom Proctor Co-authored-by: Theron Voran Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham * fix: deploy_local.sh error 
with file
* minor changes
* Datago 30304/upgrading vault to 1.9.2 (#14)
* Update to 0.4.0
* changed value to use tag 1.9.6

Co-authored-by: Kaito Ii
Co-authored-by: Theron Voran
Co-authored-by: Tom Proctor
Co-authored-by: Eric Miller
Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com>
Co-authored-by: Jason Hancock
Co-authored-by: Vadim Grek
Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com>
Co-authored-by: Jacob Mammoliti
Co-authored-by: Ethan J.
Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 * feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16) * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. 
Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image 
to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) 
Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. 
Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unncessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additonal call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidently. * Issue-#629 fixing extra whitespace added. 
* Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * chore(59401): Upgrade vault to 1.11.x --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Aleksey Co-authored-by: Bruno Padilha <1850071+brunopadz@users.noreply.github.com> Co-authored-by: Jack Halford Co-authored-by: ChrisFraun Co-authored-by: Alex Khaerov Co-authored-by: Sam Weston Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com> Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 Co-authored-by: Adhish Maheswaran <36574103+adhish2001@users.noreply.github.com> --------- 
Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Aleksey Co-authored-by: Bruno Padilha <1850071+brunopadz@users.noreply.github.com> Co-authored-by: Jack Halford Co-authored-by: ChrisFraun Co-authored-by: Alex Khaerov Co-authored-by: Sam Weston Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: hashicorp-copywrite[bot] Co-authored-by: Aleksandr Titov <26012167+AleksandrTitov@users.noreply.github.com> Co-authored-by: Steven Kriegler <61625851+justusbunsi@users.noreply.github.com> Co-authored-by: Julian Setiawan Co-authored-by: marcboudreau Co-authored-by: Hadie Laham Co-authored-by: guru1306 Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Paul Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Co-authored-by: Paul Witt Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com> Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com> Co-authored-by: Javier Criado Marcos Co-authored-by: mehmetsalgar Co-authored-by: 
Sarah Thompson Co-authored-by: Iñigo Horcajo Co-authored-by: Rule88 Co-authored-by: Ricardo Gândara Pinto Co-authored-by: adhish2001 Co-authored-by: Adhish Maheswaran <36574103+adhish2001@users.noreply.github.com> Co-authored-by: xiaocongji <85846543+xiaocongji@users.noreply.github.com> --- .circleci/config.yml | 76 +++++-------------- .github/workflows/acceptance.yaml | 8 +- .../workflows/setup-test-tools/action.yaml | 8 +- .github/workflows/tests.yaml | 8 +- CHANGELOG.md | 21 +++++ Chart.yaml | 4 +- LICENSE.md => LICENSE | 2 + Makefile | 1 - templates/server-discovery-role.yaml | 2 +- templates/server-discovery-rolebinding.yaml | 2 +- templates/server-ha-active-service.yaml | 4 + templates/server-ha-standby-service.yaml | 6 +- templates/server-service.yaml | 2 + templates/server-serviceaccount.yaml | 3 + templates/server-statefulset.yaml | 5 +- test/acceptance/server-ha-enterprise-dr.bats | 4 +- .../acceptance/server-ha-enterprise-perf.bats | 4 +- test/unit/server-discovery-role.bats | 41 ++++++++++ test/unit/server-discovery-rolebinding.bats | 41 ++++++++++ test/unit/server-ha-active-service.bats | 30 ++++++++ test/unit/server-ha-standby-service.bats | 30 ++++++++ test/unit/server-ha-statefulset.bats | 16 ++++ test/unit/server-headless-service.bats | 18 +++++ test/unit/server-service.bats | 17 +++++ test/unit/server-serviceaccount.bats | 10 +++ test/unit/server-statefulset.bats | 22 ++++++ test/unit/ui-service.bats | 1 - values.openshift.yaml | 6 +- values.schema.json | 41 +++++++++- values.yaml | 33 ++++++-- 30 files changed, 376 insertions(+), 90 deletions(-) rename LICENSE.md => LICENSE (99%) create mode 100755 test/unit/server-discovery-role.bats create mode 100755 test/unit/server-discovery-rolebinding.bats diff --git a/.circleci/config.yml b/.circleci/config.yml index 7582bdc21..ca48a33d4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -3,68 +3,19 @@ orbs: slack: circleci/slack@3.4.2 jobs: - bats-unit-test: - docker: - # This image is built from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 - steps: - - checkout - - run: bats ./test/unit -t - - chart-verifier: - docker: - - image: docker.mirror.hashicorp.services/cimg/go:1.16 - environment: - BATS_VERSION: "1.3.0" - CHART_VERIFIER_VERSION: "1.2.1" - steps: - - checkout - - run: - name: install chart-verifier - command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - - run: - name: install bats - command: | - curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz - tar -zxf /tmp/bats.tgz -C /tmp - sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local - - run: - name: run chart-verifier tests - command: bats ./test/chart -t - - acceptance: - docker: - # This image is build from test/docker/Test.dockerfile - - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 - - steps: - - checkout - - run: - name: terraform init & apply - command: | - echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json - export GOOGLE_CREDENTIALS=vault-helm-test.json - make provision-cluster - - run: - name: Run acceptance tests - command: bats ./test/acceptance -t - - - run: - name: terraform destroy - command: | - export GOOGLE_CREDENTIALS=vault-helm-test.json - make destroy-cluster - when: always update-helm-charts-index: docker: - - image: docker.mirror.hashicorp.services/circleci/golang:1.15.3 + - image: docker.mirror.hashicorp.services/cimg/go:1.19.2 steps: - checkout - run: name: verify Chart version matches tag version + environment: + RELEASE_TAG: << pipeline.parameters.release-tag >> command: | - GO111MODULE=on go get github.com/mikefarah/yq/v2 - git_tag=$(echo "${CIRCLE_TAG#v}") + go install github.com/mikefarah/yq/v2@latest + export TAG=${RELEASE_TAG:-$CIRCLE_TAG} + 
git_tag=$(echo "${TAG#v}") chart_tag=$(yq r Chart.yaml version) if [ "${git_tag}" != "${chart_tag}" ]; then echo "chart version (${chart_tag}) did not match git version (${git_tag})" @@ -72,17 +23,25 @@ jobs: fi - run: name: update helm-charts index + environment: + RELEASE_TAG: << pipeline.parameters.release-tag >> command: | curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \ -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${RELEASE_TAG:-$CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}" +parameters: + release-tag: + type: string + default: "" + description: "The tag to release, including v, e.g. v0.22.1" + workflows: version: 2 # Note: unit and acceptance tests are now being run in GitHub Actions @@ -95,3 +54,8 @@ workflows: only: /^v.*/ branches: ignore: /.*/ + manual-trigger-update-helm-charts-index: + when: << pipeline.parameters.release-tag >> + jobs: + - update-helm-charts-index: + context: helm-charts-trigger-vault diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 042bfd1d5..648616b35 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml 
@@ -7,19 +7,19 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.13, 1.23.10, 1.24.4, 1.25.0] + kind-k8s-version: [1.16.15, 1.20.15, 1.21.14, 1.22.15, 1.23.12, 1.24.6, 1.25.3] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@v1.2.0 + uses: helm/kind-action@v1.4.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.14.0 + version: v0.16.0 - run: bats --tap --timing ./test/acceptance env: diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml index 3fa285416..8c69e3db8 100644 --- a/.github/workflows/setup-test-tools/action.yaml +++ b/.github/workflows/setup-test-tools/action.yaml @@ -6,13 +6,15 @@ runs: steps: - uses: actions/setup-node@v2 with: - node-version: '14' + node-version: '16' - run: npm install -g bats@${BATS_VERSION} shell: bash env: - BATS_VERSION: '1.5.0' + BATS_VERSION: '1.8.2' - run: bats -v shell: bash - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 + with: + python-version: '3.10' - run: pip install yq shell: bash diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 53a1f039e..bcabd1d64 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -6,7 +6,7 @@ jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: ./.github/workflows/setup-test-tools - run: bats --tap --timing ./test/unit 
@@ -15,11 +15,11 @@ jobs: env: CHART_VERIFIER_VERSION: '1.2.1' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@v2 + - uses: actions/setup-go@v3 with: - go-version: '1.17.4' + go-version: '1.19.2' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - run: bats --tap --timing ./test/chart diff --git a/CHANGELOG.md b/CHANGELOG.md index aa0e4b734..631553f81 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,26 @@ ## Unreleased +## 0.23.0 (November 28th, 2022) + +Changes: +* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) + +Features: +* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) +* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813) + +Bugs: +* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) + +## 0.22.1 (October 26th, 2022) + +Changes: +* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) +* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) ## 0.22.0 (September 8th, 2022) 
diff --git a/Chart.yaml b/Chart.yaml index 4289e6c7d..f42a831e4 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.22.0 -appVersion: 1.11.3 +version: 0.23.0 +appVersion: 1.12.1 kubeVersion: ">= 1.16.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/LICENSE.md b/LICENSE similarity index 99% rename from LICENSE.md rename to LICENSE index 82b4de97c..74f38c010 100644 --- a/LICENSE.md +++ b/LICENSE @@ -1,3 +1,5 @@ +Copyright (c) 2018 HashiCorp, Inc. + Mozilla Public License, version 2.0 1. Definitions diff --git a/Makefile b/Makefile index afa801370..e423f3529 100644 --- a/Makefile +++ b/Makefile @@ -4,7 +4,6 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats ACCEPTANCE_TESTS?=acceptance - # filter bats unit tests to run. UNIT_TESTS_FILTER?='.*' diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 9ca23dd4c..4dba09df1 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,7 +1,7 @@ {{ template "vault.mode" . }} -{{- if ne .mode "external" }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 6e22e4c2b..280ec6ca2 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,7 +1,7 @@ {{ template "vault.mode" . }} -{{- if ne .mode "external" }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} 
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index ef212376d..7def2a0e8 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -3,6 +3,7 @@ {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.active.enabled | toString) "true" }} # Service for active Vault pod apiVersion: v1 kind: Service @@ -38,9 +39,12 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server vault-active: "true" {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index e6d66af84..50fca4bc1 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -3,6 +3,7 @@ {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.standby.enabled | toString) "true" }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -37,9 +38,12 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server vault-active: "false" {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 68207a2db..e4aee81de 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml 
@@ -41,7 +41,9 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server {{- end }} {{- end }} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index c0d32d190..580a95375 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -10,5 +10,8 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.server.serviceAccount.extraLabels -}} + {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} {{ template "vault.serviceAccount.annotations" . }} {{ end }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index afc48d695..a4ec05a28 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -49,6 +49,9 @@ spec: shareProcessNamespace: true {{ end }} {{- template "server.statefulSet.securityContext.pod" . }} + {{- if not .Values.global.openshift }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- end }} volumes: {{ template "vault.volumes" . }} - name: home @@ -102,7 +105,7 @@ spec: fieldPath: metadata.name - name: VAULT_CLUSTER_ADDR {{- if .Values.server.ha.clusterAddr }} - value: {{ .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr | quote }} {{- else }} value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" {{- end }} diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index f09bbb1fc..11effe99c 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats 
@@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 8b5c1be30..7eaf0ccf0 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.3-ent' \ + --set='server.image.tag=1.12.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats new file mode 100755 index 000000000..11473a081 --- /dev/null +++ b/test/unit/server-discovery-role.bats 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/DiscoveryRole: enabled by default with ha" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DiscoveryRole: can disable with server.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.enabled=false' \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/DiscoveryRole: can disable with server.serviceAccount.serviceDiscovery.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.serviceAccount.serviceDiscovery.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats new file mode 100755 index 000000000..568c24072 --- /dev/null +++ b/test/unit/server-discovery-rolebinding.bats 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/DiscoveryRoleBinding: enabled by default with ha" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DiscoveryRoleBinding: can disable with server.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.enabled=false' \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/DiscoveryRoleBinding: can disable with server.serviceAccount.serviceDiscovery.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.serviceAccount.serviceDiscovery.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index d74e74913..d78f5d457 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
@@ -35,6 +35,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-active-Service: disable with server.service.active.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=true' \ + --set 'server.service.active.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/ha-active-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ @@ -214,3 +226,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ha-active-Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 045560ce9..669831411 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats 
@@ -46,6 +46,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-standby-Service: disable with server.service.standby.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.enabled=true' \ + --set 'server.service.standby.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "server/ha-standby-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ @@ -225,3 +237,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ha-standby-Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 342fa433d..06a0ca0a0 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -476,6 +476,22 @@ load _helpers [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] } +@test "server/ha-StatefulSet: clusterAddr gets quoted" { + cd `chart_dir` + local customUrl='http://$(HOSTNAME).release-name-vault-internal:8201' + local rendered=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set "server.ha.clusterAddr=${customUrl}" \ + . | tee /dev/stderr | \ + grep -F "${customUrl}" | tee /dev/stderr) + +local value=$(echo $rendered | + yq -Y '.' | tee /dev/stderr) + [ "${value}" = 'value: "http://$(HOSTNAME).release-name-vault-internal:8201"' ] +} + #-------------------------------------------------------------------- # VAULT_RAFT_NODE_ID renders diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 4e2d13537..0794d0e49 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats @@ -17,3 +17,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/headless-Service: instance selector cannot be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] +} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 5208f6e30..70a544598 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -431,3 +431,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index fbc2b94bf..2c826032e 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -117,3 +117,13 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/serviceAccount: specify server.serviceAccount.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 549fcb751..6206e115e 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
@@ -1784,3 +1784,25 @@ load _helpers yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr) [ "${actual}" = "bar" ] } + +#-------------------------------------------------------------------- +# hostNetwork + +@test "server/StatefulSet: server.hostNetwork not set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/StatefulSet: server.hostNetwork is set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.hostNetwork=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index f73bbce3f..384098f89 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -385,4 +385,3 @@ load _helpers [ "${actual}" = "null" ] } - diff --git a/values.openshift.yaml b/values.openshift.yaml index c932a6897..02985ed39 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.0.0-ubi" + tag: "1.1.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.11.3-ubi" + tag: "1.12.1-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.11.3-ubi" + tag: "1.12.1-ubi" diff --git a/values.schema.json b/values.schema.json index 8ffc62f0f..d953b82f8 100644 --- a/values.schema.json +++ b/values.schema.json @@ -370,9 +370,6 @@ "podDisruptionBudget": { "type": "object" }, - "podDisruptionBudget": { - "type": "object" - }, "port": { "type": "integer" }, 
@@ -860,6 +857,14 @@ "service": { "type": "object", "properties": { + "active": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "annotations": { "type": [ "object", @@ -875,12 +880,28 @@ "externalTrafficPolicy": { "type": "string" }, + "instanceSelector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "port": { "type": "integer" }, "publishNotReadyAddresses": { "type": "boolean" }, + "standby": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "targetPort": { "type": "integer" }, @@ -907,8 +928,19 @@ "create": { "type": "boolean" }, + "extraLabels": { + "type": "object" + }, "name": { "type": "string" + }, + "serviceDiscovery": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } } } }, @@ -991,6 +1023,9 @@ "null", "array" ] + }, + "hostNetwork": { + "type": "boolean" } } }, diff --git a/values.yaml b/values.yaml index 837cfff00..f6769794c 100644 --- a/values.yaml +++ b/values.yaml @@ -62,7 +62,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.0.0" + tag: "1.1.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -70,7 +70,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.11.3" + tag: "1.12.1" # The default values for the injected Vault Agent containers. agentDefaults: @@ -125,7 +125,6 @@ injector: # for more details. # timeoutSeconds: 30 - # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -331,7 +330,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.11.3" + tag: "1.12.1" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent 
@@ -594,6 +593,19 @@ server: # Enables a headless service to be used by the Vault Statefulset service: enabled: true + # Enable or disable the vault-active service, which selects Vault pods that + # have labelled themselves as the cluster leader with `vault-active: "true"` + active: + enabled: true + # Enable or disable the vault-standby service, which selects Vault pods that + # have labelled themselves as a cluster follower with `vault-active: "false"` + standby: + enabled: true + # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` + # When disabled, services may select Vault pods not deployed from the chart. + # Does not affect the headless vault-internal service with `ClusterIP: None` + instanceSelector: + enabled: true # clusterIP controls whether a Cluster IP address is attached to the # Vault service within Kubernetes. By default, the Vault service will # be given a Cluster IP address, set to None to disable. When disabled @@ -849,6 +861,14 @@ server: # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. annotations: {} + # Extra labels to attach to the serviceAccount + # This should be a YAML map of the labels to apply to the serviceAccount + extraLabels: {} + # Enable or disable a service account role binding with the permissions required for + # Vault's Kubernetes service_registration config option. + # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes + serviceDiscovery: + enabled: true # A boolean flag to setup logrotate as a side car continer logrotate: null @@ -876,6 +896,9 @@ server: pod: {} container: {} + # Should the server pods run on the host network + hostNetwork: false + # Vault UI ui: # True if you want to create a Service entry for the Vault UI. 
@@ -923,7 +946,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.2.0" + tag: "1.2.1" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered
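Review bot: the `hostNetwork: {{ .Values.server.hostNetwork }}` hunk in templates/server-statefulset.yaml, together with the values.yaml comment `# Should the server pods run on the host network`, documents the knob without its consequences. On the host network Vault's listener ports bind on the node's own interfaces rather than a pod IP, NetworkPolicy is generally not enforced for host-network pods, and the pod is rejected by the `baseline` and `restricted` Pod Security Standard levels, so an operator flipping this needs to know what they are giving up. Suggest expanding the comment, e.g. `# Should the server pods run on the host network. Exposes the Vault listener on the node itself and is disallowed by the baseline Pod Security Standard; leave false unless required.` The `{{- if not .Values.global.openshift }}` guard also means the value is silently ignored on OpenShift, which deserves a sentence in the same comment.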
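Review bot: in the templates/server-serviceaccount.yaml hunk all three new lines end in `-}}`, so `{{- end -}}` chomps the newline before the unchanged `{{ template "vault.serviceAccount.annotations" . }}` line that follows it. The rendered YAML stays valid only because that helper's output evidently starts with its own newline (the new `extraLabels.foo=bar` unit test passes), but any later change to the helper would glue annotations onto the last label line. Suggest `{{- end }}` without the trailing dash on the closing line, matching the `{{- end }}` form used in the other template hunks of this patch.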
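Review bot: the new test/unit/server-discovery-role.bats and server-discovery-rolebinding.bats files only assert that the objects render or not (`yq 'length > 0'`); nothing pins what the Role actually grants to the Vault service account. Since this is RBAC, add a test that asserts `.rules[]` resources and verbs against the minimum service_registration needs, so privilege creep in the template is caught by CI. Related: `serviceDiscovery.enabled: true` in values.yaml (and the "enabled by default with ha" test) turns the binding on for every HA install, including clusters that never configure `service_registration "kubernetes"`; the comment should say it can be set to false in that case, because the binding is otherwise an unused grant.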
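Review bot: in the service selector hunk (`{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}`) and its values.yaml comment, the trade-off is understated. With the instance label dropped, the Service selects any pod in the namespace carrying the chart's `app.kubernetes.io/name` value and `component: server`, regardless of which release (or non-chart workload) created it, so client traffic can be steered to a pod this chart does not manage. Suggest the comment state that disabling it is only appropriate when the namespace is dedicated to a single Vault cluster, and keep the default of `true`. The headless-service test asserting the selector "cannot be disabled" is a good guard; worth keeping.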
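Review bot: in the new `clusterAddr gets quoted` test in test/unit/server-ha-statefulset.bats, `local value=$(echo $rendered |` is not indented with the rest of the test body and `$rendered` is unquoted, so word splitting rewrites the grepped line before `yq -Y` sees it, and the assertion then depends on the serializer's quoting choices. Quote it (`echo "${rendered}"`) or, better, read the env entry directly with `yq -r` from the rendered StatefulSet and assert on the value, which is what the quoting fix is meant to protect. The template change itself (`value: {{ .Values.server.ha.clusterAddr | quote }}`) is the right call, since `clusterAddr` is user-supplied and previously landed in the manifest unquoted.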
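Review bot: the new `server.serviceAccount.extraLabels` test in test/unit/server-serviceaccount.bats is added with `\ No newline at end of file`; add the trailing newline so the file matches the other bats files and the next appended test does not produce a noisy diff.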
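Review bot: the values.yaml hunk at `@@ -125,7 +125,6 @@ injector:` only deletes the blank line between the `# timeoutSeconds: 30` comment and the `# namespaceSelector is the selector...` block, merging two unrelated comment paragraphs; it is unrelated to the version bump and looks accidental, so suggest restoring the blank line.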