diff --git a/CHANGELOG.md b/CHANGELOG.md index 96937b57a..3bf7e67ff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Features: * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) * server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) * server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813) Bugs: * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 849c867b7..7def2a0e8 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -39,7 +39,9 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server vault-active: "true" {{- end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index e0750aa64..50fca4bc1 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -38,7 +38,9 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server vault-active: "false" {{- end }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 3a9b0e7e5..913b56930 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -38,7 +38,9 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server {{- end }} {{- end }} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index 6a2e34946..d78f5d457 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats @@ -226,3 +226,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ha-active-Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 3a9a39f33..669831411 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -237,3 +237,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/ha-standby-Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 4e2d13537..0794d0e49 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats @@ -17,3 +17,21 @@ load _helpers yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/headless-Service: instance selector cannot be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] +} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 5208f6e30..70a544598 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats @@ -431,3 +431,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/Service: instance selector can be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/values.schema.json b/values.schema.json index 2ba9ab84d..c18395700 100644 --- a/values.schema.json +++ b/values.schema.json @@ -871,6 +871,14 @@ "externalTrafficPolicy": { "type": "string" }, + "instanceSelector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "port": { "type": "integer" }, diff --git a/values.yaml b/values.yaml index 0045066c5..965f5a881 100644 --- a/values.yaml +++ b/values.yaml @@ -604,6 +604,11 @@ server: # have labelled themselves as a cluster follower with `vault-active: "false"` standby: enabled: true + # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` + # When disabled, services may select Vault pods not deployed from the chart. + # Does not affect the headless vault-internal service with `ClusterIP: None` + instanceSelector: + enabled: true # clusterIP controls whether a Cluster IP address is attached to the # Vault service within Kubernetes. By default, the Vault service will # be given a Cluster IP address, set to None to disable. When disabled