Skip to content

Commit

Permalink
Datago 30304/upgrading vault to 1.9.2 (#14)
Browse files Browse the repository at this point in the history 
* add staticSecretRenderInterval to injector (hashicorp#621)

* make staticSecretRenderInterval default to empty string

* update values schema to add staticSecretRenderInterval

* add test for default value

* adding changelog entry

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update jira action (hashicorp#644)

* No longer check for Vault team membership
* Tweak jira states and search parameters

* remove support for the leader-elector container (hashicorp#649)

* vault-helm 0.18.0 release (hashicorp#650)

* Run CI tests in github workflows  (hashicorp#657)

Ports the bats unit, chart-verifier, and bats acceptance tests to use
github workflows and actions. The acceptance tests run using kind, and
run for multiple k8s versions, on pushes to the main branch.

Adds a SKIP_CSI env check in the CSI acceptance test, set in the
workflow if K8s version is less than 1.16.

Adds kubeAdmConfigPatches to the kind config to allow testing the CSI
provider on K8s versions prior to 1.21.

Updates the Secrets Store CSI driver to 1.0.0 in tests.

Makes the HA Vault tests more robust by waiting for all consul client
pods to be Ready, and waits with a timeout for Vault to start
responding as sealed (since the tests on GitHub runners were often
failing at that point).

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Configurable PodDisruptionBudget for Injector (hashicorp#653)

* Fix spelling error in server disruptionbudget test (hashicorp#654)

* Make terminationGracePeriodSeconds configurable (hashicorp#659)

Make terminationGracePeriodSeconds configurable for server pod

* injector: ability to set deployment update strategy (continued) (hashicorp#661)

Co-authored-by: Jason Hancock <jhancock@netskope.com>

* csi: ability to set priorityClassName for csi daemonset pods (hashicorp#670)

* Fixed a small typo (hashicorp#672)

* Disable unit and acceptance tests in CircleCI (hashicorp#675)

* update CONTRIBUTING.md (hashicorp#677)

Link to the discuss forum instead of the old google group and irc
channel. Add info about the CLA.

* add namespace support for openshift route (hashicorp#679)

* Add volumes and env vars to helm hook test pod (hashicorp#673)

* Fix test typo

* Add basic server-test Pod tests

 - This covers all existing functionality that matches what's
   present in server-statefulset.bats

* Fix server-test helm hook Pod rendering

 - Properly adhere to the global.enabled flag and the presence of
   the injector.externalVaultAddr setting, the same way that
   the servers StatefulSet behaves

* Add volumes and env vars to helm hook test pod

 - Uses the same extraEnvironmentVars, volumes and volumeMounts set on
   the server statefulset to configure the Vault server test pod used by
   the helm test hook
 - This is necessary in situations where TLS is configured, but the
   certificates are not affiliated with the k8s CA / part of k8s PKI

 - Fixes hashicorpGH-665

* allow injection of TLS config for OpenShift routes (hashicorp#686)

* Add some tests on top of hashicorp#396

* convert server-route.yaml to unix newlines

* changelog

Co-authored-by: André Becker <andre@arestless.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Release 0.19.0 (hashicorp#687)

* Explain this fork in the README

* Adding support for LoadBalancerIP field in ServiceSpec

* DATAGO-13861: Adding support for logrotate

* DATAGO-13861: Adding audit log rotation and shipment to datdog

* Fixing minor typos and removing extra lines

* Update to 0.4.0

* Explain this fork in the README

* Adding support for LoadBalancerIP field in ServiceSpec

* DATAGO-13861: Adding support for logrotate

* DATAGO-13861: Adding audit log rotation and shipment to datdog

* Fixing minor typos and removing extra lines

* feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)

* Add objectSelector to webhookconfiguration (hashicorp#456)

* changelog++

* Add CSI secrets store provider (hashicorp#461)

* updating acceptance tests to k8s 1.17 on gke (hashicorp#473)

* changelog++

* Target vault-csi-provider release 0.1.0 (hashicorp#475)

* Update to 0.10.0 (hashicorp#477)

* Update to v0.10.0

* Fix typo

* Add csi link in changelog

* Add volumes and mounts support for CSI (hashicorp#479)

* Remove extraVolumes from CSI, add volumes and mounts

* Add better example

* changelog++

* Remove extra word in readme (hashicorp#482)

* fix csi helm deployment (hashicorp#486)

* fix serviceaccount and clusterrole name reference (full name)

* add server.enabled option, align with documentation

* add unit tests

* update server.enabled behaviour to explicit true and update tests

* changelog++

* add hostNetwork value to injector deployment (hashicorp#471)

* add hostNetwork value to injector deployment

* adding unit tests

* changelog++

* feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (hashicorp#460)

Refs hashicorp#361

* changelog++

* Add logLevel and logFormat values for Vault (hashicorp#488)

* Add logLevel and logFormat values for Vault

* Add configurable tests

* Update order of log levels

* Update values.yaml

* Update per review

* Update test/unit/server-statefulset.bats

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Update test/unit/server-statefulset.bats

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* changelog++

* Custom value of agent port  (hashicorp#489)

* configure the agent port

* add unit test

* remove default

* remove default

* Update values.yaml

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* changelog++

* Add injector agent default overrides (hashicorp#493)

* Add injector agent default overrides

* Update test/unit/injector-deployment.bats

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update test/unit/injector-deployment.bats

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update test/unit/injector-deployment.bats

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* changelog++

* [injector] Add port name in injector service (hashicorp#495)

* [injector] Add port name in injector service

* [injector] Hardcore port to https

* changelog++

* Fix injector unit test failing (hashicorp#496)

* Fix injector unit test failing

* Add null check

* Add default if unset for CI

* Remove redundant logic (hashicorp#434)

* Update to v0.11.0 (hashicorp#497)

* Add container based tests documentation (hashicorp#492)

* update documentation with running unit tests using container

* promote bats version to 1.3.0

* Update CONTRIBUTING.md

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Update CONTRIBUTING.md

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Set kubeVersion and added chart-verifier tests (hashicorp#510)

Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats
test, and configured to run it in CI. Some verification tests that
haven't been addressed yet are skipped.

* changelog++

* match kubeVersion on semver pre-releases (hashicorp#512)

Since clouds like GKE set their kubeVersion as a
pre-release (e.g. v1.17.17-gke.6700)

* Add ImagePullSecrets to CSI daemonset (hashicorp#519)

* changelog++

* changelog++

* fix CONTRIBUTING.md (hashicorp#501)

* updating to use new dedicated context and token (hashicorp#515)

* added values json schema (hashicorp#513)

Generated the schema using the helm schema-gen plugin, and added extra
data types to fields that allow it, such as annotations, tolerations,
enabled, etc. Enabled the "contains-value-schema" chart-verifier test.

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* changelog++

* [Issue-520] tolerations for csi-daemonset (hashicorp#521)

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* changelog++

* Add extraArgs value for CSI (hashicorp#526)

* changelog++

* add schema unit tests (hashicorp#530)

* Add UI targetPort option (hashicorp#437)

Use custom `targetPort` for UI service. See the usecase in hashicorp#385 (comment)

* changelog++

* Update to v0.12.0 (hashicorp#532)

* Update to v0.12.0

* Update values.schema.json

* Fix schema types

* revert image repo

* Adding helm test for vault server (hashicorp#531)

Also adds acceptance test for 'helm test' and updates the
chart-verifier version.

* changelog++

* fix ui.serviceNodePort schema (hashicorp#537)

UI service nodePort defaults to null, but is set as an integer

* changelog++

* change maxUnavailable to integer (hashicorp#535)

change maxUnavailable from `null` to `integer` to enable upgrade from
0.11.0 to 0.12.0 when using the specific variable.

* Also allow null value

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* add test for server.ha.disruptionBudget.maxUnavailable

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* changelog++

* use vault-helm-test:0.2.0 (hashicorp#543)

* Added webhook-certs volume mount to sidecar injector (hashicorp#545)

* Removed webhook-certs volume mount from leader-elector container

* Added test: injector deployment manual TLS adds volume mount

* changelog++

* Adding server.enterpriseLicense (hashicorp#547)

Sets up a vault-enterprise license for autoloading on vault
startup. Mounts an existing secret to /vault/license and sets
VAULT_LICENSE_PATH appropriately.

* changelog++

* Add openshift overrides (hashicorp#549)

Adds default overrides for OpenShift (values.openshift.yaml) and uses
them in the chart-verifier tests.

* changelog++

* Update to v0.13.0 (hashicorp#554)

* Explain this fork in the README

* Adding support for LoadBalancerIP field in ServiceSpec

* DATAGO-13861: Adding support for logrotate

* DATAGO-13861: Adding audit log rotation and shipment to datdog

* Fixing minor typos and removing extra lines

* DATAGO-13861: Adding support for logrotate

* DATAGO-13861: Adding audit log rotation and shipment to datdog

* Fixing minor typos and removing extra lines

* feat(DATAGO-27002): Upgrade to 1.7.9

* chore(DATAGO-27002): Fix doc issue

Co-authored-by: guru1306 <tguru.ece@gmail.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Paul <paul.coignet@datadoghq.com>
Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com>
Co-authored-by: Paul Witt <paul_witt@discovery.com>
Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com>
Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com>
Co-authored-by: Javier Criado Marcos <javinavales.jcm@gmail.com>
Co-authored-by: mehmetsalgar <salgarm@gmx.de>
Co-authored-by: Sarah Thompson <sthompson@hashicorp.com>
Co-authored-by: Iñigo Horcajo <inigohu@gmail.com>
Co-authored-by: Rule88 <rule88@users.noreply.github.com>
Co-authored-by: Ricardo Gândara Pinto <rpinto@gmail.com>
Co-authored-by: Julian Setiawan <julian.setiawan@solace.com>
Co-authored-by: marcboudreau <marc.boudreau@solace.com>
Co-authored-by: Hadie Laham <hadie.laham@solace.com>

* fix: deploy_local.sh error with file

* minor changes

* Adding support for LoadBalancerIP field in ServiceSpec

* DATAGO-13861: Adding support for logrotate

* DATAGO-13861: Adding audit log rotation and shipment to datdog

* Fixing minor typos and removing extra lines

* DATAGO-13861: Adding support for logrotate

* DATAGO-13861: Adding audit log rotation and shipment to datdog

* Fixing minor typos and removing extra lines

* feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)

* Add objectSelector to webhookconfiguration (hashicorp#456)

* changelog++

* Add CSI secrets store provider (hashicorp#461)

* updating acceptance tests to k8s 1.17 on gke (hashicorp#473)

* changelog++

* Target vault-csi-provider release 0.1.0 (hashicorp#475)

* Update to 0.10.0 (hashicorp#477)

* Update to v0.10.0

* Fix typo

* Add csi link in changelog

* Add volumes and mounts support for CSI (hashicorp#479)

* Remove extraVolumes from CSI, add volumes and mounts

* Add better example

* changelog++

* Remove extra word in readme (hashicorp#482)

* fix csi helm deployment (hashicorp#486)

* fix serviceaccount and clusterrole name reference (full name)

* add server.enabled option, align with documentation

* add unit tests

* update server.enabled behaviour to explicit true and update tests

* changelog++

* add hostNetwork value to injector deployment (hashicorp#471)

* add hostNetwork value to injector deployment

* adding unit tests

* changelog++

* feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (hashicorp#460)

Refs hashicorp#361

* changelog++

* Add logLevel and logFormat values for Vault (hashicorp#488)

* Add logLevel and logFormat values for Vault

* Add configurable tests

* Update order of log levels

* Update values.yaml

* Update per review

* Update test/unit/server-statefulset.bats

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Update test/unit/server-statefulset.bats

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* changelog++

* Custom value of agent port  (hashicorp#489)

* configure the agent port

* add unit test

* remove default

* remove default

* Update values.yaml

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* changelog++

* Add injector agent default overrides (hashicorp#493)

* Add injector agent default overrides

* Update test/unit/injector-deployment.bats

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update test/unit/injector-deployment.bats

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update test/unit/injector-deployment.bats

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* changelog++

* [injector] Add port name in injector service (hashicorp#495)

* [injector] Add port name in injector service

* [injector] Hardcore port to https

* changelog++

* Fix injector unit test failing (hashicorp#496)

* Fix injector unit test failing

* Add null check

* Add default if unset for CI

* Remove redundant logic (hashicorp#434)

* Update to v0.11.0 (hashicorp#497)

* Add container based tests documentation (hashicorp#492)

* update documentation with running unit tests using container

* promote bats version to 1.3.0

* Update CONTRIBUTING.md

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Update CONTRIBUTING.md

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Set kubeVersion and added chart-verifier tests (hashicorp#510)

Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats
test, and configured to run it in CI. Some verification tests that
haven't been addressed yet are skipped.

* changelog++

* match kubeVersion on semver pre-releases (hashicorp#512)

Since clouds like GKE set their kubeVersion as a
pre-release (e.g. v1.17.17-gke.6700)

* Add ImagePullSecrets to CSI daemonset (hashicorp#519)

* changelog++

* changelog++

* fix CONTRIBUTING.md (hashicorp#501)

* updating to use new dedicated context and token (hashicorp#515)

* added values json schema (hashicorp#513)

Generated the schema using the helm schema-gen plugin, and added extra
data types to fields that allow it, such as annotations, tolerations,
enabled, etc. Enabled the "contains-value-schema" chart-verifier test.

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* changelog++

* [Issue-520] tolerations for csi-daemonset (hashicorp#521)

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* changelog++

* Add extraArgs value for CSI (hashicorp#526)

* changelog++

* add schema unit tests (hashicorp#530)

* Add UI targetPort option (hashicorp#437)

Use custom `targetPort` for UI service. See the usecase in hashicorp#385 (comment)

* changelog++

* Update to v0.12.0 (hashicorp#532)

* Update to v0.12.0

* Update values.schema.json

* Fix schema types

* revert image repo

* Adding helm test for vault server (hashicorp#531)

Also adds acceptance test for 'helm test' and updates the
chart-verifier version.

* changelog++

* fix ui.serviceNodePort schema (hashicorp#537)

UI service nodePort defaults to null, but is set as an integer

* changelog++

* change maxUnavailable to integer (hashicorp#535)

change maxUnavailable from `null` to `integer` to enable upgrade from
0.11.0 to 0.12.0 when using the specific variable.

* Also allow null value

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* add test for server.ha.disruptionBudget.maxUnavailable

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* changelog++

* use vault-helm-test:0.2.0 (hashicorp#543)

* Added webhook-certs volume mount to sidecar injector (hashicorp#545)

* Removed webhook-certs volume mount from leader-elector container

* Added test: injector deployment manual TLS adds volume mount

* changelog++

* Adding server.enterpriseLicense (hashicorp#547)

Sets up a vault-enterprise license for autoloading on vault
startup. Mounts an existing secret to /vault/license and sets
VAULT_LICENSE_PATH appropriately.

* changelog++

* Add openshift overrides (hashicorp#549)

Adds default overrides for OpenShift (values.openshift.yaml) and uses
them in the chart-verifier tests.

* changelog++

* Update to v0.13.0 (hashicorp#554)

* Explain this fork in the README

* Adding support for LoadBalancerIP field in ServiceSpec

* DATAGO-13861: Adding support for logrotate

* DATAGO-13861: Adding audit log rotation and shipment to datdog

* Fixing minor typos and removing extra lines

* DATAGO-13861: Adding support for logrotate

* DATAGO-13861: Adding audit log rotation and shipment to datdog

* Fixing minor typos and removing extra lines

* feat(DATAGO-27002): Upgrade to 1.7.9

* chore(DATAGO-27002): Fix doc issue

Co-authored-by: guru1306 <tguru.ece@gmail.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Paul <paul.coignet@datadoghq.com>
Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com>
Co-authored-by: Paul Witt <paul_witt@discovery.com>
Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com>
Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com>
Co-authored-by: Javier Criado Marcos <javinavales.jcm@gmail.com>
Co-authored-by: mehmetsalgar <salgarm@gmx.de>
Co-authored-by: Sarah Thompson <sthompson@hashicorp.com>
Co-authored-by: Iñigo Horcajo <inigohu@gmail.com>
Co-authored-by: Rule88 <rule88@users.noreply.github.com>
Co-authored-by: Ricardo Gândara Pinto <rpinto@gmail.com>
Co-authored-by: Julian Setiawan <julian.setiawan@solace.com>
Co-authored-by: marcboudreau <marc.boudreau@solace.com>
Co-authored-by: Hadie Laham <hadie.laham@solace.com>

* changed value to use tag 1.9.6

Co-authored-by: Kaito Ii <kaitoii1111@gmail.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Eric Miller <eric.the.miller@icloud.com>
Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com>
Co-authored-by: Jason Hancock <jhancock@netskope.com>
Co-authored-by: Vadim Grek <vadimprog@gmail.com>
Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com>
Co-authored-by: Jacob Mammoliti <jmammoliti@hashicorp.com>
Co-authored-by: Ethan J. Brown <Iristyle@users.noreply.github.com>
Co-authored-by: Michele Baldessari <michele@acksyn.org>
Co-authored-by: André Becker <andre@arestless.com>
Co-authored-by: Julian Setiawan <julian.setiawan@solace.com>
Co-authored-by: marcboudreau <marc.boudreau@solace.com>
Co-authored-by: Hadie Laham <hadie.laham@solace.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Subhrajit Nag <92374747+nagsubhrajitt@users.noreply.github.com>
Co-authored-by: guru1306 <tguru.ece@gmail.com>
Co-authored-by: Paul <paul.coignet@datadoghq.com>
Co-authored-by: Arie Lev <34907201+ArieLevs@users.noreply.github.com>
Co-authored-by: Paul Witt <paul_witt@discovery.com>
Co-authored-by: Sam Marshall <8191402+samjmarshall@users.noreply.github.com>
Co-authored-by: Hamza ZOUHAIR <34426028+HamzaZo@users.noreply.github.com>
Co-authored-by: Javier Criado Marcos <javinavales.jcm@gmail.com>
Co-authored-by: mehmetsalgar <salgarm@gmx.de>
Co-authored-by: Sarah Thompson <sthompson@hashicorp.com>
Co-authored-by: Iñigo Horcajo <inigohu@gmail.com>
Co-authored-by: Rule88 <rule88@users.noreply.github.com>
Co-authored-by: Ricardo Gândara Pinto <rpinto@gmail.com>
Co-authored-by: adhish2001 <adhish.maheswaran@solace.com>
  • Loading branch information
@adhish2001 @kaitoii11
@tvoran @tomhjp @sosheskaz @mikutas @jasonhancock @brainiac84 @nikstur @Iristyle @mbaldessari @aRestless @j-setiawan @hadielaham88 @jasonodonnell @nagsubhrajitt @guru1306 @coignetp @ArieLevs @paulwitt @samjmarshall @HamzaZo @javiercri @mehmetsalgar @sarahethompson @inigohu @rule88
31 people committed Jul 27, 2022
1 parent 3eca6fb commit 7f26aa5
Show file tree
Hide file tree
Showing 37 changed files with 742 additions and 269 deletions.
11 changes: 1 addition & 10 deletions .circleci/config.yml
View file
Expand Up @@ -85,16 +85,7 @@ jobs:

workflows:
version: 2
build_and_test:
jobs:
- bats-unit-test
- chart-verifier
- acceptance:
requires:
- bats-unit-test
filters:
branches:
only: main
# Note: unit and acceptance tests are now being run in GitHub Actions
update-helm-charts-index:
jobs:
- update-helm-charts-index:
Expand Down
34 changes: 34 additions & 0 deletions .github/workflows/acceptance.yaml
View file
@@ -0,0 +1,34 @@
name: Acceptance Tests

on:
push:
branches:
- main
workflow_dispatch: {}

jobs:
kind:
strategy:
fail-fast: false
matrix:
kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup test tools
uses: ./.github/workflows/setup-test-tools

- name: Create K8s Kind Cluster
uses: helm/kind-action@v1.2.0
with:
config: test/kind/config.yaml
node_image: kindest/node:v${{ matrix.kind-k8s-version }}

# Skip CSI tests if K8s version < 1.16.x
- run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV
- if: ${{ env.K8S_MINOR < 16 }}
run: echo "SKIP_CSI=true" >> $GITHUB_ENV

- run: bats ./test/acceptance -t
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
23 changes: 4 additions & 19 deletions .github/workflows/jira.yaml
View file
Expand Up @@ -13,21 +13,6 @@ jobs:
runs-on: ubuntu-latest
name: Jira sync
steps:
- name: Check if community user
if: github.event.action == 'opened'
id: vault-team-role
run: |
TEAM=vault
ROLE="$(hub api orgs/hashicorp/teams/${TEAM}/memberships/${{ github.actor }} | jq -r '.role | select(.!=null)')"
if [[ -n ${ROLE} ]]; then
echo "Actor ${{ github.actor }} is a ${TEAM} team member, skipping ticket creation"
else
echo "Actor ${{ github.actor }} is not a ${TEAM} team member"
fi
echo "::set-output name=role::${ROLE}"
env:
GITHUB_TOKEN: ${{ secrets.JIRA_SYNC_GITHUB_TOKEN }}

- name: Login
uses: atlassian/gajira-login@v2.0.0
env:
Expand All @@ -46,7 +31,7 @@ jobs:
fi
- name: Create ticket
if: github.event.action == 'opened' && !steps.vault-team-role.outputs.role
if: github.event.action == 'opened'
uses: tomhjp/gh-action-jira-create@v0.2.0
with:
project: VAULT
Expand All @@ -63,7 +48,7 @@ jobs:
uses: tomhjp/gh-action-jira-search@v0.2.1
with:
# cf[10089] is Issue Link custom field
jql: 'project = "VAULT" and issuetype = "GH Issue" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'
jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'

- name: Sync comment
if: github.event.action == 'created' && steps.search.outputs.issue
Expand All @@ -77,11 +62,11 @@ jobs:
uses: atlassian/gajira-transition@v2.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: Done
transition: Close

- name: Reopen ticket
if: github.event.action == 'reopened' && steps.search.outputs.issue
uses: atlassian/gajira-transition@v2.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: "To Do"
transition: "Pending Triage"
18 changes: 18 additions & 0 deletions .github/workflows/setup-test-tools/action.yaml
View file
@@ -0,0 +1,18 @@
name: Setup common testing tools
description: Install bats and python-yq

runs:
using: "composite"
steps:
- uses: actions/setup-node@v2
with:
node-version: '14'
- run: npm install -g bats@${BATS_VERSION}
shell: bash
env:
BATS_VERSION: '1.5.0'
- run: bats -v
shell: bash
- uses: actions/setup-python@v2
- run: pip install yq
shell: bash
25 changes: 25 additions & 0 deletions .github/workflows/tests.yaml
View file
@@ -0,0 +1,25 @@
name: Tests

on: [push, workflow_dispatch]

jobs:
bats-unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: ./.github/workflows/setup-test-tools
- run: bats ./test/unit -t

chart-verifier:
runs-on: ubuntu-latest
env:
CHART_VERIFIER_VERSION: '1.2.1'
steps:
- uses: actions/checkout@v2
- name: Setup test tools
uses: ./.github/workflows/setup-test-tools
- uses: actions/setup-go@v2
with:
go-version: '1.17.4'
- run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
- run: bats ./test/chart -t
29 changes: 28 additions & 1 deletion CHANGELOG.md
View file
@@ -1,5 +1,32 @@
## Unreleased

## 0.19.0 (January 20th, 2022)

CHANGES:
* Vault image default 1.9.2
* Vault K8s image default 0.14.2

Features:
* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653)
* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659)
* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661)
* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670)

Improvements:
* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679)
* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673)
* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686)

## 0.18.0 (November 17th, 2021)

CHANGES:
* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649)
* Vault image default 1.9.0
* Vault K8s image default 0.14.1

Improvements:
* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621)

## 0.17.1 (October 25th, 2021)

Improvements:
Expand Down Expand Up @@ -46,7 +73,7 @@ Improvements:
## 0.14.0 (July 28th, 2021)

Features:
* Added templateConfig.exitOnRetryFailure annotation for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560)
* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560)

Improvements:
* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565)
Expand Down
12 changes: 10 additions & 2 deletions CONTRIBUTING.md
View file
Expand Up @@ -13,13 +13,14 @@ rules to get in the way of that.
That said, if you want to ensure that a pull request is likely to be merged,
talk to us! You can find out our thoughts and ensure that your contribution
won't clash or be obviated by Vault's normal direction. A great way to do this
is via the [Vault Google Group][2]. Sometimes Vault devs are in `#vault-tool`
on Freenode, too.
is via the [Vault Discussion Forum][1].

This document will cover what we're looking for in terms of reporting issues.
By addressing all the points we're looking for, it raises the chances we can
quickly merge or address your contributions.

[1]: https://discuss.hashicorp.com/c/vault

## Issues

### Reporting an Issue
Expand Down Expand Up @@ -237,3 +238,10 @@ Here are some examples of common test patterns:
```
Here we are check the length of the command output to see if the anything is rendered.
This style can easily be switched to check that a file is rendered instead.

## Contributor License Agreement

We require that all contributors sign our Contributor License Agreement ("CLA")
before we can accept the contribution.

[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla)
5 changes: 2 additions & 3 deletions Chart.yaml
View file
@@ -1,10 +1,9 @@
apiVersion: v2
name: vault
version: 0.17.1
appVersion: 1.8.4
version: 0.19.0
appVersion: 1.9.2
kubeVersion: ">= 1.14.0-0"
description: Install and configure Vault on Kubernetes.

home: https://www.vaultproject.io
icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
Expand Down
15 changes: 15 additions & 0 deletions templates/_helpers.tpl
View file
Expand Up @@ -316,6 +316,21 @@ Sets the injector node selector for pod placement
{{- end }}
{{- end -}}

{{/*
Sets the injector deployment update strategy
*/}}
{{- define "injector.strategy" -}}
{{- if .Values.injector.strategy }}
strategy:
{{- $tp := typeOf .Values.injector.strategy }}
{{- if eq $tp "string" }}
{{ tpl .Values.injector.strategy . | nindent 4 | trim }}
{{- else }}
{{- toYaml .Values.injector.strategy | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}

{{/*
Sets extra pod annotations
*/}}
Expand Down
3 changes: 3 additions & 0 deletions templates/csi-daemonset.yaml
View file
Expand Up @@ -27,6 +27,9 @@ spec:
app.kubernetes.io/instance: {{ .Release.Name }}
{{ template "csi.pod.annotations" . }}
spec:
{{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }}
serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }}
containers:
Expand Down
19 changes: 12 additions & 7 deletions templates/injector-deployment.yaml
View file
Expand Up @@ -17,6 +17,7 @@ spec:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{ template "injector.strategy" . }}
template:
metadata:
labels:
Expand Down Expand Up @@ -109,6 +110,10 @@ spec:
value: "{{ .Values.injector.agentDefaults.template }}"
- name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}"
{{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}
- name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
{{- end }}
{{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
- name: POD_NAME
valueFrom:
Expand Down Expand Up @@ -137,7 +142,13 @@ spec:
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }}
{{- if .Values.injector.certs.secretName }}
volumeMounts:
- name: webhook-certs
mountPath: /etc/webhook/certs
readOnly: true
{{- end }}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- name: leader-elector
image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
args:
Expand Down Expand Up @@ -166,12 +177,6 @@ spec:
successThreshold: 1
timeoutSeconds: 5
{{- end }}
{{- if .Values.injector.certs.secretName }}
volumeMounts:
- name: webhook-certs
mountPath: /etc/webhook/certs
readOnly: true
{{- end }}
{{- if .Values.injector.certs.secretName }}
volumes:
- name: webhook-certs
Expand Down
20 changes: 20 additions & 0 deletions templates/injector-disruptionbudget.yaml
View file
@@ -0,0 +1,20 @@
{{- if .Values.injector.podDisruptionBudget }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
{{- end -}}
14 changes: 0 additions & 14 deletions templates/injector-leader-endpoint.yaml
View file

This file was deleted.

2 changes: 1 addition & 1 deletion templates/injector-role.yaml
View file
Expand Up @@ -9,7 +9,7 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["secrets", "configmaps", "endpoints"]
resources: ["secrets", "configmaps"]
verbs:
- "create"
- "get"
Expand Down
3 changes: 2 additions & 1 deletion templates/server-route.yaml
View file
Expand Up @@ -9,6 +9,7 @@ kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
Expand All @@ -27,7 +28,7 @@ spec:
port:
targetPort: 8200
tls:
termination: passthrough
{{- toYaml .Values.server.route.tls | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
2 changes: 1 addition & 1 deletion templates/server-statefulset.yaml
View file
Expand Up @@ -41,7 +41,7 @@ spec:
{{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName }}
{{- end }}
terminationGracePeriodSeconds: 10
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
serviceAccountName: {{ template "vault.serviceAccount.name" . }}
{{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true
Expand Down

0 comments on commit 7f26aa5

Please sign in to comment.