From 14daa7ff0a1455baa3723177e8b5d393045cc1d7 Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Thu, 10 Nov 2022 14:10:25 +0000
Subject: [PATCH 1/5] Support selectively disabling active/standby services

---
 templates/server-discovery-role.yaml | 5 ++-
 templates/server-discovery-rolebinding.yaml | 5 ++-
 templates/server-ha-active-service.yaml | 2 +
 templates/server-ha-standby-service.yaml | 4 +-
 templates/server-statefulset.yaml | 1 -
 test/unit/server-discovery-rolebinding.bats | 41 +++++++++++++++++++++
 test/unit/server-ha-active-service.bats | 12 ++++++
 test/unit/server-ha-standby-service.bats | 12 ++++++
 values.schema.json | 16 ++++++++
 values.yaml | 4 ++
 10 files changed, 96 insertions(+), 6 deletions(-)
 create mode 100755 test/unit/server-discovery-rolebinding.bats

diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml
index 9ca23dd4c..92e89251e 100644
--- a/templates/server-discovery-role.yaml
+++ b/templates/server-discovery-role.yaml
@@ -1,7 +1,8 @@
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if .serverEnabled -}}
+{{ template "vault.serverServiceAccountEnabled" . }}
 {{- if eq .mode "ha" }}
+{{- if .serverEnabled -}}
+{{- if .serverServiceAccountEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml
index 6e22e4c2b..9ac280cfd 100644
--- a/templates/server-discovery-rolebinding.yaml
+++ b/templates/server-discovery-rolebinding.yaml
@@ -1,7 +1,8 @@
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if .serverEnabled -}}
+{{ template "vault.serverServiceAccountEnabled" . }}
 {{- if eq .mode "ha" }}
+{{- if .serverEnabled -}}
+{{- if .serverServiceAccountEnabled -}}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
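Review bot: The mode gate at the top of the template moves from `{{- if ne .mode "external" }}` to `{{- if eq .mode "ha" }}`, so the discovery Role is now rendered only in HA mode instead of in every non-external mode, and neither the commit subject nor the changelog entries added later in this series mention that narrowing (they describe only the service-account gate). Restricting the RBAC grant to the mode that uses it is sound least-privilege, but anyone who presumably relied on the Role and its binding in another mode would lose them silently on upgrade. The same change is made in the server-discovery-rolebinding.yaml hunk, and the new `server/DiscoveryRoleBinding: enabled by default with ha` test pins the HA-only behaviour, so it is deliberate and should be called out: a changelog line such as `* server: Service discovery Role and RoleBinding are now rendered only when server.ha.enabled is true` would make the upgrade impact visible. The template body continues outside the hunk.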
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml
index ef212376d..849c867b7 100644
--- a/templates/server-ha-active-service.yaml
+++ b/templates/server-ha-active-service.yaml
@@ -3,6 +3,7 @@
 {{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if eq .mode "ha" }}
+{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
 # Service for active Vault pod
 apiVersion: v1
 kind: Service
@@ -44,3 +45,4 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index e6d66af84..e0750aa64 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
@@ -3,6 +3,7 @@
 {{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if eq .mode "ha" }}
+{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
 # Service for standby Vault pod
 apiVersion: v1
 kind: Service
@@ -42,4 +43,5 @@ spec:
 vault-active: "false"
 {{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
+{{- end }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index fb3cbfab7..065949198 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -52,7 +52,6 @@ spec:
 {{- if not .Values.global.openshift }}
 hostNetwork: {{ .Values.server.hostNetwork }}
 {{- end }}
-
 volumes:
 {{ template "vault.volumes" . }}
 - name: home
diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats
new file mode 100755
index 000000000..4ff9c3c26
--- /dev/null
+++ b/test/unit/server-discovery-rolebinding.bats
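Review bot: The new `{{- if eq (.Values.server.service.active.enabled | toString) "true" }}` guard switches the active Service off with no documentation of what else in the chart may still point at it; any other template that routes traffic to this Service (an ingress or route rule, for instance) would be left with a dangling backend when the flag is false, and nothing in this hunk or the matching server-ha-standby-service.yaml hunk says so. I cannot see those templates from here, so treat this as something to confirm rather than a known break. If such references exist, a short template comment above the guard, e.g. `{{/* When disabled, anything that targets this Service must be disabled or repointed as well */}}`, or an equivalent note in values.yaml, would prevent a silent outage. The Service definition continues outside the hunk.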
@@ -0,0 +1,41 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/DiscoveryRoleBinding: enabled by default with ha" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-rolebinding.yaml \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-rolebinding.yaml \
+ --set 'server.ha.enabled=true' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "server/DiscoveryRoleBinding: can disable with server.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-rolebinding.yaml \
+ --set 'server.enabled=false' \
+ --set 'server.ha.enabled=true' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "server/DiscoveryRoleBinding: can disable with server.serviceAccount.create false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-rolebinding.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.serviceAccount.create=false' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
index d74e74913..6a2e34946 100755
--- a/test/unit/server-ha-active-service.bats
+++ b/test/unit/server-ha-active-service.bats
@@ -35,6 +35,18 @@ load _helpers
 [ "${actual}" = "false" ]
 }
+@test "server/ha-active-Service: disable with server.service.active.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-ha-active-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.service.enabled=true' \
+ --set 'server.service.active.enabled=false' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
 @test "server/ha-active-Service: type empty by default" {
 cd `chart_dir`
 local actual=$(helm template \
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats
index 045560ce9..3a9a39f33 100755
--- a/test/unit/server-ha-standby-service.bats
+++ b/test/unit/server-ha-standby-service.bats
@@ -46,6 +46,18 @@ load _helpers
 [ "${actual}" = "false" ]
 }
+@test "server/ha-standby-Service: disable with server.service.standby.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-ha-standby-service.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.service.enabled=true' \
+ --set 'server.service.standby.enabled=false' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
 @test "server/ha-standby-Service: type empty by default" {
 cd `chart_dir`
 local actual=$(helm template \
diff --git a/values.schema.json b/values.schema.json
index 676efb7c9..1cecf7119 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -851,6 +851,14 @@
 "service": {
 "type": "object",
 "properties": {
+ "active": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
 "annotations": {
 "type": [
 "object",
@@ -869,6 +877,14 @@
 "publishNotReadyAddresses": {
 "type": "boolean"
 },
+ "standby": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
 "targetPort": {
 "type": "integer"
 },
diff --git a/values.yaml b/values.yaml
index a8a036c90..28afffb28 100644
--- a/values.yaml
+++ b/values.yaml
@@ -596,6 +596,10 @@ server:
 # Enables a headless service to be used by the Vault Statefulset
 service:
 enabled: true
+ active:
+ enabled: true
+ standby:
+ enabled: true
 # clusterIP controls whether a Cluster IP address is attached to the
 # Vault service within Kubernetes. By default, the Vault service will
 # be given a Cluster IP address, set to None to disable. When disabled

From 6fbd944b189e363e5003392fcb251e20e7fadea2 Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Thu, 10 Nov 2022 14:37:15 +0000
Subject: [PATCH 2/5] Add changelog

---
 CHANGELOG.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9282dd0c4..cc02c2a71 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,11 @@
 ## Unreleased
-Features:
+Changes:
+* server: No longer apply Vault service discovery role and role binding when `server.serviceAccount.create` is set to false [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
+
+Improvements:
 * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
+* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
 ## 0.22.1 (October 26th, 2022)

From 6eb89c6d6dfd06b44203bf39f920467c20f2101c Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Fri, 11 Nov 2022 16:11:01 +0000
Subject: [PATCH 3/5] Add server.serviceAccount.serviceDiscovery.enabled setting, tests, comments, schema

---
 templates/server-discovery-role.yaml | 5 +--
 templates/server-discovery-rolebinding.yaml | 5 +--
 test/unit/server-discovery-role.bats | 41 +++++++++++++++++++++
 test/unit/server-discovery-rolebinding.bats | 4 +-
 values.schema.json | 11 ++++++
 values.yaml | 9 +++++
 6 files changed, 67 insertions(+), 8 deletions(-)
 create mode 100755 test/unit/server-discovery-role.bats

diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml
index 92e89251e..4dba09df1 100644
--- a/templates/server-discovery-role.yaml
+++ b/templates/server-discovery-role.yaml
@@ -1,8 +1,7 @@
 {{ template "vault.mode" . }}
-{{ template "vault.serverServiceAccountEnabled" . }}
-{{- if eq .mode "ha" }}
 {{- if .serverEnabled -}}
-{{- if .serverServiceAccountEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml
index 9ac280cfd..280ec6ca2 100644
--- a/templates/server-discovery-rolebinding.yaml
+++ b/templates/server-discovery-rolebinding.yaml
@@ -1,8 +1,7 @@
 {{ template "vault.mode" . }}
-{{ template "vault.serverServiceAccountEnabled" . }}
-{{- if eq .mode "ha" }}
 {{- if .serverEnabled -}}
-{{- if .serverServiceAccountEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats
new file mode 100755
index 000000000..11473a081
--- /dev/null
+++ b/test/unit/server-discovery-role.bats
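Review bot: The new `{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}` guard is evaluated independently of `server.serviceAccount.create`, so with `create: false` and the default `enabled: true` the chart now renders the RoleBinding for a service account it does not manage; that is presumably intended (binding to an externally created account), but it reverses what the previous patch did for that combination without saying so, and the only test that exercised `server.serviceAccount.create=false` is retargeted to the new option in this patch's server-discovery-rolebinding.bats hunk, leaving the combination unasserted. A test that renders `templates/server-discovery-rolebinding.yaml` with `--set 'server.ha.enabled=true' --set 'server.serviceAccount.create=false'` and asserts the binding is still emitted would pin the decision, and a one-line comment in values.yaml next to `create` stating that the discovery RBAC is still applied to the named external account would document it. The same guard is added in the server-discovery-rolebinding.yaml hunk; both templates continue outside their hunks.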
@@ -0,0 +1,41 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/DiscoveryRole: enabled by default with ha" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-role.yaml \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-role.yaml \
+ --set 'server.ha.enabled=true' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "server/DiscoveryRole: can disable with server.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-role.yaml \
+ --set 'server.enabled=false' \
+ --set 'server.ha.enabled=true' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "server/DiscoveryRole: can disable with server.serviceAccount.serviceDiscovery.enabled false" {
+ cd `chart_dir`
+ local actual=$( (helm template \
+ --show-only templates/server-discovery-role.yaml \
+ --set 'server.ha.enabled=true' \
+ --set 'server.serviceAccount.serviceDiscovery.enabled=false' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats
index 4ff9c3c26..568c24072 100755
--- a/test/unit/server-discovery-rolebinding.bats
+++ b/test/unit/server-discovery-rolebinding.bats
@@ -29,12 +29,12 @@ load _helpers
 [ "${actual}" = "false" ]
 }
-@test "server/DiscoveryRoleBinding: can disable with server.serviceAccount.create false" {
+@test "server/DiscoveryRoleBinding: can disable with server.serviceAccount.serviceDiscovery.enabled false" {
 cd `chart_dir`
 local actual=$( (helm template \
 --show-only templates/server-discovery-rolebinding.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.serviceAccount.create=false' \
+ --set 'server.serviceAccount.serviceDiscovery.enabled=false' \
 . || echo "---") | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
diff --git a/values.schema.json b/values.schema.json
index 1cecf7119..2ba9ab84d 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -911,8 +911,19 @@
 "create": {
 "type": "boolean"
 },
+ "extraLabels": {
+ "type": "object"
+ },
 "name": {
 "type": "string"
+ },
+ "serviceDiscovery": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
 }
 }
 },
diff --git a/values.yaml b/values.yaml
index 28afffb28..0045066c5 100644
--- a/values.yaml
+++ b/values.yaml
@@ -596,8 +596,12 @@ server:
 # Enables a headless service to be used by the Vault Statefulset
 service:
 enabled: true
+ # Enable or disable the vault-active service, which selects Vault pods that
+ # have labelled themselves as the cluster leader with `vault-active: "true"`
 active:
 enabled: true
+ # Enable or disable the vault-standby service, which selects Vault pods that
+ # have labelled themselves as a cluster follower with `vault-active: "false"`
 standby:
 enabled: true
 # clusterIP controls whether a Cluster IP address is attached to the
@@ -858,6 +862,11 @@ server:
 # Extra labels to attach to the serviceAccount
 # This should be a YAML map of the labels to apply to the serviceAccount
 extraLabels: {}
+ # Enable or disable a service account role binding with the permissions required for
+ # Vault's Kubernetes service_registration config option.
+ # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
+ serviceDiscovery:
+ enabled: true
 # Settings for the statefulSet used to run Vault.
 statefulSet:

From 5b5721ecbdfd6d3e93b38477ca1b5770c9ed0fb7 Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Fri, 11 Nov 2022 16:12:19 +0000
Subject: [PATCH 4/5] changelog++

---
 CHANGELOG.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc02c2a71..e76b0677d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,12 +1,11 @@
 ## Unreleased
-Changes:
-* server: No longer apply Vault service discovery role and role binding when `server.serviceAccount.create` is set to false [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
-
 Improvements:
 * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
 * server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
+* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
+
 ## 0.22.1 (October 26th, 2022)
 Changes:

From e519d9895cb5db237cc93d7890be13b26de1d4c6 Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Mon, 14 Nov 2022 11:36:48 +0000
Subject: [PATCH 5/5] changelog++

---
 CHANGELOG.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e76b0677d..d5d686fd0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
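Review bot: The comment on the new `serviceDiscovery` key describes only "a service account role binding", but the option gates both templates/server-discovery-role.yaml and templates/server-discovery-rolebinding.yaml, and both are additionally conditioned on HA mode (the tests set `server.ha.enabled=true` to get them rendered), so the comment under-states what the switch controls. The Role carries the permissions, which is the security-relevant part, and a reader deciding whether to turn this off should see that the Role itself is removed, not just the binding. Suggest replacing the first two comment lines with `# Enable or disable the Role and RoleBinding that grant the Vault service account the` / `# permissions required for Vault's Kubernetes service_registration config option.` / `# Only rendered when server.ha.enabled is true.` and keeping the existing See link.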
@@ -1,9 +1,8 @@
 ## Unreleased
-Improvements:
+Features:
 * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
 * server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
-
 * server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
 ## 0.22.1 (October 26th, 2022)