From 1e9b4fdf8907cb353ad8c8576ce42249a68142f5 Mon Sep 17 00:00:00 2001 From: xiaocongji <85846543+xiaocongji@users.noreply.github.com> Date: Tue, 21 Mar 2023 09:47:22 -0400 Subject: [PATCH] feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add staticSecretRenderInterval to injector (#621) * make staticSecretRenderInterval default to empty string * update values schema to add staticSecretRenderInterval * add test for default value * adding changelog entry Co-authored-by: Theron Voran * Update jira action (#644) * No longer check for Vault team membership * Tweak jira states and search parameters * remove support for the leader-elector container (#649) * vault-helm 0.18.0 release (#650) * Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor * Configurable PodDisruptionBudget for Injector (#653) * Fix spelling error in server disruptionbudget test (#654) * Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod * injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock * csi: ability to set priorityClassName for csi daemonset pods (#670) * Fixed a small typo (#672) * Disable unit and acceptance tests in CircleCI (#675) * update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. * add namespace support for openshift route (#679) * Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 * allow injection of TLS config for OpenShift routes (#686) * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran * Release 0.19.0 (#687) * Add extraLabels for CSI DaemonSet (#690) * Updated hashicorp/vault-csi-provider image to v1.0.0 (#689) * Fix unit test assertions (#693) * vault: bump image to 1.9.3 (#695) Signed-off-by: Lionel H * changelog++ (#699) * change helm trigger branch from master to main (#700) * Add namespace to injector-leader-elector role, rolebinding and secret (#683) * allow to configure publishNotReadyAddresses on server services (#694) * Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 * VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. Co-authored-by: Theron Voran * Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 * Fix values schema to support config in YAML (#684) * Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 * Remove unncessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additonal call to vault.serverEnabled made which was unnecessary Remove those * Issue 629: updated to allow customization of the CLUSTER_ADDR the same… (#709) * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidently. * Issue-#629 fixing extra whitespace added. * Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran * VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran * VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade * Implement support for Topology Spread Constraints (#652) * Implemented support for topology spread constraints * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Update values.yaml Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * Add topologySpreadConstraints to values schema * Implement injector deployment topology spread UTs * also remove string from the relevant schema types * Implement injector statefulset topology spread UTs * Implement injector HA statefulset topology UTs * Allow topologySpreadConstraints to be a string Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> Co-authored-by: Christopher Swenson * Update the changelog with changes from 614 and 652 (#723) * Update the changelog with changes from 614 and 652 * Update CHANGELOG.md Co-authored-by: Theron Voran Co-authored-by: Theron Voran * Prepare v0.20.0 release (#727) --------- Signed-off-by: Lionel H Co-authored-by: Kaito Ii Co-authored-by: Theron Voran Co-authored-by: Tom Proctor Co-authored-by: Eric Miller Co-authored-by: Takumi Sue <23391543+mikutas@users.noreply.github.com> Co-authored-by: Jason Hancock Co-authored-by: Vadim Grek Co-authored-by: nikstur <61635709+nikstur@users.noreply.github.com> Co-authored-by: Jacob Mammoliti Co-authored-by: Ethan J. Brown Co-authored-by: Michele Baldessari Co-authored-by: André Becker Co-authored-by: Michael Schuett Co-authored-by: Troy Fluegge Co-authored-by: lion24 Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Co-authored-by: Christian Co-authored-by: Viacheslav Vasilyev Co-authored-by: Remco Buddelmeijer Co-authored-by: Christopher Swenson Co-authored-by: gw0 Co-authored-by: Stephen Herd Co-authored-by: Joaco Muleiro Beltran Co-authored-by: Ellis Tarn Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- CHANGELOG.md | 8 +++++ templates/_helpers.tpl | 2 +- templates/injector-deployment.yaml | 35 -------------------- templates/server-clusterrolebinding.yaml | 2 +- templates/server-ha-standby-service.yaml | 4 --- test/acceptance/csi.bats | 3 +- test/acceptance/server-ha-enterprise-dr.bats | 4 +++ values.schema.json | 3 ++ values.yaml | 4 +-- 9 files changed, 21 insertions(+), 44 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bdc728be4..105f6c57b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -46,10 +46,15 @@ CHANGES: * CSI provider default image to 1.1.0 * Vault K8s default image to 0.16.0 * Earliest Kubernetes version tested is now 1.16 +<<<<<<< HEAD * Helm 3.6+ now required Features: * Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652) +======= +* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652) +* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692) +>>>>>>> c575574 (feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16)) Improvements: * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) @@ -58,7 +63,10 @@ Improvements: * Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) * server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694) * server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684) +<<<<<<< HEAD * Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692) +======= +>>>>>>> c575574 (feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16)) ## 0.19.0 (January 20th, 2022) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 2ebb2b493..bcc6496c0 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -126,7 +126,7 @@ template logic. {{- $_ := set . "mode" "external" -}} {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} - {{- else if ne (.Values.server.enabled | toString) "true" -}} + {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- $_ := set . "mode" "dev" -}} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index fc0cf29e1..e69ba72ef 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -140,41 +140,6 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 -{{- if .Values.injector.certs.secretName }} - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true -{{- end }} - {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - - name: leader-elector - image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} - args: - - --election={{ template "vault.fullname" . }}-agent-injector-leader - - --election-namespace={{ .Release.Namespace }} - - --http=0.0.0.0:4040 - - --ttl={{ .Values.injector.leaderElector.ttl }} - livenessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - {{- end }} {{- if .Values.injector.certs.secretName }} volumes: - name: webhook-certs diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index 8cdd61143..0ebacf2d5 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -21,4 +21,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} namespace: {{ .Release.Namespace }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index b8ee6f38e..e6d66af84 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -1,12 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -<<<<<<< HEAD {{- template "vault.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} -======= -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} ->>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)) # Service for standby Vault pod apiVersion: v1 kind: Service diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index 0973043a2..84742d5d0 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -17,7 +17,8 @@ check_skip_csi() { # Install Secrets Store CSI driver CSI_DRIVER_VERSION=1.0.0 - helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ + helm install secrets-store-csi-driver secrets-store-csi-driver --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ + --version="${CSI_DRIVER_VERSION}" --wait --timeout=5m \ --namespace=acceptance \ --set linux.image.pullPolicy="IfNotPresent" \ diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index f09bbb1fc..a5092afc4 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -75,7 +75,11 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ +<<<<<<< HEAD --set='server.image.tag=1.11.3-ent' \ +======= + --set='server.image.tag=1.10.3-ent' \ +>>>>>>> c575574 (feat(DATAGO-30305): Upgrade vault server to 1.10.x (#16)) --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.schema.json b/values.schema.json index 3e08c9dd0..c4fb12c45 100644 --- a/values.schema.json +++ b/values.schema.json @@ -866,6 +866,9 @@ "enabled": { "type": "boolean" }, + "publishNotReadyAddresses": { + "type": "boolean" + }, "externalTrafficPolicy": { "type": "string" }, diff --git a/values.yaml b/values.yaml index 854676efc..4adce942a 100644 --- a/values.yaml +++ b/values.yaml @@ -125,7 +125,6 @@ injector: # for more details. # timeoutSeconds: 30 - # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -172,6 +171,8 @@ injector: # matchLabels: # sidecar-injector: enabled namespaceSelector: {} + + # Deprecated: please use 'webhook.objectSelector' instead # objectSelector is the selector for restricting the webhook to only # specific labels. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector @@ -977,7 +978,6 @@ csi: extraLabels: {} - # Priority class for csi pods priorityClassName: ""