feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12)

* Add objectSelector to webhookconfiguration (hashicorp#456)

* changelog++

* Add CSI secrets store provider (hashicorp#461)

* updating acceptance tests to k8s 1.17 on gke (hashicorp#473)

* changelog++

* Target vault-csi-provider release 0.1.0 (hashicorp#475)

* Update to 0.10.0 (hashicorp#477)

* Update to v0.10.0

* Fix typo

* Add csi link in changelog

* Add volumes and mounts support for CSI (hashicorp#479)

* Remove extraVolumes from CSI, add volumes and mounts

* Add better example

* changelog++

* Remove extra word in readme (hashicorp#482)

* fix csi helm deployment (hashicorp#486)

* fix serviceaccount and clusterrole name reference (full name)

* add server.enabled option, align with documentation

* add unit tests

* update server.enabled behaviour to explicit true and update tests

* changelog++

* add hostNetwork value to injector deployment (hashicorp#471)

* add hostNetwork value to injector deployment

* adding unit tests

* changelog++

* feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services (hashicorp#460)

Refs hashicorp#361

* changelog++

* Add logLevel and logFormat values for Vault (hashicorp#488)

* Add logLevel and logFormat values for Vault

* Add configurable tests

* Update order of log levels

* Update values.yaml

* Update per review

* Update test/unit/server-statefulset.bats

Co-authored-by: Tom Proctor <[email protected]>

* Update test/unit/server-statefulset.bats

Co-authored-by: Tom Proctor <[email protected]>

Co-authored-by: Tom Proctor <[email protected]>

* changelog++

* Custom value of agent port  (hashicorp#489)

* configure the agent port

* add unit test

* remove default

* remove default

* Update values.yaml

Co-authored-by: Jason O'Donnell <[email protected]>

Co-authored-by: Jason O'Donnell <[email protected]>

* changelog++

* Add injector agent default overrides (hashicorp#493)

* Add injector agent default overrides

* Update test/unit/injector-deployment.bats

Co-authored-by: Theron Voran <[email protected]>

* Update test/unit/injector-deployment.bats

Co-authored-by: Theron Voran <[email protected]>

* Update test/unit/injector-deployment.bats

Co-authored-by: Theron Voran <[email protected]>

Co-authored-by: Theron Voran <[email protected]>

* changelog++

* [injector] Add port name in injector service (hashicorp#495)

* [injector] Add port name in injector service

* [injector] Hardcore port to https

* changelog++

* Fix injector unit test failing (hashicorp#496)

* Fix injector unit test failing

* Add null check

* Add default if unset for CI

* Remove redundant logic (hashicorp#434)

* Update to v0.11.0 (hashicorp#497)

* Add container based tests documentation (hashicorp#492)

* update documentation with running unit tests using container

* promote bats version to 1.3.0

* Update CONTRIBUTING.md

Co-authored-by: Jason O'Donnell <[email protected]>

* Update CONTRIBUTING.md

Co-authored-by: Jason O'Donnell <[email protected]>

Co-authored-by: Jason O'Donnell <[email protected]>

* Set kubeVersion and added chart-verifier tests (hashicorp#510)

Set min kubeVersion in Chart.yaml to 1.14. Added a chart-verifier bats
test, and configured to run it in CI. Some verification tests that
haven't been addressed yet are skipped.

* changelog++

* match kubeVersion on semver pre-releases (hashicorp#512)

Since clouds like GKE set their kubeVersion as a
pre-release (e.g. v1.17.17-gke.6700)

* Add ImagePullSecrets to CSI daemonset (hashicorp#519)

* changelog++

* changelog++

* fix CONTRIBUTING.md (hashicorp#501)

* updating to use new dedicated context and token (hashicorp#515)

* added values json schema (hashicorp#513)

Generated the schema using the helm schema-gen plugin, and added extra
data types to fields that allow it, such as annotations, tolerations,
enabled, etc. Enabled the "contains-value-schema" chart-verifier test.

Co-authored-by: Jason O'Donnell <[email protected]>

* changelog++

* [Issue-520] tolerations for csi-daemonset (hashicorp#521)

Co-authored-by: Theron Voran <[email protected]>

* changelog++

* Add extraArgs value for CSI (hashicorp#526)

* changelog++

* add schema unit tests (hashicorp#530)

* Add UI targetPort option (hashicorp#437)

Use custom `targetPort` for UI service. See the usecase in hashicorp#385 (comment)

* changelog++

* Update to v0.12.0 (hashicorp#532)

* Update to v0.12.0

* Update values.schema.json

* Fix schema types

* revert image repo

* Adding helm test for vault server (hashicorp#531)

Also adds acceptance test for 'helm test' and updates the
chart-verifier version.

* changelog++

* fix ui.serviceNodePort schema (hashicorp#537)

UI service nodePort defaults to null, but is set as an integer

* changelog++

* change maxUnavailable to integer (hashicorp#535)

change maxUnavailable from `null` to `integer` to enable upgrade from
0.11.0 to 0.12.0 when using the specific variable.

* Also allow null value

Co-authored-by: Theron Voran <[email protected]>

* add test for server.ha.disruptionBudget.maxUnavailable

Co-authored-by: Theron Voran <[email protected]>

* changelog++

* use vault-helm-test:0.2.0 (hashicorp#543)

* Added webhook-certs volume mount to sidecar injector (hashicorp#545)

* Removed webhook-certs volume mount from leader-elector container

* Added test: injector deployment manual TLS adds volume mount

* changelog++

* Adding server.enterpriseLicense (hashicorp#547)

Sets up a vault-enterprise license for autoloading on vault
startup. Mounts an existing secret to /vault/license and sets
VAULT_LICENSE_PATH appropriately.

* changelog++

* Add openshift overrides (hashicorp#549)

Adds default overrides for OpenShift (values.openshift.yaml) and uses
them in the chart-verifier tests.

* changelog++

* Update to v0.13.0 (hashicorp#554)

* Explain this fork in the README

* Adding support for LoadBalancerIP field in ServiceSpec

* DATAGO-13861: Adding support for logrotate

* DATAGO-13861: Adding audit log rotation and shipment to datdog

* Fixing minor typos and removing extra lines

* DATAGO-13861: Adding support for logrotate

* DATAGO-13861: Adding audit log rotation and shipment to datdog

* Fixing minor typos and removing extra lines

* feat(DATAGO-27002): Upgrade to 1.7.9

* chore(DATAGO-27002): Fix doc issue

Co-authored-by: guru1306 <[email protected]>
Co-authored-by: Jason O'Donnell <[email protected]>
Co-authored-by: Tom Proctor <[email protected]>
Co-authored-by: Theron Voran <[email protected]>
Co-authored-by: Paul <[email protected]>
Co-authored-by: Arie Lev <[email protected]>
Co-authored-by: Paul Witt <[email protected]>
Co-authored-by: Sam Marshall <[email protected]>
Co-authored-by: Hamza ZOUHAIR <[email protected]>
Co-authored-by: Javier Criado Marcos <[email protected]>
Co-authored-by: mehmetsalgar <[email protected]>
Co-authored-by: Sarah Thompson <[email protected]>
Co-authored-by: Iñigo Horcajo <[email protected]>
Co-authored-by: Rule88 <[email protected]>
Co-authored-by: Ricardo Gândara Pinto <[email protected]>
Co-authored-by: Julian Setiawan <[email protected]>
Co-authored-by: marcboudreau <[email protected]>
Co-authored-by: Hadie Laham <[email protected]>

Makefile

@@ -4,6 +4,7 @@ CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
 ACCEPTANCE_TESTS?=acceptance
 
+<<<<<<< HEAD
 # filter bats unit tests to run.
 UNIT_TESTS_FILTER?='.*'
 
@@ -16,6 +17,8 @@ KIND_CLUSTER_NAME?=vault-helm
 # kind k8s version
 KIND_K8S_VERSION?=v1.26.3
 
+=======
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
 # Generate json schema for chart values. See test/README.md for more details.
 values-schema:
 	helm schema-gen values.yaml > values.schema.json

README.md

@@ -46,6 +46,7 @@ Please see the many options supported in the `values.yaml`
 file. These are also fully documented directly on the
 [Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html).
 
+
 ## Customizations
 
 This Helm chart has been customized in the following ways:

templates/_helpers.tpl

@@ -131,6 +131,8 @@ template logic.
     {{- $_ := set . "mode" "external" -}}
   {{- else if not .serverEnabled -}}
     {{- $_ := set . "mode" "external" -}}
+  {{- else if ne (.Values.server.enabled | toString) "true" -}}
+    {{- $_ := set . "mode" "external" -}}
   {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
     {{- $_ := set . "mode" "dev" -}}
   {{- else if eq (.Values.server.ha.enabled | toString) "true" -}}

templates/csi-daemonset.yaml

@@ -1,10 +1,14 @@
+<<<<<<< HEAD
 {{/*
 Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}
 
 {{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
+=======
+{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -14,9 +18,12 @@ metadata:
     app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
+<<<<<<< HEAD
     {{- if  .Values.csi.daemonSet.extraLabels -}}
       {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
     {{- end -}}
+=======
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
   {{ template "csi.daemonSet.annotations" . }}
 spec:
   updateStrategy:

templates/injector-deployment.yaml

@@ -46,6 +46,13 @@ spec:
       {{ template "injector.securityContext.pod" . -}}
       {{- if not .Values.global.openshift }}
       hostNetwork: {{ .Values.injector.hostNetwork }}
+<<<<<<< HEAD
+=======
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: {{ .Values.injector.gid | default 1000 }}
+        runAsUser: {{ .Values.injector.uid | default 100 }}
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
       {{- end }}
       containers:
         - name: sidecar-injector
@@ -111,12 +118,15 @@ spec:
               value: "{{ .Values.injector.agentDefaults.memLimit }}"
             - name: AGENT_INJECT_DEFAULT_TEMPLATE
               value: "{{ .Values.injector.agentDefaults.template }}"
+<<<<<<< HEAD
             - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
               value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}"
             {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}
             - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
               value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
             {{- end }}
+=======
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
             {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
             - name: POD_NAME
               valueFrom:
@@ -156,12 +166,15 @@ spec:
             successThreshold: {{ .Values.injector.startupProbe.successThreshold }}
             timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }}
 {{- if .Values.injector.certs.secretName }}
+<<<<<<< HEAD
           volumeMounts:
             - name: webhook-certs
               mountPath: /etc/webhook/certs
               readOnly: true
 {{- end }}
 {{- if .Values.injector.certs.secretName }}
+=======
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
       volumes:
         - name: webhook-certs
           secret:

templates/server-ha-standby-service.yaml

@@ -5,10 +5,14 @@ SPDX-License-Identifier: MPL-2.0
 
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
+<<<<<<< HEAD
 {{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if eq .mode "ha" }}
 {{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
+=======
+{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
 # Service for standby Vault pod
 apiVersion: v1
 kind: Service

test/acceptance/csi.bats

@@ -4,7 +4,6 @@ load _helpers
 
 @test "csi: testing deployment" {
   cd `chart_dir`
-
   kubectl delete namespace acceptance --ignore-not-found=true
   kubectl create namespace acceptance
 

test/unit/csi-daemonset.bats

@@ -304,7 +304,11 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
+<<<<<<< HEAD
 @test "csi/daemonset: tolerations can be set as string" {
+=======
+@test "csi/daemonset: tolerations can be set" {
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
   cd `chart_dir`
   local actual=$(helm template \
       --show-only templates/csi-daemonset.yaml  \
@@ -315,6 +319,7 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
+<<<<<<< HEAD
 @test "csi/daemonset: tolerations can be set as YAML" {
   cd `chart_dir`
   local actual=$(helm template \
@@ -352,6 +357,8 @@ load _helpers
 }
 
 
+=======
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
 #--------------------------------------------------------------------
 # volumes
 
@@ -372,6 +379,7 @@ load _helpers
   [ "${actual}" = "{}" ]
 }
 
+<<<<<<< HEAD
 @test "csi/daemonset: csi providersDir default" {
   cd `chart_dir`
 
@@ -403,6 +411,8 @@ load _helpers
   [ "${actual}" = "/alt/csi-prov-dir" ]
 }
 
+=======
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
 #--------------------------------------------------------------------
 # volumeMounts
 
@@ -540,6 +550,7 @@ load _helpers
       yq -r '.timeoutSeconds' | tee /dev/stderr)
   [ "${actual}" = "14" ]
 }
+<<<<<<< HEAD
 
 @test "csi/daemonset: VAULT_ADDR defaults to Agent unix socket" {
   cd `chart_dir`
@@ -743,4 +754,6 @@ load _helpers
   local value=$(echo $object |
       yq -r '.limits.cpu' | tee /dev/stderr)
   [ "${value}" = "500m" ]
-}
+}
+=======
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))

test/unit/schema.bats

@@ -7,9 +7,15 @@ load _helpers
 # schema, setting it as a string fails 'helm template'.
 @test "schema: csi enabled datatype" {
   cd `chart_dir`
+<<<<<<< HEAD
   run helm template . --set csi.enabled="123"
   [ "$status" -eq 1 ]
   [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
+=======
+  run helm template . --set csi.enabled="nope"
+  [ "$status" -eq 1 ]
+  [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ]
+>>>>>>> c4ab664 (feat(DATAGO-27002): Upgrade vault to version 1.7.9 (#12))
 
   run helm template . --set csi.enabled=true
   [ "$status" -eq 0 ]

test/unit/server-statefulset.bats

@@ -1857,3 +1857,59 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.port' | tee /dev/stderr)
   [ "${actual}" = "8200" ]
 }
+
+#--------------------------------------------------------------------
+# enterprise license autoload support
+@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'server.enterpriseLicense.secretName=foo' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
+      . | tee /dev/stderr |
+      yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr)
+      [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ]
+}
+
+@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'server.enterpriseLicense.secretName=foo' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
+      . | tee /dev/stderr |
+      yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr)
+      [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ]
+}
+
+@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'server.enterpriseLicense.secretName=foo' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
+      . | tee /dev/stderr |
+      yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+      [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ]
+}
+
+@test "server/StatefulSet: blank secretName does not set env var" {
+  cd `chart_dir`
+
+  # setting secretName=null
+  local actual=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'server.enterpriseLicense.secretName=null' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
+      . | tee /dev/stderr |
+      yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+      [ "${actual}" = '' ]
+
+  # omitting secretName
+  local actual=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'server.enterpriseLicense.secretKey=bar' \
+      . | tee /dev/stderr |
+      yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+      [ "${actual}" = '' ]
+}