diff --git a/CHANGELOG.md b/CHANGELOG.md index e9c2857c0..99df5a6fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +CHANGES: +* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649) + Improvements: * Added templateConfig.staticSecretRenderInterval annotation for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 0cc13823b..aefbf0882 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -141,35 +141,6 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 - {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }} - - name: leader-elector - image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} - args: - - --election={{ template "vault.fullname" . }}-agent-injector-leader - - --election-namespace={{ .Release.Namespace }} - - --http=0.0.0.0:4040 - - --ttl={{ .Values.injector.leaderElector.ttl }} - livenessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: 4040 - scheme: HTTP - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 - {{- end }} {{- if .Values.injector.certs.secretName }} volumeMounts: - name: webhook-certs diff --git a/templates/injector-leader-endpoint.yaml b/templates/injector-leader-endpoint.yaml deleted file mode 100644 index 42c4c0ae7..000000000 --- a/templates/injector-leader-endpoint.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true")}} -# This is created here so it can be cleaned up easily, since if -# the endpoint is left around the leader won't expire for about a minute. -apiVersion: v1 -kind: Endpoints -metadata: - name: {{ template "vault.fullname" . }}-agent-injector-leader - annotations: - deprecated: "true" - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index 446efaf59..e7e383d16 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} rules: - apiGroups: [""] - resources: ["secrets", "configmaps", "endpoints"] + resources: ["secrets", "configmaps"] verbs: - "create" - "get" diff --git a/test/acceptance/injector-leader-elector.bats b/test/acceptance/injector-leader-elector.bats index 6f9f0b41f..0f91e02a3 100644 --- a/test/acceptance/injector-leader-elector.bats +++ b/test/acceptance/injector-leader-elector.bats @@ -12,8 +12,7 @@ load _helpers helm install "$(name_prefix)" \ --wait \ --timeout=5m \ - --set="injector.replicas=3" \ - --set="injector.leaderElector.useContainer=true" . + --set="injector.replicas=3" . kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name')) @@ -23,21 +22,15 @@ load _helpers tries=0 until [ $tries -ge 60 ] do - ## The new internal leader mechanism uses a ConfigMap owner=$(kubectl get configmaps vault-k8s-leader -o json | jq -r .metadata.ownerReferences\[0\].name) leader=$(kubectl get pods $owner -o json | jq -r .metadata.name) [ -n "${leader}" ] && [ "${leader}" != "null" ] && break - - ## Also check the old leader-elector container - old_leader="$(echo "$(kubectl exec ${pods[0]} -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)" - [ -n "${old_leader}" ] && break - ((++tries)) sleep .5 done # Check the leader name is valid - i.e. one of the 3 pods - [[ " ${pods[@]} " =~ " ${leader} " || " ${pods[@]} " =~ " ${old_leader} " ]] + [[ " ${pods[@]} " =~ " ${leader} " ]] } diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index 75ab2982c..b6fa4ae62 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats @@ -166,108 +166,3 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } - -#-------------------------------------------------------------------- -# Old leader-elector container support -# Note: deprecated and will be removed soon - -@test "injector/deployment: leader elector - sidecar is created only when enabled" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "1" ] - - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.enabled=false" \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "1" ] - - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers | length' | tee /dev/stderr) - [ "${actual}" = "2" ] -} - -@test "injector/deployment: leader elector image name is configurable" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - --set "injector.leaderElector.image.repository=SomeOtherImage" \ - --set "injector.leaderElector.image.tag=SomeOtherTag" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].image' | tee /dev/stderr) - [ "${actual}" = "SomeOtherImage:SomeOtherTag" ] -} - -@test "injector/deployment: leader elector TTL is configurable" { - cd `chart_dir` - # Default value 60s - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) - [ "${actual}" = "--ttl=60s" ] - - # Configured to 30s - local actual=$(helm template \ - --show-only templates/injector-deployment.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - --set "injector.leaderElector.ttl=30s" \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[1].args[3]' | tee /dev/stderr) - [ "${actual}" = "--ttl=30s" ] -} - -@test "injector/leader-endpoint: created/skipped as appropriate" { - cd `chart_dir` - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "global.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.enabled=false" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$( (helm template \ - --show-only templates/injector-leader-endpoint.yaml \ - --set "injector.replicas=2" \ - --set "injector.leaderElector.useContainer=true" \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} diff --git a/values.schema.json b/values.schema.json index 162c773e7..26f136748 100644 --- a/values.schema.json +++ b/values.schema.json @@ -290,23 +290,6 @@ "properties": { "enabled": { "type": "boolean" - }, - "image": { - "type": "object", - "properties": { - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "ttl": { - "type": "string" - }, - "useContainer": { - "type": "boolean" } } }, diff --git a/values.yaml b/values.yaml index 425a082ce..60add2e35 100644 --- a/values.yaml +++ b/values.yaml @@ -37,16 +37,6 @@ injector: # so that only one injector attempts to create TLS certificates. leaderElector: enabled: true - # Note: The deployment of the leader-elector container will soon be removed - # from this chart since vault-k8s now uses an internal mechanism to - # determine leadership. - # To enable the deployment of the leader-elector container for use with - # vault-k8s 0.12.0 and earlier, set `useContainer=true` - useContainer: false - image: - repository: "gcr.io/google_containers/leader-elector" - tag: "0.4" - ttl: 60s # If true, will enable a node exporter metrics endpoint at /metrics. metrics: