From 5764a87d3fa1b85eb90fdbe644024bf60f9c9dd2 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Fri, 6 Mar 2020 11:22:18 -0500
Subject: [PATCH 1/5] Add new vault-k8s envs
---
 templates/injector-deployment.yaml | 4 +++
 test/unit/injector-deployment.bats | 51 ++++++++++++++++++++++++++++++
 values.yaml | 13 ++++++--
 3 files changed, 66 insertions(+), 2 deletions(-)
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 16f622375..fa3688eb4 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -60,6 +60,10 @@ spec:
 - name: AGENT_INJECT_TLS_AUTO_HOSTS
 value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
 {{- end }}
+ - name: AGENT_INJECT_LOG_FORMAT
+ value: {{ .Values.injector.logFormat | default "standard" }}
+ - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
+ value: {{ .Values.injector.revokeOnShutdown | default false }}
 args:
 - agent-inject
 - 2>&1
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index fb00ee398..dc962b862 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
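Review bot: The `AGENT_INJECT_REVOKE_ON_SHUTDOWN` value added in the `templates/injector-deployment.yaml` hunk is rendered unquoted, so the manifest carries a YAML boolean (`value: false`) where a container env `value` must be a string; `helm template` will succeed, but the API server is likely to reject the Deployment on install. Quote both new values, `value: "{{ .Values.injector.revokeOnShutdown | default false }}"` and `value: {{ .Values.injector.logFormat | default "standard" | quote }}`. The bats tests added in this patch read the value with `yq -r`, which prints `true` for a boolean and for the string alike, so they pass either way. The enclosing `env:` list starts outside the hunk.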
@@ -222,3 +222,54 @@ load _helpers
 yq -r '.[3].value' | tee /dev/stderr)
 [ "${actual}" = "auth/k8s" ]
 }
+
+@test "injector/deployment: custom logLevel" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set 'injector.logLevel=foo' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.[1].name' | tee /dev/stderr)
+ [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ]
+
+ local actual=$(echo $object |
+ yq -r '.[1].value' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+}
+
+@test "injector/deployment: custom logFormat" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set 'injector.logFormat=json' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.[7].name' | tee /dev/stderr)
+ [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ]
+
+ local actual=$(echo $object |
+ yq -r '.[7].value' | tee /dev/stderr)
+ [ "${actual}" = "json" ]
+}
+
+@test "injector/deployment: custom revoke on shutdown" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set 'injector.revokeOnShutdown=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.[8].name' | tee /dev/stderr)
+ [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ]
+
+ local actual=$(echo $object |
+ yq -r '.[8].value' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/values.yaml b/values.yaml
index 24cbfd6f0..45544e67c 100644
--- a/values.yaml
+++ b/values.yaml
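Review bot: The three new tests look the variables up by list position (`.[1]`, `.[7]`, `.[8]`), so they fail for unrelated reasons whenever an env entry is added, removed or conditionally omitted ahead of them; the `AGENT_INJECT_TLS_AUTO_HOSTS` entry in the template sits just before a `{{- end }}`, so it appears to be conditional. Selecting by name is sturdier, e.g. `yq -r '.[] | select(.name=="AGENT_INJECT_LOG_FORMAT") | .value'`. For the revoke-on-shutdown case I would also assert the rendered type, `yq -r '.[] | select(.name=="AGENT_INJECT_REVOKE_ON_SHUTDOWN") | .value | type'` equal to `string`, so an unquoted boolean in the manifest fails the test instead of passing as `true`. The default-value tests added in patch 3/5 use the same positional lookups.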
@@ -22,7 +22,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.2.0" + tag: "0.3.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -30,11 +30,20 @@ injector: # required. agentImage: repository: "vault" - tag: "1.3.2" + tag: "1.3.3" # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" + # Configures the log verbosity of the injector + logLevel: "info" + + # Configures the log format of the injector + logFormat: "standard" + + # Configures all Vault Agent sidecars to revoke their token when shutting down + revokeOnShutdown: false + # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. This should be set to a multiline string. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector From e19737310d05b7fef99d024df4d25377820a8c00 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 6 Mar 2020 11:23:25 -0500 Subject: [PATCH 2/5] update vault image --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index 45544e67c..5c95ad04f 100644 --- a/values.yaml +++ b/values.yaml @@ -88,7 +88,7 @@ server: image: repository: "vault" - tag: "1.3.2" + tag: "1.3.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From cb381d2ff87c26b32a55329f84b1f8099386dc6d Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 6 Mar 2020 13:20:59 -0500 Subject: [PATCH 3/5] Add default tests for envs --- test/unit/injector-deployment.bats | 48 ++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index dc962b862..c67c4feef 100755 
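Review bot: The comment on `revokeOnShutdown` in the second `values.yaml` hunk (`@@ -30,11 +30,20 @@`) does not say what the default of `false` leaves in place, which is what an operator needs to make the security decision. As far as the hunk shows, with `false` an injected agent's token is not revoked at shutdown and presumably stays usable until its TTL runs out or it is revoked some other way. I would extend the comment, for example `# When false (the default), agent tokens are not revoked on shutdown and stay valid until they expire.`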
--- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -223,6 +223,22 @@ load _helpers [ "${actual}" = "auth/k8s" ] } +@test "injector/deployment: defualt logLevel" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[1].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ] + + local actual=$(echo $object | + yq -r '.[1].value' | tee /dev/stderr) + [ "${actual}" = "info" ] +} + @test "injector/deployment: custom logLevel" { cd `chart_dir` local object=$(helm template \ @@ -240,6 +256,22 @@ load _helpers [ "${actual}" = "foo" ] } +@test "injector/deployment: default logFormat" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[7].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ] + + local actual=$(echo $object | + yq -r '.[7].value' | tee /dev/stderr) + [ "${actual}" = "standard" ] +} + @test "injector/deployment: custom logFormat" { cd `chart_dir` local object=$(helm template \ @@ -257,6 +289,22 @@ load _helpers [ "${actual}" = "json" ] } +@test "injector/deployment: default revoke on shutdown" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.[8].name' | tee /dev/stderr) + [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ] + + local actual=$(echo $object | + yq -r '.[8].value' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + @test "injector/deployment: custom revoke on shutdown" { cd `chart_dir` local object=$(helm template \ 
From 3bec79346d58bdb82195916309ac9d71d07977b6 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 6 Mar 2020 13:23:47 -0500 Subject: [PATCH 4/5] Add note about supported log parameters --- values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/values.yaml b/values.yaml index 5c95ad04f..e31e40f84 100644 --- a/values.yaml +++ b/values.yaml @@ -35,10 +35,10 @@ injector: # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" - # Configures the log verbosity of the injector + # Configures the log verbosity of the injector. Supported log levels: Trace, Debug, Error, Warn, Info logLevel: "info" - # Configures the log format of the injector + # Configures the log format of the injector. Supported log formats: "standard", "json". logFormat: "standard" # Configures all Vault Agent sidecars to revoke their token when shutting down From 9867854bf514d53b9cc84f2644ae4db592b099ac Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 6 Mar 2020 13:25:01 -0500 Subject: [PATCH 5/5] Fix typo in test name --- test/unit/injector-deployment.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index c67c4feef..54b5c1ceb 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -223,7 +223,7 @@ load _helpers [ "${actual}" = "auth/k8s" ] } -@test "injector/deployment: defualt logLevel" { +@test "injector/deployment: default logLevel" { cd `chart_dir` local object=$(helm template \ --show-only templates/injector-deployment.yaml \