Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add configuration options for Vault UI service #285

Merged
merged 3 commits into from
Aug 20, 2020
Merged

Add configuration options for Vault UI service #285

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cee70b1
Add configuration options for Vault UI service
lawliet89 May 4, 2020
c157dc8
Merge branch 'master' into ui-service-tweak
lawliet89 Jul 16, 2020
956b101
Create active label only on HA
lawliet89 Jul 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 6 additions & 8 deletions templates/ui-service.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,6 @@
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if eq (.Values.ui.enabled | toString) "true" }}
# Headless service for Vault server DNS entries. This service should only
# point to Vault servers. For access to an agent, one should assume that
# the agent is installed locally on the node and the NODE_IP should be used.
# If the node can't run a Vault agent, then this service can be used to
# communicate directly to a server agent.
apiVersion: v1
kind: Service
metadata:
Expand All @@ -23,7 +18,10 @@ spec:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
publishNotReadyAddresses: true
{{- if .Values.ui.activeVaultPodOnly }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only true if in HA mode. I think we don't even need a configurable here. If it's HA mode, just set the selector criteria, else point to the single deployed pod.

Thoughts?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can add an additional condition to check that HA mode is on.

I think this should be configurable to handle other possible use cases like #326. What do you think? I could remove this option if you think otherwise.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think configurable is fine.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added the check for HA in 956b101

vault-active: "true"
{{- end }}
publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.ui.externalPort }}
Expand All @@ -43,5 +41,5 @@ spec:
{{- end }}
{{- end -}}

{{ end }}
{{ end }}
{{- end }}
{{- end }}
42 changes: 42 additions & 0 deletions test/unit/ui-service.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -248,3 +248,45 @@ load _helpers
yq -r '.spec.ports[0].name' | tee /dev/stderr)
[ "${actual}" = "https" ]
}

@test "ui/Service: publishNotReadyAddresses set true by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/ui-service.yaml \
--set 'ui.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

@test "ui/Service: publishNotReadyAddresses can be set to false" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/ui-service.yaml \
--set 'ui.enabled=true' \
--set 'ui.publishNotReadyAddresses=false' \
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = 'false' ]
}

@test "ui/Service: active pod only selector not set by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/ui-service.yaml \
--set 'ui.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.selector["vault-active"]' | tee /dev/stderr)
[ "${actual}" = "null" ]
}

@test "ui/Service: active pod only selector can be set" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/ui-service.yaml \
--set 'ui.enabled=true' \
--set 'ui.activeVaultPodOnly=true' \
. | tee /dev/stderr |
yq -r '.spec.selector["vault-active"]' | tee /dev/stderr)
[ "${actual}" = 'true' ]
}
3 changes: 3 additions & 0 deletions values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -425,6 +425,9 @@ ui:
# example, setting this to "LoadBalancer" will create an external load
# balancer (for supported K8S installations) to access the UI.
enabled: false
publishNotReadyAddresses: true
# The service should only contain selectors for active Vault pod
activeVaultPodOnly: false
serviceType: "ClusterIP"
serviceNodePort: null
externalPort: 8200
Expand Down