Merge upstream 0.5.0 into fork

.gitignore

@@ -6,5 +6,7 @@ terraform.tfvars
 values.dev.yaml
 vaul-helm-dev-creds.json
 ./test/acceptance/vaul-helm-dev-creds.json
+./test/terraform/vaul-helm-dev-creds.json
+./test/unit/vaul-helm-dev-creds.json
 ./test/acceptance/values.yaml
 ./test/acceptance/values.yml

CHANGELOG.md

@@ -1,3 +1,118 @@
+## Unreleased
+
+Features:
+
+Improvements:
+* Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)]
+* Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)]
+
+Bugs:
+* Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
+
+## 0.5.0 (April 9th, 2020)
+
+Features:
+
+* Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)]
+* Now supports Vault Enterprise [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
+* Added K8s Service Registration for HA modes [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
+
+* Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
+* Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)]
+* Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)]
+* Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)]
+* Made all annotations multi-line strings [[GH-227](https://github.com/hashicorp/vault-helm/pull/227)]
+
+## 0.4.0 (February 21st, 2020)
+
+Improvements:
+
+* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)]
+* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)]
+* Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)]
+* Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)]
+* Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)]
+
+Bugs:
+
+* Fix bug where Vault lifecycle was appended after extra containers. [[GH-179](https://github.com/hashicorp/vault-helm/pull/179)]
+
+## 0.3.3 (January 14th, 2020)
+
+Security:
+
+* Added `server.extraArgs` to allow loading of additional Vault configurations containing sensitive settings [GH-175](https://github.com/hashicorp/vault-helm/issues/175)
+
+Bugs:
+
+* Fixed injection bug where wrong environment variables were being used for manually mounted TLS files
+
+## 0.3.2 (January 8th, 2020)
+
+Bugs:
+
+* Fixed injection bug where TLS Skip Verify was true by default [VK8S-35]
+
+## 0.3.1 (January 2nd, 2020)
+
+Bugs:
+
+* Fixed injection bug causing kube-system pods to be rejected [VK8S-14]
+
+## 0.3.0 (December 19th, 2019)
+
+Features:
+
+* Extra containers can now be added to the Vault pods
+* Added configurability of pod probes
+* Added Vault Agent Injector 
+
+Improvements:
+
+* Moved `global.image` to `server.image`
+* Changed UI service template to route pods that aren't ready via `publishNotReadyAddresses: true`
+* Added better HTTP/HTTPS scheme support to http probes
+* Added configurable node port for Vault service
+* `server.authDelegator` is now enabled by default
+
+Bugs:
+
+* Fixed upgrade bug by removing chart label which contained the version
+* Fixed typo on `serviceAccount` (was `serviceaccount`)
+* Fixed readiness/liveliness HTTP probe default to accept standbys
+
+## 0.2.1 (November 12th, 2019)
+
+Bugs:
+
+* Removed `readOnlyRootFilesystem` causing issues when validating deployments
+
+## 0.2.0 (October 29th, 2019)
+
+Features:
+
+* Added load balancer support
+* Added ingress support
+* Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc)
+* Removed root requirements, now runs as Vault user
+
+Improvements:
+
+* Added namespace value to all rendered objects
+* Made ports configurable in services
+* Added the ability to add custom annotations to services
+* Added docker image for running bats test in CircleCI
+* Removed restrictions around `dev` mode such as annotations
+* `readOnlyRootFilesystem` is now configurable
+* Image Pull Policy is now configurable
+
+Bugs:
+
+* Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption)
+* Fixed bug where audit storage was not being mounted in HA mode
+* Fixed bug where Vault pod wasn't receiving SIGTERM signals
+
+
 ## 0.1.2 (August 22nd, 2019)
 
 Features:

CONTRIBUTING.md

@@ -53,3 +53,157 @@ quickly merge or address your contributions.
 5. The issue is closed. Sometimes, valid issues will be closed to keep
    the issue tracker clean. The issue is still indexed and available for
    future viewers, or can be re-opened if necessary.
+
+## Testing
+
+The Helm chart ships with both unit and acceptance tests.
+
+The unit tests don't require any active Kubernetes cluster and complete
+very quickly. These should be used for fast feedback during development.
+The acceptance tests require a Kubernetes cluster with a configured `kubectl`.
+
+### Prequisites
+* [Bats](https://github.com/bats-core/bats-core)
+  ```bash
+  brew install bats-core
+  ```
+* [yq](https://pypi.org/project/yq/)
+  ```bash
+  brew install python-yq
+  ```
+* [helm](https://helm.sh)
+  ```bash
+  brew install kubernetes-helm
+  ```
+
+### Running The Tests
+
+To run the unit tests:
+
+    bats ./test/unit
+
+To run the acceptance tests:
+
+    bats ./test/acceptance
+
+If the acceptance tests fail, deployed resources in the Kubernetes cluster
+may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
+start from a clean slate.
+
+**Note:** There is a Terraform configuration in the
+[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/master/test/terraform) directory
+that can be used to quickly bring up a GKE cluster and configure
+`kubectl` and `helm` locally. This can be used to quickly spin up a test
+cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes
+cluster.
+
+### Writing Unit Tests
+
+Changes to the Helm chart should be accompanied by appropriate unit tests.
+
+#### Formatting
+
+- Put tests in the test file in the same order as the variables appear in the `values.yaml`.
+- Start tests for a chart value with a header that says what is being tested, like this:
+    ```
+    #--------------------------------------------------------------------
+    # annotations
+    ```
+
+- Name the test based on what it's testing in the following format (this will be its first line):
+    ```
+    @test "<section being tested>: <short description of the test case>" {
+    ```
+
+    When adding tests to an existing file, the first section will be the same as the other tests in the file.
+
+#### Test Details
+
+[Bats](https://github.com/bats-core/bats-core) provides a way to run commands in a shell and inspect the output in an automated way.
+In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output.
+In this way, we're able to test that the various conditionals in the templates render as we would expect.
+
+Each test defines the files that should be rendered using the `--show-only` flag, then it might adjust chart values by adding `--set` flags as well.
+The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/).
+`yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length).
+The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match.
+
+The test passes or fails based on the conditional at the end that is in square brackets, which is a comparison of our expected value and the output of  `helm template` piped to `yq`.
+
+The `| tee /dev/stderr ` pieces direct any terminal output of the `helm template` and `yq` commands to stderr so that it doesn't interfere with `bats`.
+
+#### Test Examples
+
+Here are some examples of common test patterns:
+
+- Check that a value is disabled by default
+
+    ```
+    @test "ui/Service: no type by default" {
+      cd `chart_dir`
+      local actual=$(helm template \
+          --show-only templates/ui-service.yaml  \
+          . | tee /dev/stderr |
+          yq -r '.spec.type' | tee /dev/stderr)
+      [ "${actual}" = "null" ]
+    }
+    ```
+
+    In this example, nothing is changed from the default templates (no `--set` flags), then we use `yq` to retrieve the value we're checking, `.spec.type`.
+    This output is then compared against our expected value (`null` in this case) in the assertion `[ "${actual}" = "null" ]`.
+
+
+- Check that a template value is rendered to a specific value
+    ```
+    @test "ui/Service: specified type" {
+      cd `chart_dir`
+      local actual=$(helm template \
+          --show-only templates/ui-service.yaml  \
+          --set 'ui.serviceType=LoadBalancer' \
+          . | tee /dev/stderr |
+          yq -r '.spec.type' | tee /dev/stderr)
+      [ "${actual}" = "LoadBalancer" ]
+    }
+    ```
+
+    This is very similar to the last example, except we've changed a default value with the `--set` flag and correspondingly changed the expected value.
+
+- Check that a template value contains several values
+    ```
+	@test "server/standalone-StatefulSet: custom resources" {
+	  cd `chart_dir`
+	  local actual=$(helm template \
+		  --show-only templates/server-statefulset.yaml  \
+		  --set 'server.standalone.enabled=true' \
+		  --set 'server.resources.requests.memory=256Mi' \
+		  --set 'server.resources.requests.cpu=250m' \
+		  . | tee /dev/stderr |
+		  yq -r '.spec.template.spec.containers[0].resources.requests.memory' | tee /dev/stderr)
+	  [ "${actual}" = "256Mi" ]
+
+	  local actual=$(helm template \
+		  --show-only templates/server-statefulset.yaml  \
+		  --set 'server.standalone.enabled=true' \
+		  --set 'server.resources.limits.memory=256Mi' \
+		  --set 'server.resources.limits.cpu=250m' \
+		  . | tee /dev/stderr |
+		  yq -r '.spec.template.spec.containers[0].resources.limits.memory' | tee /dev/stderr)
+	  [ "${actual}" = "256Mi" ]
+    ```
+
+    *Note:* If testing more than two conditions, it would be good to separate the `helm template` part of the command from the `yq` sections to reduce redundant work.
+
+- Check that an entire template file is not rendered
+    ```
+    @test "syncCatalog/Deployment: disabled by default" {
+      cd `chart_dir`
+      local actual=$( (helm template \
+          --show-only templates/server-statefulset.yaml  \
+          --set 'global.enabled=false' \
+          . || echo "---") | tee /dev/stderr |
+          yq 'length > 0' | tee /dev/stderr)
+      [ "${actual}" = "false" ]
+    }
+    ```
+    Here we are check the length of the command output to see if the anything is rendered.
+    This style can easily be switched to check that a file is rendered instead.

Chart.yaml

@@ -1,6 +1,6 @@
-apiVersion: v1
+apiVersion: v2
 name: vault
-version: 0.1.7
+version: 0.5.0
 description: Install and configure Vault on Kubernetes.
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png