Merge remote-tracking branch 'origin/main' into ingressClassName-continued

Author: tvoran

.circleci/config.yml

@@ -94,7 +94,7 @@ workflows:
             - bats-unit-test
           filters:
             branches:
-              only: master
+              only: main
   update-helm-charts-index:
     jobs:
       - update-helm-charts-index:

CHANGELOG.md

@@ -1,7 +1,28 @@
 ## Unreleased
 
+Improvements:
+* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590)
+
+## 0.16.1 (September 29th, 2021)
+
+CHANGES:
+* Vault image default 1.8.3
+* Vault K8s image default 0.13.1
+
+## 0.16.0 (September 16th, 2021)
+
+CHANGES:
+* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`.
+
+Improvements:
+ * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603)
+ * Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607)
+
+## 0.15.0 (August 23rd, 2021)
+
 Improvements:
 * Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572)
+* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584)
 
 ## 0.14.0 (July 28th, 2021)
 

CONTRIBUTING.md

@@ -26,7 +26,7 @@ quickly merge or address your contributions.
 
 * Make sure you test against the latest released version. It is possible
   we already fixed the bug you're experiencing. Even better is if you can test
-  against `master`, as bugs are fixed regularly but new versions are only
+  against `main`, as bugs are fixed regularly but new versions are only
   released every few months.
 
 * Provide steps to reproduce the issue, and if possible include the expected
@@ -121,7 +121,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
 start from a clean slate.
 
 **Note:** There is a Terraform configuration in the
-[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/master/test/terraform) directory
+[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory
 that can be used to quickly bring up a GKE cluster and configure
 `kubectl` and `helm` locally. This can be used to quickly spin up a test
 cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes

Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: vault
-version: 0.14.0
-appVersion: 1.8.0
+version: 0.16.1
+appVersion: 1.8.3
 kubeVersion: ">= 1.14.0-0"
 description: Official HashiCorp Vault Chart
 home: https://www.vaultproject.io

Makefile

@@ -40,6 +40,7 @@ else
 	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
 	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
 	-e KUBECONFIG=/helm-test/.kube/config \
+	-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
 	-w /helm-test \
 	$(TEST_IMAGE) \
 	make acceptance

templates/_helpers.tpl

@@ -353,6 +353,21 @@ Sets extra injector service annotations
   {{- end }}
 {{- end -}}
 
+{{/*
+Sets extra injector webhook annotations
+*/}}
+{{- define "injector.webhookAnnotations" -}}
+  {{- if .Values.injector.webhookAnnotations }}
+  annotations:
+    {{- $tp := typeOf .Values.injector.webhookAnnotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Sets extra ui service annotations
 */}}
@@ -640,3 +655,38 @@ imagePullSecrets:
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+externalTrafficPolicy sets a Service's externalTrafficPolicy if applicable.
+Supported inputs are Values.server.service and Values.ui
+*/}}
+{{- define "service.externalTrafficPolicy" -}}
+{{- $type := "" -}}
+{{- if .serviceType -}}
+{{- $type = .serviceType -}}
+{{- else if .type -}}
+{{- $type = .type -}}
+{{- end -}}
+{{- if and .externalTrafficPolicy (or (eq $type "LoadBalancer") (eq $type "NodePort")) }}
+  externalTrafficPolicy: {{ .externalTrafficPolicy }}
+{{- else }}
+{{- end }}
+{{- end -}}
+
+{{/*
+loadBalancer configuration for the the UI service.
+Supported inputs are Values.ui
+*/}}
+{{- define "service.loadBalancer" -}}
+{{- if  eq (.serviceType | toString) "LoadBalancer" }}
+{{- if .loadBalancerIP }}
+  loadBalancerIP: {{ .loadBalancerIP }}
+{{- end }}
+{{- with .loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{- range . }}
+  - {{ . }}
+{{- end }}
+{{- end -}}
+{{- end }}
+{{- end -}}

templates/csi-daemonset.yaml

@@ -44,7 +44,7 @@ spec:
             - name: providervol
               mountPath: "/provider"
             - name: mountpoint-dir
-              mountPath: /var/lib/kubelet/pods
+              mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
               mountPropagation: HostToContainer
             {{- if .Values.csi.volumeMounts }}
               {{- toYaml .Values.csi.volumeMounts | nindent 12}}
@@ -70,10 +70,10 @@ spec:
       volumes:
         - name: providervol
           hostPath:
-            path: "/etc/kubernetes/secrets-store-csi-providers"
+            path: {{ .Values.csi.daemonSet.providersDir }}
         - name: mountpoint-dir
           hostPath:
-            path: /var/lib/kubelet/pods
+            path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
        {{- if .Values.csi.volumes }}
          {{- toYaml .Values.csi.volumes | nindent 8}}
        {{- end }}

templates/injector-certs-secret.yaml

@@ -7,4 +7,4 @@ metadata:
     app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
+{{- end }}

templates/injector-deployment.yaml

@@ -110,6 +110,10 @@ spec:
             - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
               value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}"
             {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
           args:
             - agent-inject
             - 2>&1
@@ -133,13 +137,7 @@ spec:
             periodSeconds: 2
             successThreshold: 1
             timeoutSeconds: 5
-{{- if .Values.injector.certs.secretName }}
-          volumeMounts:
-            - name: webhook-certs
-              mountPath: /etc/webhook/certs
-              readOnly: true
-{{- end }}
-        {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+        {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true") }}
         - name: leader-elector
           image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
           args:
@@ -168,6 +166,12 @@ spec:
             successThreshold: 1
             timeoutSeconds: 5
         {{- end }}
+{{- if .Values.injector.certs.secretName }}
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+{{- end }}
 {{- if .Values.injector.certs.secretName }}
       volumes:
         - name: webhook-certs

templates/injector-leader-endpoint.yaml

@@ -1,12 +1,14 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) (eq (.Values.injector.leaderElector.useContainer | toString) "true")}}
 # This is created here so it can be cleaned up easily, since if
 # the endpoint is left around the leader won't expire for about a minute.
 apiVersion: v1
 kind: Endpoints
 metadata:
   name: {{ template "vault.fullname" . }}-agent-injector-leader
+  annotations:
+    deprecated: "true"
   labels:
     app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
+{{- end }}

templates/injector-mutating-webhook.yaml

@@ -11,6 +11,7 @@ metadata:
     app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{- template "injector.webhookAnnotations" . }}
 webhooks:
   - name: vault.hashicorp.com
     sideEffects: None

templates/injector-role.yaml

@@ -9,11 +9,17 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
   - apiGroups: [""]
-    resources: ["endpoints", "secrets"]
+    resources: ["secrets", "configmaps", "endpoints"]
     verbs:
       - "create"
       - "get"
       - "watch"
       - "list"
       - "update"
-{{- end }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs:
+      - "get"
+      - "patch"
+      - "delete"
+{{- end }}

templates/injector-rolebinding.yaml

@@ -15,4 +15,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "vault.fullname" . }}-agent-injector
     namespace: {{ .Release.Namespace }}
-{{- end }}
+{{- end }}

templates/server-ha-active-service.yaml

@@ -21,6 +21,7 @@ spec:
   {{- if .Values.server.service.clusterIP }}
   clusterIP: {{ .Values.server.service.clusterIP }}
   {{- end }}
+  {{- include "service.externalTrafficPolicy" .Values.server.service }}
   publishNotReadyAddresses: true
   ports:
     - name: {{ include "vault.scheme" . }}

templates/server-ha-standby-service.yaml

@@ -21,6 +21,7 @@ spec:
   {{- if .Values.server.service.clusterIP }}
   clusterIP: {{ .Values.server.service.clusterIP }}
   {{- end }}
+  {{- include "service.externalTrafficPolicy" .Values.server.service }}
   publishNotReadyAddresses: true
   ports:
     - name: {{ include "vault.scheme" . }}
@@ -38,4 +39,4 @@ spec:
     component: server
     vault-active: "false"
 {{- end }}
-{{- end }}
+{{- end }}

templates/server-ingress.yaml

@@ -8,7 +8,10 @@
 {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
 {{- end }}
 {{- $servicePort := .Values.server.service.port -}}
-{{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
+{{- $kubeVersion := .Capabilities.KubeVersion.Version }}
+{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
+apiVersion: networking.k8s.io/v1
+{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
 {{ else }}
 apiVersion: extensions/v1beta1
@@ -51,8 +54,15 @@ spec:
         {{- range (.paths | default (list "/")) }}
           - path: {{ . }}
             backend:
+              {{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
+              service:
+                name: {{ $serviceName }}
+                port:
+                  number: {{ $servicePort }}
+              {{ else }}
               serviceName: {{ $serviceName }}
               servicePort: {{ $servicePort }}
+              {{ end }}
         {{- end }}
   {{- end }}
 {{- end }}

templates/server-service.yaml

@@ -21,6 +21,7 @@ spec:
   {{- if .Values.server.service.clusterIP }}
   clusterIP: {{ .Values.server.service.clusterIP }}
   {{- end }}
+  {{- include "service.externalTrafficPolicy" .Values.server.service }}
   # We want the servers to become available even if they're not ready
   # since this DNS is also used for join operations.
   publishNotReadyAddresses: true

templates/ui-service.yaml

@@ -30,16 +30,8 @@ spec:
       nodePort: {{ .Values.ui.serviceNodePort }}
       {{- end }}
   type: {{ .Values.ui.serviceType }}
-  {{- if and (eq (.Values.ui.serviceType | toString) "LoadBalancer") (.Values.ui.loadBalancerSourceRanges) }}
-  loadBalancerSourceRanges:
-    {{- range $cidr := .Values.ui.loadBalancerSourceRanges }}
-      - {{ $cidr }}
-    {{- end }}
-  {{- end }}
-  {{- if and (eq (.Values.ui.serviceType | toString) "LoadBalancer") (.Values.ui.loadBalancerIP) }}
-  loadBalancerIP: {{ .Values.ui.loadBalancerIP }}
-  {{- end }}
+  {{- include "service.externalTrafficPolicy" .Values.ui }}
+  {{- include "service.loadBalancer" .Values.ui }}
 {{- end -}}
-
 {{- end }}
 {{- end }}

test/README.md

@@ -4,6 +4,8 @@
 
 The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster.
 
+Note that for the Vault Enterprise tests to pass, a `VAULT_LICENSE_CI` environment variable needs to be set to the contents of a valid Vault Enterprise license.
+
 ### Running in a GKE cluster
 
 * Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project.

test/acceptance/csi.bats

@@ -9,7 +9,8 @@ load _helpers
   kubectl create namespace acceptance
 
   # Install Secrets Store CSI driver
-  helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/charts/secrets-store-csi-driver-0.0.20.tgz?raw=true \
+  CSI_DRIVER_VERSION=0.2.0
+  helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/v${CSI_DRIVER_VERSION}/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
     --wait --timeout=5m \
     --namespace=acceptance \
     --set linux.image.pullPolicy="IfNotPresent"

test/acceptance/injector-leader-elector.bats

@@ -12,7 +12,8 @@ load _helpers
   helm install "$(name_prefix)" \
     --wait \
     --timeout=5m \
-    --set="injector.replicas=3" .
+    --set="injector.replicas=3" \
+    --set="injector.leaderElector.useContainer=true" .
   kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m
 
   pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name'))
@@ -22,21 +23,22 @@ load _helpers
   tries=0
   until [ $tries -ge 60 ]
   do
-    leader="$(echo "$(kubectl exec ${pods[0]} -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)"
-    [ -n "${leader}" ] && break
-    ((tries++))
+    ## The new internal leader mechanism uses a ConfigMap
+    owner=$(kubectl get configmaps vault-k8s-leader -o json | jq -r .metadata.ownerReferences\[0\].name)
+    leader=$(kubectl get pods $owner -o json | jq -r .metadata.name)
+    [ -n "${leader}" ] && [ "${leader}" != "null" ] && break
+
+    ## Also check the old leader-elector container
+    old_leader="$(echo "$(kubectl exec ${pods[0]} -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)"
+    [ -n "${old_leader}" ] && break
+
+    ((++tries))
     sleep .5
   done
 
   # Check the leader name is valid - i.e. one of the 3 pods
-  [[ " ${pods[@]} " =~ " ${leader} " ]]
+  [[ " ${pods[@]} " =~ " ${leader} " || " ${pods[@]} " =~ " ${old_leader} " ]]
 
-  # Check every pod agrees on who the leader is
-  for pod in "${pods[@]}"
-  do
-    pod_leader="$(echo "$(kubectl exec $pod -c sidecar-injector -- wget --quiet --output-document - localhost:4040)" | jq -r .name)"
-    [ "${pod_leader}" == "${leader}" ]
-  done
 }
 
 setup() {