diff --git a/.circleci/config.yml b/.circleci/config.yml index f4344171d..f9fec4e95 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -6,6 +6,58 @@ orbs: slack: circleci/slack@3.4.2 jobs: + bats-unit-test: + docker: + # This image is built from test/docker/Test.dockerfile + - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 + steps: + - checkout + - run: bats ./test/unit -t + + chart-verifier: + docker: + - image: docker.mirror.hashicorp.services/cimg/go:1.16 + environment: + BATS_VERSION: "1.3.0" + CHART_VERIFIER_VERSION: "1.0.0" + steps: + - checkout + - run: + name: install chart-verifier + command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} + - run: + name: install bats + command: | + curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz + tar -zxf /tmp/bats.tgz -C /tmp + sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local + - run: + name: run chart-verifier tests + command: bats ./test/chart -t + + acceptance: + docker: + # This image is build from test/docker/Test.dockerfile + - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0 + + steps: + - checkout + - run: + name: terraform init & apply + command: | + echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json + export GOOGLE_CREDENTIALS=vault-helm-test.json + make provision-cluster + - run: + name: Run acceptance tests + command: bats ./test/acceptance -t + + - run: + name: terraform destroy + command: | + export GOOGLE_CREDENTIALS=vault-helm-test.json + make destroy-cluster + when: always update-helm-charts-index: docker: - image: docker.mirror.hashicorp.services/cimg/go:1.19.2 
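Review bot: The `install bats` step of the new `chart-verifier` job downloads a tarball with curl and runs its `install.sh` under `sudo` with no integrity check, so the job trusts whatever the download returns. The version is already fixed by `BATS_VERSION`, so a checksum pin costs two lines: add `BATS_SHA256: "<sha256 of the v1.3.0 tarball — placeholder>"` to `environment` and `echo "${BATS_SHA256}  /tmp/bats.tgz" | sha256sum -c -` between the `curl` and `tar` lines. The same job installs chart-verifier with `go get …@${CHART_VERIFIER_VERSION}` (version `1.0.0`, Go 1.16) while tests.yaml in this commit uses `go install "…@${CHART_VERIFIER_VERSION}"` with `1.10.1` on Go 1.19.2, so the two CI definitions pin different versions of the same tools; `go install pkg@version` is supported from Go 1.16, so the CircleCI job can use the same form and version. The `acceptance` job's image comment says `This image is build from` where the `bats-unit-test` comment says `built`.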
@@ -54,7 +106,16 @@ parameters: workflows: version: 2 - # Note: unit and acceptance tests are now being run in GitHub Actions + build_and_test: + jobs: + - bats-unit-test + - chart-verifier + - acceptance: + requires: + - bats-unit-test + filters: + branches: + only: master update-helm-charts-index: jobs: - update-helm-charts-index: diff --git a/.github/actions/setup-test-tools/action.yaml b/.github/actions/setup-test-tools/action.yaml new file mode 100644 index 000000000..6da07b5b7 --- /dev/null +++ b/.github/actions/setup-test-tools/action.yaml @@ -0,0 +1,24 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +name: Setup common testing tools +description: Install bats and python-yq +runs: + using: "composite" + steps: + - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + with: + node-version: '16' + - run: npm install -g bats@${BATS_VERSION} + shell: bash + env: + BATS_VERSION: '1.8.2' + - run: bats -v + shell: bash + - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0 + with: + python-version: '3.10' + - run: pip install yq + shell: bash +permissions: + contents: read diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..8a90ccaa9 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,7 @@ +version: 2 + +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" \ No newline at end of file diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index e3c28e3f7..4c8720d90 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml 
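Review bot: In the new `build_and_test` workflow `acceptance` lists only `bats-unit-test` under `requires`, so a chart that fails `chart-verifier` still provisions a cloud cluster on master with `GOOGLE_APP_CREDS`. Adding `- chart-verifier` to `requires` keeps the cluster spend and credential use behind both of the cheap checks. The hunk ends inside the `update-helm-charts-index` workflow definition, so its trigger filters are not visible here.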
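Review bot: `pip install yq` is the one tool install in the composite action that is not pinned — `bats` is held at `1.8.2` and both `uses:` lines are SHA-pinned — so the jq-wrapper `yq` that every unit test pipes through can change underneath the suite on any run; pin it, e.g. `- run: pip install 'yq==<pinned version — placeholder>'`. The trailing `permissions:` block is, as far as I know, not part of the action metadata schema (`name`, `description`, `inputs`, `outputs`, `runs`, `branding`) and so has no effect in an action.yaml; the token scope comes from the calling workflows, which this commit does set in acceptance.yaml and tests.yaml. Worth checking against the current metadata docs rather than relying on the key.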
@@ -1,26 +1,24 @@ name: Acceptance Tests - on: [push, workflow_dispatch] - jobs: kind: strategy: fail-fast: false matrix: - kind-k8s-version: [1.22.17, 1.23.17, 1.24.12, 1.25.8, 1.26.3] + kind-k8s-version: [1.22.17, 1.23.17, 1.24.13, 1.25.9, 1.26.4, 1.27.2] runs-on: ubuntu-latest steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup test tools - uses: ./.github/workflows/setup-test-tools - + uses: ./.github/actions/setup-test-tools - name: Create K8s Kind Cluster - uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0 + uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.17.0 - + version: v0.19.0 - run: bats --tap --timing ./test/acceptance env: VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} +permissions: + contents: read diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml new file mode 100644 index 000000000..ec209f5dd --- /dev/null +++ b/.github/workflows/actionlint.yml @@ -0,0 +1,14 @@ +# If the repository is public, be sure to change to GitHub hosted runners +name: Lint GitHub Actions Workflows +on: + push: + paths: + - .github/workflows/**.yml + pull_request: + paths: + - .github/workflows/**.yml +permissions: + contents: read +jobs: + actionlint: + uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 5bfd153ae..ea3e7b562 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
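Review bot: The new workflow-level `permissions: contents: read` is appended after `jobs:` at the very end of the file, whereas update-helm-charts-index.yml in this same commit places it directly under `on:`; tests.yaml has the same end-of-file layout. Readers look for the token scope next to the trigger, so I would move `permissions:` up under `on: [push, workflow_dispatch]` in both acceptance.yaml and tests.yaml. This is a layout point only; the scope itself is correct for a test workflow.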
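Review bot: The `paths:` filters match only `.github/workflows/**.yml`, but the two workflows this commit edits are `acceptance.yaml` and `tests.yaml`, so changes to either never trigger the lint; add `- .github/workflows/**.yaml` under both `push.paths` and `pull_request.paths`. The reusable workflow is referenced at `@main`, a moving ref, while every action in this commit is pinned to a commit SHA with a version comment — whatever lands on that branch runs here with this repository's token (read-only per `permissions`, which bounds the damage but not the surprise), so the same pinning applies to a cross-repo `uses:`. The first-line comment about switching to GitHub-hosted runners when the repository is public should say what to change, since no `runs-on` appears in this file and the runner is presumably chosen inside the reusable workflow.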
@@ -1,25 +1,24 @@ name: Tests - on: [push, workflow_dispatch] - jobs: bats-unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - uses: ./.github/workflows/setup-test-tools + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: ./.github/actions/setup-test-tools - run: bats --tap --timing ./test/unit - chart-verifier: runs-on: ubuntu-latest env: CHART_VERIFIER_VERSION: '1.10.1' steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup test tools - uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: ./.github/actions/setup-test-tools + - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: '1.19.2' - - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} + - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}" - run: bats --tap --timing ./test/chart +permissions: + contents: read diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml new file mode 100644 index 000000000..55cebb53d --- /dev/null +++ b/.github/workflows/update-helm-charts-index.yml 
@@ -0,0 +1,40 @@
+name: update-helm-charts-index
+on:
+ push:
+ tags:
+ - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+ contents: read
+
+jobs:
+ update-helm-charts-index:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - name: verify Chart version matches tag version
+ run: |-
+ export TAG=${{ github.ref_name }}
+ git_tag="${TAG#v}"
+ chart_tag=$(yq -r '.version' Chart.yaml)
+ if [ "${git_tag}" != "${chart_tag}" ]; then
+ echo "chart version (${chart_tag}) did not match git version (${git_tag})"
+ exit 1
+ fi
+ - name: update helm-charts index
+ id: update
+ env:
+ GH_TOKEN: ${{ secrets.HELM_CHARTS_GITHUB_TOKEN }}
+ run: |-
+ gh workflow run publish-charts.yml \
+ --repo hashicorp/helm-charts \
+ --ref main \
+ -f SOURCE_TAG="${{ github.ref_name }}" \
+ -f SOURCE_REPO="${{ github.repository }}"
+ - uses: hashicorp/actions-slack-status@v1
+ if: ${{always()}}
+ with:
+ success-message: "vault-helm charts index update triggered successfully. View the run ."
+ failure-message: "vault-helm charts index update trigger failed."
+ status: ${{job.status}}
+ slack-webhook-url: ${{secrets.SLACK_WEBHOOK_URL}}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 788803eb7..73bf4ec1b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
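Review bot: Both `run:` blocks interpolate `${{ github.ref_name }}` and `${{ github.repository }}` straight into the shell script (`export TAG=${{ github.ref_name }}`, `-f SOURCE_TAG="${{ github.ref_name }}"`); the `tags:` filter keeps `ref_name` to a `v<semver>` shape here, so the script is safe only because of the trigger, not on its own. Passing the values through `env:` and reading them as shell variables removes that dependence. `hashicorp/actions-slack-status@v1` is the one action in this commit pinned to a moving tag rather than a SHA, and it receives `secrets.SLACK_WEBHOOK_URL`; pin it like the others (`@<commit sha — placeholder> # v1`). The `success-message` ends with `View the run .`, which reads like a dropped link — if a `<url|text>` fragment was stripped in this view, ignore this, otherwise confirm the rendered message.
```yaml
 - name: verify Chart version matches tag version
 env:
 TAG: ${{ github.ref_name }}
 run: |-
 git_tag="${TAG#v}"
 # … unchanged: chart_tag lookup and comparison …
 - name: update helm-charts index
 id: update
 env:
 GH_TOKEN: ${{ secrets.HELM_CHARTS_GITHUB_TOKEN }}
 SOURCE_TAG: ${{ github.ref_name }}
 SOURCE_REPO: ${{ github.repository }}
 run: |-
 gh workflow run publish-charts.yml \
 --repo hashicorp/helm-charts \
 --ref main \
 -f SOURCE_TAG="${SOURCE_TAG}" \
 -f SOURCE_REPO="${SOURCE_REPO}"
```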
@@ -1,10 +1,33 @@ ## Unreleased +## 0.25.0 (June 26, 2023) + +Changes: +* Latest Kubernetes version tested is now 1.27 +* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902) +* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) +* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Improvements: +* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862) +* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) +* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Bugs: +* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) + +## 0.24.1 (April 17, 2023) + +Bugs: +* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872) + ## 0.24.0 (April 6, 2023) Changes: * Earliest Kubernetes version tested is now 1.22 -* `vault` updated to 1.13.1 +* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863) +* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868) +* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749) Features: * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 000000000..af6a3500f --- /dev/null 
+++ b/CODEOWNERS @@ -0,0 +1 @@ +* @hashicorp/vault-ecosystem-foundations diff --git a/Chart.yaml b/Chart.yaml index a4f7485d5..104b05f3f 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,9 +3,9 @@ apiVersion: v2 name: vault -version: 0.24.0 -appVersion: 1.13.1 -kubeVersion: ">= 1.22.0-0" +version: 0.25.0 +appVersion: 1.14.0 +kubeVersion: ">= 1.20.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index aca803d6d..5639d83f9 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -859,6 +859,34 @@ Sets the injector toleration for pod placement {{- end }} {{- end -}} +{{/* +Sets the CSI provider nodeSelector for pod placement +*/}} +{{- define "csi.pod.nodeselector" -}} + {{- if .Values.csi.pod.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.csi.pod.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets the CSI provider affinity for pod placement. +*/}} +{{- define "csi.pod.affinity" -}} + {{- if .Values.csi.pod.affinity }} + affinity: + {{ $tp := typeOf .Values.csi.pod.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} {{/* Sets extra CSI provider pod annotations */}} diff --git a/templates/csi-agent-configmap.yaml b/templates/csi-agent-configmap.yaml index cb373f833..7af08e8f9 100644 --- a/templates/csi-agent-configmap.yaml +++ b/templates/csi-agent-configmap.yaml 
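Review bot: The two new helpers trim whitespace differently: `csi.pod.nodeselector` uses `{{- $tp := … }}` and `{{- end }}` throughout, while `csi.pod.affinity` opens with `{{ $tp := typeOf .Values.csi.pod.affinity }}` and closes its outer `if` with `{{ end }}`, both without the left-trim dash, so a rendered affinity block is likely to carry whitespace-only lines per action; the string branches are mirrored the other way (`{{ tpl … }}` in nodeselector, `{{- tpl … }}` in affinity). The csi-daemonset unit tests added in this commit compare parsed YAML, so they will not catch the stray whitespace. I would make `csi.pod.affinity` match `csi.pod.nodeselector` line for line: `{{- $tp := typeOf .Values.csi.pod.affinity }}` and `{{- end }}`.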
@@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- template "vault.csiEnabled" . -}} {{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} apiVersion: v1 diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 4a53599fd..e4fdb2de7 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -45,6 +45,8 @@ spec: {{- end }} serviceAccountName: {{ template "vault.fullname" . }}-csi-provider {{- template "csi.pod.tolerations" . }} + {{- template "csi.pod.nodeselector" . }} + {{- template "csi.pod.affinity" . }} containers: - name: {{ include "vault.name" . }}-csi-provider {{ template "csi.resources" . }} @@ -54,6 +56,11 @@ spec: args: - --endpoint=/provider/vault.sock - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.hmacSecretName }} + - --hmac-secret-name={{ .Values.csi.hmacSecretName }} + {{- else }} + - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key + {{- end }} {{- if .Values.csi.extraArgs }} {{- toYaml .Values.csi.extraArgs | nindent 12 }} {{- end }} @@ -73,13 +80,6 @@ spec: {{- else }} value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} {{- end }} - env: - - name: VAULT_ADDR - {{- if .Values.global.externalVaultAddr }} - value: "{{ .Values.global.externalVaultAddr }}" - {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} - {{- end }} volumeMounts: - name: providervol mountPath: "/provider" diff --git a/templates/csi-role.yaml b/templates/csi-role.yaml new file mode 100644 index 000000000..dd23af655 --- /dev/null +++ b/templates/csi-role.yaml 
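Review bot: The default `--hmac-secret-name` is built from `include "vault.name"` rather than `template "vault.fullname"`, which the `serviceAccountName` line above and the Role/RoleBinding names in csi-role.yaml use, so the default Secret `vault-csi-provider-hmac-key` is not release-scoped and two releases of the chart in one namespace would share, and race to `create`, the same Secret. That may be deliberate to match the provider's own default, which I cannot confirm from this diff, and csi-daemonset.bats pins the unscoped name; if intended, a comment on the `{{- else }}` branch saying so would stop the next reader from "fixing" it, and values.yaml should point users who run several releases per namespace at `csi.hmacSecretName`. The `{{- include` left-trim in that branch is inert (only `=` precedes it) and differs from the plain `{{ .Values.csi.hmacSecretName }}` in the `if` branch.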
@@ -0,0 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider-role
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
+ resourceNames:
+ {{- if .Values.csi.hmacSecretName }}
+ - {{ .Values.csi.hmacSecretName }}
+ {{- else }}
+ - {{ include "vault.name" . }}-csi-provider-hmac-key
+ {{- end }}
+# 'create' permissions cannot be restricted by resource name:
+# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+{{- end }}
diff --git a/templates/csi-rolebinding.yaml b/templates/csi-rolebinding.yaml
new file mode 100644
index 000000000..e61f2dc2d
--- /dev/null
+++ b/templates/csi-rolebinding.yaml
@@ -0,0 +1,24 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "vault.fullname" . }}-csi-provider-role
+subjects:
+- kind: ServiceAccount
+ name: {{ template "vault.fullname" . }}-csi-provider
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index e51c11c22..cb2d0fb5f 100644
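Review bot: The second rule grants `create` on every Secret in the release namespace to the CSI provider's ServiceAccount; the inline comment rightly notes that `create` cannot be narrowed by `resourceNames`, but nothing lets an operator opt out when they pre-create the HMAC Secret themselves through `csi.hmacSecretName`, in which case only the `get` rule is needed. Consider gating the `create` rule on `.Values.csi.hmacSecretName` being empty (valid only if the provider creates the key solely when it is absent, which I cannot confirm from this diff) and documenting in values.yaml that supplying an existing Secret removes the namespace-wide `create` grant. The RoleBinding that follows is fine as written.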
--- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -109,6 +109,14 @@ spec: value: "{{ .Values.injector.agentDefaults.memRequest }}" - name: AGENT_INJECT_MEM_LIMIT value: "{{ .Values.injector.agentDefaults.memLimit }}" + {{- if .Values.injector.agentDefaults.ephemeralRequest }} + - name: AGENT_INJECT_EPHEMERAL_REQUEST + value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}" + {{- end }} + {{- if .Values.injector.agentDefaults.ephemeralLimit }} + - name: AGENT_INJECT_EPHEMERAL_LIMIT + value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}" + {{- end }} - name: AGENT_INJECT_DEFAULT_TEMPLATE value: "{{ .Values.injector.agentDefaults.template }}" - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE @@ -155,12 +163,6 @@ spec: periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }} successThreshold: {{ .Values.injector.startupProbe.successThreshold }} timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} -{{- if .Values.injector.certs.secretName }} - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true -{{- end }} {{- if .Values.injector.certs.secretName }} volumes: - name: webhook-certs diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index c617b8068..4661fb4f6 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats 
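Review bot: The second hunk drops the container-level `volumeMounts` for `webhook-certs` while keeping the pod-level `volumes` entry below it; that is correct only if the injector container still mounts `/etc/webhook/certs` somewhere above this hunk, which the diff does not show. If this was a duplicated block — as the duplicate `env:` removal in csi-daemonset.yaml in the same commit suggests — the removal is right, but please confirm with `helm template --set injector.certs.secretName=x` that exactly one `volumeMounts` block remains. In the first hunk the two new `AGENT_INJECT_EPHEMERAL_*` variables are wrapped in `{{- if }}` while the neighbouring CPU/memory ones are unconditional; a one-line comment explaining why these two are optional would help the next reader, since the reason is not visible here.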
@@ -62,16 +62,16 @@ check_skip_csi() { for i in $(seq 10); do sleep 2 - if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "returning cached response: path=/v1/auth/kubernetes/login")" ]; then + if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then echo "Agent returned a cached login response" return fi - echo "Waiting for a cached response from Agent..." + echo "Waiting to confirm the Agent is renewing CSI's auth token..." done # Print the logs and fail the test - echo "Failed to find a log for a cached Agent response" + echo "Failed to find a log for the Agent renewing CSI's auth token" kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider exit 1 diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 911cf8dfe..264be67f6 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ 
@@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index c63f76368..15025c94e 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index b6752619d..9cc56e80d 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats 
@@ -191,6 +191,25 @@ load _helpers [ "${actual}" = "--debug=true" ] } +# HMAC secret arg +@test "csi/daemonset: HMAC secret arg is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr) + [ "${actual}" = "--hmac-secret-name=vault-csi-provider-hmac-key" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.hmacSecretName=foo" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr) + [ "${actual}" = "--hmac-secret-name=foo" ] +} + # Extra args @test "csi/daemonset: extra args can be passed" { cd `chart_dir` @@ -199,7 +218,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].args | length' | tee /dev/stderr) - [ "${actual}" = "2" ] + [ "${actual}" = "3" ] local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ @@ -209,15 +228,15 @@ load _helpers yq -r '.spec.template.spec.containers[0]') local actual=$(echo $object | yq -r '.args | length' | tee /dev/stderr) - [ "${actual}" = "5" ] + [ "${actual}" = "6" ] local actual=$(echo $object | - yq -r '.args[2]' | tee /dev/stderr) + yq -r '.args[3]' | tee /dev/stderr) [ "${actual}" = "--foo=bar" ] local actual=$(echo $object | - yq -r '.args[3]' | tee /dev/stderr) + yq -r '.args[4]' | tee /dev/stderr) [ "${actual}" = "--bar baz" ] local actual=$(echo $object | - yq -r '.args[4]' | tee /dev/stderr) + yq -r '.args[5]' | tee /dev/stderr) [ "${actual}" = "first" ] } 
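Review bot: The new HMAC test reads the flag by position (`.args[2]`), and the "extra args" test below had to shift every index (`args[2]`→`[3]` and so on) and both length counts (`2`→`3`, `5`→`6`) to make room for it. Selecting the flag by name keeps each test independent of argument order: `yq -r '.spec.template.spec.containers[0].args[] | select(startswith("--hmac-secret-name="))'`. The length assertions in the extra-args test would then only need to change when an argument is genuinely added.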
@@ -349,6 +368,74 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# nodeSelector +@test "csi/daemonset: nodeSelector not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .nodeSelector? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: nodeSelector can be set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.nodeSelector=foobar' \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: nodeSelector can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set "csi.pod.nodeSelector.foo=bar,csi.pod.nodeSelector.baz=qux" \ + . | tee /dev/stderr | + yq '.spec.template.spec.nodeSelector.foo == "bar" and .spec.template.spec.nodeSelector.baz == "qux"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# affinity +@test "csi/daemonset: affinity not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec | .affinity? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: affinity can be set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.affinity=foobar' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.affinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: affinity can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set "csi.pod.affinity.podAntiAffinity=foobar" \ + . | tee /dev/stderr | + yq '.spec.template.spec.affinity.podAntiAffinity == "foobar"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # Extra Labels diff --git a/test/unit/csi-role.bats b/test/unit/csi-role.bats new file mode 100644 index 000000000..e7eb7e62c --- /dev/null +++ b/test/unit/csi-role.bats @@ -0,0 +1,39 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/Role: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-role.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/Role: names" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-csi-provider-role" ] + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr) + [ "${actual}" = "vault-csi-provider-hmac-key" ] +} + +@test "csi/Role: HMAC secret name configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --set 'csi.hmacSecretName=foo' \ + . | tee /dev/stderr | + yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} \ No newline at end of file 
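Review bot: csi-role.bats is added without a trailing newline (`\ No newline at end of file`), and csi-rolebinding.bats in the next file section has the same, while this very commit fixes exactly that in injector-deployment.bats. Add the final newline to both new files so the next edit to them does not carry the same noise.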
diff --git a/test/unit/csi-rolebinding.bats b/test/unit/csi-rolebinding.bats new file mode 100644 index 000000000..caf368b74 --- /dev/null +++ b/test/unit/csi-rolebinding.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/RoleBinding: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-rolebinding.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/RoleBinding: name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-csi-provider-rolebinding" ] +} \ No newline at end of file diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 5abe2846d..962b1f25b 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -973,6 +973,8 @@ EOF --set 'injector.agentDefaults.cpuRequest=cpuRequest' \ --set 'injector.agentDefaults.memLimit=memLimit' \ --set 'injector.agentDefaults.memRequest=memRequest' \ + --set 'injector.agentDefaults.ephemeralLimit=ephemeralLimit' \ + --set 'injector.agentDefaults.ephemeralRequest=ephemeralRequest' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) @@ -991,6 +993,14 @@ EOF local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_MEM_REQUEST")) | .[] .value' | tee /dev/stderr) [ "${value}" = "memRequest" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_EPHEMERAL_LIMIT")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "ephemeralLimit" ] + + local value=$(echo $object | + yq -r 'map(select(.name=="AGENT_INJECT_EPHEMERAL_REQUEST")) | .[] .value' | tee /dev/stderr) + [ "${value}" = "ephemeralRequest" ] } @test "injector/deployment: agent default template" { 
@@ -1041,4 +1051,4 @@ EOF local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr) [ "${value}" = "false" ] -} \ No newline at end of file +} diff --git a/test/unit/prometheus-prometheusrules.bats b/test/unit/prometheus-prometheusrules.bats index 87736cfcb..efe4d250c 100755 --- a/test/unit/prometheus-prometheusrules.bats +++ b/test/unit/prometheus-prometheusrules.bats @@ -6,7 +6,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -26,16 +26,16 @@ load _helpers local output=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ --set 'serverTelemetry.prometheusRules.enabled=true' \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ - --set 'serverTelemetry.prometheusRules.rules.baz=qux' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[1].baz=qux' \ .) | tee /dev/stderr ) [ "$(echo "$output" | yq -r '.spec.groups | length')" = "1" ] [ "$(echo "$output" | yq -r '.spec.groups[0] | length')" = "2" ] [ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-vault" ] [ "$(echo "$output" | yq -r '.spec.groups[0].rules | length')" = "2" ] - [ "$(echo "$output" | yq -r '.spec.groups[0].rules.foo')" = "bar" ] - [ "$(echo "$output" | yq -r '.spec.groups[0].rules.baz')" = "qux" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules[0].foo')" = "bar" ] + [ "$(echo "$output" | yq -r '.spec.groups[0].rules[1].baz')" = "qux" ] } @test "prometheus/PrometheusRules-server: assertSelectors default" { 
@@ -43,7 +43,7 @@ load _helpers local output=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ --set 'serverTelemetry.prometheusRules.enabled=true' \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ . ) | tee /dev/stderr) [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "5" ] @@ -55,7 +55,7 @@ load _helpers local output=$( (helm template \ --show-only templates/prometheus-prometheusrules.yaml \ --set 'serverTelemetry.prometheusRules.enabled=true' \ - --set 'serverTelemetry.prometheusRules.rules.foo=bar' \ + --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ --set 'serverTelemetry.prometheusRules.selectors.baz=qux' \ --set 'serverTelemetry.prometheusRules.selectors.bar=foo' \ . ) | tee /dev/stderr) diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 0794d0e49..f4aebbd3d 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats @@ -2,7 +2,7 @@ load _helpers -@test "server/headless-Service: publishNotReadyAddresses can be changed" { +@test "server/headless-Service: publishNotReadyAddresses cannot be changed" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-headless-service.yaml \ 
@@ -15,7 +15,25 @@ load _helpers --set 'server.service.publishNotReadyAddresses=false' \ . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] +} + +@test "server/headless-Service: instance selector cannot be disabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.instanceSelector.enabled=false' \ + . | tee /dev/stderr | + yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) + [ "${actual}" = "release-name" ] } @test "server/headless-Service: instance selector cannot be disabled" { diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 7295c2500..149e3c04b 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats 
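Review bot: The added test `server/headless-Service: instance selector cannot be disabled` has the same description as the existing test that begins on the hunk's last context line, and from the visible body (two `helm template` calls asserting the selector stays `release-name`) it looks like the same check. bats derives each test's function from its description, so duplicate names are at best confusing in TAP output and at worst let one test shadow the other; drop the copy or give it a distinct title. The existing test's body lies outside the hunk, so I cannot compare the two line for line.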
@@ -1996,3 +1996,193 @@ load _helpers
 yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# extraPorts
+
+@test "server/standalone-StatefulSet: adds extra ports" {
+ cd `chart_dir`
+
+ # Test that it defines it
+ local object=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.extraPorts[0].containerPort=1111' \
+ --set 'server.extraPorts[0].name=foo' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "foo")' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.containerPort' | tee /dev/stderr)
+ [ "${actual}" = "1111" ]
+
+ local actual=$(echo $object |
+ yq -r '.name' | tee /dev/stderr)
+ [ "${actual}" = "foo" ]
+}
+
+#--------------------------------------------------------------------
+# readinessProbe
+
+@test "server/StatefulSet: server.readinessProbe.port is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.readinessProbe.enabled=true' \
+ --set 'server.readinessProbe.path=foo' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].readinessProbe.httpGet.port' | tee /dev/stderr)
+ [ "${actual}" = "8200" ]
+}
+
+
+#--------------------------------------------------------------------
+# livenessProbe
+
+@test "server/StatefulSet: server.livenessProbe.port is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.livenessProbe.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.port' | tee /dev/stderr)
+ [ "${actual}" = "8200" ]
+}
+
+#--------------------------------------------------------------------
+# enterprise license autoload support
+@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enterpriseLicense.secretName=foo' \
+ --set 'server.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr)
+ [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ]
+}
+
+@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enterpriseLicense.secretName=foo' \
+ --set 'server.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr)
+ [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ]
+}
+
+@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enterpriseLicense.secretName=foo' \
+ --set 'server.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+ [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ]
+}
+
+@test "server/StatefulSet: blank secretName does not set env var" {
+ cd `chart_dir`
+
+ # setting secretName=null
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enterpriseLicense.secretName=null' \
+ --set 'server.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+ [ "${actual}" = '' ]
+
+ # omitting secretName
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr)
+ [ "${actual}" = '' ]
+}
+
+#--------------------------------------------------------------------
+# securityContext
+
+@test "server/standalone-StatefulSet: default statefulSet.securityContext.pod" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.securityContext' | tee /dev/stderr)
+ [ ! "${actual}" = "null" ]
+}
+
+@test "server/standalone-StatefulSet: default statefulSet.securityContext.container" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].securityContext' | tee /dev/stderr)
+ [ ! "${actual}" = "null" ]
+}
+
+@test "server/standalone-StatefulSet: specify statefulSet.securityContext.pod yaml" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.statefulSet.securityContext.pod.foo=bar' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.securityContext.foo' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
+@test "server/standalone-StatefulSet: specify statefulSet.securityContext.container yaml" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.statefulSet.securityContext.container.foo=bar' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
+@test "server/standalone-StatefulSet: specify statefulSet.securityContext.pod yaml string" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.statefulSet.securityContext.pod=foo: bar' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.securityContext.foo' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
+@test "server/standalone-StatefulSet: specify statefulSet.securityContext.container yaml string" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.statefulSet.securityContext.container=foo: bar' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].securityContext.foo' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
+#--------------------------------------------------------------------
+# hostNetwork
+
+@test "server/StatefulSet: server.hostNetwork not set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "server/StatefulSet: server.hostNetwork is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.hostNetwork=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
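Review bot: The two hostNetwork tests added at the end of this hunk appear to duplicate tests already in the file: the context lines that open the hunk are the tail of an existing test with the identical `yq -r '.spec.template.spec.hostNetwork'` query and `[ "${actual}" = "true" ]` assertion, and the securityContext, enterprise-license and probe tests read like a re-appended block rather than new coverage, so the file should be checked for repeated `@test` names before the section preceding line 1996 and the copies dropped (duplicate names are at best a bats warning and at worst silently double the run time). In the extraPorts test, `echo $object` is unquoted in both places, so the yq output is word-split and re-joined before being parsed again; `local actual=$(echo "$object" |` keeps the document intact. Minor style: `[ ! "${actual}" = "null" ]` in the two default securityContext tests reads more naturally as `[ "${actual}" != "null" ]`, and the block mixes `-s` and `--show-only` for the same helm flag.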
diff --git a/values.openshift.yaml b/values.openshift.yaml
index da71dcfb9..6e575e4d4 100644
--- a/values.openshift.yaml
+++ b/values.openshift.yaml
@@ -13,9 +13,9 @@ injector:
 agentImage:
 repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.13.1-ubi"
+ tag: "1.14.0-ubi"
 server:
 image:
 repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.13.1-ubi"
+ tag: "1.14.0-ubi"
diff --git a/values.schema.json b/values.schema.json
index b6729cb3e..9d5d66421 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -139,6 +139,13 @@
 "pod": {
 "type": "object",
 "properties": {
+ "affinity": {
+ "type": [
+ "null",
+ "object",
+ "string"
+ ]
+ },
 "annotations": {
 "type": [
 "object",
@@ -148,6 +155,13 @@
 "extraLabels": {
 "type": "object"
 },
+ "nodeSelector": {
+ "type": [
+ "null",
+ "object",
+ "string"
+ ]
+ },
 "tolerations": {
 "type": [
 "null",
@@ -269,6 +283,12 @@
 "memRequest": {
 "type": "string"
 },
+ "ephemeralLimit": {
+ "type": "string"
+ },
+ "ephemeralRequest": {
+ "type": "string"
+ },
 "template": {
 "type": "string"
 },
@@ -1066,6 +1086,25 @@
 }
 }
 },
+ "serverTelemetry": {
+ "type": "object",
+ "properties": {
+ "prometheusRules": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "rules": {
+ "type": "array"
+ },
+ "selectors": {
+ "type": "object"
+ }
+ }
+ }
+ }
+ },
 "ui": {
 "type": "object",
 "properties": {
diff --git a/values.yaml b/values.yaml
index d2465f214..6804aff50 100644
--- a/values.yaml
+++ b/values.yaml
@@ -73,7 +73,7 @@ injector:
 # required.
 agentImage:
 repository: "hashicorp/vault"
- tag: "1.13.1"
+ tag: "1.14.0"
 # The default values for the injected Vault Agent containers.
 agentDefaults:
@@ -83,6 +83,8 @@ injector:
 cpuRequest: "250m"
 memLimit: "128Mi"
 memRequest: "64Mi"
+ # ephemeralLimit: "128Mi"
+ # ephemeralRequest: "64Mi"
 # Default template type for secrets when no custom template is specified.
 # Possible values include: "json" and "map".
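Review bot: Declaring `serverTelemetry.prometheusRules.rules` as `"type": "array"` in the `@@ -1066,6 +1086,25 @@` hunk, together with the `rules: {}` → `rules: []` default change in values.yaml (hunk `@@ -1219,7 +1238,7 @@` further down), turns any user values file that still carries the old map form into a hard schema-validation failure on install/upgrade instead of a rendering change, so this is a breaking change that should be called out in the changelog and upgrade notes. If a transition is wanted, the entry can accept both shapes for one release, `"type": ["array", "object"]`, in the same way `affinity` and `nodeSelector` in the first two hunks accept `["null", "object", "string"]`, with the template handling either. The remaining hunks (image tags, ephemeral resource fields) are straightforward.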
@@ -381,7 +383,7 @@ server:
 image:
 repository: "hashicorp/vault"
- tag: "1.13.1"
+ tag: "1.14.0"
 # Overrides the default Image Pull Policy
 pullPolicy: IfNotPresent
@@ -529,7 +531,7 @@ server:
 livenessProbe:
 enabled: false
 path: "/v1/sys/health?standbyok=true"
- # Port nuumber on which livenessProbe will be checked.
+ # Port number on which livenessProbe will be checked.
 port: 8200
 # When a probe fails, Kubernetes will try failureThreshold times before giving up
 failureThreshold: 2
@@ -679,7 +681,9 @@ server:
 # NodePort, or LoadBalancer.
 #type: ClusterIP
- # Do not wait for pods to be ready
+ # Do not wait for pods to be ready before including them in the services'
+ # targets. Does not apply to the headless service, which is used for
+ # cluster-internal communication.
 publishNotReadyAddresses: true
 # The externalTrafficPolicy can be set to either Cluster or Local
@@ -1022,7 +1026,7 @@ csi:
 image:
 repository: "hashicorp/vault-csi-provider"
- tag: "1.3.0"
+ tag: "1.4.0"
 pullPolicy: IfNotPresent
 # volumes is a list of volumes made available to all containers. These are rendered
@@ -1050,6 +1054,10 @@ csi:
 # cpu: 50m
 # memory: 128Mi
+ # Override the default secret name for the CSI Provider's HMAC key used for
+ # generating secret versions.
+ hmacSecretName: ""
+
 # Settings for the daemonSet used to run the provider.
 daemonSet:
 updateStrategy:
@@ -1082,6 +1090,17 @@ csi:
 # in a PodSpec.
 tolerations: []
+ # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map.
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ # Example:
+ # nodeSelector:
+ # beta.kubernetes.io/arch: amd64
+ nodeSelector: {}
+
+ # Affinity Settings
+ # This should be either a multi-line string or YAML matching the PodSpec's affinity field.
+ affinity: {}
+
 # Extra labels to attach to the vault-csi-provider pod
 # This should be a YAML map of the labels to apply to the csi provider pod
 extraLabels: {}
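Review bot: The new `hmacSecretName: ""` in the `@@ -1050,6 +1054,10 @@` hunk does not say which Secret name is used when the value is left empty, nor whether the provider creates that Secret itself or expects an operator to pre-provision it — the two things someone rotating or pre-creating the HMAC key needs to know; suggest extending the comment with `# Leave empty to use the provider's default name.` plus one sentence on who creates the Secret, matched to what the provider actually does. None of the values.schema.json hunks in this commit add `hmacSecretName` under `csi`, so unless that object allows additional properties the new key would be rejected by schema validation. In the `@@ -1082,6 +1090,17 @@` hunk the example label `beta.kubernetes.io/arch` has long been replaced by `kubernetes.io/arch`; the example should use the current key.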
@@ -1092,7 +1111,7 @@ csi:
 image:
 repository: "hashicorp/vault"
- tag: "1.13.1"
+ tag: "1.14.0"
 pullPolicy: IfNotPresent
 logFormat: standard
@@ -1219,7 +1238,7 @@ serverTelemetry:
 selectors: {}
 # Some example rules.
- rules: {}
+ rules: []
 # - alert: vault-HighResponseTime
 # annotations:
 # message: The response time of Vault is over 500ms on average over the last 5 minutes.